(Jana Subramanian serves as APJ Principal Cybersecurity Advisor for Cloud Security and also holds Fellow of Information Privacy (FIP), a distinction given by the International Association of Privacy Professionals (IAPP). In his capacity, he is responsible for guiding strategic customer interactions concerning cybersecurity, data privacy, integration architecture of multi-cloud security, contractual assurance, audit and compliance.)

 Introduction

In the modern business world, there is a growing trend of moving to cloud-based systems. This shift has placed data security, data privacy and compliance to regulation at the forefront of business considerations. The rise of stringent data regulations around the world (Data Privacy regulation applicable in almost over 150 countries.) has also shown that businesses can no longer afford to be reactive when it comes to data protection. They need to be proactive in fortifying their digital ecosystems to ensure compliance with ever-evolving regulations. SAP Cloud Services is a key player in this space, offering a comprehensive suite of solutions that help businesses safeguard, comply with, and control personal data. SAP Cloud Services are designed to help businesses do just that, providing them with the tools and resources they need to stay compliant with ease.

In this blog, we will provide you with an overview of the data privacy controls and tools available to customers as Data Controllers through SAP Cloud Services. Customers, as data controllers, will be better equipped to enhance their data privacy controls in cloud services with the available tools. We will also highlight the primary controls and tools that are available to customers to satisfy these controls.

SAP Multilayer Personal Data Protection:

SAP protects personal data in the cloud with multiple layers of data protection and security. Firstly,  SAP provides contractual assurance to protect personal data via SAP Data Processing Agreement (DPA). The SAP Data Processing Agreement includes Technical and Organizational measures.

Secondly, SAP's cloud applications are developed with privacy by design and privacy by default principles. The cloud applications have built-in data protection controls that can be customized by customers. This lets customers manage their personal data privacy effectively.

It is important to note that while SAP as a “Data Processor” delivers contractually an extensive array of Technical and Organizational measures designed to safeguard personal data when providing cloud services. SAP gives customers a lot of control over how they protect and manage security and data privacy of their specific application landscape in SAP cloud services. As data controllers, customers are given a variety of tools to manage security and data privacy in relation to their application & data hosted in SAP cloud services. Some procedures are specific to individual SAP cloud services, and it is up to the customer to use these tools effectively to improve security and maintain data privacy.

Figure 1: Multilayer Personal Data Protection

The following table broadly explains tools & controls available to customers as a Data Controller to manage their application and their associated data in the SAP cloud services.

S.No	Security and Data Privacy Controls	Available Measures/Tools
1	Physical Access Control Physical Access Control is a set of security measures that are designed to restrict or control access to a specific physical area, such as a building, room, or specific locations within a building.	SAP and Third-Party Data Centres implement a range of physical access control, encompassing professional security staff, video monitoring, intrusion detection systems, and various electronic methods to oversee and regulate access to the data centres. In instances involving IaaS providers like AWS, Azure, and Google Cloud, the responsibility for physical access control falls on the IaaS provider, and these controls are assessed for compliance against the standards established by SAP. This control is under SAP responsibilities although SAP may use sub-processors for IaaS providers (AWS, Azure and GCP) who manage their respective DC. In case, customer subscribe to RISE with SAP S/4HANA cloud, private edition – Customer Data Center option, Customers will be responsible for Physical Access Control and must adhere to standards required by SAP.
2	System Access Control  System Access Control refers to the mechanisms in place to manage and control who or what can access and use a cloud-based system, application, or data. It's an essential component of cloud security, designed to protect against unauthorized access and potential data breaches.	SAP cloud services are bundled with SAP Identity Authentication Service (IAS) and SAP Identity Provisioning Service (IPS) available in SAP Business Technology Platform. SAP Identity Authentication Service (IAS) is a cloud service for authentication, single sign-on, and user management in SAP cloud and on-premises applications. It can act as an identity provider itself or be used as a proxy to integrate with an existing single sign-on infrastructure. Single Sign-On (SSO) Multi-factor Authentication (MFA) Identity Federation: SAML 2.0. Open ID, OAuth 2.0. Authentication can be delegated to Corporate IDP Social Sign-On: SAP IAS can be integrated with social network identities like Google, Facebook, and LinkedIn. User Self-Service: Users can manage their account data and password themselves. Risk-Based Authentication: Based on the context of the user's login, SAP IAS can challenge the user with step-up authentication to ensure a secure login process.
3	Data Access Control  Data access control is a security mechanism that regulates who can access what data. It is a fundamental part of data security and helps to protect sensitive information from unauthorized access.	SAP Authorization & Trust Management service: This service provides a comprehensive set of features for managing authorizations in SAP BTP. These features include role-based access control (RBAC), attribute-based access control (ABAC), and fine-grained authorization. SAP Identity Authentication Service (IAS): IAS manages authentication, single sign-on, and user self-services. SAP Identity Provisioning Service (IPS): This service helps manage identities and their access across SAP cloud and on-premises applications. It allows you to automate identity lifecycle processes like provisioning, de-provisioning, and replication of user accounts, ensuring only authorized users have access to your data. SAP Cloud Identity Access Governance (IAG): This service can help to ensure compliance with data access policies. It provides capabilities such as role design, role management, user provisioning, access certification, and segregation of duties (SoD) analytics. SAP HANA Rules Framework: This tool allows developers to create business rules that can control access to data in SAP HANA databases. SAP Data Custodian: This service is specifically designed for data access control. It allows customers to control and monitor data access at a granular level in real-time.
4	Data Transmission Controls This is set of measures and protocols that ensure the security, integrity, and confidentiality of data while it's being transferred from one location to another. This could be across different cloud systems, on-premises to cloud or Users to Cloud Applications. In other words, it's about safeguarding your data when it's in transit.	Transport Layer Security (TLS): SAP Cloud Services use TLS 1.2 protocols to encrypt data during transmission. This prevents unauthorized parties from being able to read or modify the data while it's in transit. Virtual Private Networks (VPN): For connections between on-premises systems and SAP Cloud services, SAP provides the option to establish a VPN, creating a secure, encrypted tunnel for data transmission. This is applicable for SAP S/4HANA cloud, private edition. AWS and Azure Private Link: enables private connectivity between two services, effectively keeping the traffic off the public Internet. This applies to specific connectivity use case with SAP BTP and customer owned systems with AWS and Azure. SAP Cloud Connector: It allows for secure mutual TLS1.2 encrypted tunnel for data communication between on-premises systems or cloud (such as SAP S/4HANA cloud, private edition) to SAP Business Technology Platform services/application and provides additional features like principal propagation for end-to-end user identity. Secure Network Communications (SNC): For SAP's ABAP-based systems, SNC can be used to provide an additional layer of security for data in transit. IP Filtering/Whitelisting: SAP Cloud Services often provide the option to whitelist certain IP addresses, so only traffic from these trusted IPs will be allowed to access the services. This is applicable only for certain SAP cloud Services such as SAP SuccessFactors. In case of SAp S/4HANA cloud, private edition, SAP defines WAF rules for inbound traffic from Internet to protect against OWASP type of vulnerabilities Data Integrity Checks: SAP systems include mechanisms to verify the integrity of data after transmission, such as digital signatures, to ensure that it hasn't been tampered with during transit.
5	Data Input Control  This refers to the processes and measures put in place to ensure the accuracy, integrity, and completeness of data at the point it is entered into a system. Data security control that is used to prevent unauthorized or incorrect data from being entered into a system.	SAP GUI and Fiori UI Field Validation: These user interfaces offer basic input validation controls. SAP Data Services: SAP Data Services software can validate, cleanse, transform, and enrich data. It can be used to ensure the quality of data that is being input into SAP systems, especially during data migration or integration processes. SAP Information Steward: This tool enables data profiling and metadata management. It helps to understand data anomalies, set validation rules, and monitors data quality metrics over time. SAP Cloud Integration (CPI): SAP Integration Suite can enforce validation rules to ensure the accuracy, completeness, and consistency of data being input into the system from external sources. It allows for data transformation and mapping to ensure the data conforms to the requirements of the target system. Master Data Governance (MDG): SAP MDG helps to ensure the quality and integrity of master data by standardizing, validating, and de-duplicating data before it is saved in the system. SAP LSMW (Legacy System Migration Workbench): This tool is often used during data migration projects and provides data checks and balances to ensure data integrity. SAP BRFplus (Business Rule Framework plus): This tool allows for the creation of business rules that can be used to validate input data. SAP AIF (Application Interface Framework): This solution provides a structured and traceable way of error handling and monitoring when exchanging data between your SAP system and external systems.
6	Job Control This control refers to data access and processing responsibilities of different roles within the organization, and implementing measures to ensure that each person can only access and process the data that is necessary for their specific role or "job". This includes establishing protocols for how data is handled and ensuring the proper training is in place for all personnel.	SAP Identity Authentication Service (IAS): IAS manages authentication, single sign-on, and user self-services. SAP Identity Provisioning Service (IPS): This service helps manage identities and their access across SAP cloud and on-premises applications. It allows you to automate identity lifecycle processes like provisioning, de-provisioning, and replication of user accounts, ensuring only authorized users have access to your data. SAP Cloud Identity Access Governance (IAG): This service can help to ensure compliance with data access policies. It provides capabilities such as role design, role management, user provisioning, access certification, and segregation of duties (SoD) analytics. The following can be some of the examples of Job Control: SAP Identity Access Governance (IAG) - Hire to Retire: In an organization, from the point when an employee is hired till they retire, there are several stages like promotions, transfers, or exits where the access rights of the user must be controlled. For instance, if an employee is promoted from a junior developer to a project manager, they may require additional access rights. Similarly, when an employee retires, their access needs to be completely revoked to ensure security. SAP IAG provides automated workflows and approval processes for managing these access rights. SAP SuccessFactors Learning Management System (LMS) - Training Awareness Programs: This system can be set to automatically enroll employees into relevant training programs based on their job role, department, or individual career growth plan. Managers and supervisors can have a control view of their team members' progress, ensure that mandatory training is completed, and manage job transitions based on skill development. SAP IPS SCIM Connector - Integration for Third-Party IAM: Here, job control can refer to managing access to third-party apps. For example, a user who is given access to a third-party analytics tool through the Identity Provider (IdP). Their access level can be controlled based on their job role, ensuring they have the necessary rights to perform their tasks without compromising security. SAP IAG Firefighter - Privileged Application Access: In some instances, employees need temporary elevated access to perform certain tasks. With Firefighter, you can manage and monitor this temporary access. For example, a system admin might need high-level access to debug a system issue, but that access level would not be necessary for their day-to-day tasks. With Firefighter, you can grant this temporary access and monitor their actions during this period. SAP SuccessFactors (SFSF) Proxy as a User: Sometimes HR administrators or managers need to act on behalf of a user (for example, to approve leave requests or complete tasks during the user's absence). Using SFSF's proxy feature, they can perform these tasks while the system logs these actions for audit and compliance purposes.
7	Availability Control  This security measures ensure data and systems are readily accessible and usable when needed by authorized entities. They are designed to keep services up and running, prevent system downtime, and ensure timely and reliable access to information.	The security measures are under responsibility of SAP cloud services with Systems Availability SLA. SAP delivers backup and restore as a standard service. While standard DR may be available for most of SaaS offerings, customer can subscribe to enhanced DR such as SAP S/4HANA cloud, SAP SuccessFactors. High Availability (Multi-AZ): SAP Cloud Services are typically deployed across multiple data centres in a region to provide redundancy. If one data centre experiences an outage, the workload can be automatically transferred to another, ensuring continuous service availability. Backup and Restore: Regular backups are taken to protect data against loss or corruption. Backup data is stored in separate, secure locations and can be restored if required. Disaster Recovery (DR): SAP has a robust disaster recovery strategy, which includes regular testing of DR processes. In case of a major incident, services can be recovered at a DR site. Load Balancing: Traffic to SAP Cloud Services is distributed evenly across servers to prevent overloading and ensure optimal performance. Health Monitoring and Alerting: SAP continuously monitors the health and performance of its cloud services and uses alerting mechanisms to quickly identify and respond to potential availability issues. Maintenance Windows: Scheduled maintenance activities are carried out during predefined maintenance windows to minimize impact on service availability. Data Replication: SAP Cloud Services often use data replication strategies, ensuring that if the primary data source becomes unavailable, the service can switch to a replica with minimal downtime.
8	Data Separation Control  This  refers to the measures that are in place to segregate or isolate customers' data from each other. This is especially important in multi-tenant environments, where multiple customers share the same physical infrastructure. The main goal of data separation control is to prevent unauthorized access or leakage of data from one customer to another.	Logical Separation: In this approach, all customers' data may reside in the same database but is logically segregated using identifiers or keys tied to each customer. The system is designed such that a customer can only access their own data and cannot see or interact with others' data. Dedicated Instances: In some cases, customer data may be stored in separate databases or different schema within the same database. This can provide an additional layer of security. In SAP S/4HANA cloud, private edition, SAP provides single tenanted landscape where dedicated resources to are delivered for customer landscape. Data Encryption: Data from different customers may be encrypted using different keys, providing another layer of separation. Access Control: Role-based access control and other security measures are used to ensure that only authorized personnel can access specific data. SAP Master Data Governance (MDG): This ensures central governance of master data to ensure data integrity, quality, and compliance across different systems in an organization. It supports the principle of data separation by facilitating a controlled distribution of data across various operational and analytical systems. SAP MDG allows for the separation of duties where one user is responsible for the creation of data, another for its approval, and another for its distribution. This separation ensures that there's a degree of control and oversight on each step of the process, thus helping to maintain the integrity and security of the data. All SAP cloud services offerings are designed to keep customer data separate and secure. This is managed through a combination of architectural design, security features, operational procedures, and compliance measures. It's important to note that the specific data separation controls can vary depending on the particular SAP service in question.
9	Data Integrity Control  This refers to strategies, processes, and tools employed to ensure the accuracy, consistency, and reliability of data during its entire lifecycle. These controls safeguard data from unauthorized modifications, deletions, or other forms of corruption, thus maintaining its consistency across various databases and systems.	SAP Data Access Control : SAP delivers various Data Access Control mechanism within SAP cloud applications. SAP Authorization & Trust Management service : This service provides a comprehensive set of features for managing authorizations in SAP Cloud Platform. These features include role-based access control (RBAC), attribute-based access control (ABAC), and fine-grained authorization. SAP Audit Log API: The SAP BTP Audit Management service provides a way to collect and analyse audit logs from SAP Cloud Platform applications. This can be used to track data access and identify potential security incidents. SAP Enterprise Data Integrity Testing by Tricentis: Automate data testing to maintain data accuracy – wherever your data travels and whatever happens to it on its journey. SAP Master Data Governance (MDG): This tool helps in governing and maintaining the integrity of master data by ensuring consistency and eliminating duplication across the entire system landscape. SAP Data Services: This tool provides capabilities for data integration, transformation, data quality management, and data profiling to ensure that the data is consistent, accurate, and reliable. SAP Information Steward: It combines data profiling, data lineage, and metadata management tools to improve enterprise data quality and strengthen ongoing information governance efforts. SAP Identity Access Governance: It aids in mitigating access risk and preventing fraud by managing and validating user access to systems and data. SAP Audit Management: This tool allows for tracking changes to sensitive data, ensuring that any potential corruption or unauthorized changes can be traced and rectified. SAP Change and Transport System (CTS): A tool for transporting changes from a development system to a production system in a controlled way, maintaining the integrity and consistency of data. SAP Advanced Data Migration (ADM) by Syniti: This is an SAP Solution Extension tool that helps ensure clean, consistent, and compliant data across all systems.

Cybersecurity via Zero Trust Architectural Principles

Zero trust architecture (ZTA) is a security framework that assumes that no user or device is inherently trusted, even if they are within the organization's network. This means that all access to resources is first authenticated and authorized, regardless of where the user or device is located. In traditional security models, trust is assumed within the network perimeter. This means that users and devices inside the network are trusted, while those outside the network are not. However, this model is no longer effective in today's world, where users and devices are increasingly mobile and connected to the internet.

ZTA takes a different approach. It assumes that no user or device is inherently trusted, even if they are within the organization's network. This means that all access to resources is first authenticated and authorized, regardless of where the user or device is located. The diagram below outlines the key architectural components of the zero-trust principles applied to RISE with SAP S/4HANA cloud, private edition. The objective is to secure identities, endpoints, business applications, data, and infrastructure, along with ensuring both internal and external network connections are safe in a hybrid environment. Each data flow requires verification and trust establishment for each session. Dynamic security policies must be clearly laid out and enforcement points strategically placed at various stages. This process includes implementing the principle of least privilege, securing all services, managing system-to-system APIs, handling authentication and authorization, overseeing privileged credential management, and facilitating security automation. Please refer to the blog "RISE with SAP: Adopting to Zero Trust Architecture Principles with SAP Cloud Services" for additional details.

Figure 2: Zero Trust Architecture Principles for SAP S/4HANA cloud, private edition

Enhanced Data Privacy and Protection Tools

Apart from the aforementioned tools, SAP also offers an extensive array of privacy-enhancing technologies and tools, suitable for specific use cases. These include UI Masking and Logging, SAP Enterprise Threat Detection, SAP Data Custodian, SAP Data Retention Manager, and SAP ILM. For a deeper comprehension of each of these tools, consider perusing related blogs and visiting https://help.sap.com.

S.No	Description
1	GRC Tuesdays: What really is SAP Governance, Risk, and Compliance (GRC)? – Focus on the Cybersecurit...
2	Enhanced Data Security and Protections for SAP Cloud Services
3	Essential Data Privacy and Security Controls in SAP Business Technology Platform
4	Safeguarding Your Crown Jewel: UI Data Protection
5	Safeguarding SAP Landscapes: Unleashing the Power of SAP Enterprise Threat Detection (ETD) – An Intr...
6	SAP Solutions for Cyber Security and Data Protection
7	SAP Data Custodian
8	SAP Information Lifecycle Management
9	Define project scope for data protection and compliance projects (DPP) with SAP Information Lifecycl...

Conclusion

In conclusion, SAP's suite of cybersecurity and data privacy tools offers a powerful balance of control, flexibility, and security for customers who manage their applications and data in SAP cloud services. These tools not only protect digital assets but also empower users with greater data governance. Complementing these technical aspects, SAP is a reliable data processor that provides comprehensive contractual assurances through its meticulously designed Technical and Organizational Measures. This demonstrates SAP's commitment to customers to remain compliant with security, data privacy, and regulations, instilling confidence in customer's digital transformation journey.

Disclaimer

© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.