
Balancing Cost, Control, and Coverage: Navigating SAP RISE Private Cloud Security


RISE with SAP S/4HANA Private Cloud leaves the customer scope to manage aspects of the system itself, and in some cases it is prudent to do so. Keeping control of system security activities can minimize unexpected expenses and produce better outcomes.

A standard RISE contract includes a limited number of security services. Activities such as applying non-critical SAP Security Notes, monitoring, testing, user management and remediation are left to the customer, either to manage in-house or to negotiate as a Cloud Application Services package with SAP, which SAP will then control.

It is a matter of cost, control, and security coverage.

SAP RISE security services

SAP Security Notes:

As a standard RISE service, SAP will evaluate its SAP Security Notes and identify and apply those it deems critical. However, only those notes that can be applied without manual effort will be delivered as part of the standard contract.

For consideration:

  • SAP decides what is critical (typically CVSS 9 and 10), and the customer is responsible for the rest.
  • If the critical notes require any manual effort, it is the customer's responsibility to apply them.
  • The customer needs to apply the notes SAP doesn’t deem critical.
  • The customer still needs to validate SAP’s application of SAP Security Notes, confirming that they have been applied and applied correctly.
  • The customer is responsible for testing the notes that have been applied, including those applied by SAP.

In short, although SAP is doing some of the work, successfully applying SAP Security Notes is still the customer's responsibility. SAP Security Notes that fall short of SAP’s criticality measure or need manual work must be applied by the customer or SAP as part of an agreed Cloud Application Service.
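The responsibility split above lends itself to a simple reconciliation check. The following is an added example, not code from the article or from SAP: it takes a constructed note inventory (placeholder note numbers, CVSS scores and statuses, as observed on the system rather than as reported by SAP) and reports which outstanding notes fall to SAP, which fall to the customer, which SAP-applied notes the customer still has to verify, and which applied notes still need testing.

```python
# Added example (not from the article): reconcile an SAP Security Note backlog
# against the RISE responsibility split. All note numbers, CVSS scores and
# statuses below are constructed placeholders, not real SAP notes.

SAP_CRITICAL_THRESHOLD = 9.0  # the article: SAP treats CVSS 9 and 10 as critical

# Constructed inventory, one dict per note. "manual" marks notes that need
# manual steps (SAP only applies notes that need no manual effort); "applied"
# is what the customer observed on the system, not what SAP reported.
NOTES = [
    {"note": "PLACEHOLDER-0001", "cvss": 9.8,  "manual": False, "applied": True},
    {"note": "PLACEHOLDER-0002", "cvss": 9.1,  "manual": True,  "applied": False},
    {"note": "PLACEHOLDER-0003", "cvss": 7.5,  "manual": False, "applied": False},
    {"note": "PLACEHOLDER-0004", "cvss": 10.0, "manual": False, "applied": False},
    {"note": "PLACEHOLDER-0005", "cvss": 5.3,  "manual": True,  "applied": True},
]


def owner(note):
    """Who is expected to apply the note under the standard RISE contract."""
    if note["cvss"] >= SAP_CRITICAL_THRESHOLD and not note["manual"]:
        return "SAP"
    return "customer"


def reconcile(notes):
    """Group notes by what the customer must now do with them.

    SAP / customer: outstanding notes, by who is expected to apply them.
    verify: SAP-owned notes reported applied; the customer must confirm them.
    test:   every applied note, since testing stays with the customer.
    """
    report = {"SAP": [], "customer": [], "verify": [], "test": []}
    for n in notes:
        who = owner(n)
        if not n["applied"]:
            report[who].append(n["note"])
            continue
        if who == "SAP":
            report["verify"].append(n["note"])
        report["test"].append(n["note"])
    return report


if __name__ == "__main__":
    for bucket, ids in reconcile(NOTES).items():
        print(f"{bucket:9}: {', '.join(ids) or '-'}")
```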

User administration:

SAP will maintain a limited set of predefined user profiles, user roles, authorizations, source data, and passwords in client 000 and provide customer access to client 000.

This service is provided on request only.

The customer is responsible for the remainder of user creation, change, deletion, and maintenance of user profiles, roles, authorizations, source data, and passwords. These must be managed by the customer or by SAP as part of an agreed Cloud Application Service.

Audit log:

SAP will provide audit log information to customers within the standard contract. However, it is provided on request only, to support incident investigations, and not on a regular basis (for example, to monitor administrative activity). The format, content and procedure used will be determined by SAP and by general security and data protection policies.

For consideration:

  • Hopefully, SAP’s processes will be as good or better, but what if the customer’s required format, content, and procedure differ?
  • How many requests are included as standard, and what is the fee for additional requests?

Security Risk Check:

SAP will provide a detailed profile of the customer’s system landscape related to security risks and initiate remediation to address high-risk areas.

For consideration:

  • There are dozens and dozens of SAP security vulnerabilities, some well-known and others not. How can the customer be sure everything has been investigated?
  • Who decides what is and what is not high risk?
  • How are the risk checks performed, and what areas are covered?
  • What is the frequency of the security risk checking? Is this annual, bi-annual, quarterly?
  • How can the customer be assured that the risks identified have been fully remediated?

Assessing security risks should be an ongoing activity. System changes, code changes, router changes, and many other day-to-day activities can open—or reopen—areas of high risk. The customer will be responsible for additional risk analysis unless a Cloud Application Service package is negotiated with SAP.

Interface Security:

The standard contract provides customers with guidance on securing access to remote function call (RFC) modules: implementing a secure framework for RFC modules and restricting access to only those modules that are needed.

Global Change parameters (SE06) and default system settings (SCC4):

Any updates will be based on customer specifications. The customer is responsible for ensuring these settings will be secure even though SAP will make the updates.

Application Security Monitoring:

SAP does not provide security monitoring as a standard. The customer is responsible and must negotiate a Cloud Application Service or manage monitoring themselves.

If a Cloud Application Service is negotiated, customers must still consider the following:

  • What is included in the monitoring, e.g. what security status will be monitored?
  • Who sets the KPI, and who oversees the remediation activities?
  • Will the monitoring highlight previously remediated risks that reopen?

Cost, Control and Coverage

When planning an SAP RISE Private Cloud agreement, SAP customers should consider the overall cost of the contract, the amount of control retained (or relinquished), and the total security coverage received.

Firstly, the cost.

Given the variable nature of SAP system security, arriving at a fixed cost could be impossible unless the customer takes what is given and doesn’t request anything extra. However, it’s clear that this would only cover basic security as standard and could leave the customer’s systems vulnerable.

If customers want SAP to cover more, additional Cloud Application Services packages will be required. This cost could be difficult to fix and may require careful negotiation.

Then, there is a matter of control.

Although SAP might be managing the entirety of your SAP security, the customer remains responsible. The customer’s company brand is at stake, and its board and executives are held accountable for any damage. Holding responsibility without maintaining control has never been a good plan.

Finally, security coverage.

SAP security is complex. There is a lot to cover, from patching and connections to user management and code vulnerabilities. SAP customers must assure themselves that SAP has it fully covered. However, this assurance might be costly and, ultimately, difficult to obtain.

Final word

To ensure that SAP RISE Private Cloud systems and infrastructure are secured cost-effectively, customers may want to maintain control and keep as much of the management in-house as the contract allows. Internal SAP Basis and security teams are experts on customer systems and represent a fixed cost. Retaining these resources helps keep control of SAP security in-house, leading to better outcomes and predictable costs.

For further information, see ‘Roles and Responsibilities RISE with SAP S/4HANA Cloud, private edition and SAP ERP, tailored option’. This article is based on version v.7-2024v2.

About us

Leg Up Software is an expert in SAP IT operational and infrastructure software automation solutions, including those that support enterprises’ transformation journeys.

www.legupsoftware.com

We know the SAP operations and infrastructure automation solutions landscape and have already done the legwork identifying the best available solutions.

We have excellent relationships with many software vendors, including the ones mentioned here, and can negotiate an evaluation process that best suits your circumstances and budget.

Why not set up a time to start the conversation by putting something in our calendar?

Rick Porter

With over two decades of working within the SAP ecosystem, Rick has met and worked with SAP IT professionals from broad backgrounds and experiences. Rick knows the stresses and strains experienced by those managing SAP systems and enjoys bringing these insights and reflections into conversations.
