SAP S/4 HANA RISE Private Cloud Edition and SAP Security – Who’s Responsible?
Did you know that the security of your SAP S/4 HANA running as RISE Private Cloud is still the customer’s responsibility?
An S/4 HANA RISE contract is by no means a ‘set and forget’ activity, and the SAP S/4 HANA Roles and Responsibilities documentation shows that the Customer is responsible for the security of its SAP systems.
A standard RISE contract doesn't include security management, monitoring, testing or risk remediation. It is up to the customer to continue to manage these in-house, with an outside partner, or negotiate a range of security-related Cloud Application Services with SAP.
RISE Services
First, to recap: four types of services are offered within a RISE contract.
- Standard Services: Standard with every RISE contract.
- Optional Services: Optional and can be included.
- Additional Services: Optional and can be included.
- SAP Cloud Application Services (CAS): CAS Packages can be included to cover services not included as standard, optional, or additional. Unlike the other services, where there is no such option, these activities can be performed by the Customer.
Only Standard Services or optional CAS Packages are available for SAP security tasks and activities.
SAP Security RISE Services Included
Very few of the 400 – 500 services that come with every RISE contract as standard are SAP security-related. In summary, these are as follows:
- SAP will define and implement an infrastructure security concept.
- SAP will evaluate its SAP security notes and identify any critical notes as part of a standard contract. However, only those notes implemented without manual effort will be delivered as part of the standard contract. For the rest, the Customer must include a relevant CAS Package in its contract, or check the security notes on SAP for Me and create a Service Request.
- SAP will maintain user profiles, roles, authorizations, source data and passwords in client 000 and provide customer access to client 000. However, this is limited to restricted and predefined profiles, a limited set of users, and services provided on request only.
- SAP will provide audit log information to customers within the standard contract. However, this is provided by request only, to support incident investigations, and not on a regular basis. SAP and general security and data protection policies will determine the format, content, and procedure used.
SAP Security Activities Excluded
A range of SAP security activities are excluded from a RISE contract. These will need to be performed by the customer or a services provider, or contracted separately with SAP or the partner delivering the RISE program.
These excluded activities include the following:
- Security Audit Log Analysis.
- Analysis and implementation of application-related ABAP and JAVA stack SAP Security Notes.
- Testing following implementation of the Notes.
- Customer user administration and monitoring including user creation, change, or deletion, and maintenance of user profiles, roles, authorizations, source data and passwords.
- Security risk analysis of the system landscape and any remediation to address areas of high risk.
- Securing access to remote function call (RFC) modules.
- Security Monitoring to monitor applications including reporting on Security KPIs and associated remediation activities.
- Global Change parameters (SE06) updates and default system settings (SCC4).
- Designing and implementing the overall security concept and Single Sign On (SSO) solutions for the cloud environment. (This can only be delivered by the customer.)
SAP Security Cloud Application Packages
RISE SAP Cloud Application (CAS) Packages are available for each of the excluded security activities mentioned.
Although the basic content of each package is published, in most cases what is included is opaque and lacking in important detail.
More about this will be covered in a forthcoming article.
In the meantime, one can learn more by looking through the Roles and Responsibilities RISE with SAP S/4HANA Cloud, private edition and SAP ERP, tailored option (version v.7-2024v2) document.
About us
Leg Up Software is an expert in SAP IT operational and infrastructure software automation solutions, including those that support enterprises’ transformation journeys.
www.legupsoftware.com
We know the SAP operations and infrastructure automation solutions landscape and have already done the legwork identifying the best available solutions.
We have excellent relationships with many software vendors, including the ones mentioned here, and can negotiate an evaluation process that best suits your circumstances and budget.
Why not set up a time to start the conversation by putting something in our calendar?