SAP HANA e SAP S/4HANA Security
What is SAP HANA and what does SAP S/4HANA mean?
Often these terms are used as synonyms, although in reality they are not really. In fact, they are products of a distinct nature.
The first SAP HANA is a database, the second SAP S/4HANA is an application.
These are relatively new products, as SAP has been working for some time on the creation of a high-performance database (taking advantage of in-memory data processing) and in parallel with an S/4HANA application explicitly designed to offer the best performance based on the SAP HANA database.
Innovations are not only technological, especially in the case of S/4HANA. As this new product effectively replaces the previous SAP ECC (ERP Central Component) management system.
But what are the aspects to take into account when we talk about security in the HANA field and security in the S/4HANA field? How should the migration of current systems to new solutions be managed?
What is SAP HANA?
From a technological point of view, it is a relational database management system (RDBMS), available and released by SAP since 2010.
One of the relevant aspects of this issue, now in the past, was the distinction between online transaction processing (OLTP) transactional software and analytical software (OLAP).
These software, such as the SAP ECC application (also known as SAP ERP), were transactional software. So not designed to do massive data analysis. This is also because the underlying databases were not designed for this. The SAP ECC application, in fact, could be installed on any database (DB2, Oracle, Microsoft SQL, ASE, HANA etcc).
In order to analyze the data, then carry out the OLAP part, ad hoc software was needed in the past, such as, for example, in the case of SAP, SAP BI and BW.
With the introduction of the HANA database SAP has constrained the use of its software to the proprietary database. This is to allow you to take full advantage of all the in-memory processing features provided by the database. It also allows you to have a single integrated OLTP and OLAP platform.
But what are the security news of this database?
- The ability to natively manage database encryption
- The ability to encrypt all communication to and from the database
- The possibility of activating HANA Audit Log
- In addition, of course, to access management and profiling of access to the HANA database
- SAP GRC Access Control integration into access management aspects in SAP HANA
In the SAP HANA Enterprise Cloud version it can be managed directly in the Cloud. In this case there are some differences for example:
- 000 SAP HANA Enterprise Cloud client's controlled by SAP
- Firewall logs, networks are not provided to customers
- You can connect via VPN or MLPS (multiprotocol label switching)
- The application management of the system is done directly by the customer
What is SAP S/4HANA?
It's the evolution of SAP ERP. It is the new SAP management application based on the HANA database, publicly released in 2015.
But what are the main terminologies?
- SAP Business Suite, refers to the SAP ERP Netweaver system
- SAP Business Suite S/4HANA, refers to the new HANA-based application and may have two versions
- SAP S/4HANA On-Premise
- SAP S/4HANA Cloud
Not only new technologies but also new processes and new user interfaces. In fact, SAP has reviewed the main business processes in this system and completely renewed access to "transactions".
These can still be used but can also be replaced by the respective APPS. Through the use of SAP FIORI, it is in fact possible to install APPS that effectively replace the use of transactions as they are known to those who already use transactional SAP systems today.
SAP FIORI, the technology that allows sap to be used in mobile devices, is also the graphical interface used by SAP S/4HANA.
Every year a new version of SAP S/4HANA On-Premise is released while every six months a new release of SAP S/4HANA Cloud. The release code identifies the SAP S/4HANA On-Premise 1909 release date means that the release took place in the year 2019 in September. At the same time less in cloud release versioning.
S/4HANA Upgrade. From SAP ECC to SAP S/4HANA what are the scenarios?
Here, too, we have to distinguish. Are you migrating the database or are you migrating the application (SAP ECC)?
In the case of the database, this is a purely technological step. There are therefore no impacts at the application level, except in case you also have to update the current SAP ECC system. In this case, however, this would be a normal SAP upgrade. The permit part and the segregation logic would also remain the same.
In the case of the migration from SAP ECC to SAP S/4HANA?
Here, unlike the previous scenario, there may be several situations.
As in the past, where in case of upgrades, we were talking about:
- Technical upgrade
- Functional upgrade
Also in the context of migration to S/4HANA there are two distinct types of migration, which follow the following:
In the case of brownfield, a technical migration actually takes place, without reviewing the processes currently in use and therefore without taking advantage of any new features.
While in the case of greenfield the upgrade process becomes a global reimagining of the processes currently in place. As if it were, in some respects, a newly implemented project.
Managing Segregation of Duties in S/4HANA environment
When upgrading systems, in addition to new implementations, you need to take into account the segregation of duties within your company. You will see how to approach the various stages:
- Risk definition
- Risk analysis
- Continuous compliance
Remember that the remediation part and especially the mitigation part can be very demanding. During the project but also during the day by day.
Risk matrices must also be adjusted during a migration to S/4HANA.
GDPR - General Data Protection Regulation
Compliance with EU Regulation 2016/679 and Legislative Decree 101/2018 is in fact mandatory for those who manage personal data.
Here, too, a precise process must be followed in order to deal with it. This process involves not only a business department but many e.g. Legal, ICT, Business, HR. SAP contains a lot of personal data (sensitive data). It is therefore important to carry out a privacy risk analysis (PIA) to identify non-conformities and understand how to manage them, for example through:
- Data encryption in SAP
- SAP hardening
- Masking data
- SAP data scrambling
- Staff training e.g. training Security awarness
Read here how it is best to deal with GDPR in particular on SAP, to protect personal data. The move to SAP HANA and S/4HANA can help address the management of the European regulation.
The move to SAP HANA and S/4HANA can help address the management of the European regulation.
SAP Governance Risk and Compliance (GRC)
One of the tools SAP provides to control and manage the company's compliance with the reference regulations is the SAP GRC.
This tool made up of different systems, allows in the case of Access Control, to manage the following aspects.
- ARA - Access Risk Analysis, Segregation of duties, all phases of the sod except the mitigation part for testing controls (this requires the use of GRC Process Control)
- BRM - Role management, that is, managing an authorization role lifecycle
- EAM - Emergency Access Management, i.e. the management of privileged access (super users, firecall, system administrator)
- ARQ - Access Request Management, that is, the management of the sap user lifecycle through the use of approved workflows
From version 12 of the tool you can activate several features specific to the HANA and S/4 scope:
- The use of firefighter emergency utilities in sap fiori
- The use of emergency utilities in the SAP HANA database
- La risk analysis delle SAP APP (SAP FIORI-based S/4HANA applications)
- Integration with systems in the Cloud (Success Factors, SAP IAG etcc)
How can Aglea help you?
Since 2003 we have been dealing exclusively with providing SAP security advice in Italy and also abroad.
We have carried out many dozens of SAP security concept design and authorization review projects. This allowed us to define project accelerators and tools that help to get the IT department (normally very technical) to talk to the business. With the aim of simplifying communication between the actors involved and improving the control of the systems.
We have supported several of the largest Italian companies in the transition to HANA and S/4HANA following the aspects of compliance with regulations and security of the systems involved, as well as the technical aspects of migration.
Suggested Post from our SAP Security Blog
S/4HANA Security: 2 nuove funzionalità che non conosci
- Stai valutando la migrazione a SAP S/4HANA?
- Sei già in fase di migrazione?
- Hai già migrato?
Nuove funzionalità, anche nella parte security, e la revisione dell'utilizzo di alcune transazioni importanti, non sono da sottovalutare.
SAP HANA Security, HANA o S/4HANA migrazione o installazione
Dal 2025 (SAP ha spostato ad inizio 2020 la data del termine del supporto di SAP ECC al 2027 anzichè 2025) terminerà il supporto da parte di SAP per il prodotto SAP ECC (ERP Central Component).
Ma cosa sono HANA ed S/4HANA e che impatti ci sono con la security SAP?