In this white paper, we will examine some of the key topics that ERP enterprise Information Security leaders should consider when setting up the security and controls for their SAP BTP Cloud integration with S/4 HANA and cloud applications.

Based on my S/4 HANA and Cloud experience, my goal is to provide key security design aspects and process insights within SAP Business Technology Platform (BTP) Cloud and “Best practices“ to keep in mind from Security, Compliance and Controls perspective w.r.t SAP S/4 HANA and Cloud.

Key Sections –

• Overview – SAP BTP Cockpit – Cloud Foundry
• Security Strategy & key integration requirements
• SAP Cloud Environment Model 
• SAP BTP Cockpit Management Console
• 3^rd Party Cloud application (to be integrated)
• Governance & Compliance Model
• Security & Controls Model – Best Practices
• Cloud BTP Cockpit & Identity Authentication Services (IAS) – Controls Framework
• End To End Integration process Flow
• Conclusion

Overview – SAP BTP Cockpit

Commonly known as SAP Business Technology Platform – BTP. (Source – BTP – SAP Help) and provides hosting capabilities for web-based user interface to manage the various cloud applications. It is also said as “central point” of entry to the cloud platform, where one can create and access your accounts, sub-accounts, applications and manage all activities associated with them.

Image 1 – Architecture and Users overview – SAP BTP Cockpit 

Strategy & Key Integration Requirements

In similarity with any particular ERP solution, for SAP Cloud Foundry (aka BTP Cockpit) below listed are some of the key things to be considered –

To assess and baseline an optimal strategy for developing these integrations, one should leverage the security design keeping the below 3 categorizations

1. Governance Model
2. Cloud Connector Model
3. Security & Authorization Model

Image 2 – Approach & Integration Model Diagram 

SAP Cloud Environment Model

Few key pointers – will help understand the difference between SAP Cloud Foundry (versus) Neo

Recommended based on the use case data and my implementation experience, will be – SAP Cloud Foundry. Key elements are –

1. Cloud Connector – Identity Authentication Services (IAS)
2. BTP Cockpit Connector

Image 3 – Difference between SAP – Cloud Foundry and Neo 

SAP BTP Cockpit Management Console

If you want to create a trial account, below is the link for reference:

https://cockpit.hanatrial.ondemand.com/trial/#/home/trial

(Note – You will need an active SAP S* user id or your SAP linked account profile for the below)

Image 4 – SAP BTP Console (Real Time-View) 

Once you are inside the SAP BTP Cockpit (Console), in order to further navigate and access key elements, you need to browse under –

Go To Your Trial Account

In order to have the above network flow diagram established, one will need to do the following:

1. Start from the (root) account – Global Account
2. Default (trial) version will be provided by SAP
3. Create Sub-Accounts (as needed)
4. Create Directory
5. Within Directory – create sub-accounts

The advantage of having “Directories” is to manage and structure your “so called systems” accordingly and segregate between Development, Quality and Production landscape.

Image 5 – Account, Sub-Account & Directories (Real Time-View)  

Integration of (Cloud application)

Depending on whether you would like to integrate 3rd party cloud application or SAP cloud application, define the strategy that is best suited for your business need. Here, I will be taking an example of external cloud application –

Trading Platform is an external cloud application that interacts through SAP BTP Cockpit (Cloud Foundry) with SAP S/4 HANA – Treasury management module as the backend.

• Platform users will access via SAP BTP – Cloud Cockpit (Cloud Foundry and Cloud Connector)
• Business users will login through the backend (SAP S/4 HANA system)

Governance & Compliance Model

Define goals and understand the key essential elements pertaining to business requirements between On-Premise versus Cloud applications and lay out strategy that will be cost and operational effective.

Image 6 – Key Attributes – Governance, Risk & Compliance Model 

Security & Controls Model – Best Practices

Listed below are key elements that one can consider to fulfil the best practice criteria –

1. A secured, efficient design framework – S/4 HANA v2020 (On-Premise) and Cloud Foundry
2. Leverages Identity Authentication mechanism
3. Security Access controls perspective
4. Integrate Fiori apps (TPI cloud) with S/4 HANA
5. Segregation Of Duties (SOD)
6. Risk & Controls framework
7. Centralized User management
8. Security Event Monitoring and Logging
9. Operational effectiveness – process improvements, consider delegations and remediate gaps
10. Controls Automation

Image 7 – Security and Controls Process Model (Best Practices) 

 Cloud Cockpit & IAS – Risk & Controls Framework

Listed below are key controls to be considered while deploying risk & controls framework for –

1. Cloud Foundry – SAP BTP Cockpit
2. S/4 HANA application
3. 3rd party (cloud application)

Image 8 – RC Framework 

Process working – Real Time Scenario 

Complete working picture after the various integration scenarios considered in the above section –

Image 9 – Technical aspects of the process integration 

Conclusion

As a recap, before I conclude this blog would like to summarize the key factors that one needs to be keep in mind while implementing this scenario:

• Keep in mind key Security and access controls and how they can be applied to your scenario
• Baseline the various governance and risk controls frameworks (incorporates business reqs)
• Cloud environment – that will work best per your structure
• On Cloud and On Premise applications
• Boundary & Trusted (Systems, applications) to be integrated
• Risk & Controls framework – (Both, cloud and on-premise)
• Aim towards secured and SOD risk free role
• Have a monitoring and logging tool in place – alerting, auditing logs & reporting

Please do provide your feedback and inputs in “Comments” section below. And, encourage you to follow my profile for any help related to the content. And, do share this blog if you feel it will help other fellow practitioners.

Key Tutorial Links

To help you get started, listing below SAP provided tutorials to help get familiarized and deep-dive with the various components of BTP Cockpit, Cloud Foundry, and ABAP, S/4 HANA elements from integration point of view:

Get Started with SAP Business Technology Platform SAP HANA Service

Develop Your First SAPUI5 Web App on Cloud Foundry

Connect to SAP S/4HANA Cloud with SAP BTP, ABAP Environment

Extend SAP S/4HANA Cloud on SAP BTP, Cloud Foundry Environment

Extend SAP SuccessFactors on SAP BTP, Cloud Foundry Environment