How to securely deploy SAP S/4HANA on AWS

Did you know that a cyberattack can cause more damage than a natural disaster? Faced with the escalation of security attacks, we used a webinar to address the keys to implementing SAP S/4HANA securely on Amazon Web Services (AWS), aimed at companies that are driving their digital transformation and have chosen to take their SAP systems to the public cloud platform.

The security of systems, data and applications is a concern shared by companies around the world, and is already a priority for senior management, which is not surprising because cyber incidents have increased in the last year and a security breach can cause serious damage to the business. Moreover, a cyberattack that paralyses the activity of a provider serving hundreds of customers in critical fields could generate more losses than a natural disaster, according to the study ‘The Economic Cost of Cyberrisk’, conducted by the Foundation for Defense of Democracies (FDD) and the insurance group Intangic. Their analysis suggests that, in the first case, the economic damage would be almost 80 billion dollars, while that caused by Hurricane Sandy in 2012 was 65 billion.

Because of data like this, and given the certainty that this issue is vital for all organisations, we focused one of our sessions (link in Spanish) at the Thematic Day that AUSAPE (the Association of SAP Users Spain) dedicated to SAP S/4HANA on how to securely deploy this solution on AWS.

In his speech, Mario de Felipe, Director of Business Development, stressed that hyperscale platforms, a space led by AWS, have worked to ensure a secure environment for each system and application. Similarly, leading IT providers have entered the cloud world. A good example of this is the strategy that SAP has launched, Rise with SAP, which enables it to address digital transformation as a service to achieve what the company calls ‘Intelligent Enterprise’.

As our expert explained, both SAP and AWS have the resources and tools in place to provide the levels of security that keep workloads safe, while ensuring performance and agility in processes.

For SAP users, the cloud platform offers a number of services divided into different domains that help make SAP systems more secure in a public cloud environment. Following SAP best practices, these are Identity, Discovery Controls, Infrastructure Protection, Data Protection, Incident Response and SAP Application Protection.

On the one hand, Amazon provides a number of services that integrate seamlessly with SAP infrastructures and allow you to define, enforce and audit permissions on AWS services and resources. These include AWS Identity and Access Management, for identity and access control; AWS Organizations, for policy-based management of multiple accounts on AWS; AWS Cognito, for authentication, authorisation and user management for your applications; AWS Secrets Manager, to easily rotate, manage and retrieve database credentials, API keys and other sensitive data throughout their lifecycle; AWS Single Sign-On, to centrally manage access to multiple AWS accounts; and AWS Control Tower, an orchestration service that combines and integrates the capabilities of other platform services and facilitates the configuration and governance of a multi-account AWS environment.

On the other hand, there are services that provide the visibility needed to detect problems before they impact the business, improve the security posture and reduce the risk profile of the SAP environment.

These include AWS CloudTrail, a service that enables you to perform governance, compliance, operational and risk audits on your AWS account; AWS Config, which constantly monitors and logs AWS resource configurations and automates the evaluation of logged configurations against desired configurations; AWS CloudWatch, which provides actionable data and information to monitor your applications, respond to system-wide performance changes, optimise resource usage and achieve a unified view of the state of operations; AWS GuardDuty, which facilitates intelligent threat detection; and Amazon Virtual Private Cloud (VPC) Flow Logs, a feature that captures information about IP traffic entering and exiting network interfaces in the VPC and stores the log data in Amazon CloudWatch Logs.

For Mario de Felipe, the area of infrastructure security is “one of the most complex, it’s the one where there is probably the most information and the one that has the least to do with the SAP environment”. When an SAP user company entrusts its systems to the AWS cloud, a secure environment must be created, using the platform’s protection resources to prevent external attacks.

The responsibility for the SAP security layer in any cloud rests with the customer and, therefore, its IT team is responsible for shielding access to the environment, both at the network and VPC level, as well as access to the application and operating system. Services such as AWS Systems Manager, AWS Shield, AWS WAF (Web Application Firewall), AWS Firewall Manager, Amazon Inspector and Amazon VPC help in this area.

With regard to SAP’s integration into AWS, the specialist focused on the closely related levels of data protection and application protection. Data protection applies both to data in transfer and to the data that is generated, and to make these processes secure, AWS has various tools for generating SSL certificates that integrate with SAP. In addition, you can integrate the SAP system with tools such as Amazon Macie using SAP Enterprise Threat Detection and, at the same time, communicate with SIEM solutions, such as Splunk. It is this combination that allows companies to identify and understand where the breach has occurred within the SAP system in order to respond to incidents.

Follow this link to download the webinar we organised with SAP and AWS on how to secure your SAP data in the AWS cloud.