SAP S/4HANA Cloud Security and Compliance: What Enterprises Need to Know

An Illinois-based mid-sized healthcare provider adopted a cloud ERP system, deployed it without incident, and passed its internal IT audit. Eight months later, an external review found that 47 users had been granted permissions they should never have had, including administrator-level access, and that three of those users had already left the organization. No one knew. Those accounts could still reach sensitive data such as customer invoices.

Stories like this are common, because an enterprise cloud ERP migration solves some problems while creating others. It happens in every industry: healthcare, financial services, manufacturing, and retail.

SAP S/4HANA Cloud ERP is a highly capable enterprise platform with strong built-in security. But a secure platform does not by itself keep your business safe, and that distinction is the one you need to understand.

What are the Biggest Security Risks in SAP S/4HANA Cloud Environments?

The risks are rarely exotic. They come from mundane problems that accumulate over time, usually during the transition to a new system, and only surface during an audit or a breach. Zero-days and external intrusions are a much smaller share of the problem.

Why do so many SAP Security Breaches come from inside the System?

Most SAP security issues originate with the organization's own people rather than with outside attackers.

It happens through a series of small, ordinary events. During an SAP S/4HANA migration, access roles are granted quickly to keep the project on schedule. Temporary permissions are issued and never revoked once they are no longer needed. An employee transfers to a new department and keeps the authorizations from the old one. A consultant finishes the engagement but remains in the system for another six months.

None of these scenarios involves any malicious acts. They simply represent the facts of a huge, complex project under pressure to deliver results. 

The problem is that SAP S/4HANA holds sensitive data across finance, purchasing, human resources, and supply chain management. A user with access to the accounts payable application who can also maintain vendor master data could create a fictitious vendor and approve payments to it. That combination of permissions is a Segregation of Duties (SoD) conflict.

What Does Data Residency Mean for Enterprises Running SAP on the Cloud?

Your data’s physical location makes a difference. 

SAP S/4HANA Cloud implementations run on hyperscaler infrastructure through SAP's partnerships with Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. These providers operate data center regions on several continents. But "cloud" does not guarantee that your data stays within the geographies you specified unless that is configured and contractually agreed.

If you operate under GDPR, sector-specific data protection laws, or national sovereignty requirements, three basic questions must be answered before implementation: Where is our data hosted? Who at SAP and/or the cloud provider can access it? What does our contract say about data protection and breach handling?

Your implementation partner's ability to answer these questions precisely matters a great deal.

How Do Enterprises Actually Maintain Compliance on SAP S/4HANA Cloud?

Compliance in SAP is not a one-off activity completed during the initial implementation to make sure everything works at go-live. It is a state that has to be maintained continuously, day to day.

What Built-In Security Controls Does SAP S/4HANA Cloud Actually Provide?

SAP S/4HANA Cloud has substantial security built in. You still need to know which controls work automatically and which must be enabled and configured, because that knowledge is what makes an honest conversation about compliance requirements possible.

Identity & Access Management: SAP ships with a role-based access control (RBAC) model and integrates with enterprise identity providers via SAML and OAuth. Two-factor authentication (2FA) is available but has to be enabled, and it should cover all users, including administrators. In practice, companies typically turn on 2FA for administrators at launch and postpone it for everyone else for a long time.

Audit Logs: SAP S/4HANA Cloud keeps detailed audit logs of who logged in, what they did, and when. They serve both internal audits and external ones. The logs exist; the problem is that most companies never look at them until an auditor asks for six months of activity.

Data Encryption: In the SAP S/4HANA Cloud environment your data is encrypted at rest and in transit by default. That is table stakes, not a differentiator. The real question is whether your key management satisfies your regulatory requirements.

Compliance Check Mechanisms: AI-assisted tooling in SAP S/4HANA Cloud can automatically detect potential SoD conflicts, flag anomalous access patterns, and identify configuration drift. These tools are only effective if someone acts on what they report, and in most companies nobody owns that job.

How Should Enterprises Prepare for a Compliance Audit on SAP S/4HANA Cloud?

Smooth audits are not the product of last-minute preparation. They require audit readiness to be a continuous state within the organization.

Here’s what needs to be done: 

1. Perform access reviews periodically: quarterly, or monthly for users with high-privilege access.

2. Review SAP access for anyone whose role changes or who leaves the organization within the same week the change happens.

Change logs need to be clean and current. Every system change should be logged, approved, and documented, because an audit can demand that history at any time. Reconstructing it from email threads or personal memory is risky.

Third-party access is a separate concern. Accounts held by external vendors and implementation partners are a recurring audit finding. Every external account should have an expiry date, a defined scope of access, and an internal sponsor.
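As an added illustration (not part of the article and not SAP's own tooling), here is a small Python access-review check over constructed role assignments. It flags the vendor-master plus accounts-payable SoD pair described earlier, accounts that HR no longer lists as active, and external accounts past their expiry. All user names, role names and dates are made up.

```python
from datetime import date

# Constructed sample data: which roles each SAP user holds, who HR still lists
# as active, and the agreed expiry date of each external (partner) account.
USER_ROLES = {
    "jdoe": {"AP_INVOICE_POST"},
    "msmith": {"AP_INVOICE_POST", "VENDOR_MASTER_MAINTAIN"},  # SoD conflict
    "ext_acme": {"BASIS_ADMIN"},                               # partner account
    "rleft": {"HR_PAYROLL_DISPLAY"},                           # already left
}
ACTIVE_IN_HR = {"jdoe", "msmith"}
EXTERNAL_EXPIRY = {"ext_acme": date(2024, 1, 31)}  # constructed expiry
REVIEW_DATE = date(2024, 3, 1)                     # constructed review date

# SoD rule set: pairs of roles one person must never hold together. The
# vendor-master plus AP pair is the scenario the article describes.
SOD_RULES = [
    ("VENDOR_MASTER_MAINTAIN", "AP_INVOICE_POST"),
    ("VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RELEASE"),
    ("AP_INVOICE_POST", "AP_PAYMENT_RELEASE"),
]


def sod_conflicts(user_roles, rules):
    """Return (user, role_a, role_b) for every violated SoD rule."""
    hits = []
    for user, roles in sorted(user_roles.items()):
        for a, b in rules:
            if a in roles and b in roles:
                hits.append((user, a, b))
    return hits


def orphaned_accounts(user_roles, active_in_hr, external):
    """Accounts that still hold roles but are neither active in HR nor a
    declared external account (e.g. leavers who were never offboarded)."""
    return sorted(u for u in user_roles if u not in active_in_hr and u not in external)


def expired_external(external, today):
    """External accounts whose agreed expiry date has passed."""
    return sorted(u for u, exp in external.items() if exp < today)


def access_review(user_roles, active_in_hr, external, today):
    return {
        "sod": sod_conflicts(user_roles, SOD_RULES),
        "orphaned": orphaned_accounts(user_roles, active_in_hr, external),
        "expired_external": expired_external(external, today),
    }
```

In a real review the inputs would come from an export of SAP role assignments and the HR system of record rather than from inline dictionaries.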

How you respond to a problem, whether a configuration mistake, unauthorized access, or a failed control, matters just as much. Regulators will look at how quickly you detected it, what you did about it, and whether your SAP S/4HANA support services are staffed well enough to handle it.

The 47-user access problem had nothing to do with hacking, and nothing to do with technology failing. It was purely a governance failure: nobody owned the ongoing hygiene of the system. SAP S/4HANA Cloud handles its share. The problems almost always lie in how you configure, govern, and operate the software after deployment. Get those three right and compliance follows.
