
Security with SAP S/4HANA Cloud, Public Edition

| Patrick Boch |

Security S/4HANA


Episode #266

Introduction

In episode 266 of our SAP on Azure video podcast we talk about security with SAP S/4HANA Cloud, Public Edition.

Today we continue our story about SAP and Microsoft security. So far we focused on RISE and on-prem SAP environments. But what about the SAP S/4HANA Cloud, Public Edition? Today we switch the focus to Public Cloud and I am really happy to have Martin Pankraz and Patrick Boch from SAP with us here.

Find all the links mentioned here: https://www.saponazurepodcast.de/episode266


#Microsoft #SAP #Azure #SAPonAzure #Security #S4HANA

Summary created by AI

  • SAP S/4HANA Cloud Public Edition Security Monitoring Integration:
  • Patrick Boch from SAP, Martin Pankraz from Microsoft, Holger, and Goran discussed the integration of SAP S/4HANA Cloud Public Edition security monitoring with Microsoft Sentinel, focusing on the shared responsibility model, available APIs, and how customers can leverage these integrations for enhanced security visibility and compliance.
    • Shared Responsibility Model: Patrick explained that in SAP S/4HANA Cloud Public Edition, security responsibilities are divided: SAP manages infrastructure, network, and database security, while customers are responsible for application and business process security. This model is consistent across public and private cloud deployments.
    • Security Monitoring APIs: Patrick described the security-related APIs provided by SAP, which allow customers to access event logs, configuration monitoring, and user management data. These APIs enable integration with SIEM, SSPM, and CASB solutions, supporting dynamic event-driven monitoring and static configuration checks.
    • Transparency and Compliance: Holger and Martin emphasized that exposing these APIs increases transparency for customers, allowing them to verify security measures and meet audit and compliance requirements. Martin noted that industry standards often require demonstrable integration and data retention for security teams.
    • Customer Demand and Native Connector: Martin highlighted that customer demand drove the development of a native connector for SAP S/4HANA Cloud Public Edition, enabling plug-and-play integration with Microsoft Sentinel for streamlined security log ingestion and monitoring.
  • Microsoft Sentinel Integration and Security Operations:
  • Martin Pankraz demonstrated how SAP S/4HANA Cloud Public Edition security logs are ingested into Microsoft Sentinel, detailing the configuration steps, incident detection, and the use of Sentinel’s analytics and automation capabilities for security operations.
    • Connector Setup and Configuration: Martin walked through the process of configuring the SAP S/4HANA Cloud Public Edition connector in Microsoft Sentinel, which involves setting up a communication arrangement in SAP, providing the API URL, and entering authentication details. The integration supports basic authentication and is designed for ease of deployment.
    • Incident Detection and Analysis: Martin showed how Sentinel detects incidents such as multiple failed logins, which may indicate password spray or brute-force attacks. The system aggregates failed attempts per user and provides detailed logs for further investigation.
    • Custom Reporting and Analytics: Goran and Martin discussed the ability to create custom reports and queries in Sentinel, leveraging built-in detection rules and extending them for SAP S/4HANA Cloud Public Edition. This enables security teams to correlate SAP events with other enterprise signals.
    • Availability and Deployment Status: Martin confirmed that the connector is publicly available for customers to deploy, having passed through a private preview phase. Patrick added that all relevant SAP APIs are generally available, and the solution is ready for production use.
  • Security Incident Response and Automation:
  • The team discussed advanced incident response scenarios, including automated user blocking, blast radius analysis, and the use of Microsoft’s security suite to orchestrate containment actions across SAP and Microsoft environments.
    • Automated User Blocking: Martin explained that, using SAP’s user management API and Microsoft Sentinel playbooks, security teams can automatically disable or block compromised users in SAP S/4HANA Cloud Public Edition as part of incident response workflows.
    • Blast Radius Analysis: Martin demonstrated Sentinel’s blast radius feature, which helps SOC analysts assess the potential impact of a compromised node by visualizing downstream assets and permissions, such as managed identities, key vaults, and storage accounts.
    • Cross-Platform Incident Correlation: The discussion covered how Sentinel correlates SAP security events with signals from Microsoft 365, Entra ID, and other platforms, enabling comprehensive attack path analysis and coordinated response actions.
    • Security Copilot and AI Integration: Martin mentioned that security vendors can leverage Microsoft’s MCP APIs and Security Copilot agents to reason over SAP S/4HANA Cloud Public Edition data, opening possibilities for further AI-driven integration and automation.
  • Technical Parity and Differences Between Public and Private Cloud:
  • Patrick clarified that while the security audit log is technically identical in SAP S/4HANA Cloud Public and Private Editions, not all events are exposed in the public cloud due to the shared responsibility model, with only customer-relevant events made available.
    • Event Exposure Differences: Patrick stated that some security audit log events are withheld in the public cloud because they pertain to SAP’s operational responsibilities, ensuring customers only receive events relevant to their application and business process monitoring.
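
The failed-login aggregation described under "Incident Detection and Analysis", sketched as an added example: it is not code from the episode, SAP or Microsoft Sentinel. The event fields (`ts`, `user`, `source`, `outcome`), the thresholds and the sample events are constructed assumptions, and the per-source check for password spray goes beyond the per-user aggregation the summary mentions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 1, 1, 9, 0)

def _ev(minute, user, source, outcome="failure"):
    # Constructed event shape; not the schema of the SAP security audit log API.
    return {"ts": T0 + timedelta(minutes=minute), "user": user,
            "source": source, "outcome": outcome}

# Constructed sample events (documentation-range IP addresses).
EVENTS = (
    [_ev(m, "JDOE", "203.0.113.10") for m in range(6)]  # one user, 6 failures
    + [_ev(20 + i, u, "198.51.100.7")                   # one source, 4 users
       for i, u in enumerate(["ALICE", "BOB", "CAROL", "DAVE"])]
    + [_ev(0, "ERIN", "192.0.2.5"), _ev(45, "ERIN", "192.0.2.5"),
       _ev(46, "ERIN", "192.0.2.5", "success")]         # ordinary mistyped password
)

def classify_failed_logons(events, window=timedelta(minutes=10),
                           per_user=5, spray_users=4):
    """Return (brute_force_users, spray_sources) as two sets."""
    failures = sorted((e for e in events if e["outcome"] == "failure"),
                      key=lambda e: e["ts"])
    by_user, by_source = defaultdict(list), defaultdict(list)
    for e in failures:
        by_user[e["user"]].append(e["ts"])
        by_source[e["source"]].append((e["ts"], e["user"]))

    brute = set()
    for user, stamps in by_user.items():
        # Brute force: per_user failures for one account inside the window.
        for i in range(len(stamps) - per_user + 1):
            if stamps[i + per_user - 1] - stamps[i] <= window:
                brute.add(user)
                break

    spray = set()
    for source, hits in by_source.items():
        # Password spray: one origin failing against many distinct accounts.
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= spray_users:
                spray.add(source)
                break
    return brute, spray

if __name__ == "__main__":
    print(classify_failed_logons(EVENTS))
```
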