Xiting’s Cloud Security Services with focus on IAM
In this blog, we talk about Identity and Access Management (IAM) for SAP applications, with a strong focus on SAP's flagship solutions SAP Cloud Identity Services and SAP Cloud Identity Access Governance.
Let's start with SAP's cloud strategy and the new challenges that companies face in this ever-changing environment. We will also give a brief overview of the SAP cloud solutions involved in IAM and of our Xiting Cloud Security Services, in which we bundle all topics related to SAP IAM consulting for the hybrid SAP world.
Just a few years ago, typical SAP landscapes looked different than they do today. The speed of cloud adoption has increased in the last few years, with a noticeable impact on the SAP market. SAP landscapes nowadays have on-premises and cloud applications that coexist and evolve to complex and integrated hybrid architectures.
Almost every SAP organization now runs software or components in the cloud. While some are at the beginning of this transformation, others are already extending their SAP application landscape further into the cloud. Implementing additional business processes on SaaS applications has become an important item on many organizations' agenda this year. Meeting the requirements of this fast-changing cloud space usually means refactoring existing on-premises security models and concepts, which no longer apply as they are.
Drivers for cloud adoption
SAP's cloud-first strategy is geared towards SaaS applications. SAP set the course for this cloud transition roughly a decade ago with the acquisitions of SuccessFactors, Ariba, and Concur. On the platform side, the SAP HANA Cloud Platform was rebranded SAP Cloud Platform (SCP) and, since 2021, is called the SAP Business Technology Platform (SAP BTP).
SAP develops new software on the SAP Business Technology Platform, and its ambitious sales targets for software-as-a-service (SaaS) underline the importance of this cloud transformation strategy. Further development of SAP NetWeaver products is limited to bug fixing and tools that support the transition towards the cloud.
Support for the SAP core systems as they exist today will be discontinued in a few years; a migration of the database to HANA and the move to S/4HANA are inevitable. In short, SAP customers need to move to the cloud because new features and products will only be made available there. This brings many advantages, but also new cloud-specific challenges that need to be addressed.
The pandemic is another driver for the cloud in general. COVID-19 has had a big impact not only on everyday life but also on organizations: where existing business models stopped working, they had to be shifted to the digital world and onto the cloud to keep the business running. It is important to understand how cloud applications can support or improve business processes. Companies need to develop a cloud concept and decide which processes should benefit from the advantages of the cloud.
When introducing an enterprise resource planning system such as SAP S/4HANA in a cloud edition, or other SAP SaaS solutions that integrate with existing systems such as HCM, CRM, or data-analysis solutions, a holistic security concept is required. It must cover multiple aspects while staying in harmony with the overall IT security policies and guidelines. Identity and Access Management (IAM) is one important capability shared by all these applications and should be handled centrally: a simple and straightforward way to manage users in the company's business applications, regardless of where they are operated.
Specifications and requirements derived from such a concept should result in a clear strategy. One of the essential topics in this context is a proper approach to compliant user authentication, identity lifecycle, and authorizations in the cloud, more precisely in the SAP cloud.
Moving to the cloud
The cloud offers clear advantages in terms of agility, flexibility, and scalability, and the security concept behind it deserves mention: security by default is part of the overall concept. Compared to on-premises environments, PaaS and SaaS largely eliminate the customer's effort for security patches and updates, a task that has been neglected in many SAP landscapes for as long as they have existed. Note that this only moves the platform layer to the provider; the configuration of trust relationships, identity federation, and authorization assignments remains the customer's responsibility.
An increasing number of business applications and processes are being replaced with multi-tenant, subscription-based SaaS solutions. As a result, integration with the existing infrastructure and with applications from the SAP cloud portfolio is required. One example is the introduction of SuccessFactors to replace the traditional SAP HCM; a platform is then needed to serve as a data hub ensuring integration with on-premises and other SaaS solutions.
In summary, the combination of PaaS and SaaS provides all the tools SAP has traditionally sold. The new cloud tools allow customization and bring new development models, extension, and integration capabilities, but also new security challenges to solve.
The SAP cloud space is constantly evolving and is always on the move, as literally every week new features or updates are made available, and sometimes new issues as well.
New technology, different mindset
What skills will an SAP Basis administrator of the future need to have? Here are a few points:
- Understands the SAP cloud and important new technology standards
- Is familiar with the SAP BTP and the Cloud Connector and thus has a good overview of SAP's SaaS and PaaS offerings
- Understands the central role of the SAP Cloud Identity Services
- Supports onboarding of new SaaS solutions from SAP and ensures proper processes around identity and access management.
- Works together with other business units to comply with specifications and requirements defined in the corporate IT-security strategy.
- Has a basic understanding of identity management tasks and of the standards for authentication and authorization, such as SAML 2.0, OAuth 2.0, and SCIM.
… sounds like a new job profile, right? It is.
In the traditional on-premises world, the architecture of the established systems and the underlying technology are usually well known, as are the common standards behind them and the existing business processes. On the cloud side, the picture is very different: the technology and standards used for authentication and authorization, the interfaces, the processes, and the development tools all differ, and so does the way these cloud applications are configured and integrated.
It becomes clear that the move to the cloud means rethinking and engaging with new technology. The silo thinking of the past is crumbling, cooperation with other areas of corporate IT is inevitable, and integration with existing infrastructure components calls for a lot of coordination.
The operation of SAP cloud-based systems and applications goes hand in hand with new challenges and complexity. On the other hand, the time required for test and deployment of applications is drastically reduced which in turn increases agility.
A different skill set is needed from the modern SAP administrator. Establishing new positions and cloud strategies is an ongoing process that we currently see at various SAP organizations.
SAP Cloud solutions for IAM
Depending on an organization's size and legal requirements, different SAP cloud solutions are available ready to use.
The SAP Cloud Identity Authentication Service (IAS) is SAP's standard service for authenticating business users in the cloud and serves as their user store, as part of the intelligent enterprise strategy.
SAP Cloud Identity Provisioning Service (IPS) is a cloud service built on the SCIM standard. IPS automates user lifecycle processes via the standardized SCIM APIs that are available in most SAP SaaS applications. It comes bundled with many SAP SaaS solutions and supports policy-based assignments, mapping and filtering, a flexible JSON transformation framework, job logs and notifications, and a range of source and target systems, including existing on-premises and cloud user stores.
IAS and IPS together form the SAP Cloud Identity Services. They are delivered preconfigured with all major SAP cloud solutions and serve as the standard authority through which SAP business users access the cloud landscape. Both services can typically be used at no additional cost in SAP hybrid landscapes.
Both run on the same technology stack and are the core services for authentication and user provisioning in the SAP Business Technology Platform. In this scenario IAS is the central user store and acts as the source system, from which IPS performs SCIM-based automated user provisioning and distributes authorization roles/groups to the connected SAP SaaS applications.
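To make the IPS-style flow concrete, the following is an added example (not code from SAP or from IPS, whose transformation syntax differs) of what a SCIM-based provisioning job does between a source user store and a target SaaS application: filter the source population by an assignment policy, map the attributes to the target's expectations, and compute create, update and deactivate operations. The SCIM resources use the core User schema from RFC 7643; the sample users, the `finance` scope and the `to_target` mapping are constructed for the example, and a real job would fetch and push these resources over HTTPS instead of using in-memory lists.

```python
"""SCIM 2.0 user reconciliation (added example, not SAP IPS code).

Source and target are in-memory lists of SCIM User resources (RFC 7643 core
schema). The reconcile step mimics a provisioning job: filter the source
population, map attributes to the target schema, then derive the operations
the target's SCIM endpoint would receive. Users are deactivated, never
deleted, so audit history and SoD analysis keep working.
"""

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"


def scim_user(uid, user_name, active, given, family, email, groups):
    """Build a minimal SCIM User resource (helper for the constructed samples)."""
    return {
        "schemas": [SCIM_USER], "id": uid, "userName": user_name, "active": active,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "groups": [{"value": g} for g in groups],
    }


# Constructed sample of what the source system (e.g. IAS) returns.
SOURCE_USERS = [
    scim_user("s-1", "jdoe", True, "Jane", "Doe", "jane.doe@example.com", ["finance"]),
    scim_user("s-2", "bob", True, "Bob", "Roe", "bob.roe@example.com", ["hr"]),
    scim_user("s-3", "mleft", False, "Max", "Left", "max.left@example.com", ["finance"]),
]

# Constructed sample of what the target SaaS application currently holds.
TARGET_USERS = [
    scim_user("t-9", "jdoe", True, "Jane", "Doe", "old.address@example.com", ["finance"]),
    scim_user("t-10", "mleft", True, "Max", "Left", "max.left@example.com", ["finance"]),
    scim_user("t-11", "zold", True, "Zed", "Old", "zed.old@example.com", ["hr"]),
]

IN_SCOPE_GROUPS = {"finance"}  # hypothetical assignment policy for this target


def in_scope(user):
    """Policy filter: only members of in-scope groups are provisioned to this target."""
    return any(g["value"] in IN_SCOPE_GROUPS for g in user.get("groups", []))


def primary_email(user):
    """Return the primary e-mail address, or None if the user has none."""
    for entry in user.get("emails", []):
        if entry.get("primary"):
            return entry["value"]
    return None


def to_target(user):
    """Attribute mapping to the target schema; the target keys users on userName."""
    return {
        "schemas": [SCIM_USER],
        "userName": user["userName"].lower(),
        "active": bool(user.get("active", False)),
        "name": {"givenName": user["name"]["givenName"],
                 "familyName": user["name"]["familyName"]},
        "emails": [{"value": primary_email(user), "primary": True}],
        "groups": [{"value": g["value"]} for g in user.get("groups", [])
                   if g["value"] in IN_SCOPE_GROUPS],
    }


def reconcile(source, target):
    """Return a list of (operation, userName, payload) tuples for the target."""
    ops = []
    desired = {u["userName"].lower(): to_target(u) for u in source if in_scope(u)}
    existing = {u["userName"].lower(): u for u in target}
    for name, want in desired.items():
        have = existing.get(name)
        if have is None:
            if want["active"]:  # never create a user that is already disabled at the source
                ops.append(("create", name, want))
            continue
        if not want["active"]:
            if have.get("active", False):
                ops.append(("deactivate", name, {"active": False}))
            continue
        changed = {k: v for k, v in want.items() if k != "schemas" and have.get(k) != v}
        if changed:
            ops.append(("update", name, changed))
    # Users in the target that the source no longer puts in scope are disabled, not deleted.
    for name, have in existing.items():
        if name not in desired and have.get("active", False):
            ops.append(("deactivate", name, {"active": False}))
    return ops


if __name__ == "__main__":
    for op in reconcile(SOURCE_USERS, TARGET_USERS):
        print(op)
```

Running the block yields an update for `jdoe` (only the changed e-mail is sent, as a SCIM PATCH would), a deactivation for `mleft`, who is disabled at the source, and a deactivation for `zold`, who exists in the target but is no longer covered by the assignment policy; `bob` is ignored because the policy filter excludes the `hr` group. The same three decisions are what a job log in a provisioning service should let you verify.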
SAP Cloud Identity Access Governance (IAG) adds enterprise capabilities and premium functionality on top, such as segregation of duties (SoD) analysis, workflows, business role management, and privileged access management. Strategically, IAG is meant to enrich the Cloud Identity Services. As of now, some SAP SaaS applications support user and role management and provisioning only via IAG.
Covering the whole topic of Identity and Access Management (IAM) along SAP's recommendations therefore means dealing with these three SAP security cloud services.
Xiting Cloud Security Services (XCSS) – A short overview
With our cloud security services, we aim to support our customers in this transformative time. Choosing the right strategy for managing identities and authentication processes is one of the first things a business needs to do when it runs its SAP applications in the cloud. Here customers face the same issue they know from on-premises: they do not want yet another user ID with a separate set of credentials for each application.
But there is more than authentication. Depending on the customer's requirements, we take a holistic view and cover all areas of SAP IAM in a hybrid landscape: identity management and the user ID lifecycle, secure authentication, and compliance management around access risks, authorizations, and roles. At the end of the day, all SAP organizations face the same major challenges with on-premises and cloud-based applications:
1. User provisioning and compliant identity management – How do users get into the cloud application and how to do that in an automated and secure way supported by workflows? How to manage the lifecycle of your users centrally and automatically? How to integrate with existing IDM systems or user stores?
2. User authorization and access governance – How are the users correctly authorized while taking compliance requirements into account? How to extensively manage access governance in hybrid landscapes?
3. User authentication and single sign-on – How to cover this very important aspect securely? How to implement risk-based authentication and MFA? How to integrate existing identity providers for identity federation? How to provide a seamless SSO experience?
One of the most important tasks is an effective approach to provisioning and maintaining user access efficiently across the entire hybrid landscape. A higher degree of automation reduces the effort for security administration, for the user lifecycle, and for the assignment of the related authorizations. Authentication should be handled centrally. User and role provisioning and the definition and management of business roles are managed centrally by an IDM tool or by SAP IAG; the latter also allows avoiding access risks in such hybrid SAP landscapes. Integration with the cloud solutions allows workflow-based assignment of the required roles or role collection mappings.
Our consulting approach is based on SAP's strategic direction combined with up-to-date best practices. In every cloud project we learn new things and extend our experience. With our proven approaches, we see ourselves as trusted advisors supporting our customers in carrying their IAM requirements over to the cloud. Our many years of experience in SAP GRC, SAP IDM, and SAP SSO, and the numerous successful implementations we have carried out, serve as the basis for our consultants.
In many cases we get involved once the cloud applications are available and the basics have been configured. Now our customers want to provide their users with the applications or integrate them with their IDM and existing lifecycle processes. Mostly they want to introduce user and group provisioning, in some cases workflow-based. Integrating with other IDM solutions on the market also comes up more and more often in this context.
The overall security implementation related to an SAP hybrid identity and access management (IAM) typically spans across different systems, the SAP Business Technology Platform and various SaaS applications, and on-premises SAP systems. This goes along with existing user stores, SAML identity providers, and identity management systems that need to be integrated.
In summary, our Xiting Cloud Security Services offering brings together experts in the three areas of identity management, compliance and access governance, and authentication with SSO. With our proven workshop methodology and holistic approach, our motivation is to find the best solution for each customer, based on their specific environment and requirements.
We wish all of our customers and business partners a successful and, above all, healthy New Year 2022!