In recent years, many enterprises and businesses have considered migrating applications and systems to the cloud to take advantage of the benefits offered by cloud providers.
As with every coin, the cloud has another side: the many benefits of cloud hosting also come with challenges. One of the primary concerns is not knowing how secure the applications and data will be in the cloud. Security architects design layers of security controls to protect the applications and data in the cloud. However, the million-dollar question remains: how do cloud architects make sure these controls are working as expected? How can security professionals find out if someone is trying to break through these layers of security?
The answer is in logs.
What Can Logs Do For You?
Logging, and the usefulness of it, is underappreciated. Logs are generally defined as “timestamped history of events or changes, generated automatically, about the applications or systems.” They are generated as a byproduct of using an application or system, and provide a wealth of information–from system performance to threat detection–at no additional cost to the organization.
Logs in SAP S/4HANA
In SAP S/4HANA, various events, such as failed login attempts and access to particular data, are recorded as logs. Access to these logs within SAP S/4HANA is restricted and governed by roles: permissions are associated with roles, and users need to have the right role to view the log data. Roles are specific to the function, task, or activity a user is supposed to perform.
Logs in SAP S/4HANA Cloud
In SAP S/4HANA Cloud, customers use the application hosted on SAP’s environment. The customer manages access to the application and data, application compliance, application configuration, and application logs, while SAP manages infrastructure, upkeep of the application, and almost everything else. Because of the shared responsibilities between customers and SAP, customers of SAP S/4HANA Cloud have access to application and access management-related logs, such as security audit logs, read access logs, authorization trace logs, change document logs, user change logs, and SAP Support user request logs.
Read access logs, authorization trace logs, and SAP Support user request logs are primarily used for tracking access management. Depending on the scope of the application and the features installed for SAP S/4HANA, other logs may be available to customers in a public cloud deployment. Otherwise, SAP manages all other logs.
Logs in On-Premise SAP S/4HANA
In the on-premise deployment model of SAP S/4HANA, the customer owns everything from the data center and infrastructure to the application. It is the customer’s responsibility to maintain the infrastructure, along with updating and patching the OS, middleware, and application. In this type of deployment, the customer has the most responsibility, specifically over logging, monitoring, incident response, and security in general. In other words, customers play a major role in the on-premise deployment model.
As for logging in on-premise SAP S/4HANA, customers are responsible for collecting, analyzing, processing, retaining, archiving, and deleting the logs as per the requirements specified by government laws, industry regulations, customers, or internal standards.
Managing and analyzing all these logs can be a daunting task for any security or operations group. To make this task manageable and effective, users are strongly encouraged to collect and analyze logs using a Security Information and Event Management (SIEM) system or other sophisticated tools.
System logs, SAP Web Dispatcher logs, ICM logs, security logs, HTTP access logs, gateway logs, business transaction logs, application-specific change logs, change document logs, user change logs, security audit logs, and read access logs are primarily useful for securing on-premise SAP S/4HANA.
Data Protection & Compliance in SAP S/4HANA
Integrating SAP S/4HANA with tools like user interface (UI) data protection logging, SAP Enterprise Threat Detection, and SAP Data Custodian can improve security and compliance.
UI data protection logging not only helps with insider threats but also plays a vital role in overall security and compliance of the data. Many industry regulations require that access to certain sensitive data is logged every time, or that forensic analysis be conducted to recreate the access timeline for certain data. UI data protection logging can provide this level of compliance and security very easily.
On the other hand, SAP Enterprise Threat Detection not only enhances the security of SAP applications, but is also a great tool for compliance and auditing SAP applications. Logging and analyzing transactional data such as business transaction logs gives valuable insight into whether the application is compliant or, if not, what is lacking. SAP Enterprise Threat Detection is available as an additional service for on-premise deployment as well as for the public and private cloud.
The Transparency and Control Service within SAP Data Custodian, as its name indicates, provides transparency at the infrastructure level in the cloud. SAP S/4HANA primarily integrates with SAP Data Custodian to improve compliance with little or no manual effort.
Logs are instrumental for audits and for maintaining compliance. Almost all major compliance standards include logging as a core requirement in one way or another. For example, requirement #10 of PCI-DSS (Payment Card Industry-Data Security Standard), “track and monitor all access to network resources and cardholder data,” specifically calls for tracking and monitoring logs. The Health Insurance Portability and Accountability Act (HIPAA) specifies the need to track and review information system activities, in the form of audit logs, activity reports, etc., to protect health information. National Institute of Standards & Technology (NIST) Special Publication 800-53 also describes the requirements of the complete log management lifecycle: collection, analysis, protection, and destruction.
According to the Open Web Application Security Project (OWASP), a lack of effective logging and monitoring is itself a vulnerability. Security logging and monitoring failures are listed ninth on OWASP’s top 10 list of 2021 (https://owasp.org/Top10/). In the 2017 version of this list, this vulnerability was listed at number ten as insufficient logging and monitoring. The fact that logging and monitoring made it onto the list and moved up in the ranking shows the importance of logging and monitoring in security.