Best Practice 8.2 – Encrypt data in transit - SAP Lens

Best Practice 8.2 – Encrypt data in transit

Encrypting data in transit makes it harder for data to be intercepted, read, or tampered with while it moves between systems. Ensure that secure protocols and network-level encryption are in place to reduce that exposure and to provide the level of protection your requirements call for.

Well-Architected Framework [Security]: Protecting Data in Transit

Suggestion 8.2.1 – Encrypt application traffic based on SAP and database protocols

For application traffic using SAP protocols (SAP GUI dialog, RFC, and CPIC), use SAP Secure Network Communications (SNC) to protect the connection. SNC is not TLS: it secures these connections at the application layer through a GSS-API security library (for example, SAP CommonCryptoLib), so the profile must set the data protection level to privacy (encryption), not only authentication or integrity, and must not accept insecure connections alongside the SNC-protected ones.

For database traffic, use an encrypted connection between the SAP application server and the database where the database supports it. Vendor-specific guidance:

Database – Guidance
SAP HANA – SAP Documentation: SAP HANA: Securing Data Communication
SAP ASE – SAP Documentation: SSL in SAP ASE
IBM Db2 – SAP Note: 2385640 - DB6: database connection using SSL encryption [Requires SAP Portal Access]
Oracle – SAP Note: 973450 - Oracle Database network encryption and data integrity [Requires SAP Portal Access]
Microsoft SQL Server – SAP Note: 1570930 - SQL Server network encryption with SAP [Requires SAP Portal Access]
SAP MaxDB – SAP Documentation: MaxDB Network and Communication

Suggestion 8.2.2 – Encrypt SAP application traffic based on internet protocols

For application traffic based on internet protocols (HTTP, P4 (RMI), LDAP), use TLS (HTTPS, P4 over TLS, LDAPS) instead of the plain protocol. SSL versions are obsolete: configure servers for TLS 1.2 or later and disable older versions where your clients allow it. In AS ABAP, the ICM listeners are defined by the icm/server_port_<n> profile parameters, so a PROT=HTTP listener on an application server is unencrypted traffic that a review should flag.
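As an added example that is not part of the SAP Lens or of any SAP tool, the following Python script audits an instance profile for the settings Suggestions 8.2.1 and 8.2.2 call for: SNC enabled at the privacy (encryption) level with no insecure SAP GUI, RFC or CPIC logons accepted, and no plain-HTTP ICM listener. The parameter names are standard SAP profile parameters; the two profile fragments, the kernel defaults assumed for parameters that are absent, and the check logic are constructed for this illustration.

```python
"""Audit SNC and ICM/TLS settings in an SAP instance profile.

Illustrative check, not an SAP tool: the parameter names are standard
SAP profile parameters, the sample profiles are constructed, and the
kernel defaults assumed for absent parameters (DEFAULTS below) should be
verified against the kernel documentation for your release.
"""

# Constructed sample: a profile fragment with deliberately mixed settings.
WEAK_PROFILE = """\
# SNC enabled, but the protection level and client acceptance are weak
snc/enable = 1
snc/gssapi_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
snc/identity/as = p:CN=PRD, OU=SAP, O=Example, C=US
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 9
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
# ICM listeners: one HTTPS port and one plain HTTP port
icm/server_port_0 = PROT=HTTPS,PORT=44300,TIMEOUT=60,PROCTIMEOUT=600
icm/server_port_1 = PROT=HTTP,PORT=8000
icm/server_port_2 = PROT=SMTP,PORT=25000
"""

# Constructed sample: the same instance with the settings corrected.
HARDENED_PROFILE = """\
snc/enable = 1
snc/gssapi_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
snc/identity/as = p:CN=PRD, OU=SAP, O=Example, C=US
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
icm/server_port_0 = PROT=HTTPS,PORT=44300,TIMEOUT=60,PROCTIMEOUT=600
icm/server_port_2 = PROT=SMTP,PORT=25000
"""

# snc/data_protection/* levels: 1 = authentication only, 2 = integrity,
# 3 = privacy (encryption); snc/data_protection/use = 9 means "use max".
PRIVACY = 3
USE_MAX = "9"

# Values assumed for parameters absent from the profile (assumption).
DEFAULTS = {
    "snc/data_protection/min": "2",
    "snc/data_protection/max": "3",
    "snc/data_protection/use": USE_MAX,
    "snc/accept_insecure_gui": "0",
    "snc/accept_insecure_rfc": "0",
    "snc/accept_insecure_cpic": "0",
}


def parse_profile(text):
    """Return {parameter: value} from 'key = value' lines, skipping '#' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def get(params, key):
    """Profile value, or the assumed kernel default when the parameter is absent."""
    return params.get(key, DEFAULTS.get(key))


def audit_snc(params):
    """Findings for SAP-protocol traffic (SAP GUI, RFC, CPIC) protected by SNC."""
    if params.get("snc/enable") != "1":
        return ["snc/enable is not 1: SAP GUI, RFC and CPIC traffic is not protected by SNC"]
    findings = []
    if int(get(params, "snc/data_protection/min")) < PRIVACY:
        findings.append("snc/data_protection/min below 3: SNC connections without encryption are accepted")
    use = get(params, "snc/data_protection/use")
    outbound = get(params, "snc/data_protection/max") if use == USE_MAX else use
    if int(outbound) < PRIVACY:
        findings.append("snc/data_protection/use below 3: connections this server initiates are not encrypted")
    for proto in ("gui", "rfc", "cpic"):
        key = f"snc/accept_insecure_{proto}"
        if get(params, key) != "0":
            findings.append(f"{key} = {get(params, key)}: logons without SNC are still accepted for {proto.upper()}")
    return findings


def audit_icm(params):
    """Findings for ICM listeners: every plain HTTP port is reported."""
    findings = []
    for key in sorted(k for k in params if k.startswith("icm/server_port_")):
        opts = dict(kv.split("=", 1) for kv in params[key].split(",") if "=" in kv)
        if opts.get("PROT", "").upper() == "HTTP":
            findings.append(f"{key}: PROT=HTTP on port {opts.get('PORT', '?')}, serve it as PROT=HTTPS instead")
    return findings


def audit(profile_text):
    """All findings for one profile; an empty list means nothing was flagged."""
    params = parse_profile(profile_text)
    return audit_snc(params) + audit_icm(params)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = audit(text)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Point `audit()` at a copy of the real instance profile text. It only reads the profile, so parameters changed dynamically on the running kernel are not seen, and it says nothing about the database connection, which is covered by the vendor guidance above rather than by profile parameters.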

Suggestion 8.2.3 – Encrypt data exchange based on file transfer or message transfer protocols

For file-based transfers, AWS provides AWS Transfer Family for secure file exchange over SFTP or FTPS. AWS Transfer Family supports the transfer of data to and from Amazon S3 and Amazon EFS.

Message-level integrity checks help ensure that data has not been tampered with in transit, including where it passes through intermediaries that terminate the transport encryption and see the payload in clear. Consider using one or more of the message-level security standards supported by SAP to sign messages and verify their integrity at the receiving end.
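As an added example that is not part of the SAP Lens and is not one of SAP's message-level security standards, the following Python code shows the mechanism such a standard provides: the sender wraps a payload in an envelope whose HMAC-SHA256 tag covers both the header and the payload, and the receiver rejects the message if either has changed or if it was produced under a different key. The IDoc-style payload, the shared key, and the key id are constructed for the illustration.

```python
"""Message-level integrity for file or message transfers: an HMAC-SHA256 envelope.

Illustrative scheme written for this page, not one of SAP's message-level
security standards; the payload, key and key id below are constructed.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample: a few lines in the style of a flat-file IDoc export
# (the record layout is made up for the example).
SAMPLE_PAYLOAD = (
    b"EDI_DC40  100000000000012345 ORDERS05 ORDERS\n"
    b"E2EDK01   PO-4711  EUR  1250.00\n"
    b"E2EDP01   000010  MAT-100  25\n"
)

# Constructed shared secret keyed by key id. In practice: one key per
# partner, held in a secrets manager, rotated by issuing a new key id.
KEYS = {"partner-a-2024": bytes.fromhex("5c2b8e3f0a1d4c7e9b6a5f4e3d2c1b0a" * 2)}


def _signing_input(header, payload):
    """Canonical bytes covered by the tag: sorted-key JSON header, newline, payload."""
    return json.dumps(header, sort_keys=True, separators=(",", ":")).encode() + b"\n" + payload


def sign_message(payload, key_id, keys=KEYS):
    """Wrap payload in an envelope whose HMAC tag covers header and payload."""
    header = {"alg": "HMAC-SHA256", "key_id": key_id, "len": len(payload)}
    tag = hmac.new(keys[key_id], _signing_input(header, payload), hashlib.sha256).digest()
    return {
        "header": header,
        "payload": base64.b64encode(payload).decode("ascii"),
        "tag": base64.b64encode(tag).decode("ascii"),
    }


def verify_message(envelope, keys=KEYS):
    """Return the payload if the tag verifies; raise ValueError otherwise."""
    header = envelope["header"]
    if header.get("alg") != "HMAC-SHA256":
        raise ValueError("unsupported algorithm")
    key = keys.get(header.get("key_id"))
    if key is None:
        raise ValueError("unknown key id")
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, _signing_input(header, payload), hashlib.sha256).digest()
    # Constant-time comparison so a mismatch does not leak where the tags differ.
    if not hmac.compare_digest(expected, base64.b64decode(envelope["tag"])):
        raise ValueError("integrity check failed: tag does not match header and payload")
    return payload


def tampered_copy(envelope, position=0):
    """Copy of the envelope with one payload byte flipped (simulates in-transit tampering)."""
    payload = bytearray(base64.b64decode(envelope["payload"]))
    payload[position] ^= 0x01
    copy = dict(envelope)
    copy["payload"] = base64.b64encode(bytes(payload)).decode("ascii")
    return copy


def is_intact(envelope, keys=KEYS):
    """True if the envelope verifies, False if tampered with, mis-keyed or malformed."""
    try:
        verify_message(envelope, keys)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    envelope = sign_message(SAMPLE_PAYLOAD, "partner-a-2024")
    print(json.dumps(envelope, indent=2))
    print("original verifies:", is_intact(envelope))                  # True
    print("tampered verifies:", is_intact(tampered_copy(envelope)))   # False
```

An HMAC proves the message came from someone holding the shared key and was not altered, which is what an integrity check needs; it does not give non-repudiation, because the receiver could have produced the same tag. Where a partner must be unable to deny having sent a message, use an asymmetric signature over the same canonical input instead, which is what the XML Signature and WS-Security based standards SAP supports provide.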

For IDoc-based messages, use SNC to secure the RFC connection that ALE uses.

Suggestion 8.2.4 – Encrypt administrative access

Both Windows tools (RDP, WinRM) and SSH-based tools are commonly used to administer SAP. In addition to controls such as bastion hosts, confirm that this administrative traffic is encrypted: SSH encrypts by design but should be restricted to current key exchange, cipher and MAC algorithms, and RDP and WinRM should be configured to require TLS rather than their legacy transport security.

Alternatively, AWS Systems Manager Session Manager provides access to the operating system through the AWS Management Console or the AWS CLI over a TLS-encrypted channel, without opening inbound SSH or RDP ports, and can log session activity to Amazon CloudWatch Logs or Amazon S3.

Suggestion 8.2.5 – Evaluate the features of AWS services that enable encryption in transit

In addition to application-based encryption, many AWS services provide encryption in transit capabilities. Evaluate your corporate standards, the implementation effort and associated benefits for each service. The following are some examples that are relevant for SAP workloads.

Suggestion 8.2.6 – Implement network level encryption

SAP customers will typically use either Direct Connect or a combination of Direct Connect and VPN, to provide reliable connectivity to their resources on AWS.

AWS Direct Connect does not encrypt your traffic in transit by default. If encryption is required, encrypt at the network layer, for example with an IPsec VPN over Direct Connect, or use MACsec link-layer encryption where your Direct Connect connection type supports it.

AWS Site-to-Site VPN provides IPsec encryption of the network channel. You can also deploy third-party VPN solutions such as OpenVPN from AWS Marketplace or with your own license.

Alternatively, consider AWS PrivateLink for supported AWS services and solutions, including AWS Partners offering SaaS services. AWS PrivateLink keeps traffic on the AWS network and provides private connectivity without exposing it to the internet; it is not itself an encryption mechanism, so the service behind the endpoint should still be reached over TLS.