We probably aren’t the first to tell you that SAP Fiori provides many benefits to organizations. You might have even heard other organizations rave about Fiori’s new user-friendly interface or the ability to use SAP from any device and location. We agree that there are many benefits.
But as with any data that is exposed to the Internet, security is an important consideration. Don’t let this be a deterrent! With the help of this guide, you will gain important insights into tightening up your own security practices and preparing to bring a better user experience to your users with SAP Fiori.
With SAP Fiori, users are presented with a modern user interface (UI) with access to the data that they need in the backend systems. Here is a high-level architecture diagram of a typical Fiori implementation.
This diagram illustrates the connectivity between devices in a scenario where Fiori users can connect from anywhere (including mobile devices!). The steps below describe how it works.
While your users are busy appreciating the intuitive and straightforward Fiori interface, your organization can rest easy knowing that the system is secure.
In order to secure Fiori properly, we must make sure we are considering each layer that is involved. These layers include:
SSL communications: All communications must be configured to use SSL with proper certificates. This is a key and mandatory action, since failing to use SSL will expose your confidential data.
Proxies / Load Balancers: Reverse proxies/load balancers on the DMZ act as a barrier from the external world to the internal network. These servers forward the Fiori traffic to the appropriate internal servers and provide an extra layer of security.
Firewalls: Firewalls must be used to allow only the traffic that we want, with all ports closed except the ones used by Fiori. This can vary depending on the organization, but at least an external and an internal firewall are recommended.
Single Sign-On: Make sure all users authenticate against a central user repository that can be easily monitored and maintained. With the proper configuration, the Fiori environment can be restricted to single sign-on (SSO) connections only, with the less secure “basic” login to the Fiori Launchpad correspondingly disabled.
Two-Factor Authentication: When integrating sign-on with Azure (for example), two-factor authentication can be enabled to provide another layer of security. This secondary verification of users greatly increases overall security.
SAP Gateway Security: It is also important to properly secure the SAP Gateway. This means understanding and properly configuring the system parameters that mitigate threats from the outside. In addition, it means creating proper roles with specific functionality and always following SAP best practices for user security.
SAP Backend Security: In combination with the Gateway, the backend needs to be properly designed for user security. Make sure you design all of the roles so that each type of user has only the roles necessary to access their data.
Monitoring Network: Enable monitoring tools on the network interfaces. It is important to have tools that monitor all incoming traffic and detect threats, and to configure them to automatically notify you when threats are detected.
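As an added illustration of the SSL, Single Sign-On and Monitoring Network layers above (example code written for this post, not a tool from SAP or the original author), the small detector below runs over constructed reverse-proxy log lines and flags Fiori requests that arrived without SSL, requests that still offer basic credentials after SSO has been enforced, and clients producing a burst of authentication failures. The log format, the alert threshold and the monitored paths (/sap/bc/ui2/flp, the standard Fiori Launchpad path, and the /sap/opu/odata/ Gateway prefix) are assumptions.

```python
from collections import Counter

# Constructed proxy log lines (fields: time client scheme path status auth);
# not real traffic. Paths and threshold below are assumptions for the example.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 https /sap/bc/ui2/flp 200 saml
2024-01-01T10:00:02Z 10.0.0.7 http /sap/bc/ui2/flp 302 none
2024-01-01T10:00:03Z 203.0.113.9 https /sap/opu/odata/sap/SRV/ 401 basic
2024-01-01T10:00:04Z 203.0.113.9 https /sap/opu/odata/sap/SRV/ 401 basic
2024-01-01T10:00:05Z 203.0.113.9 https /sap/opu/odata/sap/SRV/ 401 basic
2024-01-01T10:00:06Z 203.0.113.9 https /sap/opu/odata/sap/SRV/ 401 basic
2024-01-01T10:00:07Z 203.0.113.9 https /sap/opu/odata/sap/SRV/ 401 basic
2024-01-01T10:00:08Z 10.0.0.9 https /sap/bc/ui2/flp 200 saml
"""

FIORI_PREFIXES = ("/sap/bc/ui2/flp", "/sap/opu/odata/")  # monitored endpoints
FAILURE_BURST = 5  # 401 responses from one client before we alert

def parse_line(line):
    time, client, scheme, path, status, auth = line.split()
    return {"time": time, "client": client, "scheme": scheme,
            "path": path, "status": int(status), "auth": auth}

def detect(log_text):
    """Return (rule, client, detail) findings for the Fiori traffic in the log."""
    findings = []
    failures = Counter()
    seen_basic = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if not e["path"].startswith(FIORI_PREFIXES):
            continue
        # SSL communications: every Fiori request must arrive over TLS.
        if e["scheme"] != "https":
            findings.append(("plaintext-request", e["client"], e["path"]))
        # Single Sign-On: with SSO enforced, basic credentials should never be offered.
        if e["auth"] == "basic" and e["client"] not in seen_basic:
            seen_basic.add(e["client"])
            findings.append(("basic-auth-attempt", e["client"], e["path"]))
        # Monitoring: count authentication failures per client.
        if e["status"] == 401:
            failures[e["client"]] += 1
    for client, n in failures.items():
        if n >= FAILURE_BURST:
            findings.append(("auth-failure-burst", client, f"{n} x 401"))
    return findings
```

Each finding is the kind of event the monitoring tools mentioned above should forward as a notification; in a real deployment the lines would come from the reverse proxy's own access log format.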
SAP Fiori is an evolution for SAP. Why can we say this? It allows you to access your data in real time from your mobile devices, and with a proper security setup, careful monitoring, and adherence to the best practices we outlined in this post, you can feel safe knowing that your data is secure.
To learn more about how SAP Fiori can be tailored to your business’ needs, check out how Halton Region used SAP Fiori to transform their purchasing process.