Best Practice 8.2 – Encrypt data in transit
Using encryption of data in transit makes it harder for your data to be intercepted, accessed, or tampered with while it’s moving from one point to another. Ensure that there are secure protocols and network-level encryption in place to minimize potential threats and provide the level of protection aligned with your requirements.
Well-Architected Framework [Security]: Protecting Data in Transit
Suggestion 8.2.1 – Encrypt application traffic based on SAP and database protocols
For application traffic using SAP protocols (SAPGUI Dialog, RFC, and CPIC), use SAP Secure Network Communications (SNC) to enforce transport-layer security (authentication, integrity, and encryption) for that traffic.
- SAP Documentation: SNC-Protected Communication Paths in SAP Systems
For database traffic, use a secure connection between the client and database, where available.
| Database | Guidance |
|---|---|
| SAP HANA | SAP Documentation: SAP HANA: Securing Data Communication |
| SAP ASE | SAP Documentation: SSL in SAP ASE |
| IBM Db2 | SAP Note: 2385640 - DB6: database connection using SSL encryption |
| Oracle | SAP Note: 973450 - Oracle Database network encryption and data integrity |
| Microsoft SQL Server | SAP Note: 1570930 - SQL Server network encryption with SAP |
| SAP MaxDB | SAP Documentation: MaxDB Network and Communication |
Suggestion 8.2.2 – Encrypt SAP application traffic based on internet protocols
For application traffic based on internet protocols (HTTP, P4 (RMI), LDAP) use SSL/TLS to enforce Transport Layer Security.
- SAP Documentation: Transport Layer Security
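A defender-side check covering Suggestions 8.2.1 and 8.2.2 together, added here as an example and not code from the SAP Lens: it parses an SAP instance profile and flags ICM listeners that serve plaintext protocols as well as SNC settings that leave SAPGUI/RFC/CPIC traffic unencrypted. The profile excerpt is constructed; the parameter names (icm/server_port_N, snc/enable, snc/data_protection/min, snc/accept_insecure_*) are real SAP profile parameters.

```python
import re

# Constructed instance profile excerpt (not taken from a real system).
SAMPLE_PROFILE = """
# constructed instance profile excerpt
SAPSYSTEMNAME = S4H
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=60
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=60
icm/server_port_2 = PROT=SMTP,PORT=25000
snc/enable = 1
snc/data_protection/min = 2
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 0
"""

SNC_PRIVACY = 3  # snc/data_protection/* level 3 = privacy (encryption)
PLAINTEXT_PROTS = {"HTTP", "SMTP", "P4"}  # ICM protocols with no TLS


def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines, ignoring comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def audit_transit_encryption(params):
    """List findings for listeners or SNC settings that leave traffic unencrypted."""
    findings = []
    # 8.2.2: every ICM listener using a plaintext protocol is a finding.
    for name, value in params.items():
        if not re.fullmatch(r"icm/server_port_\d+", name):
            continue
        opts = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
        if opts.get("PROT", "").upper() in PLAINTEXT_PROTS:
            findings.append(f"{name}: {opts['PROT']} listener on port {opts.get('PORT')} is unencrypted")
    # 8.2.1: SNC must be enabled, require privacy, and reject non-SNC connections.
    if params.get("snc/enable") != "1":
        findings.append("snc/enable: SNC is disabled; SAPGUI/RFC/CPIC traffic is unencrypted")
    else:
        if int(params.get("snc/data_protection/min", "0")) < SNC_PRIVACY:
            findings.append("snc/data_protection/min: below 3, so SNC may run without encryption")
        for proto in ("gui", "rfc", "cpic"):
            if params.get(f"snc/accept_insecure_{proto}", "0") != "0":
                findings.append(f"snc/accept_insecure_{proto}: non-SNC {proto.upper()} connections are still accepted")
    return findings
```

Run it against each instance profile of the system; an empty list means every ICM listener is TLS-only and SNC privacy protection is mandatory for all SAP protocols.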
Suggestion 8.2.3 – Encrypt data exchange based on file transfer or message transfer protocols
For file-based transfers, AWS provides AWS Transfer Family for secure file exchange over SFTP or FTPS. AWS Transfer Family supports the transfer of data to and from Amazon S3 and Amazon EFS.
- AWS Documentation: AWS Transfer Family
Using message-level data integrity checks helps ensure that data is not tampered with while being transferred. Consider using one or more of the message-level security standards supported by SAP to sign messages and verify the integrity of the data they carry.
- SAP Documentation: SAP ABAP Web Services Message-Level Security
- SAP Documentation: SAP NetWeaver Process Integration Security Guide
- SAP Documentation: SAP Cloud Integration Message-Level Security
For IDoc-based messages, use SNC to secure the RFC connection used by ALE.
- SAP Documentation: Handling Sensitive Data in IDocs
Suggestion 8.2.4 – Encrypt administrative access
It is common to use both Windows and SSH-based tools for the administration of SAP. In addition to security controls such as bastion hosts, consider whether it is possible to encrypt this traffic.
Alternatively, AWS Systems Manager Session Manager provides a secure mechanism to access the operating system via the AWS Management Console using TLS for encryption.
- AWS Documentation: Amazon EC2 Windows Guide - Encryption in Transit
- AWS Documentation: Amazon EC2 Linux Guide - Encryption in Transit
- AWS Documentation: Data protection in AWS Systems Manager – Data Encryption
Suggestion 8.2.5 – Evaluate the features of AWS services that enable encryption in transit
In addition to application-based encryption, many AWS services provide encryption in transit capabilities. Evaluate your corporate standards, the implementation effort and associated benefits for each service. The following are some examples that are relevant for SAP workloads.
- AWS Documentation: Amazon S3 - Encryption in Transit - On by default and recommended for backups to Amazon S3.
- AWS Documentation: Amazon EFS - Encryption in Transit / Amazon FSx - May be required for shared filesystems.
- AWS Documentation: Elastic Load Balancing - Review your encryption requirements and whether end-to-end TLS with pass-through is required, as this feature may not be available for all load balancer types.
- AWS Documentation: Amazon EC2 - Encryption in Transit - Only later generation instance types have this feature.
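Amazon S3 accepts TLS by default but does not refuse plaintext HTTP requests unless a bucket policy denies them, so a backup bucket should carry a Deny statement keyed on the aws:SecureTransport condition. The check below is an added example, not code from the SAP Lens or from AWS: it verifies that a bucket policy document contains such a statement covering both the bucket and its objects. The policy and the bucket name example-sap-backups are constructed placeholders.

```python
import json

# Constructed bucket policy for an SAP backup bucket (placeholder bucket name).
BACKUP_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-sap-backups",
        "arn:aws:s3:::example-sap-backups/*"
      ],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_any_principal(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def denies_plaintext_transport(policy, bucket):
    """True if a statement denies every principal all s3 actions on the bucket
    and its objects whenever the request is not made over TLS."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Deny" or not _is_any_principal(statement.get("Principal")):
            continue
        if "s3:*" not in _as_list(statement.get("Action", [])):
            continue
        condition = statement.get("Condition", {}).get("Bool", {})
        if str(condition.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if needed <= set(_as_list(statement.get("Resource", []))):
            return True
    return False
```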
Suggestion 8.2.6 – Implement network level encryption
SAP customers typically use either Direct Connect or a combination of Direct Connect and VPN to provide reliable connectivity to their resources on AWS.
AWS Direct Connect does not encrypt your traffic in transit. If encryption is required, transport-level encryption should be implemented, for example by running a VPN over Direct Connect.
AWS provides Site-to-Site VPN that can be used for network channel encryption. You can also choose to deploy third-party VPN solutions like OpenVPN from AWS Marketplace or with a bring your own license.
Alternatively, consider AWS PrivateLink for supported AWS services and solutions, including AWS Partners offering SaaS services. AWS PrivateLink provides private connectivity without exposing your traffic to the internet.
- AWS Documentation: AWS Managed VPN
- AWS Documentation: AWS Client VPN
- AWS Documentation: AWS Direct Connect + VPN
- AWS Documentation: Software Site-to-Site VPN
- AWS Documentation: AWS PrivateLink