This article describes the different integration methods for Fortanix Data Security Manager (DSM) with SAP S/4 HANA and SAP Data Custodian for key management, generation, and cryptographic operations. It also contains the information that a user requires for:
- Generating a key in Fortanix DSM and perform Bring Your Own Key (BYOK) into SAP Data Custodian.
- Generating a key in Fortanix DSM and hold the key in DSM so that SAP Data Custodian will use the key from DSM.
Tokenization and detokenization of fields in SAP S/4 HANA business processes to protect Personally Identifiable Information (PII) and other sensitive data from unauthorized access using Fortanix DSM-Accelerator with optimal performance, high throughput, and minimal latency.
1.1 Fortanix DSM with SAP S/4HANA and Data Custodian
Using Fortanix BYOK with Data Custodian, enterprises can securely import cryptographic keys from Fortanix DSM into the SAP Data Custodian Key Management Service. This gives Data Custodian customers control over their key, ensuring it is only used for its authorized purposes, and protecting the security of the data on the platform.
While most encryption needs can be provisioned securely using the BYOK approach, some customers may have specific use cases where sensitive data can never be shared or transmitted outside their security perimeter. The security for this sensitive content needs to be strictly on-premises, with extremely limited access and sharing. With the Hold Your Own Key (HYOK) approach of key management, the customers generate, manage, and store encryption keys in their own environment. In this scenario, cryptographic key management is provided through Fortanix DSM. SAP Data Custodian Customers can store and protect Key Encryption Keys (KEK) in the cloud or on-premises with Fortanix DSM.
Fortanix has intrinsic capabilities to seamlessly integrate with enterprise solutions to provide encryption and tokenization of sensitive data with optimal performance, high throughput, and minimal latency. SAP S/4 HANA leverages Fortanix for data security use cases with low latency and high throughput requirements.
2.0 BYOK to SAP Data Custodian
Fortanix provides organizations with the ability to generate cryptographic keys in DSM and retain control of those keys while making them available, as required, for use in SAP Data Custodian.
Figure 1: SAP Data Custodian BYOK with Fortanix DSM
Using BYOK with Fortanix DSM, SAP Data Custodian now effectively safeguards its customer’s public cloud and other SAP applications, such as SAP S/4 HANA, using keys generated in Fortanix DSM. You can use a Fortanix DSM Data Custodian Bring Your Own Key (BYOK) Plugin to implement Fortanix BYOK with SAP Data Custodian and import your keys into SAP Data Custodian.
To BYOK into SAP Data Custodian:
- Create a group in SAP Data Custodian to hold your imported Fortanix DSM key for BYOK. For more details, refer to the SAP Data Custodian BYOK Scenarios documentation.
- Create a wrapping key for BYOK in the group created in Step 1 before you can import keys from Fortanix DSM into SAP Data Custodian. For more details, refer to the SAP Data Custodian BYOK Scenarios documentation.
- Create an Application Technical User (APP TU) for BYOK to connect your SAP applications to SAP Data Custodian. You must complete this step to generate the APP TU and the credential file needed to connect to your Fortanix DSM key store. For more details, refer to the SAP Data Custodian BYOK Scenarios documentation.
- Activate the credential created in Step 3 using your selected API platform. For more details, refer to the SAP Data Custodian BYOK Scenarios documentation.
- Download the wrapping key's public key. The public key is provided as a PUB file that contains the wrapping key’s public key, which will be used to wrap keys in Fortanix DSM during the next step.
- Download the plugin from the Fortanix DSM plugin library which also contains all the implementation details.
- The plugin is used to:
- Import a Fortanix DSM key (AES or RSA) into Data Custodian
- Rotate a key in Fortanix DSM and import the new key version of an existing key into Data Custodian
3.0 HYOK to SAP Data Custodian
To manage SAP Data Custodian customers’ most sensitive data within their own security perimeter, Fortanix DSM offers the option of HYOK. In this scenario, cryptographic key management is provided through Fortanix DSM.
Figure 2: SAP Data Custodian HYOK with Fortanix DSM
SAP Data Custodian restricts HYOK configuration activities to the Key Administrator user role to maintain system integrity. SAP Data Custodian customers must also ensure that their Fortanix key store is enabled in the same region as the consuming SAP service and their SAP Data Custodian Key Management Service tenant. SAP Data Custodian uses JSON Web Token (JWT) based authentication and leverages Fortanix DSM Restful APIs for key management operations. The master key for wrapping and unwrapping the data encryption key in SAP Data Custodian resides in Fortanix DSM to ensure the customer maintains control over their keys from their key store.
To HYOK into SAP Data Custodian:
- Create a group in SAP Data Custodian to hold your registered Fortanix DSM keys for HYOK. If you are creating a key group for Fortanix DSM on-premises key store, refer to the Create a Key Group for HYOK: Fortanix DSM . or
- Create a group in SAP Data Custodian to hold your registered Fortanix DSM SaaS keys for HYOK. For more details, refer to the Create a Key Group for HYOK: Fortanix DSM SaaS.
- Generate a key in your external Fortanix DSM key store that will be used for HYOK scenarios.
- Create a Fortanix DSM account.
- Enable the Fortanix DSM key store.
- Create an RSA key with the following requirements:
- Key Type: RSA
- Key Size: 3072, 4096
- Required Key Operations: Encrypt, Decrypt
- Optional Key Operations: Sign, Verify, Wrap, Unwrap
- Register keys from your Fortanix DSM key store in SAP Data Custodian for HYOK. Tenants with Connect Service workflows will be required to register a Master Key. For more details, refer to the SAP Data Custodian HYOK Scenarios documentation.
4.0 Using Tokenization and DSM-Accelerator with SAP S/4HANA
SAP S/4HANA leverages Fortanix for data security use cases with low latency and high throughput requirements. Fortanix DSM Tokenization can now secure SAP S/4HANA and SAP Enterprise Resource Planning (ERP) Central Component (ECC) data using SAP Data Custodian. The proposed solution explores two prominent features of Fortanix Data Security Manager, namely:
- Fortanix DSM – Accelerator – Refer to Fortanix DSM-Accelerator Concepts Guide to learn more.
- Tokenization/Format Preserving Encryption (FPE) – Refer to Fortanix DSM – Tokenization Guide to learn more.
Figure 3: Fortanix Tokenization with DSM-Accelerator
In Figure 3 above, DSM-Accelerator is used directly with SAP ERP and is deployed and managed by SAP S/4 HANA customers through SAP Data Custodian. Through the SAP Data Custodian portal, SAP customers can determine and configure specific fields to be tokenized and assign policies that identify which users have access to sensitive data. The Customer’s Cloud Administrators can configure these access policies. When a user inputs sensitive data into the SAP ERP application, the application initiates a security check against the predefined policies set in SAP Data Custodian. These policies serve as guidelines for data protection and governance. If the security policies within SAP Data Custodian validate the data input, the Fortanix tokenization service is called through the REST API integration. Fortanix tokenization replaces the sensitive data with a token. The SAP ERP application then utilizes the generated token instead of the sensitive data for its processing and operations. This token is securely stored in the database, effectively substituting the original sensitive information. This solution enhances data security and confidentiality while allowing the SAP ERP application to continue its necessary functions without compromising the privacy and integrity of sensitive data.
SAP facilitates the integration through the Bring Your Own Provider (BYOP) mechanism that enables customers to bring their own tokenization provider and use it with SAP S/4 HANA.
When SAP DSM Provider makes a call into DSM Accelerator, DSM Accelerator will use provided credentials to authenticate to DSM and export the required tokenization security object, cache it, and perform tokenization locally.
The following are the deployment steps:
- Create an account in Fortanix DSM (On-premises on SaaS) and complete the setup and configuration by creating the appropriate tokenization security objects and applications.
For more details on how to create a Fortanix DSM account, refer to the Fortanix DSM Getting Started Guide.
For more details on how to create a tokenization security object and application, refer to the Using Fortanix DSM to create tokenization secret guide.
- Obtain a DSM Accelerator container from Fortanix and deploys it locally in your infrastructure.
- Configure DSM Provider in SAP S/4 HANA to point to DSM Accelerator service deployed in your infrastructure.
- Configure DSM Accelerator to point to the appropriate DSM cluster.
For a detailed guide on how Fortanix DSM integrates with SAP S/4 HANA for Tokenization, please see the guide: Using Fortanix DSM with SAP S/4 HANA for Tokenization.