ES Cybersecurity Architect

Raise

The Role

Overview

Design and implement secure SAP S/4HANA and cloud security architecture.

Key Responsibilities

  • incident response
  • cloud architecture
  • logging
  • network security
  • identity management
  • secure sdlc

Tasks

- Develop an incident response plan for SAP security incidents. Work with the cybersecurity operations team to ensure they understand SAP logs and have playbooks for SAP incidents (e.g., detecting and managing a compromised SAP account or a suspicious ABAP program).
- Cloud Security Architecture: Work with enterprise cloud architects to secure the RISE Private Cloud environment:
- Logging, Monitoring & Incident Response: Establish robust security monitoring and be prepared to respond to incidents
- Create cloud security reference architectures for use at TC
- Create end-to-end BTP security reference architecture for use at the Company.
- Designing network security architectures (VPC/VNet, subnetting, NACLs/security groups, VPN/ExpressRoute connectivity).
- Integrate S/4HANA and SAP Fiori with corporate Single Sign-On solutions using SAML 2.0 and/or OpenID Connect. Leverage Identity Provider (IdP) platforms like Okta or Azure AD to achieve central authentication (potentially using SAP Cloud Identity services as a bridge).
- Verify that cloud-native security controls (in Azure/AWS) are leveraged: e.g., cloud security groups, network ACLs, Azure Private Link or AWS PrivateLink for BTP integration, DDoS protection, etc. Collaborate on a defense-in-depth design where multiple layers (network, application, identity) each enforce security.
- Conduct periodic access reviews and audit support – while this is more GRC-oriented, the architect will ensure that reviews of high-privilege accounts, SOD conflict reports, and compliance audits (SOX, etc.) can be supported by the technical controls in place.
- Data Protection: Develop and enforce policies for data encryption and key management
- Establish a Secure Software Development Life Cycle (SDLC) for any SAP custom development (enhancements, Fiori apps, interfaces). This includes setting requirements for code security scans (ABAP code scans for vulnerabilities, static analysis), performing threat modeling for critical extensions, and ensuring penetration testing is done on new interfaces or apps.
- Advise on tenant configurations, roles, and entitlements in BTP to enforce least privilege for service accounts and APIs.
- Coordinate with cloud providers and SAP Basis teams on a secure Key Management System (KMS) or key vault. Make sure cryptographic keys (for database encryption, SSL certificates, etc.) are managed with proper segregation of duties and rotation policies
- Review the cloud network architecture (VPC/VNet design, subnets, security groups) for the SAP systems. Ensure proper network segmentation and firewalls to isolate SAP application tiers and restrict access. For example, confirm internet-facing points (if any, like SAP Web Dispatcher or Fiori) are appropriately protected (WAF, IP restrictions, etc.).
- Design and implement centralized logging for SAP systems – ensure all relevant security logs (e.g., SAP security audit log, OS logs, firewall logs, cloud logs) are aggregated into the enterprise SIEM platform. Define use-cases for monitoring (e.g., alert on multiple failed login attempts, changes to privileged roles, unusual data downloads).
- Design and implement Privileged Access Management (PAM) controls for SAP administrative accounts, ensuring time-bound, monitored, and least-privilege access. Emergency access management (e.g., firefighter IDs) falls under the scope of SAP GRC and is not part of this role.
- Incorporate BTP’s Identity Authentication and Provisioning services in the overall IAM architecture, so that user access and SSO are consistent between S/4HANA and BTP apps.
- Ensure logging of critical actions in applications (e.g., changes to sensitive data, use of privileged functions) is enabled and integrated into monitoring.
- Ensure that any custom applications or integrations built on BTP follow secure development guidelines and that trust is established between BTP and S/4 (e.g. using secure connectors, principal propagation, or SAP Private Link where applicable).
- Define security requirements for interfaces between SAP and other systems (e.g., use of secure protocols, API gateways, certificate-based authentication for integrations, data validation to prevent injection attacks).
- Embed Secure-By-Design in the Program: Work closely with SAP project teams from the planning phase onward to embed security into solution designs. Review project designs (extensions, integrations, migrations) and ensure they follow secure-by-design principles (least privilege, defense in depth, secure defaults, etc.). Influence solution architects and developers to make design choices that reduce risk (for example, using secure APIs, avoiding hard-coding secrets, etc.).
- Application & Interface Security: Work with development teams to ensure secure application development:
- Coordinate identity and access between SAP cloud and corporate cloud environments. If using SAP’s cloud services (IAS/IPS), ensure integration with corporate directories. If using Azure or AWS services alongside SAP, design a unified approach to identity and logging.
- Collaborate with GRC and audit teams to ensure that implemented architectures satisfy frameworks like SOX, TSA pipeline security directives, FERC standards, and applicable data privacy.
- Develop Security reference architectures & patterns: Design comprehensive cyber security architecture for the S/4HANA landscape (including ERP, databases, interfaces, cloud infrastructure, and SAP BTP components). Produce reference architecture and security design patterns that address how all components interact securely, ensuring consistency across projects. This includes network zone segmentation, secure integration patterns, and data flow diagrams delineating trust boundaries.
- Ensure all sensitive data in the S/4HANA landscape is encrypted at rest and in transit. Verify that the SAP HANA databases, application servers, and backups use strong encryption (AES-256 or as provided by SAP) and that TLS 1.2+ is enforced for all data in transit.

Requirements

  • security architecture
  • iam
  • cissp
  • cloud security
  • cyberark
  • zero trust

What You Bring

- Enterprise Security Architecture Experience: 5+ years (as a guideline) in IT security, with at least 3 years in a security architecture role. Proven experience designing secure software solutions and enterprise security architectures – not just implementing controls, but developing strategy and blueprints.
- Identity & Access Management: Strong grasp of enterprise IAM concepts:
- Security certifications like CISSP, CISM, or cloud security certs (CCSP, Azure Security Engineer, AWS Security Specialty) are highly desirable, as they indicate a solid foundation
- Understanding of Privileged Access Management tools (such as CyberArk, BeyondTrust, or even SAP’
- Cloud Security Knowledge: Demonstrated experience securing solutions on cloud platforms (preferably Azure and AWS). For example:
- Knowledge of industry controls and key regulatory bodies (e.g., CER, TSA, FERC, SOX)
- Virtuosic diagramming skills and modelling skills
- Hands-on experience with SSO/Federation protocols (SAML 2.0, OAuth 2.0/OIDC). Should be capable of configuring or guiding SSO integration between SAP and IdPs (e.g., setting up trust between SAP NetWeaver and Azure AD/Okta using SAML).
- Understanding the shared responsibility model for cloud, especially in a managed service like RISE Private Cloud. Knowing what aspects of security SAP manages vs the customer is important to focus efforts appropriately (e.g., SAP handles infrastructure patching in RISE, but customer must secure integrations).
- Familiarity with cloud native security services – e.g., AWS Security Hub/GuardDuty, Azure Security Center, KMS for key management, cloud monitoring tools. Ability to incorporate these into the SAP landscape (for instance, using an Azure Key Vault for SAP encryption keys, or using AWS CloudWatch for infrastructure logs).
- Bachelor’s degree in Computer Science
- Knowledge of Cloud security, Hosted Services security, SaaS/PaaS security models, and Cloud-based security frameworks.
- Experience with security assessments, penetration testing methodologies, and threat modelling.
- Demonstrated track record as a prolific security architect, with multiple successful security architecture designs delivered for complex enterprise environments
- Knowledge of authentication technologies like MFA (Multi-factor Authentication), digital certificates, and how to enforce them in an SAP context (for example, using SAML assertions for MFA or certificate-based logins for certain admin users).
- The candidate should be able to translate high-level security frameworks (NIST CSF, ISO 27001, etc.) into specific architecture decisions for an enterprise system
- Experience in Zero Trust Architecture (ZTA), Identity and Access Management (IAM), encryption, and data protection.
- SAP BTP Security: Guide secure use of SAP Business Technology Platform services (for extensions, integrations, or analytics):

The Company

About Raise

- Born from the 65-year legacy of Ian Martin Group, this company rethinks staffing with tech-first, self-managed operations.
- Operates globally with offices in the US, Canada, Ghana, India, and the Philippines, offering permanent placement, contract recruitment, payroll/EOR, RPO, and total talent management.
- Skilled trades, technical, and industry-specific teams support clients across IT, energy, manufacturing, healthcare, transportation, and more.
- Tech platform uses AI-driven insights and real-time scheduling to enhance hiring speed and candidate experience.
- Employs a Teal-operating, self-managed model, empowering employees to drive agility and innovation.

Sector Specialisms

Industrial

Energy

Infrastructure

Buildings

Residential

Commercial

Water Resources

Heavy Civil

Marine

Transport

Utilities

Solar

Wind

Nuclear

Government