Zscaler Blog

Customer Stories

How Siemens Healthineers Secured a Complex RISE with SAP Migration with Zero Trust

Modernizing enterprise applications is a monumental undertaking. Doing so in the midst of a corporate divestiture raises the stakes exponentially. For Siemens Healthineers (SHS), migrating to SAP S/4HANA via RISE with SAP was not just a technical upgrade; it was a foundational step in establishing its independent IT infrastructure, separate from its former parent company, Siemens AG.

 

The Challenge: Securing a Diverse and Constrained Ecosystem

Migrating to SAP S/4HANA involved moving to a fully managed subscription hosted by SAP in Microsoft Azure. While this simplified management, the "black box" nature of the environment created unique constraints. Conventional security models couldn't provide the granular control and flexible access SHS required.

SHS faced three primary challenges in securing this new environment:

1. Securing Internet-Bound Traffic 

By default, traffic from SAP S/4HANA exits directly to the internet. As a security-conscious enterprise, SHS required all egress traffic to be inspected according to corporate policy—a capability not natively offered within the managed SAP environment.

2. Enabling Hybrid Cloud Workflows 

As a global organization with numerous remote offices, SHS relies on SAP for critical business processes, including generating print jobs. They needed a secure way to connect their cloud-based SAP applications to physical printers and other devices located on-premises around the world.

3. Providing Secure Third-Party Access 

SHS collaborates with a network of business partners and solution providers across the globe. Granting these third parties secure, least-privileged access to the new SAP environment was a mandatory requirement, but doing so without introducing legacy network complexities or security risks was crucial.

 

The Architectural Blueprint: A Zero Trust Control Plane in Azure

Following SAP's official recommendation for customers with advanced security requirements, SHS engineered an innovative solution using the Zscaler Zero Trust Exchange.

First, they established their own Azure tenant to act as a secure "landing zone" and created a VNet peering connection to their RISE with SAP subscription. Then, they made a critical change: instead of allowing traffic from the SAP environment to go directly to the internet, they redirected it through their Azure tenant for inspection.

This architecture provided a central point of control for all traffic, effectively creating a security control plane for their critical applications and laying the foundation for a true Zero Trust model.

 

The Zero Trust Solution in Action: A Multi-Faceted Approach

With the foundation in place, SHS deployed the Zscaler platform to address each of their unique access challenges.

1. Securing Egress Traffic from SAP RISE

Deployed within the SHS tenant, Zscaler Zero Trust Cloud Connectors solve the egress traffic challenge. They intercept all internet-bound requests from the SAP RISE workloads, routing them through the Zscaler Zero Trust Exchange for full content inspection and policy enforcement. This ensures that all app-to-internet traffic is secure and compliant, creating a unified security posture for both user-to-app and app-to-web communications.


2. Bridging the Gap for Healthineers Business Partners

Migrating Healthineers business partners to a new connectivity model was not an option. Instead, SHS created a brilliant hybrid solution. They established a dedicated "Business Partner Access" area in another Azure subscription with a new VPN concentrator. Partners simply repointed their existing IPsec tunnels to this new cluster, requiring no changes on their end.

Once a partner’s traffic arrives at the VPN concentrator, it is immediately handed off to Zscaler Private Access (ZPA). App Connectors deployed in the Azure tenant then broker a secure, inside-out connection to the specific SAP application—never the network.

This innovative approach allowed SHS to:

  • Maintain existing partner connectivity without disruption.
  • Segment and isolate partner traffic completely.
  • Provide granular, least-privileged access to applications, not the network.

3. Solving the Physical Edge: The Printer Problem

The solution’s flexibility extends all the way to the physical edge. To solve the challenge of printing from a cloud application to an on-premises device, SHS deployed Zscaler Branch Connectors in their remote locations. When a user initiates a print job from the cloud-based SAP RISE environment, ZPA securely routes the request through the Zero Trust Exchange to the Branch Connector, which then delivers it to the physical printer. This elegant solution bridges the hybrid cloud gap without requiring complex legacy networking or firewall rules.


Conclusion: From a Daunting Migration to a Modern Security Showcase

Through its strategic partnership with Zscaler, Siemens Healthineers transformed a daunting migration and divestiture project into a showcase for modern IT security. By embracing Zero Trust Cloud for their SAP cloud migration project, SHS not only secured its mission-critical environment but also established a flexible, scalable, and future-proof foundation for its newly independent infrastructure. The result is a more agile, secure, and efficient enterprise, ready to innovate and grow.

 

To learn more about Zscaler Zero Trust Cloud, click here.

Disclaimer: This blog post was created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness, or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this post are provided for your convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge that it is your sole responsibility to verify and use the information as appropriate for your needs.
