Securing the SAP Business Technology Platform (BTP)
SAP Business Technology Platform (BTP), formerly SAP Cloud Platform (SCP), is a platform-as-a-service (PaaS) developed by SAP for creating new applications or extending existing applications in a secure cloud computing environment managed by the company.
The SAP Business Technology Platform integrates data and business processes and includes the in-memory SAP HANA database management system. SAP Business Technology Platform helps leverage cloud-native technologies and extends on-premise software. The cloud-based platform requires security measures from the platform provider (SAP), as well as the customer (the user of the platform).
SAP Business Technology Platform provides tools and security architecture to ensure the security and privacy of the cloud and the user (e.g., their personal information).
Table of Contents
On-Premise Security vs. Cloud Security
Securing SAP systems is an increasingly vital aspect of business operations. If your SAP systems aren’t secure, you risk your data being stolen or held for ransom. So it’s important to address the cybersecurity aspects of a move from on-premise to cloud systems.
The main difference between on-premise security and cloud security is the fact that in the on-prem world, the servers and data are physically stored on your property. This means you have full control, but also full responsibility.
In the cloud world, a third-party provider (such as SAP) hosts your servers and data and is responsible for securing the platform. This shift of responsibility requires a mindset change on the customer side, as you have to trust the cloud provider and put security controls into place that the cloud provider must adhere to.
Data Centers and Physical Security
SAP Business Technology Platform runs on SAP-owned data centers, as well as infrastructure-as-a-service (IaaS) cloud providers stationed around the world. These relationships are the foundation for the rapid growth of SAP’s global reach, as the company can leverage the existing infrastructure of trusted partners rather than creating its own infrastructure from scratch.
The data centers meet Level 3 of the SAP data center level rating system. SAP data centers are subject to high industry security standards and are ISO 27001 certified. ISO 27001 is the best-known standard for an information security management system (ISMS).
The data centers also meet a number of additional security standards:
- SAP does not transfer customer data outside the predefined range and does not communicate any information to unauthorized third parties.
- The colocation provider does not have administrative access to the SAP cloud servers.
- The cloud provider’s services focus only on providing premises, cooling and energy.
- All SAP data centers are monitored around the clock via video and security personnel.
SAP has 60+ data centers around the world in 16+ countries with 30+ locations from various regional data centers from major infrastructure-as-a-service (IaaS) cloud providers. SAP’s customers can choose the region of data storage (for example, EU-only operations are available), which means that customers can benefit from local regulations (e.g., strong German and EU regulations). Plus, low latency speeds up access.
Cornerstones of the Security Architecture
Many organizations do not realize the threat posed by vulnerabilities in SAP applications. Because of the number of moving pieces and the volume of affected areas and processes — including applications, infrastructure and operations — it’s critical that SAP maintains a rock-solid security strategy that’s focused on its three security “cornerstones,” as described below.
- Secure Products: Security incorporated into all applications to deliver the ultimate protection of content and transactions.
- Secure Operations: End-to-end secure cloud operations to defend customer data and business operations.
- Secure Company: Security-aware staff, end-to-end physical security of SAPs assets, and a comprehensive business continuity framework.
These cornerstones are the foundation of secure SAP.
Furthermore, the platform’s security architecture aims to isolate customer data and customer systems from the services that utilize it.
This is achieved by sandboxing the application and network:
- Application sandboxing: Restrict and manage the functionality of an application only within the container in which the application is running.
- Network sandboxing: Restrict and manage the application’s access to other system landscapes.
Without sandboxing, an application or other system processes could gain unlimited access to all the customer data and system resources on the platform. This segregation is mainly required because SAP Business Technology Platform allows the execution of custom code.
SAP Business Technology Platform Security Services
The SAP Business Technology Platform offers three security services to authenticate and provision users and privileges across the SAP cloud applications, as well as to manage them from a governance perspective.
SAP Cloud Identity Authentication Service (IAS)
The SAP Cloud Identity Authentication service enables organizations to provide their employees, customers, and partners with cloud-based access to the enterprise processes, applications, and data they need. Authentication mechanisms such as single sign-on functionality, on-premise integration, and self-service options are built-in features for SAP cloud applications.
OAuth is an open security protocol that replaces a person’s username and password with a token. As a result, OAuth clients provide secure delegated access to server resources on behalf of a resource owner. The SAP Business Technology Platform supports the OAuth 2.0 protocol as a method of protecting application APIs and resources.
Learn more about IAS here.
SAP Cloud Identity Provisioning Service (IPS)
SAP Cloud Identity Provisioning automates identity lifecycle processes. It enables you to provision identities and their authorizations to various cloud and on-premise business applications. Identity provisioning software improves IT security and reduces compliance costs. User accounts and permissions can be automated. Existing identity stores, such as enterprise-based Active Directory, can be used to provide support for heterogeneous landscapes.
In addition to deploying on-premise or third-party cloud users to SAP cloud applications, customers can also provide the appropriate user permissions for each SAP cloud application during the deployment process. This is done by defining the access policies before the deployment process and by mapping the user groups to the user roles in the cloud. In addition, the SAP Business Technology Platform supports dynamic role assignments.
SAP Cloud Identity Access Governance (IAG)
SAP Cloud Identity Access Governance service offers a range of identity and access management capabilities, including (among others) self-service access requests for on-premise and cloud applications, access risk analysis, and role design. Each of the services that come with SAP Cloud IAG can work independently or in combination with one another.
Learn more about IAG here.
The SAP Business Technology Platform is not based on an SAP NetWeaver ABAP. However, with the SAP Business Technology Platform ABAP environment, you can develop ABAP code in the cloud.
The SAP Business Technology Platform (BTP) is a platform-as-a-service (PaaS) offering from SAP that cannot be hosted elsewhere. You can, however, host your on-premise SAP S/4HANA system on Microsoft Azure and connect to BTP.
The responsibility in BTP is shared between the service provider of the cloud (SAP) and the customer’s SAP security team. That’s why it’s important that contracts are put in place that clearly defines the responsibilities and liabilities of all parties involved.
Identity management can be achieved by using the IPS as your identity provider.
SAP Business Technology Platform (BTP) is a PaaS (platform-as-a-service) offering from SAP that provides services for the development, integration, and deployment of modern cloud applications, as well as for customer-specific expansion of cloud and on-premise landscapes.
Securing the cloud platform is a mixed responsibility between the provider (SAP) and the customer. While the platform security is handled by SAP, customers are still responsible for taking care of the users of the cloud solutions.
With the SAP Business Technology Platform security services, you can authenticate and provision your end-users to SAP’s cloud services and applications. An access governance structure, similar to what SAP Access Control (GRC) offers on-premise, can be achieved with the IAG service.
Learn more about SAP Cloud Security: