Skip to content
SAP BTP - SecurityBridge

SAP BTP: Why your business platform needs security of the same kind? 

Ivan Mans
CTO
October 9, 2023
4 min read
Chapters

Share Article

The recent global SAP user conferences have revealed one common trending topic: SAP Business Technology Platform (BTP). SAP customers are about to adopt this platform for tailoring standard processes and creating integrations with their supply chains. We have covered this already in this article one year ago. However, SAP users also understand that a technology platform connecting businesses to the world can also potentially increase the surface of cyber-attacks. Therefore, to protect such a platform, security of the same kind is needed, in other words, a security platform.

Why is security for SAP BTP so challenging?

SAP BTP is an all-in-one, multi-cloud platform that masters seamless interfacing to the S/4HANA environment. It offers customers the flexibility they need for tailoring their business processes while minimizing upgrade efforts by decoupling custom development from the SAP Clean Core.

However, for a clean-core approach, SAP customers must share critical business data through the SAP Cloud Connector with SAP BTP Services in the cloud. These services are running in various technical environments, like Neo or Cloud Foundry, and the ABAP environment that ensures data security across all these technologies is quite challenging.

A complex, multi-layered technology stack needs a security concept capable of handling this. The scope of this covers everything from ABAP code vulnerabilities to security audit logs and communication and infrastructure components. Ideally, all relevant information is gathered in one view and based on one coherent security platform.

How the SecurityBridge Platform protects your SAP BTP?

With the SecurityBridge Platform, you can manage the entire security for your SAP landscape, from on-premises systems to the cloud and SAP BTP. You gain insight into user activities and enforce secure configurations, development, and change management processes regardless of whether you use Cloud Foundry, ABAP, or Neo environments.

Securing SAP BTP starts with an updated and configured SAP Cloud Connector, recommended BTP account settings, and user access management that follows the least privilege principle. Only users from trusted domains should have access to your BTP subaccount, and tenant and administrative privileges should be kept to a minimum. SecurityBridge Platform’s Security & Compliance module helps enforce these security measures and notifies you in case of obsolete users who should be deactivated to minimize the attack surface.

SAP BTP S&C SecurityBridge Demo

Ensuring a hardened SAP BTP environment must be complemented by end-to-end security monitoring. The Threat Detection module of the SecurityBridge Platform enables you to accomplish this task by gathering information from the various security audit logs of SAP BTP’s underlying environments and technologies. SAP users receive detailed descriptions of the events and the surrounding context of these activities on an easy-to-investigate timeline. The result is a fast and powerful threat detection process, which is vital for complex environments like SAP BTP.

But the SecurityBridge Threat Detection doesn’t stop on the application layer. It also includes the infrastructure layer by evaluating the SAP-specific IPS logs of your firewall. You can learn more about how SecurityBridge integrates with the FortiGate NextGen Firewall in our previous article here.

For SAP customers running ABAP applications on SAP BTP, we recommend extending their on-premise best practices for custom code development to the cloud and ensuring secure ABAP code with the Code Vulnerability Analyzer, also part of the SecurityBridge Platform. This analyzer supports both static code analysis and dynamic scans at code compilation, enabling development teams to follow SAP’s recommendations for secure ABAP coding. Learn more about the Code Vulnerability Analyzer here.

Summary

For a clean-core approach, SAP customers must share critical business data with SAP BTP Services in the cloud. As these services run in various technical environments, ensuring data security across all these technologies is challenging. A complex, multi-layered technology stack needs a security concept that can handle this, like the SecurityBridge Platform. The Security & Compliance module ensures an updated and configured SAP Cloud Connector, recommended BTP account settings, and user access management that follows the least privilege principle. In addition, it is crucial to monitor the SAP BTP security audit logs. The Threat Detection module of the SecurityBridge Platform gathers information from various security audit logs of SAP BTP’s underlying environments and technologies. SAP users receive detailed descriptions of the events and the surrounding context of these activities on an easy-to-investigate timeline. This allows a quick and powerful threat detection process. SAP customers running ABAP applications on SAP BTP can enable their development teams to follow SAP’s recommendations for secure ABAP coding with the Code Vulnerability Analyzer, also part of the SecurityBridge Platform.