Essential Data Privacy and Security Controls in SAP Business Technology Platform
SAP Business Technology Platform has come a long way, evolving into a full-fledged business technology platform with a breadth of capabilities that includes business process workflow, integration suite, application extension, API Management, cloud application development, database management and analytics, and supports hybrid scenarios spanning on-premise and cloud landscapes.
Data Privacy and Security controls are of paramount importance to protect personal data in SAP BTP services, and the related controls apply to all layers of the solution landscape, including secure integration scenarios. In this blog, we will analyze the essential security and privacy controls that are available with SAP Business Technology Platform for our customers. For the sake of clarity and simplicity, we will keep the discussion at a high level without going into the configuration steps.
Data Protection and Privacy – Who is involved
Customers and SAP have a shared responsibility for security and data privacy. While SAP acts as a data processor on behalf of customers, processing personal data as per the written instruction (contract) from the data controller/customer, the obligations of the data controller are much broader and deeper, covering the collection and processing of personal data, compliance, and regulatory notifications for its protection. The table below provides a high-level view of the roles played by each of these entities.
SAP customers, being the data controller, decide “why (purpose)” and “how (means)” the personal data is processed. Hence customers need greater control over how and why this personal data is collected. It is essential for customers to manage consents, to get details on what changes have been made to personal data, and to know who has accessed sensitive personal data.
SAP Business Technology Platform has built-in privacy controls that can be configured by the customer administrator. The platform provides transparent collection of user data and privacy configuration options. SAP BTP provides data privacy settings for our customers to use for the following key functions:
- Consent Management
- Change Logging and Audit Logging
- Information Report
Please refer to this link for SAP BTP consent management capability.
Change Logging and Read-Access Logging
A distinction must be made between change logging and read-access logging. While any changes made to personal data are recorded through change logging, read-access logging records anyone accessing “sensitive” personal data.
SAP BTP provides an Audit Log Retrieval API, which is protected by OAuth 2.0. Audit logs are generally retained for 90 days, after which they are deleted, so any longer-term retention must happen outside the platform. To that end, audit logs can be ingested into the customer's SIEM or into SAP Enterprise Threat Detection.
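To make the change-logging versus read-access-logging distinction concrete, and to show why the 90-day retention matters for SIEM ingestion, here is an added Python example that is not SAP's code: the record shape, field names and category values are assumptions, and the three records are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records in the shape of BTP audit log entries. The
# field names (time, category, user, message) and the category values
# are assumptions for this illustration, not captured platform output.
SAMPLE_RECORDS = [
    {"time": "2024-03-01T10:15:00Z", "category": "audit.data-modification",
     "user": "hr.admin@example.test",
     "message": {"object": {"type": "Employee", "id": {"employeeId": "E-1001"}},
                 "attributes": [{"name": "salary", "old": "***", "new": "***"}]}},
    {"time": "2024-03-05T08:00:00Z", "category": "audit.data-access",
     "user": "analyst@example.test",
     "message": {"object": {"type": "Employee", "id": {"employeeId": "E-1001"}},
                 "attributes": [{"name": "healthRecord", "successful": True}]}},
    {"time": "2024-05-20T12:00:00Z", "category": "audit.security-events",
     "user": "svc-integration", "message": {"data": "login failed"}},
]

CHANGE_CATEGORIES = {"audit.data-modification", "audit.configuration"}
READ_CATEGORIES = {"audit.data-access"}
RETENTION_DAYS = 90  # platform keeps audit logs about 90 days, then deletes them


def classify(record):
    """Map a record to the logging type the blog distinguishes."""
    category = record.get("category", "")
    if category in CHANGE_CATEGORIES:
        return "change-log"
    if category in READ_CATEGORIES:
        return "read-access-log"
    return "other"


def to_siem_event(record):
    """Flatten one record into a normalized event a SIEM can index."""
    msg = record.get("message", {})
    obj = msg.get("object", {})
    return {"ts": record["time"], "kind": classify(record),
            "actor": record.get("user", "unknown"),
            "object_type": obj.get("type"),
            "object_id": json.dumps(obj.get("id", {}), sort_keys=True),
            "fields": [a["name"] for a in msg.get("attributes", [])]}


def expiring_soon(records, now_iso, within_days=7):
    """Records the platform will delete within `within_days`: the SIEM pull
    must cover these before the retention window closes."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    out = []
    for r in records:
        written = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
        if written + timedelta(days=RETENTION_DAYS) - now <= timedelta(days=within_days):
            out.append(r)
    return out
```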
The SAP BTP tenant administrator can view detailed information related to users.
SAP Data Retention Manager
For applications that are built on SAP Business Technology Platform, SAP Data Retention Manager is an excellent tool for data protection and privacy (DPP) personnel to block personal data when the end of purpose is reached and to delete the data when the end of retention is reached. It also allows setting up retention and residence rules to block or destroy personal data and related transactional data for applications built on SAP BTP, irrespective of the data model being used. You can refer to SAP Data Retention Manager for more details.
SAP Data Privacy Integrator
This is one of the service capabilities of SAP BTP that helps generate information about personal data, including what personal data is stored, and supports exporting, correcting and deleting that data. More importantly, this service helps maintain rules and triggers for deleting data that has reached the end of the purpose for which it was processed. Lastly, data controllers can define the business context in which data is stored and processed, together with its purpose.
Please refer to the link to know more about this service.
SAP Business Technology Platform – Shared Security Responsibility
SAP Business Technology Platform is offered as a “Platform as a Service (PaaS)” and security responsibility is shared between SAP and our customers. SAP manages the underlying business technology platform, encompassing virtual images, containers, the design and deployment of the virtual platform at the Hyperscaler, regular security operations, and security incident management. On the other hand, customers take responsibility for configuring integrations and extensions, modernizing and developing new cloud-native applications, and managing secure connectivity, roles, authentication, and authorizations. The diagram below shows the shared security responsibility at a high level between SAP, being the platform provider, the Hyperscalers that are leveraged as IaaS providers, and the customers who consume services in SAP Business Technology Platform.
SAP BTP Security Control:
SAP BTP provides a comprehensive security mechanism at the transport layer and at the message level. The platform supports secure, encrypted transport-layer communication via HTTPS/TLS 1.2, and messages exchanged are protected with digital signatures. Customer data is isolated, and applications are sandboxed in secure runtime environments. The platform supports management of identities, authentication, authorization, identity federation, principal propagation, distributed application logging for compliance, and extensive monitoring capabilities. The table below lists some of the security services most commonly used by our customers.
The diagram below shows the more commonly used security services in SAP BTP.
In the following section, we will look at common authentication scenarios with SAP BTP at a high level.
Microsoft Azure Active Directory single sign-on (SSO) integration with SAP BTP Identity Authentication
A common scenario that we often encounter is Azure AD being used as the IdP by customers. It is fairly easy to integrate SAP BTP Identity Authentication with Azure Active Directory (Azure AD). BTP Identity Authentication together with Active Directory Federation Services helps implement SSO across applications or services protected by Azure AD as the identity provider and SAP applications and services protected by SAP BTP Identity Authentication. The Identity Authentication Service (IAS) can also act as an IdP proxy, delegating authentication to the customer-owned ADFS (IdP) or Azure AD. Trust settings must be maintained between SAP BTP and Azure AD.
A simple architecture showing how IAS can delegate authentication to Azure AD is depicted in the diagram below. For more details on this, you can refer to the MS Azure link.
User Authentication via User Store in the SAP BTP Identity Authentication Tenant
A common and simple authentication scenario is one in which SAP BTP acts as the service provider and IAS acts as the identity provider. A trust has to be established so that the authentication request from the application is redirected to the IAS login web page.
User Authentication with Corporate User Store
We often encounter a customer scenario where the customer maintains their own Active Directory or user data store within their enterprise network and wants to keep users in that AD. In this case, SAP BTP can act as an IdP proxy, and authentication requests can be proxied to the customer's user data store via the SAP BTP Connectivity service.
SAP runs industry applications and cloud-based analytics applications (SAP Analytics Cloud) as SaaS, leveraging SAP Business Technology Platform. The platform applications and services have been architected with security-by-design and security-by-default principles. SAP BTP also supports tenant segregation, secure connectivity, data encryption at rest and in transit, risk-based authentication, and integration with on-premise and cloud-based applications with a rich set of API security features, making this a truly enterprise-grade business technology platform. For the full list of SAP BTP services, you can refer to the link for the SAP Business Technology Platform Service Description Guide and Agreement and download the latest SAP BTP service description document.
A must-read for all BTP customers, partners and SAP employees!
This is very informative from the SAP Platform upward to the Customer, is there any documentation on what controls SAP employs with the HyperScalers (Azure for instance)?
Do Azure HyperScaler admins have any ability to access servers or DBs/storage?
Azure admins have no access to servers/DBs or storage. We use Azure as the IaaS provider and Azure operates only up to the hypervisor layer. SAP admins manage the customer subscription with the entire infrastructure stack, including servers/DBs, storage and other VNET security controls.
I'm working on a threat model of Cloud Integration on BTP Cloud Foundry. Do you know if the platform DBs are encrypted by SAP? And I would assume CI just leverages BTP's HANA on-demand in-memory DBs?
Thanks for any insight.
Does BTP provide protection against cyber attacks, such as DoS or DDoS, or does BTP rely on the hyperscaler to do so?