SAP BTP Security to Secure Data/Access
The buzz around SAP Business Technology Platform is everywhere now. Customers are more inclined towards SAP BTP and are looking forward to using it not only from an integration perspective but also for extensions and the Intelligent Enterprise.
SAP BTP works as a center point, or mediator. BTP asks everyone (SAP and non-SAP products): "Guys, you have to come via me. If you want to interact with your colleagues (other SAP and non-SAP products), please take my help; your journey will be awesome. Yes, of course, for some time I am free for trial, where you can utilize my services, but you have to pay for production. There also you have a good option: take only what you need, or take me fully, consume and pay." 🙂
BTP says: why go here and there when I am here? 🙂
A major benefit for customers is that they can use BTP on their selected hyperscaler: AWS, Azure, GCP or Alibaba Cloud.
The Integration Suite has the capabilities to integrate SAP as well as non-SAP systems, and SAP even provides multiple artifacts and packages ready to be utilized. The ABAP Environment supports ABAP Cloud development with embedded Steampunk. There is no restriction on language; you can bring your own language, and much more. SAP Build Apps, the low-code/no-code platform, Conversational AI, Process Automation, DevOps, Cloud Foundry, the Kyma runtime and the agile capabilities are awesome, and each service in SAP BTP has its own duty and performs it very well.
I have been with BTP Neo and BTP CF for a long time and am using SAP BTP CF more frequently nowadays, hence I can say BTP CF is more organized now. 🙂
Sorry, I got diverted and was talking about the whole of BTP; actually, I am writing this blog mainly about the security of BTP.
We always do our best to make our homes more secure with CCTV, security guards, fire extinguishers and earthquake-resistant buildings, and we try all possible ways to secure our homes and families, right? Correct me if I am wrong 🙂
In the same way, security is always a major concern for customers: how can they secure their infrastructure, since they do not want to compromise on security? As we know, applications on SAP BTP are exposed to the Internet and should therefore fulfill the highest possible security requirements to prevent unauthorized access.
In order to avoid security-related threats to data and infrastructure, SAP BTP already provides different ways to secure customer data, prevent unauthorized access, and so on.
I am not talking about all security-related topics here, but about the most commonly used ones, which help us secure our and our customers' data, access and infrastructure. If you want to know more, please refer to the good content SAP provides (help docs).
General SAP BTP and Network Security Aspects –
The SAP BTP landscape runs in an isolated network that is protected from the outside by firewalls, a DMZ, and communication proxies for all inbound and outbound communication. All user access is protected with transport layer security (TLS).
What is DMZ?
In computer networks, a DMZ, or demilitarized zone, is a physical or logical subnet that separates a local area network (LAN) from other untrusted networks — usually, the public internet.
What is a Firewall?
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
What is TLS?
Transport Layer Security (TLS) encrypts data sent over the Internet so that eavesdroppers and attackers are unable to see what you transmit, which is particularly important for private and sensitive information such as passwords and personal correspondence.
SAP BTP Connectivity Service –
SAP BTP Connectivity is used to enable your SAP BTP applications to access remote services on the Internet or in your on-premise systems. For connecting to Internet services, SAP recommends that APIs are used with destinations, and for cloud-to-on-premise scenarios, SAP recommends that you use destinations together with the Cloud Connector.
In the Destinations section of the subaccount you can create and import destinations, manage certificates, download the trust, download the IdP metadata, and also renew the trust from there.
Benefits of Destinations –
If we use destinations, we achieve a separation between the application and its configuration, which means it is easier to make configuration changes. We can also use destinations to store credentials and certificates instead of keeping them in the application itself.
What is the Cloud Connector?
The Cloud Connector is a lightweight on-premise agent that establishes a tunnel for connecting your cloud applications to on-premise systems. It acts as a reverse invoke between the on-premise network and SAP BTP, which means you don't need to open inbound ports in the firewall for external access from the cloud. The Cloud Connector provides a fine-granular access control mechanism, supports multiple protocols such as RFC and HTTP, and can forward the cloud user identity using principal propagation. This enables users to log on to on-premise systems without logging in again, because their current identity is forwarded from the cloud. We can configure the Cloud Connector directly from the subaccount in the SAP BTP cockpit.
It is available free of charge and can be downloaded from the location below:
https://tools.eu1.hana.ondemand.com/
The Cloud Connector is very popular now for connecting on-premise systems with BTP; we have been using it for a long time and will have to keep using it.
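The two recommended patterns from above, as a constructed example added here (not from the original post or any real landscape): an Internet API reached with OAuth2 client credentials stored in the destination, and an on-premise system reached through the Cloud Connector with principal propagation. The destination names, hosts, location ID, client and client ID are assumptions; the property names are the standard destination properties, and the values could be entered in the cockpit or imported as a destination file.

```json
[
  {
    "Name": "S4H_ONPREM",
    "Type": "HTTP",
    "Description": "Constructed example: URL is the virtual host exposed by the Cloud Connector, never the real internal host, so no inbound port is opened",
    "URL": "http://s4hvirtual:44300",
    "ProxyType": "OnPremise",
    "Authentication": "PrincipalPropagation",
    "CloudConnectorLocationId": "LOC01",
    "sap-client": "100"
  },
  {
    "Name": "PARTNER_API",
    "Type": "HTTP",
    "Description": "Constructed example: the client secret lives only in the destination, so the application code and repository never contain it",
    "URL": "https://api.partner.example.com",
    "ProxyType": "Internet",
    "Authentication": "OAuth2ClientCredentials",
    "tokenServiceURL": "https://auth.partner.example.com/oauth/token",
    "tokenServiceURLType": "Dedicated",
    "clientId": "btp-sec-demo",
    "clientSecret": "<placeholder-stored-in-destination-only>"
  }
]
```

For the on-premise destination the Cloud Connector must additionally map the virtual host to the internal system and whitelist the allowed URL paths, so the destination alone does not grant access.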
Identity Management and Authorization Management –
Restrict access to any endpoint of your application through authentication and authorization. Identity and authorization management ensures that only the intended target group, such as your company’s employees, can access your application.
SAP recommends that we use the SAML or OpenID Connect single sign-on protocol for user access, and principal propagation for back-end access.
If only access for technical users is needed, however, principal propagation isn’t necessary. Once a user is authenticated, single sign-on propagates the credentials to the back-end system without requiring the user to reauthenticate. Subaccounts get their users from identity providers. Administrators ensure that users can access only their subaccounts by establishing a dedicated trust relationship between the identity providers and the respective subaccounts.
The preconfigured default identity provider for SAP BTP is SAP ID service. If you have an SAP Universal ID, you can log on with that service. You can also connect your own identity provider, which means you have full control over your user base.
SAP Cloud Identity Services
Recommendation from SAP
For developing and administering your own applications on SAP BTP, SAP recommends that you use SAP Cloud Identity Services – Identity Authentication as a hub, especially if your business users are stored in multiple corporate identity providers. Identity Authentication is SAP's cloud solution for identity lifecycle management for SAP BTP applications, and optionally for on-premise applications.
What Is the SAP Authorization and Trust Management Service?
The SAP Authorization and Trust Management service lets you manage user authorizations and trust to identity providers. Identity providers are the user base for applications. SAP recommends that you use an Identity Authentication (IAS) tenant, an SAP on-premise system, or a custom corporate identity provider. User authorizations are managed using technical roles at the application level, which can be aggregated into business-level role collections for large-scale cloud scenarios.
SAP Authorization and Trust Management Service and SAP Cloud Identity Services together
Security Considerations for Applications
When building applications, use the security features of SAP BTP, such as protection from web attacks. Developers should configure and deploy application-based security artifacts containing authorizations, and administrators assign these authorizations using the cockpit. SAP BTP offers platform roles that help us ensure a segregation of duties, such as between app development and administration.
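The application-based security artifact mentioned above is, on Cloud Foundry, the security descriptor (xs-security.json) bound to the XSUAA service; the constructed example below is added here and is not from the original post or any real project. It shows the technical scopes, the role templates built from them, and the role collections that an administrator assigns in the cockpit, with administration and data changes kept in separate roles for segregation of duties. The app name, scope names, attribute, role names and redirect URI are assumptions; the keys are the standard descriptor keys.

```json
{
  "xsappname": "btp-sec-demo",
  "tenant-mode": "dedicated",
  "description": "Constructed example descriptor; app name, scopes and roles are assumed, not from a real project",
  "scopes": [
    { "name": "$XSAPPNAME.Read",  "description": "Read business data" },
    { "name": "$XSAPPNAME.Write", "description": "Create and change business data" },
    { "name": "$XSAPPNAME.Admin", "description": "Administer the application configuration" }
  ],
  "attributes": [
    { "name": "CostCenter", "description": "Cost centers the user may work on (instance-level restriction)", "valueType": "string" }
  ],
  "role-templates": [
    {
      "name": "Viewer",
      "description": "Read-only access, restricted to the user's cost centers",
      "scope-references": ["$XSAPPNAME.Read"],
      "attribute-references": ["CostCenter"]
    },
    {
      "name": "Editor",
      "description": "Read and write access, restricted to the user's cost centers",
      "scope-references": ["$XSAPPNAME.Read", "$XSAPPNAME.Write"],
      "attribute-references": ["CostCenter"]
    },
    {
      "name": "Administrator",
      "description": "Administration only; deliberately has no Write scope so one person cannot both configure and change data",
      "scope-references": ["$XSAPPNAME.Admin"]
    }
  ],
  "role-collections": [
    {
      "name": "BTPSecDemo_BusinessUser",
      "description": "Assigned by the subaccount administrator to business users",
      "role-template-references": ["$XSAPPNAME.Editor"]
    },
    {
      "name": "BTPSecDemo_Admin",
      "description": "Assigned by the subaccount administrator to application administrators",
      "role-template-references": ["$XSAPPNAME.Administrator"]
    }
  ],
  "oauth2-configuration": {
    "redirect-uris": ["https://*.cfapps.eu10.hana.ondemand.com/**"]
  }
}
```

$XSAPPNAME is replaced with the real application name when the service instance is created, and the application then only has to check the scope in the incoming token; who actually holds a scope is decided by the role collection assignment in the cockpit.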
In this blog I focused mainly on the security part of BTP: how we can secure our data and prevent unauthorized access in BTP.
Thanks to @sap for providing very good documentation, which helps us write some technical blogs; we always enjoy reading the SAP help docs.
Technical Blogger/SAP BTP/Fullstack/Fiori/S/4HANA
Good one, Naveen.