Morten Wittrock

Keeping sensitive data on-premise with Edge Integration Cell

Regardless of how you build and run your integrations, sensitive data flowing through them always calls for careful consideration. Payloads containing social security numbers, medical records, payroll information etc. must be vigilantly protected. The advent of the cloud and the industry’s shift towards Integration Platform as a Service (iPaaS) solutions add another layer of complexity to this already complicated area.

Data residency requirements, for instance, limit the data centers in which certain data can be hosted. And in some cases, the data cannot be hosted in the cloud at all. This restriction can be due to statutory or regulatory requirements or it can be imposed by individual customer contracts.

In this blog post, I will discuss how to solve the problem of keeping certain sensitive integrations on-premise, even as customers migrate to SAP Integration Suite in the cloud.

The story so far

For SAP customers, up until now the answer to the question of how to keep certain sensitive integrations on-premise has been straightforward: SAP Process Orchestration.

SAP Process Orchestration is an integration platform installed and operated by the customer on the customer’s own network. This architecture enables us by default to keep certain payloads completely out of the cloud.

The platform has been around in different versions for more than 20 years. However, this venerable and much-loved product is now approaching its end-of-life in 2027 (or 2030 with extended support).

The gap left by SAP Process Orchestration will be filled by a new product called Edge Integration Cell, which I will introduce you to next.

What is Edge Integration Cell?

Edge Integration Cell is one of the hottest topics in the SAP integration world at the moment. It is a locally installed SAP Integration Suite runtime, which is currently slated for release in Q4 of this year. With Edge Integration Cell, you design your integration flows in the cloud and can then choose to deploy them to a runtime on your own network rather than your tenant’s runtime in the cloud. This approach is also known as hybrid deployment.


Edge Integration Cell architecture (© 2023 SAP SE)

As with SAP Process Orchestration, you can install and operate Edge Integration Cell entirely within your local network. Edge Integration Cell runs on Kubernetes and supports SUSE’s Rancher platform at launch, with support for Red Hat OpenShift planned for the end of this year.

The number one use case for a local SAP Integration Suite runtime is, of course, ground-to-ground integrations. This makes Edge Integration Cell an essential component for many customers in the coming years, as they migrate their ground-to-ground integrations from SAP Process Orchestration to SAP Integration Suite.

However, Edge Integration Cell will also be able to solve the problem of keeping certain sensitive integrations on-premise, even as the customer migrates to SAP Integration Suite in the cloud. I’ll cover the solution later, but let’s first take a look at how sensitive payloads are handled in SAP Cloud Integration.

Sensitive payloads in SAP Cloud Integration

Integration flows that are deployed to the cloud (which is, at the time of writing, still the only option) are also monitored in the cloud. When tracing an integration flow (that is, setting its log level to “Trace”), its payloads will be stored in your tenant’s database in the cloud. For non-sensitive payloads, this is what we want in, for instance, a debugging situation.

For sensitive payloads, we have the option of restricting who can view them via Access Policies. In many cases, this is probably good enough. But if the requirement is that certain sensitive payloads cannot be stored in the cloud at all, deploying those integrations in the SAP Integration Suite tenant is currently not an option.

Before going into how this will be solved with Edge Integration Cell, let’s examine how monitoring integration flows running in Edge Integration Cell works.

Monitoring in Edge Integration Cell

When an integration flow executes in Edge Integration Cell, its log records are stored in a local database. You will still be able to monitor that integration flow in the cloud, though. The difference is that you have to actively pull log records from the Edge Integration Cell. They are, in other words, not continuously pushed from your local network to the tenant in the cloud. This makes sense; avoiding having to move large amounts of data over the Internet is, after all, one of the main purposes of the Edge Integration Cell.

When you go to Monitor → Integrations in the SAP Integration Suite UI after installing at least one Edge Integration Cell, you will be able to choose which runtime you want to monitor: a local Edge Integration Cell runtime or the tenant’s runtime in the cloud. Only when you choose an Edge Integration Cell will its log records be requested and displayed.


Choosing which runtime to monitor (© 2023 SAP SE)

This means that sensitive payloads of a locally running integration flow can still end up in the cloud. You can restrict access to those payloads with Access Policies, but you cannot prevent them entirely from entering the cloud. Or more precisely: You cannot do that yet.

Sensitive payloads in Edge Integration Cell

This brings us, finally, to how the problem I’ve outlined above will be solved in Edge Integration Cell. And fortunately, the solution is already on its way. Specifically, SAP is planning an option to not allow any log records to leave the local network. When this option is enabled, it will no longer be possible to monitor that particular Edge Integration Cell in the cloud. As a consequence, sensitive payloads will stay on-premise at all times.

Please note that this option will be for the entire Edge Integration Cell installation, not per integration flow. This means that you must dedicate a separate Edge Integration Cell installation to these particularly sensitive integrations. This is probably not an issue, though, since you are likely already required to apply stricter security safeguards around these integrations.

So once this option becomes available, customers who need to keep certain sensitive integrations and their payloads out of the cloud can safely choose to deploy them to Edge Integration Cell.



      Antonio Maradiaga

      Make sure to check out the 🔴 SAP Integration Suite - Hybrid Integration session part of Devtoberfest 2023 if you want to learn more about Edge Integration Cell 🙂

      Krishna Nagendra

      Thanks Morten. Good blog to learn about the new capabilities in message monitoring coming with Edge Integration Cell.

      Many customers have a good amount of file-based interfaces; whether Edge will solve them completely, I don't see much information about this topic.

      Morten Wittrock
      Blog Post Author

      Hi Krishna

      The file adapter for Edge Integration Cell will not be available at launch. At the moment, it is planned for Q2 of next year.



      Daniel Graversen

      Why not convert those scenarios to SFTP/FTPS? Most systems would be able to expose an endpoint via this protocol.

      The only thing I can see would be about running scripts on the file. But that is not really optimal as I see it.