SAP BTP Security and Compliance
Overview
May 2023
SAP BTP is the foundation
• Create personalized experiences that instantly work with SAP applications
• Build faster with business context to meet change with agility
• Run with confidence on a trusted, enterprise-grade platform
Capabilities: App Dev (Build and innovate), Automation (Optimize and automate), Integration (Connect and simplify), Data and Analytics (Give data purpose), AI (Infuse intelligence)
PUBLIC 3
Agenda
01 Security and Compliance
02 Access Control and Authentication
03 Data Protection and Encryption
04 Compliance with Industry Standards and Regulations
05 Incident Response and Disaster Recovery
06 Best Practices for Secure Application Development
07 Security Monitoring and Threat Detection
Security and Compliance Overview
• Access Control
• Encryption
• Identity Management
• Vulnerability Scanning and Penetration Testing
• Logging and Monitoring
• Compliance Management
• Disaster Recovery and Business Continuity
• Incident Response
Access Control and Authentication
SAP Cloud Identity Services:
• Central User Store
• Identity Lifecycle Management
• Authentication
• Identity Federation
• SCIM APIs
SAP Business Applications:
• Authorization Management
• Token Service
• Manage Policies
• Groups & Roles
Corporate Identity Provider: 3rd party IdP, Microsoft ADFS / Azure
On-Premise User Store: AS ABAP, MS Active Directory, LDAP
You can find more information about Identity Authentication here:
SAP Community | SAP Discovery Center IAS | SAP Discovery Center IPS | SAP Discovery Center AMS |
Data Protection and Encryption
SAP BTP uses encrypted communication channels based on HTTPS/TLS, supporting TLS version 1.2 or higher. It is possible to opt in for the use of TLS 1.3 in the Custom Domain Manager. This allows the use of TLS 1.3 with applications running on SAP BTP.
Blog: SAP BTP Transport Layer Security (TLS)
SAP BTP services use the storage encryption of persistence services. They often use the IaaS layer underlying SAP BTP. This is configured in the respective IaaS accounts used by SAP BTP. Encrypted backups are stored in a persistence using a strong encryption algorithm. All these keys are stored in a key management service provided by the underlying IaaS layer.
Data Encryption Strategy (SAP Help Portal)
SAP BTP Service Stack (layers from top to bottom, with the scope each falls under):
• Applications: scope of service providing, SAP or other organisation
• SAP BTP services, scope of SAP certifications and attestations: App services; DB services (Service Fabrik with MongoDB, PostgreSQL, SAP, RabbitMQ, Redis); Object Store service; Connectivity Support; OS management; Orchestration and account configuration; Administration platform & API management
• IaaS Provider on AWS, Azure, GCP, scope of IaaS provider certifications & attestations: Block Store; Blob Store; Provide HW incl. setup; Provide DC facility
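The slide states the transport policy (TLS 1.2 or higher, TLS 1.3 optional via the Custom Domain Manager) but not how to confirm it on an endpoint you expose. The probe below is an added example, not SAP's code: it attempts one handshake per protocol version against a hostname you supply (the probe needs network access; the policy evaluation runs offline on captured results).

```python
"""Probe which TLS protocol versions an HTTPS endpoint accepts and judge the
result against a minimum-version policy (TLS 1.2 or higher, as stated above)."""
import socket
import ssl

# Protocol versions to try, oldest first.
CANDIDATE_VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
MINIMUM_VERSION = ssl.TLSVersion.TLSv1_2


def client_context_for(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Build a client context pinned to exactly one protocol version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Try one handshake per candidate version; True means the server accepted it."""
    results = {}
    for version in CANDIDATE_VERSIONS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                ctx = client_context_for(version)
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            # SSLError: server refused this version; ValueError/OSError: the
            # local OpenSSL will not even offer it (TLS 1.0/1.1 are commonly
            # disabled at the default security level) or the connect failed.
            results[version] = False
    return results


def evaluate_policy(results: dict, minimum: ssl.TLSVersion = MINIMUM_VERSION) -> list:
    """Return findings as strings; an empty list means the endpoint meets the policy."""
    findings = []
    for version, accepted in results.items():
        if accepted and version < minimum:
            findings.append(f"{version.name} accepted but below minimum {minimum.name}")
    if not any(ok for v, ok in results.items() if v >= minimum):
        findings.append(f"no protocol version >= {minimum.name} was accepted")
    return findings


if __name__ == "__main__":
    # Placeholder hostname: replace with your own custom-domain endpoint.
    print(evaluate_policy(probe_versions("app.example.com")))
```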
Compliance with Industry Standards and Regulations
SAP BTP services and the underlying infrastructure hold various certifications and attestations. The BTP services attestations and certifications can be found under the naming of "SAP Business Technology Platform" in the SAP Trust Center.
SAP BTP runs in secure and certified environments:
• World-class data centers
• Advanced network security
• Reliable data backup
• Built-in compliance, integrity, and confidentiality
Cloud Services with 99.7% availability
For more details, see
• SAP Data Center
• SAP Trust Center
• Cloud Availability section in SAP for Me
Certifications & Attestations
• ISO 27001, ISO 27017, ISO 27018 - Information Security Management System
• ISO 22301 - Business Continuity Management System
• SOC 1 Type 2, SOC 2 Type 2
• C5 Type 2 (BSI Germany)
• EU Cloud Code of Conduct
• CSA STAR
• TISAX (Trusted Information Security Assessment Exchange)
Incident Response and Disaster Recovery
Resilient Platform Services
▪ High Availability: Multi-AZ enabled
▪ Standard DR: Restore from offsite backups
Zero Downtime Maintenance (ZDM)
▪ Reduced planned downtimes
▪ Harmonized maintenance windows across SAP Cloud products
▪ Canary approach: 'Eat your own dog food'
Ensure Quality & Success Operations
▪ Meaningful outage communication
▪ Pro-active & re-active monitoring
▪ Real time status reporting
▪ 24/7 Operations & Incident Management, RCA & Improvements
* SAP Document Management, Launchpad Service and Cloud Portal
Best Practices for Secure Application Development
• SAP Cloud Application Programming Model (CAP), which includes built-in security functionality
• SAP BTP offers various services and APIs to develop secure software applications. See SAP BTP on SAP API Business Hub
• SAP BTP Security Recommendations for a securely configured platform
Act securely
Security recommendations
Our customers
Setting up SAP S/4HANA cloud securely
https://help.sap.com/docs/SAP_S4HANA_CLOUD/55a7cb346519450cb9e6d21c1ecd6ec1/fafa6639cf7b4265b68da63efbc8fb96.html?locale=en-US
Act securely
Protect your SAP S/4HANA Cloud
Our customers
Setting up SAP S/4HANA Cloud securely
https://help.sap.com/docs/SAP_S4HANA_CLOUD/55a7cb346519450cb9e6d21c1ecd6ec1/484053beaaa3455590cbf90ca99d541f.html?locale=en-US
Security Monitoring and Threat Detection
• Threat Intelligence Program
• Continuous monitoring of system and application logs
• Network traffic analysis
• Intrusion detection systems
• Proactive monitoring and response to potential threats
• Event, incident, threat, and vulnerability management
• Security information and event management (SIEM)
• 24/7 general security monitoring, including escalation procedures
• Security incident tracking and resolution by security specialists
See: Cloud Services: Reference Guide
Conclusion
I. The SAP Business Technology Platform provides a
comprehensive set of security and compliance features to
ensure the security of customer applications and data.
II. Secure application development on the platform is supported
through best practices for securing application user accounts
and data.
III. Customers can review the platform's security features and
controls and use the recommended best practices in
configuring their applications for optimal security.
More Information on: My Trust Center & SAP for Me
Thank you.
Contact information:
Jürgen Adolf
juergen.adolf@sap.com
© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.