SAP BTP

Security and compliance

June 2024

Public
SAP BTP is the foundation
Of the intelligent sustainable enterprise

1. Build securely
We build secure-by-design solutions.

2. Run securely
We run cloud operations securely.

3. Act securely
We foster a security-first culture in
everything we do.

Public 2
 Cloud Solutions from SAP

Business Technology Platform SAP S/4HANA Line of Business Solutions

Deliver trusted cloud operations while helping protect customers’ SAP applications and data

Software Development Security Solutions and Features Cloud Environments Data Security to
Build Secure software development help protect
Securely Solutions & features to Secure-by-design environments
and operations lifecycle confidentiality and
help ensure security (SAP and cloud service providers)
integrity of data

Business Process
Security to support
Automated Integrated Transparent compliance with
Run Preventive and Intelligence, operations and Attestations and reports into our regulatory
Securely detective controls response orchestration security processes and controls requirements

Risk
Mitigation with
continuous
Employees Customers Partners improvement across
Act Security is part of our DNA in Feedback loop for continuous Vast partner ecosystem to operations
Securely how we organize, train and improvement enhance security
protect people and assets

Zero Trust Architecture Shared Fate Frameworks (NIST / ISO)

Public 3
Three pillars of SAP BTP security: Build securely

SAP BTP Security

Build Securely Run Securely Act Securely

Development Solutions Cloud Automated Integrated Transparent Employees Customers Partners

Software Development Security Solutions and Features Cloud Environments

Secure software development Solutions & features to Secure-by-design environments
and operations lifecycle help ensure security (SAP and cloud service providers)

Public 4
Secure software development for SAP BTP

SAP’s secure development Threat modeling Security assessment

and operations lifecycle and testing

Public 5
SAP’s secure development and operations lifecycle
Continuous improvement and development

PRERELEASE

Plan Develop Test (Pre-)Release

Planned security Secure Security

Training Risk assessment Security testing
measures development validation

Public 6
Threat modeling
Evaluating threats in the early stages

• Mandatory since 2018

• Required for each line of business
• Part of SAP’s secure software
development and operations lifecycle
• Mitigation steps required depending on
risk

Identifying Architecture Decomposing Identifying and Risk from Mitigating

assets overview application documenting threats risks
threats

Public 7
Security assessment and testing
Internal and external security assessments including penetration tests

Penetration tests
• Internal and external
• Web applications (SAP BTP, SAPUI5, Web Dynpro, and others)

Code scans SAP BTP

Security testing
• Static application security testing (SAST)
• Dynamic application security testing (DAST)

Other application security testing

• Code scan
• Authorization tests end to end
• Virus scans for documents
• Other test methods

Public 8
Build securely – security, data protection, and privacy features

Secure user access Security audit logs

and permissions

Secure connectivity Secure communication

and encryption

Public 9
SAP BTP – application layer security

SAP BTP user interfaces Simplified

End User authentication and
SAP Launchpad, Work Zone, Task Center authorization
SAP-managed security
configuration, secure by
SAP BTP applications
default
CF env, Kyma, ABAP env Detection of attacks with
Application Clients application, security, and
Mobile or Desktop
audit logs
SAP BTP persistence services
Data protection and
HANA DB, Redis, PostgreSQL, ObjectStore as a privacy tools
Service
Secure communication
by encryption in transit
Encryption of data at
Authenticate
rest
Secure APIs

SAP Cloud Identity

3rd party identity provider / Services
Identity management

Public 10
 Secure user access and permissions

SAP Cloud Identity Services

End User
SAP Business Applications

Authentication and
Identity Single Sign-on
Authentication IBP

Mobile or Desktop Management of identities

Identity
Provisioning and authorizations
Delegated
Authentication Identity Lifecycle
Management

Two usage options for IAS:

• As the landscape-
wide identity provider • Simple and agile
• As identity provider onboarding of users
(IdP) proxy for a and applications
smooth, flexible
Corporate • Dedicated connectors
Corporate IdP integration with
for third-party cloud
User Store customers’ existing
platforms
identity and access
management (IAM)
infrastructure

Public 11
SAP audit log service

Customer can review security-relevant

activities in the audit log with
• Timestamp Subaccount
Business Multi-Cloud
• Terminal ID User/
Customer
• Audit log event

Security-relevant activities include Write

Customer BTP
Application

• User logins Application Clients Audit Log

Mobile or Desktop
Service
• Permission assignments or removals SAP BTP
Application

• Change of trust setups

• Subscription updates
• Change of monitoring checks

Public 12
SAP BTP connectivity

SAP Connectivity service lets you Subaccount

establish connectivity between your Multi-Cloud

cloud applications and on-premise End User

systems running in isolated networks.
Web-Apps

Features: Destination
• Access on-premise systems Application Clients
Mobile or Desktop
Connectivity
• Secure tunnel Service

• Multiple supported protocols

• Access cloud databases via JDBC/ODBC
Secure tunnel
• Propagate cloud user identity
Cloud
Connector

SAP On-Premise
Solutions
SAP S/4HANA

Public 13
Secure communication and encryption

SAP BTP
• Communication protocols of
SAP BTP support encryption,
such as HTTPS with up to TLS1.3 SAP BTP user interfaces
and AES-256 SAP Launchpad, Work Zone,
Task Center
• Data at rest encryption is Secure communication
provided by the storage (up to TLS 1.3/HTTPS)
SAP BTP applications
encryption of the persistence
CF env, Kyma, ABAP env
services
Encryption of data
• They use SAP HANA or the IaaS at rest using SAP
SAP BTP persistence services
HANA capabilities
layer underlying the SAP BTP.
HANA DB, Redis, PostgreSQL,
This is configured in the ObjectStore as a Service
respective IaaS accounts used
by SAP BTP Secure communication
Self-encrypting drives, (HTTPS)
• Storage-level encryption is Software encryption, Infrastructure and Storage
supported on hardware level by Data at rest encryption
On hardware level
SAP BTP and SAP HANA

Public 14
SAP BTP – APIs to develop secure software

SAP BTP offers various APIs to develop secure software

applications

SAP Cloud Identity Services – A suite of services for user

authentication and lifecycle management
Applications
SAP Authorization and Trust Management Service – Manage
application authorizations and trust for SAP BTP

Platform Authorization Management API – Functionality for

APIs
subaccount members managing

SAP Connectivity Service – Manage destinations and securely

connect to on-premise systems Your Services

SAP Credential Store Service – Managing passwords and keys

…
Audit Log Retrieval API – Functionality for retrieving audit logs Connectivity Authorization Audit Log
Service and Trust Service
SAP Malware Scanning Service – Scan business documents Management
uploaded by your custom-developed applications for malware

Public 15
Additional solutions from SAP for securing applications and data

Identity and access Privacy governance

management solutions

Focus on risk management

Threat detection for SAP across the portfolio of SAP
applications solutions

Visit sap.com/grc for more information

Public 16
Secure-by-design cloud environments

Global Benefit from

coverage local
regulations
(select region of
data storage)
Low latency
speeds-up
access
Physical
security and
Data network
center security
security

Data center
Compliance,
on tier-level
confidentiality,
III or IV
and integrity

Public 17
Three pillars of SAP BTP security: Run securely

SAP BTP Security

Build Securely Run Securely Act Securely

Development Solutions Cloud Automated Integrated Transparent Employees Customers Partners

Automated Integrated Transparent

Software Development Security solutions and features Cloud Environments
Preventive and Intelligence, operations and Attestations and reports into our
Secure software development Solutions & features to Secure-by-design environments
detective controls response orchestration security processes and controls
and operations lifecycle help ensure security (SAP and cloud service providers)

Public 18
Automation enables a scalable approach to security

Governance

Serve Scan Report

Thousands millions On alerts
Of accounts Of assets and scan
results Act on reports
With the engagement of
hundreds of developer
teams
Automated tools, patching, and security checks

Public 19
Security monitoring: Detection, protection, and response

Customer security
Cloud provider security monitoring
monitoring

Access and
Host Network Infrastructure Authentication
application

EVENTS

Security incident and event

Custom SIEM
management (SIEM)
External threat
Data enrichment ALERTS
intelligence
Security orchestration,
automation, and response

CASES

Incident response

Public 20
SAP’s secure development and operations lifecycle
Continuous security monitoring and operations

PRERELEASE

Prevent Detect Respond and adapt

Security Vulnerability Security Incident

Defense in depth Analysis
validation management monitoring management

Public 21
SAP’s Cyber Fusion Center

Our Cyber Fusion Center integrates cyberthreat intelligence with security

and technology operations and response. This integration drives the
proactive, defensive actions that protect critical technology and data assets.

Security engineering Red team operations

Cybersecurity incident response team Project management office

Attack surface reduction Cyberthreat intelligence

Public 22
Comprehensive contracts and independent audits

Service-level Independent audits, Security framework Applicable local

Agreements certifications, and description regulations globally
attestations

Public 23
Security, data protection, and privacy safeguards

Authentication Authorizations Data separation

Standard authentication capabilities Standard authorization concepts fine-tuned Purpose-based personal data separation

Change control
Physical access control Ability to document all changes to personal data
Preventing unauthorized persons from gaining with standard change logging
access to data processing systems

Encryption
Technical and
Standard encryption of personal data during transit
Disclosure control Organizational and at rest
Ability to document all access to personal data
with logging features
Measures (TOMs)

Availability control
Procedures such as backup, disaster recovery,
and business continuity
Pseudonymization
Changing the data in a way that the data subject is
not identifiable without using secret key or
information Transmission control
Job control Transmission control of personal data such as
Data controller required to ensure that the data processor is through encryption
following their instructions and guidelines; this organizational
task has some technical aspects such as system audit

Public 24
Management system, regulation and best practices1

Certification Financial controls Operations and compliance Cloud computing

ISO 270012,ISO 270172,
ISO SOC 1 SOC 2 compliance controls catalog
270182, ISO 223012, ISO 90012, (SSAE18 / ISAE 3402) (AT 101 / ISAE 3000) BSI-C5
Transparency BS10012, CSA STAR (ISAE 3000)

Data protection Data privacy

BS10012 EU General Data Protection Regulation,
Privacy EU Cloud Code of Conduct (Art. 40 GDPR)

Market Region
TISAX, PCI DSS3 KRITIS, HDS, ISMAP3, ECC/CCC3
Regulation

Quality Service Business Application Hardening Destruction of Incident

Security best management delivery continuity security guidelines media management
practice ISO 9000 ISO 20000 ISO 22300 ISO 27034 SANs, ISO ISO 27040 ISO 27035
(extract) ISO 25010 OWASP CERT, NIST

Management system
ISO 27000, ISO 22300, NIST CSF
Foundation
SAP BTP Cloud standards and best practices
1. The management systems are used across all SAP Cloud Secure services, execution of independent certification, and audit depend on service and organizational unit respectively.
Details are available at www.sap.com/about/trust-center/certification-compliance.html.
2. Component of the Integrated Information Security Management System (IISMS) of SAP.
3. Limited product scope.
Public 25
Three pillars of SAP BTP security: Act securely

SAP BTP Security

Build Securely Run Securely Act Securely

Development Solutions Cloud Automated Integrated Transparent Employees Customers Partners

Our Employees
Automated Our Customers
Integrated Our Partners
Transparent
Software Development Security solutions and features Cloud Environments
Security is partand
Preventive of our DNA in Feedback loopoperations
Intelligence, for continuous
and Vast partner ecosystem
Attestations and reportstointo our
Secure
how we software
organize, development
train and Solutions &
improvement features to Secure-by-design
enhance security environments
detective controls response orchestration security processes and controls
and operations lifecycle
protect people and assets help ensure security (SAP and cloud service providers)

Public 26
Security is part of our DNA

SAP CEO,
SAP executive board

Protection of people
Employee preparation:
and assets:
• Global awareness SAP chief security officer • Threat modeling training
• Role-based training • Interconnected physical
and cybersecurity

SAP Global Security team

Public 27
SAP BTP shared responsibility model
Customer Account Management Customer application access

Application Creation, Evolution and Change

Customer Management

Or SAP SAP HANA Service Management Cloud operations from SAP and Customers

Runtime and Services Management

SAP Resource and Account Provisioning

Cloud operations from SAP
Operation System (OS) Maintenance

Database and Storage Management

Infrastructure Maintenance IaaS orchestration

SAP or
Network Storage Compute
Hyperscaler
Physical fabric
Data Center and Hardware

Public Shared Responsibility Model Between You and SAP 28

Security recommendations
Configuring security settings in SAP BTP

Help Portal: SAP BTP Security Recommendations

Public 29
Security recommendations
Security Dashboard

Blog posts:

• Secure Configuration Monitoring of SAP Cloud

Services
• SAP Security Configuration Recommendations
• Security Configuration APIs for major Cloud
Products
• SAP Security Configuration Dashboard using
SAP Analytics Cloud (Template)
• SAP Analytics Cloud Security Configuration
Dashboard Template Community Content

Public 30
Report security incidents
Proven way for SAP customers and security researchers

www.sap.com/about/trust-center/security/incident-management.html
Public 31
Partnership with customers supports
Continuous feedback and improvement

Our focus on
Customers your security SAP
requirements

Customer advisory board SAP Customer Connection program SAP Continuous Influence program

Public 32
Ecosystem partnerships for enhanced security

Security
Cloud service researchers
providers Collaborate to improve
Optimized environments security posture and
with multiple deployment readiness
options

We
partner with:

Private / Public System

partnerships integrators
Bridging the cyber Vast network of
skills gap security advisors

Software
Technology vendors
partners + 500 partner
Leverage leading solutions available on
technologies to enhance SAP store
security

Public 33
Three key messages to take away

Security and compliance are key capabilities of SAP BTP,

approached holistically and from end to end.

SAP BTP is developed securely with built-in state-of-the-art

security features and privacy capabilities.

SAP BTP Cloud operations adhere to and go

beyond leading industry standards in technology, operative,
and legal measures.

Public 34
Further information

SAP Help Portal

SAP BTP documentation including security

SAP Community
SAP Business Technology Platform Security

Secure software development

The Secure Software Development Lifecycle at SAP

Shared responsibility
Shared Responsibility Model Between You and SAP

SAP Trust Center

SAP Compliance Offerings – Explore Certificates,
Reports, and Attestations

SAP Road Map Explorer

SAP BTP Security Road Map

Security related customer content

Cloud Services: Reference Guide
Guide to Customer Content

Public 35
Thank you
Contact information:

Juergen Adolf
[email protected]

© 2024 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to this material.