Wild West BTP - and where is SAP security?
As a new development environment for SAP customers, the Business Technology Platform (BTP) offers an unprecedented range of options and stands out thanks to its tight integration with SAP's products. Adoption of the new technology platform in customer companies is rapid, and a kind of Wild West spirit of optimism prevails.
There is still little evidence of governance, fixed structures and best practices, which is dangerous from an information security perspective. Some customers find, practically overnight and without first having asked who is allowed to do what, or whether it is necessary at all, that numerous BTP tenants are connected to their productive system. It is often not at all clear where the responsibilities lie, whether all tenants are being used productively and what the individual technical requirements behind them are. This is the first hurdle.
The second hurdle arises once governance guidelines have been defined. Once it has been clarified who is responsible for BTP tenants, who is authorized to create them, and who approves a tenant and when, it still has to be defined from scratch where the tenant is to be connected.
There is no existing staging concept to fall back on here, as the best practices established in SAP in the past only work to a limited extent in the BTP world.
Apart from new challenges in the area of identity and access (i.e. clarifying how users access the systems, and how and where they are provisioned and authorized), the established BTP processes must also be examined to determine whether they are being adhered to and remain effective in the long term.
This is done by means of an internal control system (ICS), which continuously puts the new process to the test and validates, for example, whether only a certain number of administrators exist for the global BTP account. The fact that SAP takes BTP security seriously is demonstrated not least by the 103 security recommendations that have already been published.
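The administrator-count check described above, as an added example that is not code from the article or from SecurityBridge: a small Python control that compares a role-collection assignment export against a policy (maximum number of members, approved member list) and reports deviations. The export format, user names, approved list and threshold are constructed assumptions; the role-collection names "Global Account Administrator" and "Global Account Viewer" are standard BTP names, but the assignments shown are sample data.

```python
"""ICS-style control for BTP role-collection assignments (added example).

Assumed (hypothetical) input: an export of assignments on a global account,
one record per user/role-collection pair. The policy describes the expected
state that the ICS validates continuously.
"""
from collections import defaultdict

# Constructed sample export: who holds which role collection on the global account.
ASSIGNMENTS = [
    {"user": "alice@example.com", "role_collection": "Global Account Administrator"},
    {"user": "bob@example.com", "role_collection": "Global Account Administrator"},
    {"user": "carol@example.com", "role_collection": "Global Account Administrator"},
    {"user": "svc-ci@example.com", "role_collection": "Global Account Administrator"},
    {"user": "dave@example.com", "role_collection": "Global Account Viewer"},
]

# Constructed policy: at most three global account administrators, and only the
# named, approved persons (no technical users) may hold the role collection.
POLICY = {
    "Global Account Administrator": {
        "max_members": 3,
        "approved": {"alice@example.com", "bob@example.com", "carol@example.com"},
    },
}


def members_by_collection(assignments):
    """Group the export into {role_collection: set(users)}."""
    members = defaultdict(set)
    for record in assignments:
        members[record["role_collection"]].add(record["user"])
    return members


def evaluate_control(assignments, policy):
    """Return a list of human-readable findings; an empty list means the control passed."""
    findings = []
    members = members_by_collection(assignments)
    for collection, rule in policy.items():
        users = members.get(collection, set())
        # Deviation 1: more members than the governance rule allows.
        if len(users) > rule["max_members"]:
            findings.append(
                f"{collection}: {len(users)} members exceed the maximum of {rule['max_members']}"
            )
        # Deviation 2: members outside the approved list (one finding per user).
        for user in sorted(users - rule["approved"]):
            findings.append(f"{collection}: unapproved member {user}")
    return findings


if __name__ == "__main__":
    for finding in evaluate_control(ASSIGNMENTS, POLICY) or ["control passed"]:
        print(finding)
```

Run periodically against a fresh export, the control yields a finding as soon as an extra or unapproved administrator appears, which is exactly the kind of deviation the ICS is meant to surface; the approved list is what distinguishes a legitimate replacement of one administrator by another from an unreviewed addition.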
BTP guidelines
After clarifying the authorizations and the secure configuration, it finally comes down to what actually happens in the BTP in terms of content. Pure ABAP (Steampunk) programming is no longer a must there; you can develop in Python, for example. There are also Fiori developments; here, too, the Wild West in a positive sense, i.e. possibilities for realization without limits.
BTP's strengths are its connection and integration with SAP's flagship product S/4HANA. In principle, however, it is a free development platform, with the challenges that apply to such platforms: you need a process, a set of rules and guidelines for secure coding. Testing mechanisms must be developed to detect deviations. The first step is to define responsibilities and establish processes for how monitoring and governance reviews are to be structured in detail, regardless of a security platform such as SecurityBridge. This is the main task when it comes to ensuring SAP security on the BTP. The next step is to set up the BTP tenant and check whether there are any settings there that represent potential entry points for attackers. This is where a security solution can support monitoring by creating transparency and helping to identify critical activities and react immediately within the business process.
As forward-looking as the technology is, the (security-related) challenges associated with its use are just as great. This first requires new rules and processes - then SAP security is also guaranteed in the Business Technology Platform. This will become all the more important if the current ten percent of SAP users (according to current surveys) soon become 50 or more percent who build extensions on the new platform and use them productively.