The global and independent platform for the SAP community.

Wild West BTP - and where is SAP security?

Many SAP customers are currently in the early adopter phase of individual production scenarios with the Business Technology Platform. Beyond established SAP processes, it is important to get governance and therefore the issue of SAP security under control.
Christoph Nagy, SecurityBridge
January 25, 2024
avatar
This text has been automatically translated from German to English.

As a new development environment for SAP customers, the Business Technology Platform (BTP) offers unimagined variation possibilities and stands out thanks to its strong integration with the SAP product. The adaptation of the new technology platform in customer companies is rapid and there is a kind of Wild West spirit of optimism.

There is still little evidence of governance, fixed structures and best practices, which is dangerous from an information security perspective. There are customers who decide overnight, without first checking - who is allowed to do what? Is this necessary? Et cetera - find numerous BTP tenants connected to their productive system. It is often not at all clear where the responsibilities lie, whether all tenants are being used productively and what the individual technical requirements behind them are. This is the first hurdle.

The second hurdle arises once governance guidelines have been defined. Once it has been clarified who is responsible for BTP tenants, who is authorized to create them and who approves a tenant and when, it must then be freely defined where the tenant is to be connected.

There is no existing staging concept to fall back on here, as the best practices established in SAP in the past only work to a limited extent in the BTP world.

Apart from new challenges in the identity and access area (i.e. clarifying how users access the systems, how and where they are provisioned and authorized), it is also important to ask the established BTP processes whether they are being adhered to and are effective in the long term.

This is done by means of an internal control system (ICS), which continuously puts the new process to the test and validates, for example, whether only a certain number of administrators exist for the global BTP account. The fact that SAP takes the issue of security for BTP seriously is demonstrated not least by the 103 security recommendations that have already been published.

BTP guidelines

After clarifying the authorizations and the secure configuration, it is finally a matter of what happens in the BTP in terms of content. Pure abap/steampunk programming is no longer a must there; you can develop in Python, for example. There are also Fiori developments - here, too, the Wild West in a positive sense, i.e. possibilities for realization without limits.

BTP's strengths are its connection and integration with SAP's flagship product S/4 Hana. In principle, however, it is a free development platform - with the challenges that apply to such platforms: You need a process, a set of rules and guidelines for secure coding. Testing mechanisms must be developed to detect deviations. The first step is to define responsibilities and establish processes for how monitoring and governance reviews are to be structured in detail, regardless of a security platform such as SecurityBridge. This is the main task when it comes to ensuring SAP security on the BTP. The next step is to set up the BTP tenant and check whether there are any settings there that represent potential gateways. This is where a security solution can support monitoring by creating transparency and helping to identify critical activities and react immediately in the business process. 

As forward-looking as the technology is, the (security-related) challenges associated with its use are just as great. This first requires new rules and processes - then SAP security is also guaranteed in the Business Technology Platform. This will become all the more important if the current ten percent of SAP users (according to current surveys) soon become 50 or more percent who build extensions on the new platform and use them productively.

securitybridge.com

avatar
Christoph Nagy, SecurityBridge

Christoph Nagy is Managing Director at SecurityBridge


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 20, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.