Security Logging and Alerting for SAP BTP

SAP BTP is a cloud platform that is intended to decouple SAP customizations required by customers from underlying SAP solutions. As part of SAP’s drive for a clean core and to promote a modular architecture, BTP enables organizations to enhance and extend the capabilities of their SAP solutions by deploying custom code, integrations and other enhancements to a separate platform, without modifying standard SAP solutions. This is intended to realize more flexibility, easier scalability, faster upgrades, improved security, and, crucially, lower maintenance. Lower maintenance costs are especially important for SAP in the context of SAP RISE. Heavily customized environments increase the burden on SAP managed services for RISE customers. Therefore, RISE customers are provided with consumption credits for BTP by SAP.

On-premise customers can also benefit from BTP. They can access services for development, automation, integration, analytics, and artificial intelligence offered by both SAP and partners in BTP. For example, SAP Build Apps enables customers to rapidly develop and deploy applications with no-code or low-code using a drag-and-drop interface. This can dramatically lower development efforts for simple applications, More complex applications can be created using the SAP Business Application Studio cloud development environment together with the Cloud Application Programming Model and ABAP RESTful application model frameworks. The frameworks simplify application development by, for example, automatically generating required OData services based on data models. Developers can also leverage generative AI services in BTP to automatically generate ABAP code based on prompts.

Once developed, the applications can be deployed directly in BTP. Therefore, BTP supports both application development and application hosting for runtime services. Applications deployed to BTP can be integrated with on-premise solutions using the SAP Cloud Connector.

SAP BTP has a shared model of responsibility for security. Since BTP is a Platform-as-Service (PaaS), SAP is responsible for managing the infrastructure. Customers are responsible for application-level security including managing user authentication and role assignments, application maintenance and changes, and maintaining global account and sub-account settings. Sub-accounts are similar to environments in on-premise landscapes. They are used to separate development scenarios and projects. Each sub-account is a sandboxed environment. Users and roles are managed for each sub-account.

The Identity Authentication service authenticates BTP users using a federated model that separates authentication mechanisms from applications. The service supports Single Sign-On (SSO) via SAML 2.0 and two-factor authentication.

BTP services and applications record security-related events to a central Audit Log. Events are categorized by data access, data modification, security events, and configuration changes. Logged events include actions such as user logons and logoffs, changes to user permissions, groups and trust relationships, transports, and application creation, deletion and crashes. Log records include details such as the log event ID, description, timestamp, terminal ID, and application details for each event. The default retention period is 90 days for events in the Audit Log. A subscription to the premium edition of the Audit Log service is required to change the retention period and to log events from custom applications in BTP to the Audit Log.

The Audit Log can be analyzed using the Audit Log Viewer. The Viewer enables customers to query log data based on user, time, category, message content, and other fields. However, it returns a maximum of 500 records per query request. Records can be exported for offline analysis. A subscription to the Audit Log Viewer service is required to use the Viewer.

The Auditlog Management service can be activated for global accounts and/or subaccounts to integrate the BTP Audit Log with external systems using the Audit Log Retrieval API. The API is region-specific and secured by OAuth. Therefore, access tokens must be configured for external systems to consume the service. Request rates are throttled based on the region, ranging between 4-8 requests per second for each token and tenant. Log records are retrieved by HTTP GET requests from external systems to the BTP service.

The SAP Alert Notification Service provides an alternative method for monitoring and integrating BTP events with external systems. The service sends real-time notifications for events in BTP applications and services. It includes APIs to both create and consume alerts. Unlike the Audit Log Retrieval API, it supports native integration with incident management solutions such as ServiceNow, messaging channels such as email, and messaging platforms such as Slack and Microsoft Teams. It also supports feeds from cloud providers including Amazon CloudWatch, Microsoft Azure Monitor, and Google Cloud Platform Operations. Another benefit of the SAP Alert Notification Service over the Audit Log Retrieval API is built-in integration with the SAP Cloud Transport Management Service and SAP Automation Pilot. The latter is a BTP service that supports automated response handling for alerts.

The Cybersecurity Extension for SAP supports both the Audit Log Retrieval API and the SAP Alert Notification Service to monitor and alert for security events in SAP BTP. Security alerts for BTP are combined with alerts for other SAP applications, databases, hosts and services for end-to-end monitoring of SAP cloud and on-premise landscapes. Events and alerts for all SAP solutions including BTP are integrated by the Cybersecurity Extension for SAP with SIEM systems including Splunk, QRadar, LogRhythm, Sentinel and many more.

Leave a Reply

Your email address will not be published. Required fields are marked *