Adapting Your UI Strategy for Security

Objective

After completing this lesson, you will be able to adapt your UI strategy for securing your applications on SAP BTP.

UI Strategy for SAP Business Technology Platform (SAP BTP)

When implementing a UI strategy for SAP Business Technology Platform (SAP BTP), consider the following key recommendations: 

  • Leverage SAP Fiori and SAP Fiori tools to accelerate UI development and streamline the development experience on SAP BTP.  
  • Utilize the Cloud Application Programming Model (CAP) as a strategic programming model for SAP BTP that supports serving user interfaces. 
  • Implement client isolation to ensure each client accessing your UI has access only to dedicated resources within the failure unit, rather than full capacity. 
  • Apply request throttling to monitor and control the number of requests to your UI by implementing strategies such as client quotas, API prioritization, and deferred operations. 
  • Consider both vertical and horizontal scaling to handle a greater number of requests, which is crucial for cloud services.  
  • Ensure proper monitoring by measuring and monitoring incoming requests to control and scale each failure unit effectively. 
  • Secure data in transit by utilizing encrypted communication channels (HTTPS) for secure communication with mobile applications. Implement a security strategy for protecting data stored on mobile devices. 
  • Consider authentication flows by implementing proper authentication using components that support OAuth 2.0 and SAML 2.0 standards. 

Security Considerations

When developing or using applications on SAP BTP, it's crucial to implement robust security measures.

The figure shows the key security considerations for SAP BTP.

This graphic presents six key security considerations for SAP BTP: testing and quality assurance, secure development practices, network and communication security, leverage built-in security features, authentication and authorization, and data protection and privacy, along with security monitoring and logging.

Here are key security considerations: 

  1. Leveraging Built-in Security Features 
    • Use SAP BTP's security features to protect applications from web attacks 
    • Configure and deploy application-based security artifacts containing authorizations 
    • Utilize platform roles offered by SAP BTP to ensure segregation of duties between app development and administration 
  2. Authentication and Authorization 
    • Implement proper authentication using components that support OAuth 2.0 and SAML 2.0 standards 
    • Create role templates during design time, consisting of scopes and attributes 
    • After deployment, administrators can create roles from these templates and assign them to role collections 
  3. Data Protection and Privacy 
    • Consider data protection and privacy implications early in the development process 
    • Implement measures to protect data both in transit and at rest 
    • Utilize encrypted communication channels (HTTPS) for secure communication with mobile applications 
  4. Security Monitoring and Logging 
    • Use audit logging for security monitoring 
    • SAP BTP writes logs for security-relevant events and digitally signs the log files to ensure integrity 
    • Implement the SAP Audit Log service for security-relevant auditing and logging functionality 
  5. Network and Communication Security 
    • Implement network segmentation and access controls to limit the ability of server-side applications to make unauthorized requests 
    • Use URL allowlisting to restrict application communication to predefined safe and approved external services or domains 
  6. Secure Development Practices 
    • Follow Secure Software Development Lifecycle (SSDLC) practices throughout the development process 
    • Conduct regular security assessments to identify and mitigate potential vulnerabilities early in the development process 
    • Ensure development teams are trained in secure coding practices and stay updated with the latest security trends and threats 
  7. Testing and Quality Assurance 
    • Perform thorough UI, usability, and unit tests to ensure high-quality applications 
    • Create a release candidate to propagate throughout your landscape for comprehensive testing 

By adhering to these security considerations, developers can create robust and secure applications on SAP BTP that protect data and ensure authorized access. 
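The URL allowlisting control listed under Network and Communication Security, sketched as an added example (not SAP code and not part of the original lesson). The host names, ports, and the function name `checkOutboundUrl` are constructed for illustration.

```javascript
// Added example: outbound URL allowlist for a server-side application.
// Hosts and ports below are constructed sample values, not real services.
const ALLOWED_HOSTS = new Map([
  ["api.partner.example", new Set(["443"])],
  ["files.partner.example", new Set(["443", "8443"])],
]);

// Returns { allowed, reason, url }. Callers must send the request to the
// returned normalized `url`, never to the raw input, so the HTTP client and
// this check agree on what the host is.
function checkOutboundUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return deny("unparseable");
  }
  // Only encrypted channels; this also rejects file:, ftp: and other schemes.
  if (u.protocol !== "https:") return deny("scheme");
  // "https://allowed-host@other-host/" puts the allowed name in userinfo.
  if (u.username || u.password) return deny("userinfo");
  // Exact host match: no suffix or substring matching. The parser already
  // lowercases the name; strip a trailing root dot before comparing.
  const host = u.hostname.replace(/\.$/, "");
  const ports = allowedHosts.get(host);
  if (!ports) return deny("host");
  // An empty port means the scheme default (443 for https).
  if (!ports.has(u.port || "443")) return deny("port");
  u.hostname = host;
  return { allowed: true, reason: "ok", url: u.href };
}

function deny(reason) {
  return { allowed: false, reason, url: null };
}
```

If the HTTP client follows redirects, each redirect target needs to pass the same check before it is requested.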

Direct Access / Tunneled Access

When implementing hybrid use cases where users access both SAP BTP resources and on-premise resources, two primary methods are available for securing access to on-premise resources. 

Direct access and tunneled access are two different methods of connecting to SAP systems and applications: 

  1. Direct Access: 
    • Access is limited to within the corporate network or via VPN; otherwise, the on-premise resource must be made available to the Internet in a secure way. 
    • Always used for accessing cloud apps 
    • In the destination configuration on SAP BTP cockpit:
      • URL points directly to UI resources on the internal network host 
      • Proxy Type is set to Internet 
    • Can also be used for on-premise apps, but with limitations for dynamic tiles unless the endpoint is open to the Internet  
  2. Tunneled Access: 
    • Allows access from both corporate network and Internet using Cloud Connector as a secure tunnel 
    • Primarily used for accessing on-premise apps 
    • In the destination configuration on SAP BTP cockpit:
      • URL points to the Virtual Host defined in the Cloud Connector 
      • Proxy Type is set to On Premise 
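The two destination setups above can be checked mechanically. The following is an added example (not SAP tooling and not part of the original lesson) that audits destination properties in `key=value` form. All host names, the `VIRTUAL_HOSTS` list, and the function names are constructed assumptions.

```javascript
// Added example: audit destination properties against the direct/tunneled rules.
// All host names are constructed. VIRTUAL_HOSTS is an assumed, admin-maintained
// list of the virtual host:port pairs defined in the Cloud Connector.
const VIRTUAL_HOSTS = new Set(["s4-virtual:44300"]);

const TUNNELED_OK = `Name=S4_UI
Type=HTTP
URL=http://s4-virtual:44300/sap/bc/ui5_ui5
ProxyType=OnPremise`;

const TUNNELED_PHYSICAL = `Name=S4_UI_BAD
Type=HTTP
URL=http://10.0.5.17:8000/sap/bc/ui5_ui5
ProxyType=OnPremise`;

const DIRECT_PLAIN_HTTP = `Name=CLOUD_UI
Type=HTTP
URL=http://ui.cloud.example/app
ProxyType=Internet`;

// Parse key=value lines, skipping blanks and # comments.
function parseDestination(text) {
  const props = {};
  for (const line of text.split(/\r?\n/)) {
    const t = line.trim();
    if (!t || t.startsWith("#")) continue;
    const i = t.indexOf("=");
    if (i > 0) props[t.slice(0, i).trim()] = t.slice(i + 1).trim();
  }
  return props;
}

// Returns a list of finding codes; an empty list means no finding.
function auditDestination(text, virtualHosts = VIRTUAL_HOSTS) {
  const d = parseDestination(text);
  let u;
  try { u = new URL(d.URL); } catch { return ["URL_UNPARSEABLE"]; }
  const findings = [];
  if (d.ProxyType === "OnPremise") {
    // Tunneled access: the URL must name a Cloud Connector virtual host, not
    // a physical host. The cloud-to-connector route is encrypted by the tunnel.
    if (!virtualHosts.has(u.host)) findings.push("ONPREM_URL_NOT_VIRTUAL_HOST");
  } else if (d.ProxyType === "Internet") {
    // Direct access travels outside the tunnel, so require HTTPS.
    if (u.protocol !== "https:") findings.push("DIRECT_NOT_HTTPS");
  } else {
    findings.push("PROXYTYPE_NOT_COVERED");
  }
  return findings;
}
```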

Direct Access / Tunneled Access: Differences and Security Considerations

Key Differences: 

  • Network Access: Direct access is limited to corporate network or VPN, while tunneled access allows connections from both corporate network and Internet.
  • Security: Tunneled access provides an additional layer of security by using Cloud Connector as a secure tunnel.
  • Application Type: Direct access is primarily for cloud apps, while tunneled access is mainly for on-premise apps.
  • Destination Configuration: The URL and Proxy Type settings differ between direct and tunneled access in the SAP BTP cockpit.

Tunneled access, utilizing Secure Shell (SSH) tunneling, offers several advantages: 

  • Encrypts traffic, ensuring data protection during transmission 
  • Allows secure communication between client applications and remote servers 
  • Provides a method to connect to remote services without exposing them directly to the Internet 

Choosing Between Direct and Tunneled Access: 

  • Direct access is suitable when access is limited to the corporate network or VPN, or if you make the internal resource available to the Internet. 
  • Tunneled access is preferred when access from both corporate network and Internet is required. 
  • The choice depends on the type of application (cloud or on-premise) and network accessibility requirements.

In conclusion, the requirement to not transfer business data over cloud services does not necessarily dictate the use of direct access. Both direct and tunneled access can be configured securely. The choice between them should be based on the specific network architecture, application type, and accessibility requirements of the organization. 

SAP Task Center

SAP Task Center is a service that integrates tasks from multiple SAP and non-SAP applications into a centralized solution, providing users with a single entry point to access and manage their assigned tasks.

The figure shows the key features of the SAP Task Center.

This graphic highlights seven key features of the SAP Task Center: unified task management, multiple access points, task federation, task processing capabilities, integration with SAP solutions, environment, and administration and monitoring.

Key features of SAP Task Center include:

Unified Task Management: 

  • Aggregates tasks from various SAP solutions into one list 
  • Enables processing of tasks from connected systems without switching between different inboxes 

Multiple Access Points: Tasks can be accessed through the SAP Task Center Web app, SAP Mobile Start app, and SAP Start 

Task Federation: 

  • Federates tasks from provider applications via a unified REST interface 
  • Stores tasks in a cache for resilience and quick access 

Task Processing Capabilities: 

  • Allows users to search, sort, and filter tasks based on predefined criteria 
  • Provides task details and enables certain actions directly within the SAP Task Center Web app 
  • Offers navigation to native task applications for full task details and actions 

Integration with SAP Solutions: 

  • Supports integration with various SAP applications, including SAP S/4HANA, SAP SuccessFactors, and SAP Fieldglass 
  • Enables approval scenarios for different business processes across connected systems 

Environment: Runs in the SAP BTP, Cloud Foundry environment

Administration and Monitoring: 

  • Provides a Task Center Administration app for monitoring service status and active destinations 
  • Offers Connector Status API and Service Status API for monitoring purposes 

SAP Task Center streamlines task management across the enterprise, improving efficiency and reducing the time spent navigating through various systems to find and process tasks.

Security Considerations

When implementing or using SAP Task Center, several key security considerations should be taken into account: 

  1. Access Control: 
    • Utilize SAP Authorization and Trust Management service to manage user authorizations and trust relationships with identity providers. 
    • Implement authentication and authorization to restrict access to application endpoints. 
    • Use SAML or OpenID Connect single sign-on protocols for user access. 
  2. Data Protection: 
    • Ensure that all user access is protected with transport layer security (TLS) to encrypt data transmitted over the Internet. 
    • Leverage the SAP BTP landscape's isolated network, which is protected by firewalls and a DMZ. 
  3. Connectivity: 
    • For cloud-to-on-premise scenarios, use destinations and the Cloud Connector to establish secure connections. 
    • The Cloud Connector acts as a reverse invoke agent, eliminating the need to open inbound ports in the firewall for external access from the cloud. 
  4. Identity Management: Consider using SAP Cloud Identity Services - Identity Authentication as a hub for identity lifecycle management, especially if business users are stored in multiple corporate identity providers. 
  5. Application Security: 
    • Utilize security features of SAP BTP to protect applications from web attacks. 
    • Configure and deploy application-based security artifacts containing authorizations. 
  6. Segregation of Duties: Leverage platform roles provided by SAP BTP to ensure proper segregation of duties between app development and administration. 
  7. Network Security: Be aware that applications on SAP BTP are exposed to the Internet and should fulfill the highest possible security requirements. 

The figure shows the security considerations for the SAP Task Center.

This graphic illustrates seven security considerations for the SAP Task Center: access control, data protection, connectivity, identity management, network security, segregation of duties, and application security.

By addressing these security considerations, organizations can help ensure the safe and secure implementation and use of SAP Task Center within their SAP BTP environment. 

Network Segmentation

When accessing on-premise resources from SAP BTP, the recommended approach for network separation and security is to use the SAP Cloud Connector placed in an outbound demilitarized zone (DMZ).

This solution offers several advantages over alternative methods (that is, using a reverse proxy): 

  1. Secure Tunnel: The Cloud Connector establishes a TLS tunnel to SAP BTP using a reverse invoke approach, eliminating the need to configure the DMZ or external firewall for inbound traffic. 
  2. Protection from Internet Attacks: By using the Cloud Connector, on-premise systems are not exposed to the internet, preventing potential attacks and vulnerabilities. 
  3. Fine-grained Access Control: Cloud Connector allows for precise control over which cloud applications can access specific on-premise resources, enhancing security. 
  4. Multiple Protocol Support: It supports various application protocols, including HTTP and RFC, providing flexibility for different integration scenarios. 
  5. Simple Setup: Cloud Connector offers a straightforward setup process, enabling faster implementation of hybrid cloud/on-premise applications. 
  6. Principal Propagation: Unlike reverse proxy solutions, the Cloud Connector easily supports principal propagation authentication, allowing the forwarding of cloud user identities to on-premise systems. 
  7. Line of Business Implementation: With Cloud Connector, projects can be implemented closer to the line of business, providing greater flexibility and agility. 

By contrast, using a reverse proxy approach has several disadvantages: 

  • Exposure to Internet: On-premise services become generally accessible via the Internet, increasing vulnerability to attacks. 
  • Complex Implementation: It typically requires significant involvement from the customer's IT department and a longer implementation period. 
  • Limited Filtering: If IP address filtering is used, only one IP address can be set for all SAP BTP outbound communications. 
  • Protocol Limitations: The SAP-proprietary RFC protocol is only supported for newer systems (S/4HANA release 1909 and later) when using WebSocket RFC. 

In conclusion, SAP Cloud Connector provides a more secure, flexible, and efficient solution for separating and protecting on-premise networks when integrating with SAP BTP, compared to alternative methods like reverse proxies. 

Securing Inbound Traffic from SAP BTP

The figure shows the methods for securing inbound traffic from SAP BTP.

This graphic outlines six methods for securing inbound traffic from SAP BTP: separation of environments, cloud connector, encrypted communication, trusted applications, trust establishment, and access control.

When accessing on-premise resources through SAP BTP, inbound connections are secured using the following methods: 

  1. Cloud Connector: SAP recommends using the Cloud Connector to establish a secure connection between SAP BTP and on-premise systems. 
  2. Encrypted Communication: 
    • The route from the application VM in the cloud to the Cloud Connector is always encrypted. 
    • The route from the Cloud Connector to the on-premise system should be encrypted using TLS (for HTTPS) or SNC (for RFC). 
  3. Trust Establishment: Trust between the Cloud Connector and the connected on-premise systems should be established to ensure secure communication. 
  4. Access Control: 
    • Physical host names are mapped to virtual host names in the Cloud Connector to prevent exposure of internal system information to the cloud. 
    • Access to on-premise systems is restricted to only the resources required by cloud applications. 
  5. Trusted Applications: The Cloud Connector can be configured to allow access only for trusted applications from your SAP BTP subaccount to on-premise systems. 
  6. Separation of Environments: It's recommended to use different Cloud Connector instances to separate productive and non-productive scenarios, enhancing security. 

By implementing these measures, SAP BTP ensures that inbound connections to on-premise resources are secured, protecting sensitive data and systems from unauthorized access.