Exploring Secure Connectivity in SAP BTP

Objective

After completing this lesson, you will be able to explain the role of SAP’s Connectivity Services for the security of the SAP BTP environment.

Secure Connection

Secure Connection

The figure shows the aspects of a secure connection.

This graphic presents ten aspects of a secure connection: protection of sensitive data, secure communication channels, access control, identity management, compliance with security standards, network security, audit logging, high availability, protection against cyberattacks, and separation of responsibilities.

When connecting SAP Business Technology Platform (BTP) to on-premise systems, security is of paramount importance for several reasons: 

  1. Protection of sensitive data: On-premise systems often contain critical business information that needs to be safeguarded from unauthorized access when exposed to cloud applications. 
  2. Secure communication channels: The Cloud Connector establishes a persistent Transport Layer Security (TLS) tunnel between the on-premise network and SAP BTP subaccounts, ensuring encrypted and secure data transmission. 
  3. Access control: The Cloud Connector provides fine-grained control over which on-premise systems and resources can be accessed by cloud applications, as well as which cloud applications can use the connector. 
  4. Identity management: The Cloud Connector enables secure identity propagation, allowing cloud users' identities to be securely passed to on-premise systems for single sign-on scenarios. 
  5. Compliance with security standards: SAP BTP adheres to various compliance standards and certifications, such as ISO 27001, SOC 1/2/3, and PCI DSS, ensuring that security measures are in place at multiple layers. 
  6. Network security: The Cloud Connector acts as a reverse invoke proxy, eliminating the need to open inbound ports in the on-premise firewall, thus maintaining the integrity of the internal network. 
  7. Audit logging: The Cloud Connector provides audit logging capabilities for inbound traffic and configuration changes, allowing for better monitoring and tracking of security-related events. 
  8. High availability: The Cloud Connector can be configured in a high-availability setup, ensuring continuous secure connectivity even in case of system failures. 
  9. Protection against cyberattacks: By implementing proper security measures, organizations can safeguard their mission-critical systems from potential cyberattacks that could paralyze operations or compromise data integrity. 
  10. Separation of responsibilities: The Cloud Connector helps maintain a clear separation between cloud and on-premise environments, allowing organizations to leverage existing on-premise assets without exposing the entire internal landscape. 

By prioritizing security when connecting SAP BTP to on-premise systems, organizations can ensure the protection of their valuable data, maintain compliance with industry standards, and create a robust foundation for hybrid cloud scenarios.

SAP Cloud Connector

The figure shows that the SAP Cloud Connector links on premise systems and SAP's Cloud Platforms.

This diagram illustrates the connectivity between SAP BTP and on-premise systems via the SAP Cloud Connector, using a secure tunnel. It displays the link between cloud applications and on-premise components, including ERP, non-SAP systems, and SAP Gateway.

Cloud Connector is a component that serves as a crucial link between on-premise systems and SAP's cloud platforms.

The figure shows the key aspects of a cloud connector.

This graphic outlines six key aspects of a cloud connector: purpose and functionality, security features, installation and setup, integration capabilities, configuration and management, and use cases.

Here are the key aspects of Cloud Connector: 

  1. Purpose and Functionality: 
    • Acts as a reverse invoke proxy between on-premise networks and SAP cloud platforms 
    • Enables secure connectivity without firewall configuration changes 
    • Supports multiple back-end SAP systems with a single Cloud Connector instance 
  2. Security Features: 
    • Establishes a TLS-encrypted connection between on-premise systems and the cloud 
    • Provides fine-grained control over accessible on-premise systems and resources 
    • Allows secure connections to isolated on-premise systems without major firewall adjustments 
  3. Installation and Setup: 
    • Can be installed on a machine within the network where back-end systems are running 
    • Requires initial configuration, including password change and installation type definition 
    • Supports high-availability setups with master and slave instances 
  4. Integration Capabilities: 
    • Supports various protocols including HTTP, SOAP, OData, LDAP, and IDoc 
    • Enables hybrid data landscapes by connecting on-premise setups with cloud solutions 
    • Facilitates remote table replication from on-premise to cloud environments 
  5. Configuration and Management: 
    • Offers a web-based administration interface for easy management 
    • Allows pairing with multiple SAP cloud platform accounts 
    • Provides access control configuration for specific backend systems and resources 
  6. Use Cases: 
    • Enables SAP Cloud Integration to connect securely with on-premise systems 
    • Supports integration scenarios in SAP Digital Manufacturing, connecting cloud applications with on-premise systems like SAP S/4HANA and SAP Manufacturing Execution 
    • Facilitates connectivity for Cloud Foundry and Neo environment subaccounts 

By using Cloud Connector, organizations can seamlessly and securely integrate their on-premise systems with cloud-based solutions, enabling hybrid landscapes and facilitating digital transformation initiatives. 

SAP BTP Connectivity Services

SAP BTP Connectivity Services provide a set of capabilities that enable secure connections between cloud applications and external systems, both on-premise and in the cloud.

The figure shows the SAP BTP connectivity services.

This graphic illustrates four components of BTP Connectivity Services: connectivity service, destination service, cloud connector, and transparent proxy.

The key components include: 

  1. Connectivity Service: 
    • Offers a connectivity proxy for accessing on-premise resources 
    • Serves as the backbone for Connectivity Proxy and Cloud Connector instances 
  2. Destination Service: 
    • Manages and stores technical connection configurations (destinations) 
    • Allows retrieval of connection details needed for remote system access 
  3. Cloud Connector: 
    • Links SAP BTP applications to on-premise systems 
    • Provides secure tunneling between on-premise networks and SAP BTP 
    • Offers fine-grained control over exposed systems and resources 
  4. Transparent Proxy: 
    • Enables unified, virtually transparent technical connectivity to destinations 
    • Available as an integrated module in Kyma environment and on Docker Hub 

These services work together to simplify the process of connecting cloud applications to various data sources and systems. They handle the technical complexity of connectivity, allowing developers to focus on business logic while administrators manage outbound connections without affecting the application lifecycle. 

Key benefits of SAP BTP Connectivity Services include as follows: 

  • Secure connections to on-premise systems and cloud services 
  • Support for various connection types including HTTP, RFC, and TCP 
  • Integration with multiple SAP BTP environments (Cloud Foundry, Kyma runtime, ABAP runtime) 
  • Simplified management of connection configurations through destinations 

By leveraging these services, organizations can easily integrate their SAP BTP applications with existing on-premise landscapes and external cloud services, enabling seamless hybrid and multi-cloud scenarios. 

Learning

SAP FacebookSAP YoutubeSAP LinkedIn