Managing APIs Securely in SAP BTP

SAP Business Technology Platform (BTP) offers a comprehensive suite of integration technologies to connect applications, processes, and data across diverse IT landscapes.

The figure shows the aspects of integration technologies for SAP solutions.

Here's an overview of the key integration capabilities: 

1. SAP Integration Suite: 
   • Cloud-native integration platform as a service (iPaaS) 
   • Enables seamless integration of on-premise and cloud-based applications 
   • Provides tools and pre-built content managed by SAP 
2. Core Capabilities of SAP Integration Suite: 
   • Cloud Integration: Supports hybrid and cloud application integration with built-in templates for A2A and B2B/B2G scenarios 
   • API Management: Design, develop, protect, and monitor APIs based on open standards 
   • Open Connectors: Out-of-the-box connectors to 170+ non-SAP applications 
   • Integration Advisor: AI-powered service for creating and maintaining integration interfaces and mappings 
3. Key Features: 
   • AI-powered development and recommendations 
   • Cloud-native environment managed by SAP for trust and security 
   • API-led integration for flexible process composition 
   • Real-time processing for faster response to stakeholders 
   • Pre-built integrations and connectors for streamlined connectivity 
4. Integration Scenarios: 
   • SAP to SAP processes 
   • Non-SAP to SAP processes 
   • Commercialization and management of APIs 
5. Benefits: 
   • Reduces complexity in integration development 
   • Enables seamless business processes at scale 
   • Accelerates connectivity of business processes 
   • Supports DevOps and simplifies lifecycle management of integration artifacts 
6. Deployment Flexibility: Multi-cloud service that allows running the same integration artifacts across multiple environments 

By using these integration technologies, organizations can create connected end-to-end business processes across SAP and third-party applications, supporting the vision of an Intelligent Enterprise. 

Ensure you are familiar with the following best practices to use SAP Integration Site securely:

1. Apply the highest security standards: 
   • Remove sensitive content before logging or forwarding 
   • Switch off resolving of external entities 
   • Encode dynamic parameters 
   • Use (Cross-Site Request Forgery (CSRF) protection 
   • Apply message-level security 
   • Protect data integrity
2. Use secure authentication methods: 
   • Avoid using no authentication or basic authentication when possible 
   • Prefer more secure options like OAuth, client certificates, or public key authentication
3. Implement secure communication: 
   • Use Transport Layer Security (TLS) protocol
   • Enable Secure Network Communication (SNC)
   • Implement firewalls and Remote Function Calls (RFCs)
4. Manage access control: 
   • Develop role-based groups to limit access privileges 
   • Implement provisioning to monitor data access 
   • Use Single-Sign-On (SSO) functionality
   • Apply segregation of duties
5. Keep the system updated: Apply security patches promptly, especially those released by SAP on the second Tuesday of each month
6. Monitor and manage vulnerabilities: 
   • Regularly examine internal security protocols
   • Constantly monitor systems for potential issues
7. Secure data transfer: Use SAP Cloud Connector to secure inbound data transfer from SAP Integration Suite to on-premise SAP ERP systems
8. Comply with security standards: Ensure development, maintenance, and operations comply with SAP's security standards and certifications

By implementing these measures, you can significantly enhance the security of your SAP Integration Suite deployment and protect your business-critical applications and data.

SAP Edge Integration Cell is an optional hybrid integration runtime offered as part of SAP Integration Suite. It enables customers to manage APIs and run integration scenarios within their private landscapes. Key features include: 

• Design and monitor integration content in the cloud 
• Deploy and run integration content in your private landscape 
• Flexible deployment options in customer-managed private Kubernetes environments (Azure AKS, Amazon EKS, SUSE Rancher, Red Hat OpenShift) 

Main use cases for SAP Edge Integration Cell: 

• Security and compliance scenarios where sensitive data must be managed within the enterprise firewall 
• Migration path for SAP Process Integration/SAP Process Orchestration customers to move to SAP Integration Suite while retaining on-premise scenario execution 

SAP Edge Integration Cell components: 

• Edge lifecycle management software lifecycle management 
• Runtime and operations components for executing integration scenarios and API proxies 
• Backing services like PostgreSQL and Redis for persistence and policies 

Key benefits: 

• Supports data compliance and governance by processing data locally 
• Enables API-led and event-driven integrations in private landscapes 
• Provides high availability setup for backup with multiple SAP Edge Integration Cell

The figure shows the strategies for securing the SAP Edge Integration Cell.

To secure SAP Edge Integration Cell, consider the following key measures: 

1. Encrypted Communication: 
   • Edge Integration Cell uses only encrypted communication 
   • Internal communication is secured using mutual Transport Layer Security (mTLS) enabled  
   • Follows a zero-trust paradigm for enhanced security 
2. Secure Authentication and Authorization: 
   • Implement Edge Local Authentication and Authorization for inbound requests 
   • Use service keys of type Certificate/External Certificate for local authentication 
   • Rotate service keys regularly to maintain connectivity to cloud services 
3. Network Security: 
   • Utilize Cloud Connector to establish a secure tunnel between cloud and edge environments 
   • Employ a Load Balancer to expose Edge Integration Cell endpoints and balance traffic across Kubernetes nodes and services 
4. Data Protection: 
   • Keep sensitive data within your private landscape by running integration flows and API proxies in Edge Integration Cell 
   • Utilize the option to prevent log records from leaving the local network (planned feature) 
5. Access Control: 
   • Use Access Policies to restrict who can view sensitive payloads 
   • Configure and manage multiple Edge Integration Cells with one SAP Integration Suite instance for better control 
6. Monitoring and Logging: 
   • Implement optional monitoring and logging stack for central system monitoring 
   • Use single sign-on with Identity Authentication Service (IAS) tenant for secure access to monitoring 
7. Regular Updates: 
   • Keep the Edge Integration Cell software up-to-date by applying regular updates 
   • Ensure timely rotation of service keys to maintain connectivity and functionality 
8. Secure Deployment: 
   • Deploy Edge Integration Cell in customer-managed private Kubernetes environments (for example, Azure AKS, Amazon EKS, SUSE Rancher) 
   • Use dedicated Kubernetes clusters for Edge Integration Cell deployments 

By implementing these security measures, you can significantly enhance the protection of your SAP Edge Integration Cell deployment and ensure the safety of your business-critical data and integrations. 

For more information, see Security for SAP Edge Integration Cell.