SAP Business Technology Platform (BTP) Security Best Practices: Expert Tips to Protect Your Platform


Heard about those big cyber-attacks recently? No names needed, but chances are, your weekly shop has been hit. The interesting thing is that they followed a familiar pattern. Security analysts found that over 52,000 new vulnerabilities were disclosed in 2024, indicating that outdated or misconfigured systems are a growing invitation to attackers (sentinelone.com). Hackers often slip in via a ‘side door’: an unpatched server, an ill-configured cloud service, or a tricked user giving up a password. Another analysis of supply-chain incidents found that about half were driven by stolen or weak credentials (securityinfowatch.com). In plain terms, cybercrooks lean on low-hanging fruit – phishing, reused passwords, forgotten updates – more than on any sci-fi-style hack.

Naturally, this has SAP customers asking: “Are our own SAP BTP environments secure? Is our user management tight? Are we following cloud security best practices?” These are great questions, and we’ve been hearing them a lot. So in this blog post we tried to answer these burning questions. We will address everything from locking down user accounts to broader security best practices, and we promise it won’t be a parade of jargon or doom-and-gloom. 

What can we learn from the recent cyber-attacks in the UK?

The recent cyber-attacks targeting major UK retailers mark a significant moment in cyber security as these are among the first Distributed Denial-of-Service (DDoS) attacks to penetrate networks that were protected by enterprise-grade firewalls. In many cases, these firewalls are managed by hyperscalers such as AWS, Microsoft Azure, or Google Cloud, who provide the foundational infrastructure.

However, it’s important to recognise that responsibility for security is shared. There’s a fine line between what the hyperscaler secures and what platform providers, like SAP BTP or Microsoft Power Platform, are responsible for. Most organisations today operate across multiple platforms, each with its own security model, tools, and SLAs, which can lead to gaps in the overall defence posture if not carefully managed.

It’s also a reminder of the real-world consequences of cybersecurity failures. When breaches occur, especially those involving customer data, organisations face not just supply chain or reputational damage, but significant financial penalties under regulations like GDPR. We’ve seen this play out repeatedly, including with major social media companies in recent years.

These all point to the importance of a well-coordinated, multi-layered security approach. It’s got to be holistic and span infrastructure, platforms, and application layers, with clear roles and responsibilities.

How secure is SAP BTP out of the box, and what are the most common gaps you see in customer configurations?

So, that’s the approach, but how is this carried out? The Business Technology Platform is designed with security and governance in mind across multiple layers. Out of the box, SAP BTP offers:

Built-in Identity & Access Management (IAM) & Network Security: Native support for Single Sign-On (SSO) / Multi-Factor Authentication (MFA), Role-Based Access Control (RBAC), and the SAP Authorisation Management service. Only authorised users and roles can access each sub-account or application.

Encryption & Transport Security: All user traffic is TLS-encrypted, and SAP establishes only encrypted communication channels by default.

Monitoring & Audit: SAP BTP automatically logs admin and user activities. The Cloud Foundry Audit Log Viewer service lets you review all operations (applications created, users added, etc.) and forward these logs as desired.

Secure Development Tools: SAP’s Cloud Application Programming Model (CAP) and other frameworks include built-in security guards (XSRF tokens, JWT checks, etc.), plus tools like the SAP Code Vulnerability Analyser (CVA) that statically scan ABAP code on SAP BTP before deployment.

However, despite this strong foundation, we often see gaps in how customers configure their environments. The most common issues include:

Bypassing SAP BTP Connectivity Guidelines
Customers sometimes integrate third-party APIs or services directly, without using the secure connectivity mechanisms provided by SAP BTP. This can create vulnerabilities and reduce visibility over traffic flows.

Improper Credential Management
Instead of using SAP BTP’s built-in credential stores, credentials are sometimes hardcoded or stored in less secure ways, leaving applications open to compromise.

Neglecting Secure App Design Principles
Applications are not always developed using security best practices. This can lead to poor access controls, exposure to common vulnerabilities, or a lack of proper authorisation checks.
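The credential-management gap above is easiest to see side by side. The following is an added example for this post, not code from SAP or from the original article: it contrasts a secret baked into source with a lookup of the credentials that Cloud Foundry injects for a bound service instance through the VCAP_SERVICES environment variable. The service label, instance name and every credential value below are constructed placeholders; libraries such as @sap/xsenv perform this lookup for real applications, and the small parser here only stands in for that.

```javascript
// Added example (not from the blog post): resolving credentials from the
// Cloud Foundry environment instead of hardcoding them in source.
// On SAP BTP (Cloud Foundry), bound service instances are injected into the
// VCAP_SERVICES environment variable as JSON: a map from service label to a
// list of instances, each carrying a "credentials" block.

// The weak pattern: a secret committed to source control and baked into every
// build. Anyone with repository or artefact access now holds the credential,
// and rotating it means a code change and a redeploy.
const HARDCODED_WEAK = {
  url: "https://erp.example.internal/api", // constructed placeholder
  user: "INTEGRATION_USER",                // constructed placeholder
  password: "Welcome123!",                 // constructed placeholder; never do this
};

// The hardened pattern: look up the bound instance by service label and name.
// Returns the credentials object of exactly one matching instance, or throws,
// so a missing or ambiguous binding fails fast at startup rather than at the
// first request.
function getBoundCredentials(env, label, instanceName) {
  const raw = env.VCAP_SERVICES;
  if (!raw) {
    throw new Error("VCAP_SERVICES not set: is the service bound to this app?");
  }
  let services;
  try {
    services = JSON.parse(raw);
  } catch (e) {
    throw new Error("VCAP_SERVICES is not valid JSON");
  }
  const instances = (services[label] || []).filter((s) => s.name === instanceName);
  if (instances.length !== 1) {
    throw new Error(
      `expected exactly one '${label}' instance named '${instanceName}', found ${instances.length}`
    );
  }
  const creds = instances[0].credentials;
  if (!creds || typeof creds !== "object") {
    throw new Error(`instance '${instanceName}' carries no credentials block`);
  }
  return creds;
}

// Constructed VCAP_SERVICES fragment in the shape Cloud Foundry injects.
// All values are placeholders for this example.
const CONSTRUCTED_VCAP = JSON.stringify({
  destination: [
    {
      name: "my-destination-svc",
      label: "destination",
      credentials: {
        uri: "https://destination-configuration.example", // placeholder
        clientid: "sb-clientid-placeholder",
        clientsecret: "clientsecret-placeholder",
      },
    },
  ],
});

// Resolve the bound credentials the way the app would at startup.
function demo(env = { VCAP_SERVICES: CONSTRUCTED_VCAP }) {
  const creds = getBoundCredentials(env, "destination", "my-destination-svc");
  return creds.clientid;
}
```

The point of throwing on zero or several matches is that a wrong binding becomes a deployment error instead of a silently wrong endpoint; the hardcoded object is shown only so the two shapes can be compared and should never reach a repository.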

While SAP BTP provides a secure foundation, maintaining a strong security posture requires careful configuration and adherence to recommended best practices, particularly when it comes to connectivity, credential management, and application architecture.

How to prevent similar attacks when running business-critical workloads on SAP BTP?

To safeguard business-critical workloads on SAP BTP, a few key practices should be followed:

Use SAP Services for All Integrations: Ensure every integration and API call goes through SAP’s connectivity and security layers. Use the SAP Destination Service, API Management, and the Cloud Connector/Connectivity Service, rather than hard‑coding endpoints. This way, TLS is enforced and flows are logged and constrained. (Think of SAP BTP services as a secure gateway that you should not bypass.)

Enforce Multi-Factor Authentication Everywhere: Require MFA for all user logins – not just admins. SAP Cloud Identity Service (or your corporate IdP) can enforce MFA policies on every SAP BTP access. SAP’s TechEd guide even walks through configuring MFA for SAP BTP apps. This means stolen passwords alone won’t give attackers an easy in.

Harden IAM and Accounts: Follow the principle of least privilege. Regularly audit user roles and prune any unused or generic accounts. Disable any unused features like self-registration or social sign-on. Use roles and groups in your Identity Provider (IdP) to ensure people only get the permissions needed for their job.

Monitor and Respond to Logs: Subscribing to the SAP Audit Log Viewer (for Cloud Foundry (CF)) is critical. Review logs periodically for anomalies (e.g. logins from new locations, sudden privilege grants). Configure alerts or integrate these logs into your Security Information & Event Management (SIEM). Quick detection can stop an incident in its tracks.
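To make the last practice concrete, here is an added example (written for this post, not code from SAP or from the original article) that screens audit-style events for the two anomalies the text names: logins from new locations and sudden privilege grants. The event shape and the events themselves are constructed; records retrieved from the Audit Log Viewer or the audit log retrieval service have their own schema, so the timestamp, event type, user, source country, granted role and acting admin would be mapped into this shape first. The thresholds are assumptions chosen so the sample trips them.

```javascript
// Added example (not from the blog post): two detection rules run over
// constructed audit-style events. In production these rules would live in
// the SIEM that the SAP BTP audit log is forwarded to.

const CONSTRUCTED_EVENTS = [
  { ts: "2025-05-01T08:00:00Z", type: "login", user: "alice@example.com", country: "GB" },
  { ts: "2025-05-01T08:05:00Z", type: "login", user: "bob@example.com", country: "GB" },
  { ts: "2025-05-01T17:30:00Z", type: "login", user: "alice@example.com", country: "GB" },
  { ts: "2025-05-02T03:12:00Z", type: "login", user: "alice@example.com", country: "BR" },
  { ts: "2025-05-02T03:13:00Z", type: "role_grant", user: "alice@example.com",
    actor: "alice@example.com", role: "Subaccount Administrator" },
  { ts: "2025-05-02T03:14:00Z", type: "role_grant", user: "svc-generic",
    actor: "alice@example.com", role: "Cloud Connector Administrator" },
  { ts: "2025-05-03T09:00:00Z", type: "role_grant", user: "carol@example.com",
    actor: "admin@example.com", role: "Viewer" },
];

// ISO-8601 UTC timestamps sort correctly as strings.
const byTime = (a, b) => a.ts.localeCompare(b.ts);

// Rule 1: flag a login from a country the user has never logged in from in the
// events seen so far. A user's first login establishes the baseline, so a
// brand-new user is not flagged on their first appearance.
function newLocationLogins(events) {
  const seenCountries = new Map();
  const findings = [];
  for (const e of events.filter((x) => x.type === "login").sort(byTime)) {
    const known = seenCountries.get(e.user) || new Set();
    if (known.size > 0 && !known.has(e.country)) {
      findings.push({ ts: e.ts, user: e.user, country: e.country, reason: "login from new country" });
    }
    known.add(e.country);
    seenCountries.set(e.user, known);
  }
  return findings;
}

// Rule 2: flag role grants that are self-grants, that hand out an
// administrator role, or that arrive in a burst from one actor. The window and
// threshold are assumed values; tune them against your own change-window
// baseline.
function suspiciousGrants(
  events,
  { burstWindowMs = 10 * 60 * 1000, burstThreshold = 2, adminPattern = /administrator/i } = {}
) {
  const recentByActor = new Map(); // actor -> grant timestamps inside the window
  const findings = [];
  for (const g of events.filter((x) => x.type === "role_grant").sort(byTime)) {
    const reasons = [];
    if (g.actor === g.user) reasons.push("self-granted role");
    if (adminPattern.test(g.role)) reasons.push("administrator role granted");
    const t = Date.parse(g.ts);
    const recent = (recentByActor.get(g.actor) || []).filter((x) => t - x <= burstWindowMs);
    recent.push(t);
    recentByActor.set(g.actor, recent);
    if (recent.length >= burstThreshold) {
      reasons.push(`${recent.length} grants by ${g.actor} within ${burstWindowMs / 60000} min`);
    }
    if (reasons.length > 0) {
      findings.push({ ts: g.ts, user: g.user, actor: g.actor, role: g.role, reasons });
    }
  }
  return findings;
}

// Run both rules and return the findings an analyst would triage.
function screen(events = CONSTRUCTED_EVENTS) {
  return { logins: newLocationLogins(events), grants: suspiciousGrants(events) };
}
```

On the constructed sample, `screen()` returns one new-location login (alice from BR) and two suspicious grants: alice granting herself an administrator role, then a second administrator grant from the same actor a minute later, which also trips the burst rule; carol's Viewer grant is not flagged.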

Even doing just these steps drastically cuts risk. In effect, you’re closing the ‘side doors’: every inbound or outbound connection is tracked by SAP, every user action is logged, and strong authentication blocks the common tricks that took down those retailers.

What role does identity and access management play in defending against modern cyber threats in SAP environments?

Identity and Access Management (IAM) is the keystone of SAP BTP security. SAP BTP supports a full identity lifecycle and fine-grained authorisation model:

Role-Based Access Control (RBAC): You define roles or role collections in your SAP BTP sub-accounts (and business roles in the ABAP environment) that grant only needed permissions. Then you assign these roles to users/groups. This enforces least privilege, so even if a user’s credentials are compromised, the attacker’s access is limited.

Trusted Identity Providers: BTP can federate with SAP Cloud Identity (Identity Authentication Service) or any SAML/OAuth IdP. Once trust is set up, employees authenticate with corporate credentials (with MFA, if you’ve enforced it). This ensures a single point of control over user accounts and policies. IAM integrates with identity providers and defines roles and permissions to secure applications and data.

Principal Propagation: When a user calls between SAP systems (for example, a CF app calling an ABAP endpoint), their identity and roles “travel” with the request. This maintains security boundaries across services.

IAM practices help organisations enforce strict access boundaries, maintain compliance, and defend against unauthorised access—whether from external attackers or internal misconfigurations.

How can organisations balance innovation on SAP BTP with the need for robust security and compliance?

Innovation and security are not opposing forces—they must evolve together. As applications built on SAP BTP grow in complexity, the security measures surrounding them must also mature. The more advanced and interconnected your solutions become, the greater the need for enhanced controls, monitoring, and governance.

Organisations that fail to innovate risk becoming obsolete. But equally, those that innovate without embedding strong security and compliance practices expose themselves to serious vulnerabilities. Every new capability, integration, or user touchpoint introduces potential risks that must be addressed as part of the innovation lifecycle.

Training is also key. Ensure developers and admins know SAP BTP best practices. Ignorance may be bliss, but it also breeds vulnerabilities, since human error is often the weakest link. If all personnel interacting with the platform are aware of the threats, they can not only spot them but also help mitigate them. Make security part of your culture and process – every innovation needs to come with corresponding security guardrails.

Sustainable innovation on SAP BTP requires a security-first mindset—where governance, compliance, and threat prevention are integrated into every phase of development and deployment.

Securing your innovation on SAP BTP

The recent cyber-attacks serve as a stark reminder that even the most well-defended systems are not immune to evolving and opportunistic threats. For organisations leveraging SAP BTP to drive innovation, the message is clear: security must be treated as a continuous discipline, not a one-time checklist.

While SAP BTP provides a strong out-of-the-box security framework, real resilience comes from how that framework is implemented, monitored, and adapted. From enforcing secure connectivity and managing access intelligently, to following coding best practices and monitoring audit logs—every detail matters.

To conclude, the balance between innovation and security is not a compromise; it’s a partnership. With the right governance, identity management, and adherence to best practices, organisations can confidently build and scale on SAP BTP—without sacrificing trust, compliance, or control.

Please feel free to share your experiences and thoughts on the similar approaches you might have taken securing your applications on SAP BTP in the comments section.
