Insights on Configuration and Security Analysis with SAP Cloud ALM

Insights on Configuration and Security Analysis with SAP Cloud ALM
Estimated read time 9 min read

Structure of this blog

This blog is structured to understand the following:

Configuration and Security Analysis OverviewGoal of Configuration & Security AnalysisFeatures of Configuration & Security AnalysisSupported ApplicationsSetup of Configuration and Security AnalysisRoadmap of Configuration and Security Analysis

Configuration and Security Analysis Overview

The Configuration & Security Analysis app collects a set of technical configuration data from SAP Application server ABAP and SAP Cloud based BTP Services supported applications.

The collected data is stored in Config Stores. Config Stores contain security configurations that are already validated by SAP and delivered with a compliance status regarding Security Recommendations.

 

This helps in collaboration with SAP Global Security compliance for delivering coordinated configuration data from all key supported solutions.

Approach of Configuration & Security Analysis

The application relies on:

Recommended Security Configurations.The data collected via different APIs into the Configuration & Change Database in SAP Cloud ALM. Visualization of the compliance either in the UI of the application itself or in an external tool SAC.

 

Goal of Configuration & Security Analysis

Configuration & Security Analysis (CSA) supports the monitoring and analysis of static data.

For on premise and private cloud systems, this relates to technical configurations that are relevant for stable and secure operations of SAP solution landscape.For Cloud Services, where the configuration for stability and performance is in the responsibility of SAP as the cloud provider, the data onboarding has a strong focus on security.

Features of Configuration & Security Analysis

The features of CSA in SAP Cloud ALM are similar to the respective functionality in SAP Solution Manager and SAP Focused Run. We have a central Configuration & Change Database (CCDB) and data collectors that push snapshots of data on a daily basis. CSA provides features for interactive analysis that give access to the collected data.

Regular collection of configuration items and software levels into the configuration stores of the Configuration Change Database utilizes:

Store browser as user interface to visualize content of configuration stores

Change analysis for selected scope and timeframe

Search capability for pattern-based browsing into configuration items of selected scope

Supported Applications

The following services and systems are supported:

 

Setup of Configuration and Security Analysis

If the cloud Alm tenant has not been requested yet, please refer below steps for the setup:

 

 

Pre-requisites:

1.SAP Cloud Services

No prerequisites are required. This monitoring includes data related to custom-developed apps. 

 2.SAP Private Cloud and On-Premise Systems

We must connect our private cloud or on-premise system to start monitoring with Configuration & Security Analysis in SAP Cloud ALM for operations.

ST-A/PI
It is recommended to update ST-A/PI always together with the regular product stack support packages to benefit from latest functionality and patches. For ST-A/PI refer to   SAP Note 69455 Service tools for Applications ST-A/PI (ST14, RTCCTOOL, ST12).Minimum Kernel Release
The kernel patch level of SAP Note 2878815 ‘Incorrect Linebreaks in JSON for Binary Data’ is mandatory as In addition, as there is bug in the older version of kernel preventing to send correct data packages.

Connect the systems:

Setup the system connection in the Landscape Management Service.Adjust the configuration settings for the Configuration & Security Analysis app.Choose Select a Scope to select system/service we want to monitor.

 

Available config stores on SAP Application server ABAP and SAP Cloud based BTP Services supported applications.

Housekeeping

By default, a retention period of 30 days is predefined. To make best use of the change analysis capability, SAP recommends that to use a much higher retention period like 12 months because only a minor set of items changes over the time, there’s no huge data increase expected after the initial load.

We can also switch off housekeeping by setting the retention period to zero, which isn’t recommended.

Administration

Monitoring of Critical Configurations (Red Rating) is switched-on by default.

Monitoring of Warnings is pre-configured and can be quickly activatedMonitoring can easily be enhanced with additional security checksConsistent Monitoring Capabilities across Topics and Key Services (RISE, GROW, Intelligent Enterprise, …)

Roadmap of Configuration and Security Analysis

SAP aims to deliver product readiness for transition from SAP Solution Manager ConfigVal to SAP Cloud ALM Configuration and Security Analysis by End of 2026.

Planned functionality

Configuration validation to compare TO-BE with AS-IS situationEmbedded alerting to notify on critical issuesEmbedded analytics to analyze trends and root causes for discovered problems

Conclusion:

Configuration and Security Analysis enables to:

Browse through the security configurations recommended by SAP and search for configurations that are relevant to their company’s compliance based on text patterns.Search for non-compliant items, selecting the appropriate scope. In addition, analysis of changes within the last reporting period can be done and the results can be downloaded for further processing in tools like MS Excel.SAP Analytics API can be used to load selected data into SAP Analytics Cloud or Grafana.This allows to deliver security status and trend information for the overall landscape or for specific services.Get item-level insight for drill-down or for building custom-tailored validation in external tools.

I hope this blog helps you find all the required information of Configuration and Security Analysis on Cloud ALM.

 

​ Structure of this blogThis blog is structured to understand the following:Configuration and Security Analysis OverviewGoal of Configuration & Security AnalysisFeatures of Configuration & Security AnalysisSupported ApplicationsSetup of Configuration and Security AnalysisRoadmap of Configuration and Security AnalysisConfiguration and Security Analysis OverviewThe Configuration & Security Analysis app collects a set of technical configuration data from SAP Application server ABAP and SAP Cloud based BTP Services supported applications.The collected data is stored in Config Stores. Config Stores contain security configurations that are already validated by SAP and delivered with a compliance status regarding Security Recommendations. This helps in collaboration with SAP Global Security compliance for delivering coordinated configuration data from all key supported solutions.Approach of Configuration & Security AnalysisThe application relies on:Recommended Security Configurations.The data collected via different APIs into the Configuration & Change Database in SAP Cloud ALM. Visualization of the compliance either in the UI of the application itself or in an external tool SAC. Goal of Configuration & Security AnalysisConfiguration & Security Analysis (CSA) supports the monitoring and analysis of static data.For on premise and private cloud systems, this relates to technical configurations that are relevant for stable and secure operations of SAP solution landscape.For Cloud Services, where the configuration for stability and performance is in the responsibility of SAP as the cloud provider, the data onboarding has a strong focus on security.Features of Configuration & Security AnalysisThe features of CSA in SAP Cloud ALM are similar to the respective functionality in SAP Solution Manager and SAP Focused Run. We have a central Configuration & Change Database (CCDB) and data collectors that push snapshots of data on a daily basis. CSA provides features for interactive analysis that give access to the collected data.Regular collection of configuration items and software levels into the configuration stores of the Configuration Change Database utilizes:Store browser as user interface to visualize content of configuration storesChange analysis for selected scope and timeframeSearch capability for pattern-based browsing into configuration items of selected scopeSupported ApplicationsThe following services and systems are supported:  Setup of Configuration and Security Analysis If the cloud Alm tenant has not been requested yet, please refer below steps for the setup:  Pre-requisites:1.SAP Cloud ServicesNo prerequisites are required. This monitoring includes data related to custom-developed apps.  2.SAP Private Cloud and On-Premise SystemsWe must connect our private cloud or on-premise system to start monitoring with Configuration & Security Analysis in SAP Cloud ALM for operations.ST-A/PIIt is recommended to update ST-A/PI always together with the regular product stack support packages to benefit from latest functionality and patches. For ST-A/PI refer to   SAP Note 69455 Service tools for Applications ST-A/PI (ST14, RTCCTOOL, ST12).Minimum Kernel ReleaseThe kernel patch level of SAP Note 2878815 ‘Incorrect Linebreaks in JSON for Binary Data’ is mandatory as In addition, as there is bug in the older version of kernel preventing to send correct data packages.Connect the systems:Setup the system connection in the Landscape Management Service.Adjust the configuration settings for the Configuration & Security Analysis app.Choose Select a Scope to select system/service we want to monitor. Available config stores on SAP Application server ABAP and SAP Cloud based BTP Services supported applications.HousekeepingBy default, a retention period of 30 days is predefined. To make best use of the change analysis capability, SAP recommends that to use a much higher retention period like 12 months because only a minor set of items changes over the time, there’s no huge data increase expected after the initial load.We can also switch off housekeeping by setting the retention period to zero, which isn’t recommended.AdministrationMonitoring of Critical Configurations (Red Rating) is switched-on by default.Monitoring of Warnings is pre-configured and can be quickly activatedMonitoring can easily be enhanced with additional security checksConsistent Monitoring Capabilities across Topics and Key Services (RISE, GROW, Intelligent Enterprise, …)Roadmap of Configuration and Security Analysis SAP aims to deliver product readiness for transition from SAP Solution Manager ConfigVal to SAP Cloud ALM Configuration and Security Analysis by End of 2026.Planned functionalityConfiguration validation to compare TO-BE with AS-IS situationEmbedded alerting to notify on critical issuesEmbedded analytics to analyze trends and root causes for discovered problemsConclusion:Configuration and Security Analysis enables to:Browse through the security configurations recommended by SAP and search for configurations that are relevant to their company’s compliance based on text patterns.Search for non-compliant items, selecting the appropriate scope. In addition, analysis of changes within the last reporting period can be done and the results can be downloaded for further processing in tools like MS Excel.SAP Analytics API can be used to load selected data into SAP Analytics Cloud or Grafana.This allows to deliver security status and trend information for the overall landscape or for specific services.Get item-level insight for drill-down or for building custom-tailored validation in external tools.I hope this blog helps you find all the required information of Configuration and Security Analysis on Cloud ALM.   Read More Technology Blog Posts by Members articles 

#SAP

#SAPTechnologyblog

Avatar for

You May Also Like

More From Author