Transcript
There's three key areas of focus, as you can see. BTP security recommendations, I keep harping on about that, but I just think it really is a really important thing. It's a great bit of work that SAP has done to ensure, A, they're just clearly communicating, this security is something that's a shared responsibility between SAP and their customers. So making sure that their customer's aware of, not only that they have a responsibility, but what types of actions should they take place in order to ensure they're meeting their part of that model. Identity and access management for users, for applications, for systems that are interacting with and through BTP, kind of challenging understanding who they are, what do they need to be able to do, ensuring they just have that access as things are decommissioned, ensuring that access goes away, that needs to be done kind of through a more kind of enterprise automated process. So having IAM is really important. And then as I've said, BTP is something for you to build on top of. So making sure you're doing that in a secure way is critical. You could do a lot with the recommendations and others to ensure that the foundations of BTP are all secure. If what you build on top is adding risk, then you're kind of not doing yourself any favors. So ensuring that you're coming in and building secure applications, doing secure development on top of BTP is critical.

And on that part, Alex, I think it's, even though it's a simple slide, it really helps us understand what are the drivers or what are the strategies that we should pursue when we start addressing security on BTP, right? On one hand, it's all of those settings, integrations, the configurations around BTP, which are highlighted by SAP on the security recommendations, which is the link that Alex mentioned. It has hundreds of different settings and things that we need to ensure that are properly set. The other is how do we enable access, right?
Do we use SAP, a default identity provider? Do we use our own IDP? Do we combine, do we enable rules? Do we use identity and access service, which changed name and it's Cloud Identity Services, I think from SAP. How do we provision on different sub-accounts? How do we grant permissions access, platform users versus users of the cockpit? So there are many different concepts. Again, for me, the key is complexity, right? So when these types of technologies come into play, it's important to understand the building blocks. So we understand how do we do to secure this. And last but not least, are we scanning the code, the security of the code of the applications that we develop on top of BTP? Whether it's ABAP or JavaScript or any other language, it's important to integrate a secure development lifecycle for the applications, which are gonna be business applications that we develop on top of this platform.

Perfect, thanks JP. So in terms of the recommendations, the kind of, again, beating this drum really hard, like pay attention to SAP's recommendations, make sure you kind of review that or the appropriate team within your enterprise is reviewing that. And you have a plan for how you're gonna address, as JP said, it's a very long document. How are you gonna manage and address ensuring which of those parameters are appropriate for you and what's the right value for you to apply those parameters. And then that ongoing practice of ensuring you're still meeting what you've defined as kind of minimum acceptable security for you and your enterprise. It's available, there's a link, as Sean said, the slides will be shared. Kind of, this is the look and feel when you go in. So you can come in and kind of see the types of pieces. There's a lot of content to go through. JP, I know we talked about doing a demo, but I'm not sure we have the time to go through that. How do you feel?

I think we can, if I may share a screen. Let me, one second. There we go. So can you see?

I see it.
Perfect, all right. So this is the SAP documentation, right? So we have different elements of a security guide. This is one example of documentation from SAP. If we go and, for example, search. It's very simple, BTP security recommendations. We can see the content, we can browse it, we can download it. If we go to the bottom of it, we can see that it's 235. So we're talking about hundreds of different recommendations with different criticalities. We can filter. So I would say if security for BTP is something that you're pursuing, then this is the place to start with. This is your guidance in terms of deploying security on a BTP, how it's set up, how it's configured. The starting point is to start with BTP security. The starting point, right? And we can see different examples, logging on different categories. Well, a lot around logging, identity and authentication. And I can select for looking at the 235, but just wanted to give you a look and feel. Everything comes with a recommended value and the value that it has by default. Many of these are settings. So there's a default value, but there's also, we can change that, right? That's the issue with configurations and settings is that even though we can configure them into a secure state, if we don't properly manage who has access to admin to change settings, those settings could go back to an insecure state and expose the entire instance. So secure recommendations from SAP, it's a live document. You can see, you can navigate, you can download. This is the starting point.