Hupp Consulting

SAP BTP Security: Securing Your Cloud Platform

SAP Business Technology Platform (BTP) is SAP's strategic cloud platform for extensions, integrations and analytics. As workloads increasingly move to the cloud, the security model changes fundamentally. Classic perimeter security is no longer sufficient – instead, organisations need to understand the shared responsibility model and BTP-specific security mechanisms.

Understanding the Shared Responsibility Model

With SAP BTP, SAP and the customer share responsibility for security. SAP is responsible for physical infrastructure, network security and platform patches. The customer is responsible for: identity management and authentication, authorisation and role assignment, application security, data encryption at application level and audit logging configuration. A common mistake is assuming SAP takes care of everything – in reality, a significant portion of security responsibility lies with the customer.

Configuring Identity Authentication Service (IAS)

The SAP Cloud Identity Authentication Service is the central building block for authentication on BTP. Configure IAS as a proxy to your corporate identity provider (e.g. Azure AD, Okta). Activate multi-factor authentication (MFA) for all users, at minimum for administrative access. Define password policies, session timeouts and IP-based access restrictions. Use risk-based authentication for additional security during unusual access patterns.

Role Collections and Authorisation

BTP uses role collections as its central authorisation concept. A role collection bundles multiple roles and is assigned to users or user groups. Best practices: create granular role collections following the least-privilege principle. Avoid assigning the predefined administrator role collection to too many users. Document the mapping of role collections to business functions. Review assignments regularly – BTP does not offer automatic recertification.
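Because recertification has to be done by hand, a periodic check over an export of the assignments helps. The sketch below is an added example, not code from the original article or from SAP: the rows, the limit of two administrators, the 180-day review cycle and the function mapping are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

ADMIN_COLLECTION = "Subaccount Administrator"  # predefined role collection
MAX_ADMINS = 2                                 # assumed policy limit
REVIEW_INTERVAL = timedelta(days=180)          # assumed recertification cycle

# Assumed documentation: role collection -> business function
FUNCTION_MAP = {
    "Subaccount Administrator": "Platform operations",
    "Invoice_Viewer": "Accounts payable",
}

# Constructed sample rows: (user, role collection, date of last review)
ASSIGNMENTS = [
    ("alice@example.com", "Subaccount Administrator", date(2026, 1, 10)),
    ("bob@example.com", "Subaccount Administrator", date(2025, 3, 2)),
    ("carol@example.com", "Subaccount Administrator", date(2026, 2, 1)),
    ("dave@example.com", "Invoice_Viewer", date(2026, 2, 20)),
    ("erin@example.com", "Integration_Dev", date(2025, 12, 5)),
]

def review(assignments, today):
    """Return sorted (kind, subject) findings for the three checks."""
    findings = set()
    holders = defaultdict(set)
    for user, collection, reviewed in assignments:
        holders[collection].add(user)
        # Assignment not recertified within the review cycle
        if today - reviewed > REVIEW_INTERVAL:
            findings.add(("stale_review", f"{user}:{collection}"))
        # Role collection with no documented business function
        if collection not in FUNCTION_MAP:
            findings.add(("undocumented", collection))
    # Administrator role collection held by more users than the policy allows
    admins = holders[ADMIN_COLLECTION]
    if len(admins) > MAX_ADMINS:
        findings.add(("too_many_admins", ",".join(sorted(admins))))
    return sorted(findings)

if __name__ == "__main__":
    for kind, subject in review(ASSIGNMENTS, date(2026, 3, 15)):
        print(kind, subject)
```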

Securing the Cloud Connector

The Cloud Connector bridges BTP and on-premise systems. It opens an encrypted tunnel from the on-premise environment to the cloud – without inbound firewall rules. Nevertheless, it is a critical security point:

  • Restrict exposed backend systems and resources to the minimum
  • Use system mappings with fictitious virtual hosts to hide internal hostnames
  • Activate access control lists for URL paths and RFC function modules
  • Operate the Cloud Connector in a DMZ or dedicated network segment
  • Keep the Cloud Connector at the latest patch level at all times

API Security and OAuth 2.0

APIs are the backbone of BTP architecture. Secure all APIs with OAuth 2.0 – API keys alone provide insufficient protection. Use the SAP Authorization and Trust Management Service (XSUAA) for token-based authentication. Implement rate limiting and input validation. Monitor API calls for anomalies. Rotate client secrets regularly and never store them in code.
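The following added example (not code from the original article or from SAP) shows two of these points together: credentials come from the service binding rather than from source code, and an incoming token is checked for key URL, expiry and scope. The field names `uaadomain`, `xsappname`, `jku` and `scope` are assumed to follow the usual XSUAA layout, all values are constructed, and signature verification is left to a JWT library.

```python
import base64
import json
import time
from urllib.parse import urlsplit

# Constructed stand-in for the VCAP_SERVICES variable of an app bound to
# XSUAA; every value is a placeholder.
SAMPLE_VCAP = json.dumps({"xsuaa": [{"credentials": {
    "clientid": "sb-demo!t1", "clientsecret": "PLACEHOLDER",
    "xsappname": "demo!t1", "uaadomain": "authentication.eu10.hana.ondemand.com"}}]})

def load_binding(vcap_json):
    """Read client ID and secret from the service binding, not from code."""
    return json.loads(vcap_json)["xsuaa"][0]["credentials"]

def _enc(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _dec(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def sample_token(jku, scopes, exp):
    """Constructed, unsigned token used only to exercise the checks."""
    return ".".join([_enc({"alg": "RS256", "jku": jku}),
                     _enc({"scope": scopes, "exp": exp}), "sig"])

def check_token(token, binding, scope, now=None):
    """Return findings; an empty list means these checks passed. The signature
    must still be verified by a JWT library with the keys behind the jku URL."""
    try:
        head, body, _sig = token.split(".")
        header, claims = _dec(head), _dec(body)
        jku = urlsplit(str(header.get("jku", "")))
        exp, granted = claims.get("exp"), claims.get("scope")
    except (ValueError, AttributeError):
        return ["malformed token"]
    now = time.time() if now is None else now
    findings = []
    if header.get("alg") != "RS256":
        findings.append("unexpected signing algorithm")
    # Fetch keys only from HTTPS hosts under the uaadomain of our own binding
    host = jku.hostname or ""
    if jku.scheme != "https" or not host.endswith("." + binding["uaadomain"]):
        findings.append("key URL outside trusted uaadomain")
    if not isinstance(exp, (int, float)) or exp <= now:
        findings.append("token expired or exp missing")
    if not isinstance(granted, list) or f'{binding["xsappname"]}.{scope}' not in granted:
        findings.append("required scope missing")
    return findings
```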

Audit Logging in BTP

BTP offers a dedicated Audit Log Service. Activate audit logging for all security-relevant events: user logons, authorisation changes, data access and configuration modifications. Export audit logs regularly to a central SIEM system, as BTP deletes logs after a defined period. Note the different retention periods depending on the service plan.

Data Protection and Data Residency

When using BTP, you need to know where your data is stored. Choose the region deliberately – for EU customers, the EU region (Frankfurt or Amsterdam) is recommended. Review SAP's subprocessor list regularly. Implement encryption for sensitive data at application level, in addition to transport encryption. Use the SAP Data Custodian Service for increased transparency over data access.

Conclusion

BTP security requires a shift in thinking compared to classic on-premise security. The shared responsibility model, identity-first security and API protection are the key topics. Start with IAS configuration and Cloud Connector hardening – these two measures address the greatest risks.


Stefan Hupp
Managing Director

20+ years of experience in SAP Security, Basis and Authorisations. Pragmatic solutions for complex system landscapes – documented, audit-ready and AI-powered.
