Security Recommendations for SAP BTP Services
Contact: m.shea@sap.com
Motivation
Customers have complained that it is difficult to find our recommendations for the secure configuration of our products. In response, SAP Global Security has decided that all cloud-based lines-of-business must provide a list of security recommendations for configuration settings of their products and services. They have enshrined this requirement in the product security standard SEC-377.
For more information about the background of the project, see the Security PMO Security Configurations Guidelines.
Product owners get a separate set of instructions here.
Process
- You are contacted by a product owner for a particular service about the security recommendations.
- Together with the product owner and the security responsible for the service, you generate the list of security recommendations for the service.
- In the Ixiasoft DITA CMS, use the Copy with new LOIO command to create a copy of the object REFCONT: Template Security Recommendations (loiof28d4ae446044a318f1702d69b910190) in the appropriate container:
  - In ODS_NEO for CF, Neo, and core services.
  - In BTP_TOP for ABAP, Kyma, and other core services.
  - In your own container under CP_TOP.
  - In CP_TOP if your container is outside the CP_TOP dependency.
- Follow the instructions in the template. Keep your content profiled with the information_classification internal.
- Review the content with your team.
- Your product owner has your content reviewed by the central security recommendations team.
- When ready, remove the profiling from your content and notify the central security recommendations team.
- The central team publishes the security recommendations with your content.