Technology Blogs by SAP
MichaelVogel
Product and Topic Expert

According to the cloud shared responsibility model, customers need to be aware of the security-related settings they are responsible for. To enable a compliance expert or a cloud security administrator, for example, to monitor whether these settings adhere to the expected values, key services and applications are required to send this data to SAP Cloud ALM. There, an external API enables central consumption of the aggregated data. For this, the Cloud ALM Next Generation – Data Collection Infrastructure (NG-DCI) is leveraged. It provides a standardized way to collect data using OpenTelemetry. Performance Monitoring, Integration Monitoring and Exception Monitoring from Managed-Cloud services are some examples of the various use cases of OpenTelemetry within SAP Cloud ALM.
As shown in Figure 1, services and applications push their security configuration data to a Central Data Receiver (Data Collection Runtime). SAP Cloud ALM collects the data using its Central Data Receiver and persists it in a Configuration & Change Database (CCDB) in the customer's SAP Cloud ALM tenant. From there, it can be visualized through a list view in the SAP Cloud ALM UI.
Configuration data can also be consumed externally via the API Framework of SAP Cloud ALM (cf. Figure 1). The API framework supports delivery of aggregated data for analytics, metrics for alerting and a log format for raw data (i.e., customer settings on the service side).

 


Figure 1: High-level architecture.

Services and applications send their prevalidated, customer-managed security configuration settings to SAP Cloud ALM. There, the data is routed to the customer's SAP Cloud ALM tenant and persisted in its Configuration and Change Database (CCDB). By default, services and applications do not send security configuration data until the customer has turned this feature on in their SAP Cloud ALM tenant. Once it is turned on, data is synchronized daily.

The SAP Cloud ALM Analytics API can be used to retrieve this data for external consumption. This blog post gives an example of how to connect to and call the API. More information can be found on the official help pages and the API hub.
A security configuration dashboard template based on SAP Analytics Cloud is available to complement the visualization, as described in this blog post.

The first BTP services have successfully implemented this integration with SAP Cloud ALM and are now publicly available. Further BTP services as well as other SAP cloud solutions are planned to provide their data in the future. You can check the progress on the SAP Cloud ALM release note page.
