
SAP Cloud Connector - API Management Security

Cristian
Participant
0 Likes
933

Hi experts,

From just a security standpoint, what additional benefits does SAP API Management bring on top of SAP Cloud Connector for exposing on-premise backend SAP Gateway services for further consumption by UI5 apps deployed in SAP BTP?

I am just interested in security topics (SAP APIM brings other benefits such as API Discovery, Caching, or Analytics, but these are out of the scope of this discussion). The idea is to understand whether there is any additional benefit in the security space if the service calls go UI5 --> API M --> SAP CC --> SAP GW instead of UI5 --> SAP CC --> SAP GW.

SAP Cloud Connector creates a TLS tunnel between SAP BTP and the on-premise landscape, and given that the host of the SAP Cloud Connector is not used in the data exchanges, no DDoS can occur. So we are wondering what additional security can be added in SAP APIM that is not already provided by SAP Cloud Connector.

Many thanks!

C.

Accepted Solutions (0)

Answers (3)


Elijah_Martinez1
Product and Topic Expert
0 Likes

A bit of a late comment, but I suppose there are any number of reasons to interject SAP API Management between App and Provider; that will depend on the constraints of the scenario involved.

You might suggest "well, I am building a UI5 App on BTP, available only to internal users with constrained user input", which would itself provide a lot of security details, but similarly you might implement in other ways as well.

The OWASP Top 10 is usually a good starting point for security considerations of WebApps: https://owasp.org/www-project-top-ten/ , which may or may not arise depending on how you built your App(s).

APIM can address these concerns for each API (rather than each App), such as input validation policies (separated from the App itself, so no longer under user control) against injection, granular app-level access control (rather than SCC service level) for data exposure, and so on.

Regards,
Elijah
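As an added illustration of the gateway-side input validation mentioned above (example policies written for this thread, not taken from the original post or from SAP's own templates): two SAP API Management policies attached to the API proxy's PreFlow, so the checks run before any request reaches the Cloud Connector and the backend. The two policies are separate files shown back to back; the `search` query parameter, the patterns and the size limits are assumptions chosen for illustration and would be tuned per API.

```xml
<!-- Added example (not from the original post). Policy file 1:
     RegularExpressionProtection raises a fault when an incoming value MATCHES
     a pattern, so each pattern describes what must not appear in the input.
     The "search" parameter and the patterns are assumptions for illustration. -->
<RegularExpressionProtection async="false" continueOnError="false" enabled="true"
    xmlns="http://www.sap.com/apimgmt">
  <Source>request</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- reject script tags or javascript: URLs in the free-text search parameter -->
  <QueryParam name="search">
    <Pattern>(?i)(&lt;\s*script|javascript:)</Pattern>
  </QueryParam>
  <!-- apply the same check to every string value in a JSON request body -->
  <JSONPayload>
    <JSONPath>
      <Expression>$..*</Expression>
      <Pattern>(?i)(&lt;\s*script|javascript:)</Pattern>
    </JSONPath>
  </JSONPayload>
</RegularExpressionProtection>

<!-- Policy file 2: JSONThreatProtection bounds the structure of request bodies,
     so oversized or deeply nested payloads are rejected at the gateway instead
     of being parsed by the backend. Limits are assumptions for illustration. -->
<JSONThreatProtection async="false" continueOnError="false" enabled="true"
    xmlns="http://www.sap.com/apimgmt">
  <Source>request</Source>
  <ContainerDepth>8</ContainerDepth>
  <ObjectEntryCount>50</ObjectEntryCount>
  <ArrayElementCount>100</ArrayElementCount>
  <StringValueLength>500</StringValueLength>
  <PropertyNameLength>64</PropertyNameLength>
</JSONThreatProtection>
```

The point relevant to the question is where the checks live: they are enforced per API on the gateway, so they apply no matter which client (the UI5 app or anything else holding valid credentials) sends the request, and a change to the app cannot switch them off. Because RegularExpressionProtection is a blocklist, it complements rather than replaces the backend's own validation; keep the patterns narrow so legitimate OData query values are not rejected.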

gregorw
SAP Mentor
0 Likes

Dear Charles,

I would not add the API Management in between the UI and the service you consume from the backend via the Cloud Connector as long as the UI can only be accessed by authenticated users. With API Management in between you add another layer of complexity and latency in the loop.

But if you have e.g. a public registration form that uses a backend service, you have to protect this API from DoS attacks.

Best regards
Gregor
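For the public-endpoint case described above, an added example of what that protection looks like in SAP API Management (example policies written for this thread, not taken from the original post): a SpikeArrest policy to smooth bursts and a Quota policy to cap total volume per caller, both attached to the proxy's PreFlow. The two policies are separate files shown back to back; the rates, counts, start time and the use of `client.ip` as the identifier are assumptions for illustration.

```xml
<!-- Added example (not from the original post). Policy file 1:
     SpikeArrest smooths traffic bursts. A rate of 30 per minute per identifier
     is enforced as roughly one request every two seconds; faster arrivals
     are rejected with a policy fault before reaching the backend.
     Rate and identifier are assumptions for illustration. -->
<SpikeArrest async="false" continueOnError="false" enabled="true"
    xmlns="http://www.sap.com/apimgmt">
  <!-- behind a load balancer, client.ip may be the balancer's address;
       use the forwarded-for header your landscape sets in that case -->
  <Identifier ref="client.ip"/>
  <Rate>30pm</Rate>
</SpikeArrest>

<!-- Policy file 2: Quota caps total volume per caller over a longer window,
     independent of burst shape: at most 200 calls per client IP per calendar
     day, counted from the given start time. Values are assumptions. -->
<Quota async="false" continueOnError="false" enabled="true" type="calendar"
    xmlns="http://www.sap.com/apimgmt">
  <Identifier ref="client.ip"/>
  <Allow count="200"/>
  <Interval>1</Interval>
  <TimeUnit>day</TimeUnit>
  <StartTime>2024-01-01 00:00:00</StartTime>
</Quota>
```

This is the security difference the question is asking about: the Cloud Connector tunnel keeps the on-premise host unreachable from the internet, but it forwards every request that arrives through BTP. For an endpoint without user authentication in front of it, the gateway is the place where per-caller limits can be enforced before the call consumes backend capacity.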

Sriprasadsbhat
Active Contributor
0 Likes

Hello Charles,

Below might help you to get more details on usage of SAP API management.

https://blogs.sap.com/2020/06/28/sap-cloud-platform-api-management-mini-security-series/

Regards,

Sriprasad Shivaram Bhat

Cristian
Participant
0 Likes

Many thanks @Sriprasad Shivaram Bhat

I am already aware of those blogs and how API Management works, but that still does not give me the information I am after. The blogs perfectly define how to implement different security scenarios in API Management, but do not tell me what extended security features I would get from exposing on-premise SAP GW services in API Management in addition to the security provided by the Cloud Connector. More than the how, I am interested in the why.

Anyway, many thanks again for your reply.

Regards,

C.