Security in SAP Integration Suite, Advanced Event Mesh

Advanced event mesh for SAP Integration Suite is secure by default. Our platform has enterprise-grade security built into every level of the platform to ensure that your event-driven architecture and its data remain secure.

Certain deployment operations must be performed by SAP, whereas others may be performed by the customer. In addition, different deployment options refer to infrastructure or other resources belonging to SAP and/or the customer. To prevent confusion, we sometimes explicitly use the terms "SAP" and "the customer" in discussions of infrastructure and installation procedures.

Advanced event mesh provides product and data security in many ways:

Secure Cloud Architecture
Advanced event mesh is designed to be performant, reliable, scalable, and most importantly, secure. When you use advanced event mesh, you can deploy your services to Public Regions, Dedicated Regions, or Customer-Controlled Regions.
  • With Public Regions and Dedicated Regions, you can choose to deploy your customer-dedicated event broker services (non-shared) in a shared region. Applications connect via the public Internet.
  • With Dedicated Regions, event broker services are deployed in a region that's dedicated to a customer. This is best for environments that require isolated infrastructure and where applications connect from a private network rather than over the public Internet.
  • With a Customer-Controlled Region, you can deploy to a Kubernetes cluster in a region that you control. You tune and control all aspects of the infrastructure and the Kubernetes cluster.
For more information, see Security Architecture for SAP Integration Suite, Advanced Event Mesh.
The deployment option chosen dictates the security aspects that are managed by SAP or managed by the customer. In terms of security responsibilities, your responsibilities increase as you move from Public Regions to Dedicated Regions to Customer-Controlled Regions. For an overview of security responsibilities for the customer as compared to SAP, see Customer Roles and Responsibilities for Security.
VPC/VNet Isolation
You can deploy your event broker services in a Kubernetes cluster within an isolated Virtual Private Cloud or Virtual Network (VPC/VNet). This isolated VPC/VNet gives additional security when you:
  • may not want the event broker services to be accessible from the public Internet
  • need the event broker service in an isolated environment (i.e., you don't want your event broker services in a multi-tenant environment or on shared public infrastructure)
  • have data sovereignty requirements (e.g., you require data to be kept in a VPC/VNet in a particular region of the world)
For more information about how event broker services are deployed in an isolated VPC/VNet, see VPC/VNet Isolation.
Authentication and Authorization of Client Applications
You have well-defined, granular control over how client applications authenticate and are authorized to access event broker services and perform management operations. There are two types of client applications:
  • messaging applications that connect to event broker services to exchange data and events (e.g., publish/subscribe) in advanced event mesh
  • custom management applications that manage and monitor event broker services. These applications are useful for automating the management of event broker services (configuration, monitoring, etc.), which is common in continuous integration and continuous delivery (CI/CD) workflows.
For more information, see Client Application Connectivity and Security.
Authentication and Authorization of Users in the Cloud Console
Users must be authenticated and authorized to create event broker services, monitor event broker services, and design an event-driven architecture. The advanced event mesh account and user management system allows you to efficiently manage user accounts and assign permissions that allow users to access the different categories of services in the Cloud Console.
For more information about authentication and authorization of users in advanced event mesh, see Authentication and Authorization.
Customer Data Protection
Customer data is always protected in advanced event mesh. The advanced event mesh architecture logically splits the data into a control plane and a messaging plane. The control plane transports data related to management and monitoring, while the messaging plane transports the messaging data between the event broker services and customer applications.
These distinct planes are highly secure, and data is encrypted both at rest (AES-256) and in transit (TLS 1.2). Separating the two types of data is important in the security architecture for these reasons:
  • it gives you better control of the data: for instance, you can keep all the messaging data within an isolated VPC/VNet for customer-controlled environments
  • it improves reliability and security: an impact to one plane doesn't affect the other
For more information about control and messaging planes and data protection, see Data Protection.
Audit Logs and System Logs
Advanced event mesh provides access to full logs and system notifications, which include:
  • audit logs for the Cloud Console regarding security-related access
  • full logs regarding event broker services (you can access these by setting up SysLog Forwarding)
  • a subset of logs from event broker services that is sent to our central monitoring service, which can be accessed from Insights and contributes to additional notifications and alerts
Note that logs and any information collected to monitor the health of the event broker services and system status do not contain personally identifiable information. For more information, see Using Audit Logs and System Logs.
Compliance with Industry Standards
Advanced event mesh is compliant with many important industry standards for cloud and SaaS, including:
  • ISO/IEC 27001:2013 certification
  • Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) v3.1
  • Service Organization Control (SOC) 2 Type 2 audit
  • Meets the requirements for executing a Business Associate Agreement (BAA) as required to meet Health Insurance Portability & Accountability Act (HIPAA) compliance for engaging with subcontractors and service providers
  • General Data Protection Regulation (GDPR) compliance for the protection of personal data and privacy of EU subjects

Considerations for Additional Security
Advanced event mesh is secure by default, and event broker services are deployed with a secure configuration. Security updates are required, and there are additional settings you can configure to further harden security.
The default settings in advanced event mesh balance ease of development and production requirements (initial integration) with security. When you require additional security, there are further recommendations that can harden deployments in infrastructure that you control. For more information, see Additional Steps and Best Practices for Security.