Customer Roles and Responsibilities for Security

The following tables summarize the security responsibilities for each deployment architecture. The exact responsibilities differ based on the deployment environment that the customer (you) has chosen. For more information about deployment architectures, see Security Architecture for SAP Integration Suite, Advanced Event Mesh.

In particular, the responsibilities are different between:

  • SAP-controlled environments. This includes Public Regions (shared infrastructure) and Dedicated Regions (not shared; reserved for a single customer).
  • Customer-Controlled Regions. This includes customer-owned cloud regions and on-premises customer-owned networks, such as Kubernetes clusters.

The following tables summarize the responsibilities of the customer and SAP for security-related tasks.

Infrastructure and Networking Security Responsibilities

The following table describes the security responsibilities of various aspects of a deployment and components in the security architecture.

| Task Description | Deployment Environment | SAP | Customer | Notes |
|---|---|---|---|---|
| Security updates for the Home Cloud and Cloud Console | Public Regions and Dedicated Regions | ✓ | | The Home Cloud and Cloud Console are in SAP-controlled infrastructure, so security updates and upgrades are managed by SAP. |
| | Customer-Controlled Regions | ✓ | | |
| Coordination with Datadog (third-party service) to maintain and update the central monitoring service | Public Regions and Dedicated Regions | ✓ | | The central monitoring service (Datadog) collects logs, metrics, and statistics from event broker services. SAP handles all interactions with Datadog that are related to advanced event mesh for SAP Integration Suite. |
| | Customer-Controlled Regions | ✓ | | |
| Deploying and upgrading the Mission Control Agents | Public Regions and Dedicated Regions | ✓ | | SAP manages upgrades to the Mission Control Agent for event broker services in Public Regions and Dedicated Regions. |
| | Customer-Controlled Regions | ✓ | ✓ | Because the Mission Control Agent is deployed in the Customer-Controlled Region, the customer is responsible for it, but performing the upgrade is a joint effort with SAP. The customer must contact SAP when they want to upgrade their Mission Control Agent. |
| Security updates to event broker services | Public Regions and Dedicated Regions | ✓ | | For the event broker service software version, SAP and the customer coordinate to determine the best time to perform the upgrade. The lead time required is usually two weeks. |
| | Customer-Controlled Regions | ✓ | | In customer-controlled environments, the customer is responsible for monitoring product notices and requesting upgrades when they are available; this includes taking appropriate actions as required. |
| Security for networking and network access of the event broker service (e.g., maintenance of NAT, load balancers) | Public Regions and Dedicated Regions | ✓ | ✓ | SAP manages the network access for dedicated-customer regions and manages security updates for the SAP-controlled parts of the network. |
| | Customer-Controlled Regions | | ✓ | If the client applications can connect from within a customer's private network, the customer is responsible for managing access of those applications, managing security updates, and configuring their network so that the client applications can access event broker services. |
| Configuring VPC/VNet routes as required between the event broker services and client applications | Public Regions and Dedicated Regions | ✓ | ✓ | In Public Regions, SAP is responsible for configuring, monitoring, and resolving issues with VPC peering. Peering between Dedicated Regions or Public Regions and customer VPCs requires that the customer assist with configuration and provide SAP with the required access to the customer network; in this scenario, SAP is responsible for maintaining only the Public Region and Dedicated Region parts of the network. For Dedicated Regions, SAP exchanges custom routes between the Dedicated Regions using one of the Networking Options for Dedicated Region Deployments supported by SAP. VPN connectivity is not supported for Dedicated Regions. |
| | Customer-Controlled Regions | | ✓ | In Customer-Controlled Regions, the customer is responsible for configuring, monitoring, and resolving issues with VPC peering and VPN connectivity. Peering between Public Regions or Dedicated Regions and customer VPCs requires that the customer assist with configuration and provide SAP with the required access to the customer network; in this scenario, SAP is responsible for maintaining only the Public Region or Dedicated Regions. The customer is responsible for coordinating with their infrastructure teams to configure secure connectivity (VPC/VNet peering, VPN, Transit Gateway, etc.) between where the client applications reside and the event broker services in the Kubernetes cluster. This may also include configuring load balancers, gateways, and NAT access. |
| Network infrastructure security of the client messaging applications | Public Regions and Dedicated Regions | | ✓ | The security of the infrastructure that the client applications run on is managed by the customer. |
| | Customer-Controlled Regions | | ✓ | |
| Security of the infrastructure where the event broker services are deployed (including Kubernetes clusters (GCP) and the supporting infrastructure), including security maintenance updates | Public Regions and Dedicated Regions | ✓ | | SAP ensures that the most recent security measures and best practices are implemented to address ongoing security threats to the infrastructure where the event broker services run. |
| | Customer-Controlled Regions | ✓ | ✓ | The customer is responsible for setting up, managing, securing, and maintaining their private region (VPC/VNet) for the Kubernetes cluster. |

User Control Responsibilities

The users (customers) are responsible for establishing their own system of internal control and enforcing those controls. It is not feasible for all trust services criteria to be solely achieved by SAP. User control encompasses access from users, which includes both people and client application access.

| Task Description | Deployment Environment | SAP | Customer | Notes |
|---|---|---|---|---|
| The security and integrity of data stored and processed in facilities, infrastructure, and environments | Public Regions and Dedicated Regions | | ✓ | The event broker services run on SAP-controlled infrastructure. The data on the messaging plane portion of the event broker services is not accessible to SAP. Any data stored or captured by the client applications is under the customer's control. |
| | Customer-Controlled Regions | | ✓ | The event broker services run on customer-controlled infrastructure. Any data stored or captured by the client applications is under the customer's control. |
| Managing access to the customer's advanced event mesh account (configuring access such as adding/deleting users, review, implementation of logical access security measures) | Public Regions and Dedicated Regions | | ✓ | The customer is responsible for managing the appropriate access (credentials, roles) for their users in their advanced event mesh account, for adding or removing users for the account, and for performing periodic reviews of their access and configuration in the account. Customers using Dedicated Regions are responsible for reviewing and approving the security configuration of the VPC/VNet as well as access to the event broker services. The customer can contact SAP as required for assistance with access issues. |
| | Customer-Controlled Regions | | ✓ | |