Security Recommendations
The SAP IoT services for SAP BTP for the Cloud Foundry environment currently come with an initial set of security features. In addition, consider the following points:
Recommendations
Caution
All Internet of Things Service APIs use Transport Layer Security (TLS) to secure the communication between the client and the server. Ensure that clients validate the server certificate as part of the TLS handshake, both with regard to the correct host name and to the trustworthiness of the issuing Certificate Authority (CA). All server certificates are issued by well-known and generally trusted certificate authorities, for example DigiCert. Be aware that the CA certificates might change over time. Such changes are announced in the section What's New for SAP BTP. Clients therefore need a lifecycle management process for trusted certificates: typically, they either rely on the default system trust store or allow the list of trusted CAs to be extended by configuration.
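The following is an added example, not code from SAP or from the Internet of Things Service documentation, showing how a client can meet the requirement above: verify the server chain against the system trust store, check the host name, and allow an additional CA bundle to be configured when a CA change is announced. The insecure variant is included only for contrast. The extra_ca_bundle path parameter and the context_is_hardened check are assumptions introduced here; the API host is whatever your SAP BTP subaccount provides.

```python
import socket
import ssl


def build_client_tls_context(extra_ca_bundle=None):
    """Return an SSLContext that verifies server certificates properly.

    create_default_context() loads the operating system trust store and
    enables certificate verification plus host name checking. The optional
    extra_ca_bundle (hypothetical parameter: path to a PEM file) lets
    operations add a newly announced CA without touching the client code.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no TLS 1.0/1.1
    ctx.check_hostname = True                      # host name must match
    ctx.verify_mode = ssl.CERT_REQUIRED            # chain must be trusted
    if extra_ca_bundle:
        # Extends, rather than replaces, the default trust store.
        ctx.load_verify_locations(cafile=extra_ca_bundle)
    return ctx


def build_insecure_context():
    """Anti-pattern for comparison: accepts any certificate for any host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """Check the three settings a client must not weaken."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def get_server_certificate_subject(host, port=443, ctx=None):
    """Connect to host and return the verified server certificate subject.

    server_hostname is what binds the host name check to this connection;
    omitting it disables the check even when check_hostname is True.
    """
    ctx = ctx or build_client_tls_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")


if __name__ == "__main__":
    print("hardened:", context_is_hardened(build_client_tls_context()))
    print("insecure:", context_is_hardened(build_insecure_context()))
```

If the handshake fails with a certificate verification error after a CA change has been announced, the fix is to update the system trust store or the configured bundle, never to set verify_mode to CERT_NONE.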
Do not delete or change applications and other security settings that are
installed by the Internet of Things Service.
Protect the devices and their stored device certificates, including the private keys, at all times against unauthorized access. If possible, store the private key encrypted on the device, for example by using a hardware-backed key store or an encrypted key file. When installing a new device certificate on the device, remove the old device certificate including its private key.
Protect the system hosting the Internet of Things Edge Platform against
unauthorized access as well.
For both the devices and the Internet of Things Edge Platform, regularly check for security-relevant patches on OS and firmware level.
Quickly apply the provided Internet of Things Edge Platform security patches.
If the device receives messages from the cloud, validate and process these messages securely (check their origin and content before acting on them) so that no unintended actions are triggered on the device.
Use the existing logging capabilities to check the platform, monitor the
system, and regularly check for any exceptional behavior.
Mark sensitive headers as sensitive when creating an HTTP configuration. See Create a Configuration for the HTTP Processing Service.
If you want to use the Internet of Things Service to process sensitive data (including personal data), use your own database to store this data. You can set up your SQL processing service as described in SQL Processing Service (SQL).
Consult a security expert or carefully read the information provided in the
following sections to be aware of your current protection level.
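The following is an added example, not code from SAP or from the Internet of Things Service, illustrating the device certificate recommendation above: the new private key is created readable only by its owner, the new certificate and key are swapped in atomically, and the old key is overwritten and deleted once the new pair is in place. File names, the directory layout and the PEM bodies are constructed for this example; real certificates and keys come from your device enrollment process, and encrypting the key at rest (for example in a hardware key store) is outside what the standard library offers and is not shown.

```python
import os
import shutil
import stat
import tempfile

# Constructed file names for the example; adapt to your device layout.
CERT_NAME = "device-cert.pem"
KEY_NAME = "device-key.pem"


def _write_private(path, data):
    """Create path with mode 0600 (owner read/write only) and write data."""
    if os.path.exists(path):
        os.unlink(path)  # stale temp file from an interrupted earlier run
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        while data:
            written = os.write(fd, data)
            data = data[written:]
        os.fsync(fd)
    finally:
        os.close(fd)


def _shred_and_remove(path):
    """Overwrite a file with zeros, then unlink it.

    Caveat: on flash or copy-on-write file systems the overwrite does not
    guarantee the old blocks are gone; a hardware key store is the robust fix.
    """
    if not os.path.exists(path):
        return
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)


def install_device_certificate(cert_dir, cert_pem, key_pem):
    """Replace the device certificate and private key in cert_dir.

    The new pair is written next to the old one and moved into place with
    rename(), so a crash never leaves the device without a usable pair.
    The previous key is destroyed only after the new pair is active.
    """
    cert_path = os.path.join(cert_dir, CERT_NAME)
    key_path = os.path.join(cert_dir, KEY_NAME)
    tmp_cert, tmp_key = cert_path + ".new", key_path + ".new"
    old_key = key_path + ".old"

    _write_private(tmp_key, key_pem)
    _write_private(tmp_cert, cert_pem)

    if os.path.exists(key_path):
        os.replace(key_path, old_key)
    os.replace(tmp_key, key_path)
    os.replace(tmp_cert, cert_path)

    _shred_and_remove(old_key)  # old certificate was overwritten above
    return cert_path, key_path


def key_permissions_ok(key_path):
    """True if the private key has no group or world permission bits."""
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo():
    """Rotate a constructed certificate pair in a temp dir and report results."""
    cert_dir = tempfile.mkdtemp()
    try:
        # Constructed placeholder PEM bodies, not real key material.
        install_device_certificate(
            cert_dir, b"-----BEGIN CERTIFICATE-----\nold\n",
            b"-----BEGIN PRIVATE KEY-----\nold\n")
        cert_path, key_path = install_device_certificate(
            cert_dir, b"-----BEGIN CERTIFICATE-----\nnew\n",
            b"-----BEGIN PRIVATE KEY-----\nnew\n")
        with open(key_path, "rb") as f:
            key_is_new = f.read().endswith(b"new\n")
        return {
            "key_mode_ok": key_permissions_ok(key_path),
            "old_key_gone": not os.path.exists(key_path + ".old"),
            "key_is_new": key_is_new,
            "leftovers": sorted(os.listdir(cert_dir)),
        }
    finally:
        shutil.rmtree(cert_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The check in key_permissions_ok is also useful as a periodic audit on the device: any key file that becomes group or world readable, for example after a careless copy, should show up in your monitoring.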