Security has become the #1 topic on the agenda of all our customers.
The exponential growth of online traffic has generated a proportional growth of online attacks and malicious behaviors which can cause critical damage to your business and reputation.
Considering this, the SAP product team have been continuously adding new features and capabilities to the SAP Customer Data Cloud (CIAM) solution, leveraging the latest security standards (e.g. FIDO) and technologies such as Artificial Intelligence and Machine Learning.
We are now pleased to share with you a
Security Package prepared by our experts.
It includes comprehensive material to guide you in discovering, understanding, and implementing all the security features available in the SAP Customer Data Cloud platform.
This package will help you maximize the security of your SAP Customer Data Cloud platform and ensure protection of your customers’ identity and data, as well as prevent fraud, attacks, and malicious behavior.
We hope you will find this material useful.
Please contact your Customer Success Partner should you have any question or require further information or guidance.
The SAP Customer Data Cloud (CIAM) Security Package includes:
- Links to dedicated SAP CDC Security resources.
- List of SAP CDC Security features with their comprehensive description in SAP CDC documentation.
- Links to selected Knowledge Base articles on SAP CDC Security implementation and best practices.
SAP CDC Security Package
1. Links to dedicated resources
- Listen to our Webinar on CDC Security Features presented by CDC Product team
- View our Interactive demo of Account Take Over in action
- Access SAP Trust Center resources (security reports and certifications)
- Access CDC roadmap details
- Access the Security Guide in SAP CDC documentation
- Review the Security recommendations for SAP CDC implementation
- Monitor the What’s new section in SAP Documentation
2. Links to Security features description in SAP CDC documentation
- IP Restrictions - Controls IP addresses that can access the CDC APIs with IP allow/ deny lists.
- Account Harvesting Protection - Protects your implementation from account harvesting attempts (note the UX impact!).
- API Rate Limit - Protects the CDC infrastructure and your implementation from abusive API calls.
- SDK Management - Allows you to filter out traffic to your endpoints according to SDK types and versions.
- Rule Based Authentication (RBA) - A framework allowing you to configure rules to enforce a higher level of authentication upon a particular risk level
- The rules are created in a context of specific flows (e.g., login, registration) and define what events or triggers (e.g., failure to login, login from a new device, ATO risk score) should result in an additional challenge (e.g. reCAPTCHA/ TFA challenge, account lock).
- Account Takeover Protection (ATO)
- CDC native and recommended AI/ML based Risk Engine.
- Provides a risk score that can be used to trigger RBA rules.
- CAPTCHA - Allows you to enable the CAPTCHA challenge within the RBA rules;
- Offers integration with Google reCAPTCHA (v2) or Arkose Labs.
- The Google reCaptcha v3/ Enterprise risk score can be consumed in the RBA rules and complement the ATO risk score.
- TransUnion Risk Assessment - Ability to integrate the TransUnion Risk score; can be used as an RBA trigger.
- Two Factor Authentication (TFA) - Allows enforcing an additional authentication depending on the required authentication level; can be used as an RBA challenge.
- Network Protected Identity (NPI) - RBA component that keeps track of Email and IP addresses associated with brute force attacks across the whole SAP Customer Data Cloud platform; can be used as an RBA trigger.
- Unknown Location Notification - RBA component allowing you to notify the user about a login from an unknown location.
- Impossible Traveler Policy - RBA feature allowing you to notify the user if a login is detected from an “impossible” location.
- Client Context - For server-side integration, allows you to pass additional details required by the RBA rules (e.g. the end user IP address).
- Log Connector - Allows real-time sharing of the logs with an extensive set of external log provider (e.g., Splunk or DataDog) to run analytics, set up alerts etc.
- Security Notifications- Allows you to send security email notifications when the ATO Engine notices a suspicious activity.
- Security Dashboard- Allows for an insight into the current state of security of your sites.
3. Links to selected Knowledge Base Articles
- 3348999 Security Implementation Best Practices for SAP Customer Data Cloud.
- 3269521 What are some basic ways to mitigate malicious login attempts on my sites and/or applications that are utilizing SAP Customer Data Solutions' Identity solution?
- 3269543 What are some intermediate ways to mitigate malicious login attempts on my sites and/or applications that are utilizing SAP Customer Data Solutions' Identity solution?
- 3269553 What are some advanced ways to mitigate malicious login attempts on my sites and/or applications that are utilizing SAP Customer Data Solutions' Identity solution?
- 3150156 How do I leverage the enhanced risk assessment measures offered by SAP Customer Data Cloud's Risk Based Authentication platform to mitigate the risk of malicious Account Takeovers?
- 3241000 SAP Customer Data Cloud's accounts.login API endpoint triggers an error "400006 Invalid parameter value" with details "Your request is blocked because of security issues.” (GMID Validation)
- 2703523 What are the effects when Account Harvesting is enabled?
- 2702625 What rate limits are in place for SAP Customer Data Cloud APIs?
- 2703288 How do I enforce a CAPTCHA during the RaaS registration flow?
- 3281920 Changes from reCAPTCHA v3 to reCAPTCHA Enterprise
- 2784337 Risk Based Authentication (RBA) is not working with REST API or Server-Side SDKs
- 3210686 How to implement captcha verification using SAP Customer Data Cloud's server-side Risk Based Authentication (RBA) functionality?
