And why it is important to scan SCC systems regularly

Introduction
Every month, new security features and checks are released for our SAP Vulnerability Management solution. We try to keep as many SAP system types well secured as possible. The SAP Cloud Connector was one of the SAP system types on our roadmap. In our February Support Pack release (2302), we added the SAP Cloud Connector system type to our solution scope!
What is the SAP Cloud Connector?
The SAP Cloud Connector (SCC) is perhaps best described as the ‘linking pin’ between an on-premise SAP system landscape and the cloud-based SAP Business Technology Platform (BTP). It plays a pivotal role in connecting these 2 important domains of the SAP ecosystem. Some key features of the SCC are:
- Runs as an on-premise component with low TCO and high-availability options.
- Setup of a secure ‘tunnel’ between the on-premise landscape and SAP BTP without the need to open firewall ports.
- Support of multiple protocols, like HTTP and RFC.
- Fine grained control over on-premise systems and resources that can be accessed by SAP cloud applications.
- Identity propagation of cloud users to on-premise systems.
- Connectivity of on-premise databases to cloud-based SAP HANA databases.
See the following blog for a nice (non-technical) introduction of the SCC. The following picture from this blog clearly shows what central role the SCC plays in basically any scenario that involves SAP cloud services and an on-premise SAP landscape.

Security of the SAP Cloud Connector
In an earlier blog, we have pointed at the security aspects of the SCC. And looking at the scenarios above that involve the SCC, it is not hard to see why it is important to make sure this component is properly secured. It is essential that the right systems and services are exposed to the right SAP BTP subaccounts and access is only granted to allowed components and users. And keep in mind that the SCC not only holds configuration. It also services actual data flows that go from one system to the other. Enough reasons to keep this component secure…
So how does Protect4S Vulnerability Management (VM) help to keep this component safe? Since the February release 2302, an SCC system can be scanned by our VM solution to identify vulnerabilities and take appropriate action. Using our light-weight and proven check framework, we have included a number of checks that can be executed for an SCC system. Some examples of these checks are:
- Version check of the installed SCC and underlying Java release.
- Check for usage of default passwords and users.
- Check on trust settings to on-premise backend systems.
- Check for the configured authentication mode.
- Check for the installation mode of the SCC.
Example of a SAP Cloud Connector scan result:

We are excited to have this new feature in our VM solution to help secure this important component. And off course we are more than happy to tell anyone about our products that help control the intriguing aspects of SAP platform or cybersecurity. Feel free to contact us about the capabilities of our solutions Vulnerability Management and Threat Detection.
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!