Role: SAP BTP Security Architect

Location: Rosemead, CA/Onsite

Key Responsibilities

Security Architecture & Design

• Design and maintain secure architecture for SAP BTP services including:

o Cloud Foundry

o Kyma Runtime

o SAP Integration Suite

o SAP Extension Suite

• Define security patterns for multi-account, subaccount, and tenant-based BTP landscapes

• Architect secure cloud-to-cloud and cloud-to-on-premise integrations

Identity & Access Management (IAM)

• Architect and manage authentication and authorization using:

o SAP Identity Authentication Service (IAS)

o SAP Identity Provisioning Service (IPS)

o SAP BTP Authorization concepts (roles, role collections)

• Implement Single Sign-On (SSO) and Federated Identity (SAML 2.0, OAuth 2.0, OpenID Connect)

• Integrate SAP BTP security with corporate IdPs (Azure AD, Okta, etc.)

Application & Integration Security

• Secure REST APIs, events, and integrations within SAP BTP

• Define API security using OAuth scopes, XSUAA, certificates, and token-based authentication

• Ensure secure connectivity using SAP Cloud Connector and mTLS

Platform & Infrastructure Security

• Implement network security controls, trust configuration, and secure connectivity

• Apply secure configuration for BTP services and runtimes

• Define standards for secrets management and certificate lifecycle management

Governance, Risk & Compliance (GRC)

• Establish security standards, policies, and guardrails for SAP BTP

• Ensure compliance with regulatory frameworks (ISO 27001, SOC 2, GDPR, SOX, etc.)

• Support security audits, risk assessments, and penetration testing activities

DevSecOps & Monitoring

• Embed security into CI/CD pipelines for BTP applications

• Define secure coding and deployment guidelines

• Monitor security events using SAP and enterprise security tools and respond to incidents

Advisory & Stakeholder Collaboration

• Act as a trusted security advisor to architects, developers, and business stakeholders

• Provide guidance for secure extensions, custom developments, and modernization initiatives

• Stay current on SAP BTP security roadmap and emerging threats

Required Skills & Qualifications /Technical Skills

• Strong expertise in SAP BTP security architecture

• Hands-on experience with:

o SAP IAS / IPS

o XSUAA

o OAuth 2.0, SAML 2.0, OpenID Connect

• Deep understanding of cloud security principles (Zero Trust, least privilege)

• Experience securing SAP landscapes (S/4HANA, SuccessFactors, Ariba, etc.)

• Knowledge of API security, certificates, encryption, and key management

Cloud & Integration Knowledge

• Good understanding of cloud platforms (SAP BTP, Azure, AWS, or GCP)

• Experience with hybrid integrations and SAP Cloud Connector

• Familiarity with DevSecOps practices and CI/CD security

Certifications (Preferred)

• SAP Certified Technology Associate – SAP BTP

• SAP Security or SAP Cloud certifications

• Cloud security certifications (Azure Security Engineer, CISSP, CCSP – a plus)