Cloud security responsibilities in SAP RISE
What’s SAP’s job, what’s ours?
By Eckhart Mehler for CISOs
CISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.
In the realm of cloud-based ERP solutions, RISE with SAP represents a leap toward simplified digital transformation. However, it can also generate confusion around the delineation of cybersecurity roles. Many organizations assume that “cloud-based” means “fully secured,” inadvertently overlooking their own responsibilities. This article addresses the often-misunderstood shared responsibilities in SAP RISE, detailing which security obligations lie with SAP and which must be shouldered by customers, all mapped against the SAP Cloud Lifecycle.
🌐 Understanding the SAP Cloud Lifecycle
SAP’s cloud lifecycle typically traverses five phases: Plan, Build, Deploy, Run, and Optimize. Each phase introduces its own blend of tasks, vulnerabilities, and security considerations. While SAP provides robust technical controls and cloud services, customers still must implement additional layers of governance and oversight to ensure comprehensive protection. Recognizing these responsibilities early helps prevent security gaps from surfacing at a later, more critical stage.
🤝 The Shared Responsibility Model
At its core, the shared responsibility model stipulates that while SAP secures and maintains its underlying cloud infrastructure, each customer bears accountability for user management, data classification, and specific configurations within SAP’s system. This dynamic closely resembles standard public cloud models, yet with a stronger focus on enterprise ERP nuances such as authorization objects, compliance alignment (e.g., GDPR), and advanced role management.
1. SAP’s Role:
Infrastructure and Virtualization: Operating secure, patched, and resilient infrastructure, whether on a hyperscaler or in SAP's own data centers, in line with industry standards and attestations such as ISO 27001 and SOC 2.
Platform Security: Keeping the SAP application stack, from NetWeaver to S/4HANA components, up to date, resilient, and monitored around the clock. In practice this covers operating-system, database and kernel patching in agreed maintenance windows; application-level SAP Security Notes that require manual steps or configuration changes still need the customer's decision and testing.
Core Network & Physical Security: Protecting data center environments, physical hardware, and network boundaries.
2. Customer’s Role:
Identity & Access Management (IAM): Defining roles and authorizations, granting and revoking user access, periodically recertifying who holds what (including SAP_ALL and other critical profiles), and ensuring that employees follow established procedures.
Data Governance & Compliance: Classifying data, implementing data retention policies, and meeting region-specific mandates like GDPR or HIPAA.
Configuration & Integration Security: Appropriately configuring modules, encrypting connections (TLS for HTTP traffic, SNC for RFC and SAP GUI), and securing integration points with third-party systems, including the RFC destinations and technical users they rely on.
📊 A Visual Mapping of Responsibilities Across the Lifecycle
Imagine a simplified matrix aligned with the Plan-Build-Deploy-Run-Optimize stages:
• Plan:
SAP: High-level architectural security guidelines, baseline infrastructure controls.
Customer: Security requirements definition, data governance blueprint.
• Build:
SAP: Patch management and framework updates.
Customer: Custom ABAP code reviews, user role definition, security testing.
• Deploy:
SAP: Ensuring the platform is rolled out with secure baseline configurations.
Customer: Reviewing final configurations, validating data flows, establishing monitoring.
• Run:
SAP: Continuous infrastructure monitoring, automated vulnerability scans, SLAs for uptime.
Customer: Ongoing role administration, configuring the Security Audit Log and reviewing it for anomalies, enforcing security policies.
• Optimize:
SAP: Continuous feature enhancements, security updates.
Customer: Evolving governance frameworks, auditing user permissions, planning for regulatory changes.
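The customer-side items in the Run and Optimize rows (ongoing role administration, auditing user permissions) are easiest to keep honest as a scripted check that runs before every recertification. The following is an added example, not code from the article or from SAP: it reads extracts that mimic the SAP tables USR02 (user master), UST04 (user-profile assignments) and AGR_USERS (user-role assignments) and reports critical profiles on non-default users, unlocked default users, expired role assignments that were never removed, and segregation-of-duties conflicts. All records, the Z_* role names and the SoD rule set are constructed for illustration and would be replaced by the real extracts and the organization's own rule book.

```python
"""Periodic authorization review of an SAP system, run on the customer side.

Added example; not code from the article or from SAP. The three lists mimic
extracts of USR02 (user master), UST04 (user-profile assignment) and AGR_USERS
(user-role assignment). All records, the Z_* role names and the
segregation-of-duties rule set are constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# USR02 extract (constructed): BNAME, USTYP, UFLAG.
# USTYP: A = dialog, B = system, C = communication, S = service.
# UFLAG: 0 = not locked, 64 = locked by administrator, 128 = locked after failed logons.
USR02 = [
    ("SAP*",      "A", 0),    # default user left unlocked
    ("DDIC",      "A", 64),
    ("JDOE",      "A", 0),
    ("MMILLER",   "A", 0),
    ("RFC_SFDC",  "B", 0),    # system user for an integration
    ("TEMP_CONS", "A", 0),    # external consultant from a finished project
]
# UST04 extract (constructed): BNAME, PROFILE.
UST04 = [
    ("SAP*",     "SAP_ALL"),
    ("DDIC",     "SAP_ALL"),
    ("RFC_SFDC", "SAP_ALL"),  # integration user given SAP_ALL "to make it work"
    ("JDOE",     "Z_P2P_BUYER"),
]
# AGR_USERS extract (constructed): AGR_NAME, UNAME, FROM_DAT, TO_DAT.
AGR_USERS = [
    ("Z_VENDOR_MASTER", "JDOE",      "2024-01-01", "9999-12-31"),
    ("Z_PAYMENT_RUN",   "JDOE",      "2024-06-01", "9999-12-31"),
    ("Z_PAYMENT_RUN",   "MMILLER",   "2024-01-01", "9999-12-31"),
    ("Z_BASIS_ADMIN",   "TEMP_CONS", "2023-03-01", "2023-06-30"),  # expired, never removed
]

CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}
DEFAULT_USERS = {"SAP*", "DDIC", "EARLYWATCH", "TMSADM"}
# Illustrative segregation-of-duties rules: role pairs one person must not hold together.
SOD_RULES = {"P2P: maintain vendor master and run payments": ("Z_VENDOR_MASTER", "Z_PAYMENT_RUN")}


def _today(today):
    """today as an ISO date string, or None for the current date."""
    return date.fromisoformat(today) if today else date.today()


def critical_profile_holders(ust04=UST04, usr02=USR02):
    """Non-default users holding SAP_ALL/SAP_NEW, with user type. SAP* and DDIC
    carry SAP_ALL by design; for them the question is whether they are locked."""
    utype = {name: ustyp for name, ustyp, _ in usr02}
    return sorted((user, profile, utype.get(user, "?")) for user, profile in ust04
                  if profile in CRITICAL_PROFILES and user not in DEFAULT_USERS)


def unlocked_default_users(usr02=USR02):
    """SAP default users that are not locked."""
    return sorted(name for name, _, uflag in usr02 if name in DEFAULT_USERS and uflag == 0)


def active_roles(agr_users=AGR_USERS, today=None):
    """Map user -> set of roles whose validity period covers the review date."""
    today, roles = _today(today), defaultdict(set)
    for role, user, from_dat, to_dat in agr_users:
        if date.fromisoformat(from_dat) <= today <= date.fromisoformat(to_dat):
            roles[user].add(role)
    return dict(roles)


def expired_assignments(agr_users=AGR_USERS, today=None):
    """Role assignments whose TO_DAT has passed but that were never removed."""
    today = _today(today)
    return [(role, user, to_dat) for role, user, _, to_dat in agr_users
            if date.fromisoformat(to_dat) < today]


def sod_violations(roles_by_user):
    """Users holding both roles of any SoD rule."""
    return [(user, rule) for user, roles in sorted(roles_by_user.items())
            for rule, (a, b) in SOD_RULES.items() if a in roles and b in roles]


def review(today=None):
    """All findings of one review run, keyed by check."""
    return {"critical_profiles": critical_profile_holders(),
            "unlocked_default_users": unlocked_default_users(),
            "sod_violations": sod_violations(active_roles(today=today)),
            "expired_assignments": expired_assignments(today=today)}


if __name__ == "__main__":
    for check, findings in review("2025-04-26").items():
        print(f"{check}: {findings}")
```

The review date is passed in explicitly so that the same extract can be re-checked against the date it was pulled; with the constructed data the run reports the integration user with SAP_ALL, the unlocked SAP*, JDOE's vendor-master/payment conflict and the consultant's expired basis role. None of these findings is visible to SAP, which is the point: the platform is operated for you, the authorizations are not.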
🚀 Best Practices for Effective Collaboration
- Establish Clear Security SLAs: Put the split in writing, starting from the roles-and-responsibilities document that accompanies the RISE contract, so that no one discovers a gap for the first time during an incident.
- Implement Strong IAM: Enforce MFA at your identity provider (SAML for Fiori and other browser access, SNC-based single sign-on for SAP GUI) and keep roles least-privilege; SAP hosts the system, but who may log on and with what rights is entirely your call.
- Audit & Monitor: Use both SAP-native and third-party SIEM tools to detect anomalies and unify logs. The Security Audit Log only records what its filters are set to record, and setting them is your job, not SAP's; switch it on, ship it together with the gateway, HTTP and change logs to your SIEM, and alert on bursts of failed logons, logons by SAP* or DDIC, and sensitive transactions run by non-administrators.
- Continuous Training: Regularly train internal teams on SAP security intricacies, especially around advanced authorization concepts and data privacy requirements.
- Engage Early in Lifecycle Stages: Involve security stakeholders from project inception, not post go-live.
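The log monitoring that the Run row and the Audit & Monitor point leave with the customer comes down to a handful of rules over Security Audit Log records. The following is an added example, not code from the article or from SAP: it parses a constructed export of the Security Audit Log and raises alerts for password-guessing bursts, logons by SAP default users from unapproved terminals, and sensitive transactions started by users outside the admin allowlist. The message IDs AU1, AU2 and AU3 are SAP's; the pipe-delimited field layout is this script's own convention, the log lines are constructed sample data, and the thresholds, jump-host names and allowlists are assumptions to replace with your own.

```python
"""Anomaly checks over SAP Security Audit Log (SAL) records.

Added example, not code from the article or from SAP. It assumes the customer
has activated the Security Audit Log and exports it as pipe-delimited text with
the fields timestamp|message ID|user|client|terminal|detail. AU1 (logon
successful), AU2 (logon failed) and AU3 (transaction started) are SAP's message
IDs; the field layout is this script's convention, the lines are constructed
sample data, and the thresholds and allowlists are assumptions to adapt.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; for AU3 the detail field carries the transaction code.
SAMPLE_LOG = """\
2025-04-26 08:00:01|AU1|MMILLER|100|WKS-042|Logon successful (type=A)
2025-04-26 08:02:10|AU2|JDOE|100|10.20.30.99|Logon failed (reason=1, type=A)
2025-04-26 08:02:14|AU2|JDOE|100|10.20.30.99|Logon failed (reason=1, type=A)
2025-04-26 08:02:19|AU2|JDOE|100|10.20.30.99|Logon failed (reason=1, type=A)
2025-04-26 08:02:25|AU2|JDOE|100|10.20.30.99|Logon failed (reason=1, type=A)
2025-04-26 08:02:31|AU2|JDOE|100|10.20.30.99|Logon failed (reason=1, type=A)
2025-04-26 08:02:40|AU1|JDOE|100|10.20.30.99|Logon successful (type=A)
2025-04-26 08:05:00|AU1|DDIC|100|10.20.30.99|Logon successful (type=A)
2025-04-26 08:05:30|AU3|DDIC|100|10.20.30.99|SE16
2025-04-26 08:30:00|AU3|BASIS01|100|ADM-JUMP-01|SM59
2025-04-26 09:00:00|AU3|MMILLER|100|WKS-042|VA01
2025-04-26 09:10:00|AU3|MMILLER|100|WKS-042|SU01
"""

FAILED_LOGON_THRESHOLD = 5                  # AU2 events per user ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)  # ... within this window
PRIVILEGED_USERS = {"SAP*", "DDIC"}         # SAP default users
ADMIN_TERMINALS = {"ADM-JUMP-01"}           # assumed admin jump hosts
ADMIN_USERS = {"BASIS01"}                   # assumed basis team accounts
SENSITIVE_TCODES = {"SE16", "SE38", "SA38", "SM59", "SU01", "PFCG", "RZ10", "SM49", "SM69"}


def parse(text):
    """Export lines -> dicts sorted by timestamp; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 5)
        if len(parts) != 6:
            continue
        ts, msg, user, client, terminal, detail = parts
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "msg": msg,
                        "user": user, "client": client, "terminal": terminal, "detail": detail})
    return sorted(records, key=lambda r: r["ts"])


def detect_password_guessing(records):
    """Burst of AU2 for one user inside the window, noting whether an AU1 followed."""
    alerts, by_user = [], defaultdict(list)
    for r in records:
        if r["msg"] in ("AU1", "AU2"):
            by_user[r["user"]].append(r)
    for user, recs in by_user.items():
        failures = [r for r in recs if r["msg"] == "AU2"]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= FAILED_LOGON_WINDOW]
            if len(burst) >= FAILED_LOGON_THRESHOLD:
                last_failure = burst[-1]["ts"]
                success = any(r["msg"] == "AU1" and r["ts"] > last_failure for r in recs)
                alerts.append({"rule": "password_guessing", "user": user,
                               "terminal": first["terminal"], "followed_by_success": success,
                               "detail": f"{len(burst)} failed logons within {FAILED_LOGON_WINDOW}"})
                break  # one alert per user is enough for triage
    return alerts


def detect_privileged_logon(records):
    """AU1 for a default user from a terminal that is not an approved admin host."""
    return [{"rule": "privileged_logon_from_unapproved_terminal", "user": r["user"],
             "terminal": r["terminal"], "detail": r["detail"]}
            for r in records if r["msg"] == "AU1" and r["user"] in PRIVILEGED_USERS
            and r["terminal"] not in ADMIN_TERMINALS]


def detect_sensitive_tcode(records):
    """AU3 for a sensitive transaction by a user outside the admin allowlist."""
    return [{"rule": "sensitive_transaction", "user": r["user"],
             "terminal": r["terminal"], "detail": r["detail"]}
            for r in records if r["msg"] == "AU3" and r["detail"] in SENSITIVE_TCODES
            and r["user"] not in ADMIN_USERS]


def analyze(text):
    """Run every detector over one export and return the alerts."""
    records = parse(text)
    return (detect_password_guessing(records) + detect_privileged_logon(records)
            + detect_sensitive_tcode(records))


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a['rule']}] user={a['user']} terminal={a['terminal']} {a['detail']}")
```

On the sample data the script raises four alerts: JDOE's five failed logons followed by a success from the same address, DDIC logging on from that same non-admin address, and SE16 and SU01 being started by users who are not on the basis allowlist; BASIS01 running SM59 from the jump host stays quiet. The same rules translate directly into SIEM correlation searches once the log is forwarded; the value of writing them down in code first is that the thresholds and allowlists become explicit, reviewable decisions rather than defaults nobody owns.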
⚙️ Conclusion
RISE with SAP is far more than a standard “lift-and-shift” approach to cloud-based ERP—its strategic benefits include streamlined updates and broad, built-in security measures. Nevertheless, ultimate data security still hinges on active customer participation. By aligning tasks across the SAP Cloud Lifecycle, CISOs and security teams can avert confusion and mitigate risks. Embrace the shared responsibility model holistically, and you will unlock both the innovative and secure potential that SAP RISE promises.
Publication Note & Disclaimer
This article was originally published on LinkedIn on April 26, 2025 and may have been edited or updated for publication on this site.
It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.
For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.