Security Focus

Security & Compliance

SAP secures the infrastructure. You secure the application, data, and users. Here's where the responsibility line is drawn.

  • You own application security
  • SAP secures infrastructure
  • 5 critical security tasks
  • SOX and GDPR remain your responsibility

Foundation

The Fundamental Truth

RISE is NOT a security outsourcing.

SAP is responsible for infrastructure security (hyperscaler, network, OS patches). You remain responsible for application security, data protection, user access, and compliance.

Think of it like living in a secure apartment building: the landlord locks the building entrance, but you still need to lock your apartment door and protect your belongings.

Overview

Security Responsibility Matrix

A clear view of who owns what across security domains.

| Security Domain | Key Activities (SAP / Customer) |
|---|---|
| Infrastructure Security | Hyperscaler security, physical security, network firewalls |
| OS & Database Patching | SAP executes patches; Customer approves timing and validates |
| Security Hardening | SAP hardens OS/DB; Customer hardens SAP app (profile params, gateways) |
| SAP Application Patching | Customer downloads, tests, and applies SAP Security Notes |
| User Access Management | Roles, authorizations, SoD, user provisioning/deprovisioning |
| Data Encryption (at rest) | HANA native encryption enabled by default |
| Data Encryption (in transit) | SAP enforces TLS; Customer configures interface encryption |
| Data Classification | Customer classifies sensitive data and implements controls |
| Audit Logging | SAP provides SAL infrastructure; Customer configures and monitors |
| Vulnerability Scanning | SAP scans infrastructure; Customer scans custom code (CVA) |
| Incident Response | SAP notifies infrastructure issues; Customer investigates app layer |
| Compliance (GDPR, SOX) | SAP provides certifications; Customer ensures app compliance |

Legend: Primary Responsibility / Shared Responsibility / Not Responsible

Action Required

Your Critical Security Tasks

These five areas require your direct attention and cannot be delegated to SAP.

1. User Access & Authorization

You design, implement, and maintain all user roles.

  • Design role-based access control (RBAC) strategy
  • Build and test authorization objects (PFCG)
  • Implement segregation of duties (SoD) controls
  • User provisioning, de-provisioning, recertification
  • Emergency access (firefighter) procedures
  • Privileged access management for admins

2. Application Security Configuration

SAP doesn't configure security settings - you do.

  • Security Audit Log (SAL) configuration and monitoring
  • Password policies and authentication methods
  • Network security (RFC destinations, trusted systems)
  • Gateway security (secinfo, reginfo)
  • Web Dispatcher configuration
  • Fiori Launchpad authorization

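As an added example (not code from the original page), a small Python check for the gateway ACLs named above: it parses secinfo/reginfo rules in the VERSION=2 key=value format and flags permit rules that restrict nothing, plus a file that does not end in an explicit deny rule. Both sample files are constructed; "local" and "internal" are the gateway's own host keywords.

```python
"""Lint SAP gateway ACL files (secinfo / reginfo) for permissive rules.

Added example, not from the original page. Rules use the VERSION=2
'P|D KEY=VALUE ...' line format; both sample files below are constructed.
"""

# Constructed: a permit-everything secinfo, the classic weak setting.
WEAK_SECINFO = """#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
"""

# Constructed: local and internal starts only, explicit deny-all at the end.
HARDENED_SECINFO = """#VERSION=2
P TP=* USER=* HOST=local USER-HOST=local
P TP=* USER=* HOST=internal USER-HOST=internal
D TP=* USER=* HOST=* USER-HOST=*
"""

# Fields that can narrow a rule; a missing field is treated as a wildcard.
RESTRICTING_KEYS = ("TP", "USER", "HOST", "USER-HOST", "ACCESS")


def parse_rules(text):
    """Return [(action, {KEY: value}), ...] for P/D lines, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        fields = {}
        if len(parts) > 1:
            for token in parts[1].split():
                key, _, value = token.partition("=")
                fields[key.upper()] = value
        rules.append((parts[0].upper(), fields))
    return rules


def find_weak_rules(text):
    """Return [(rule_no, finding)]; rule_no 0 marks a file-level finding."""
    findings = []
    rules = parse_rules(text)
    for no, (action, fields) in enumerate(rules, start=1):
        if action == "P" and all(fields.get(k, "*") == "*" for k in RESTRICTING_KEYS):
            findings.append((no, "permit-all rule"))
    # Require an explicit final deny so nothing falls through by accident.
    if not rules or rules[-1][0] != "D":
        findings.append((0, "no trailing deny-all rule"))
    return findings
```

The same check runs unchanged on a reginfo file, where ACCESS is the field that usually narrows a registration rule.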
3. Data Protection & Privacy

You own all data - PII, financial, trade secrets.

  • Data classification and labeling
  • Personal data identification (GDPR, CCPA)
  • Data retention and deletion policies
  • Data masking for non-production systems
  • Data subject access requests (DSAR)
  • Cross-border data transfer controls

4. Vulnerability Management

You monitor SAP security notes and apply patches.

  • Subscribe to SAP Security Notes
  • Assess criticality of security patches
  • Test and deploy security notes
  • Run Code Vulnerability Analyzer (CVA)
  • Scan custom code for security flaws
  • Address ABAP code injection risks

5. Monitoring & Incident Response

SAP provides tools, but you configure and respond.

  • Monitor Security Audit Log (SM19/SM20)
  • Configure alerts for suspicious activity
  • Integrate with SIEM (Splunk, QRadar, Sentinel)
  • Investigate security incidents
  • Forensic analysis when breaches occur
  • Incident reporting to regulators (if required)
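An added example (not from the original page) of the "configure alerts" step above: detection logic run over a constructed, tab-separated Security Audit Log export before it is forwarded to a SIEM. It flags a failed-logon burst, a success immediately after that burst, and any change to the audit configuration itself; the column layout and sample events are assumptions, while AU1, AU2 and AUE are standard SAL message IDs.

```python
"""Flag suspicious Security Audit Log patterns before SIEM forwarding.

Added example, not from the original page. Input is a constructed
tab-separated SAL export: date, time, client, user, terminal, message ID.
AU1 = logon successful, AU2 = logon failed, AUE = audit configuration changed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: failed-logon burst on SAP*, then a success, then an AUE event.
SAMPLE_SAL = """\
20240601\t081501\t100\tJDOE\tWS-0142\tAU1
20240601\t081530\t100\tSAP*\tWS-0933\tAU2
20240601\t081542\t100\tSAP*\tWS-0933\tAU2
20240601\t081555\t100\tSAP*\tWS-0933\tAU2
20240601\t081603\t100\tSAP*\tWS-0933\tAU2
20240601\t081610\t100\tSAP*\tWS-0933\tAU2
20240601\t081622\t100\tSAP*\tWS-0933\tAU1
20240601\t083000\t100\tBASISADM\tWS-0021\tAUE
"""
FAIL_THRESHOLD = 5             # AU2 events per client/user ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window


def parse_events(text):
    """Return (timestamp, client, user, msgid) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        date, time, client, user, _terminal, msgid = line.split("\t")
        ts = datetime.strptime(date + time, "%Y%m%d%H%M%S")
        events.append((ts, client, user, msgid))
    return sorted(events)


def detect(events):
    """Return [(alert_type, user)] for the three patterns, in event order."""
    alerts, failures, bursting = [], defaultdict(list), set()
    for ts, client, user, msgid in events:
        key = (client, user)
        if msgid == "AU2":
            recent = [t for t in failures[key] if ts - t <= WINDOW] + [ts]
            failures[key] = recent
            if len(recent) >= FAIL_THRESHOLD and key not in bursting:
                bursting.add(key)
                alerts.append(("brute_force", user))
        elif msgid == "AU1" and key in bursting and ts - failures[key][-1] <= WINDOW:
            alerts.append(("success_after_failures", user))  # possible compromise
        elif msgid == "AUE":
            alerts.append(("audit_config_changed", user))  # log tampering signal
    return alerts
```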

Regulatory

Compliance Frameworks

SAP provides infrastructure certifications, but you remain responsible for application-level compliance.

SAP Provides (Infrastructure Level)

  • ISO 27001, ISO 27017, ISO 27018 certifications
  • SOC 1 Type II, SOC 2 Type II reports
  • Cloud Security Alliance (CSA) STAR
  • Regional compliance (EU Model Clauses)

You Must Ensure (Application Level)

  • GDPR compliance (consent, DPIAs, breach notification)
  • SOX controls (financial data integrity, access controls)
  • Industry-specific regulations (HIPAA, PCI-DSS)
  • Audit trail completeness and retention

Pro tip: Don't assume RISE "makes you compliant." You still need to configure controls, document processes, and demonstrate compliance to auditors.

Tooling

Security Tools & Services

Included in RISE

  • SAP Enterprise Threat Detection (ETD) - cloud edition
  • Security Audit Log (SAL)
  • Code Vulnerability Analyzer (CVA)
  • SAP Cloud Connector (for hybrid scenarios)
  • Basic DDoS protection

You May Need to Add

  • GRC Access Control (SoD monitoring)
  • SIEM integration (Splunk, QRadar)
  • Identity governance (SailPoint, Saviynt)
  • Privileged access management (CyberArk)
  • Data loss prevention (DLP)

Avoid These

Common Security Mistakes

Assuming SAP handles security

SAP secures infrastructure. You secure the application.

Not monitoring Security Audit Log

If you're not watching SAL, you won't detect breaches.

Weak authorization design

Overprivileged users = SOX violations and fraud risk.

Ignoring SAP security notes

Unpatched applications are the #1 breach vector.

No incident response plan

When a breach happens, panic and chaos will cost you dearly.
