In the SAP RISE model, security is a shared partnership. SAP manages the security of the underlying cloud infrastructure, including the hyperscaler environment, network, servers, and databases. The customer retains full responsibility for securing the application and data layers, which includes managing custom code, user access, and threat monitoring.
While SAP provides a secure foundation, customers are accountable for critical application-level security that directly impacts their data and business processes. This includes tasks like analyzing security notes, securing custom code, managing user permissions, and monitoring for threats. Customers can delegate some of these responsibilities back to SAP by purchasing optional, paid add-ons called Cloud Application Services (CAS), but these are not included in the standard offering. Tools like the Cybersecurity Extension for SAP can assist customers in fulfilling their security duties by automating vulnerability detection, compliance monitoring, and threat identification across their entire SAP landscape.
Key Takeaways
- SAP manages the foundational infrastructure security (network, OS, DB).
- Customers are responsible for application-level security (data, code, access).
- Optional paid services (CAS) can shift some, but not all, customer tasks to SAP.
- Customers bear full responsibility for securing all custom code developments.
- By default, logging, monitoring, and threat detection are customer responsibilities.
- Third-party tools can help automate and manage customer-side security tasks.
What is the SAP RISE Shared Responsibility Model?
SAP RISE is a cloud service where SAP manages a private, single-tenant S/4HANA Cloud environment for each customer on a hyperscaler like AWS, Azure, or GCP. In this model, SAP acts as the cloud service provider, which means security responsibilities are divided. Unlike on-premise deployments where the customer handles nearly everything, SAP RISE splits the duties between SAP and the customer.

What Security Tasks Does SAP Manage?
As the cloud provider, SAP assumes responsibility for the security of the foundational infrastructure. This includes:
- Hyperscaler and Network Security: Securing the underlying cloud provider environment and network connections.
- Database and Server Security: Managing the security of the databases (excluding SAP HANA access) and the operating systems for SAP servers.
What Security Tasks Are Customers Responsible For?
In the standard SAP RISE offering, the customer is responsible for everything at the application and data layers. This is a critical distinction, as it means the customer is ultimately accountable for protecting their business data and processes. These responsibilities can be summarized in the table below.
| Security Area | Managed by SAP (Standard) | Managed by Customer (Standard) |
|---|---|---|
| Hyperscaler & Network | ✅ | |
| Servers & Databases | ✅ (excluding SAP HANA access) | |
| Application & Data | | ✅ |
| Security Patching (Notes) | Applies notes upon request | Analyzes and selects notes for implementation |
| Custom Code Security | | ✅ |
| Access Control (non-HANA) | | ✅ |
| Security Hardening | Applies standard build | Can override settings; must monitor compliance |
| Logging & Monitoring | Provides application logs | Integrates logs; manages threat detection |
How is Custom Code Security Handled?
The security of all custom code is the sole responsibility of the customer. Customers are encouraged to follow SAP’s “Clean Core” principle by removing obsolete or redundant code. For all remaining custom developments, the customer must ensure they are free of vulnerabilities. Tools like the SAP-certified Cybersecurity Extension for SAP (CES) can automate the detection of vulnerabilities in custom ABAP and UI5 applications to support migrations and ongoing development.
Who Manages Access Control?
With the exception of the SAP HANA database, the customer is responsible for all access control. This includes managing end-user permissions, administrative privileges, and segregation of duties (SoD). The Cybersecurity Extension for SAP can be used to monitor access privileges, identify SoD violations, and track access to critical roles and transactions. While optional CAS packages are available from SAP to manage this area, it is a customer responsibility by default.
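The SoD and critical-access monitoring described above, as an added example that is not code from the page or from any SAP or third-party product: a check that resolves each user's roles to transaction codes, maps those to business functions, and reports users who hold both sides of a conflict rule. The conflict rules, transaction codes, roles and users are constructed sample data; in practice the rule set comes from the customer's own SoD policy and the assignments from the system's authorization data.

```python
"""Segregation-of-duties (SoD) and critical-access check over role assignments.

Added example for this article; not code from the page or from any SAP
product. All rules, transaction codes, roles and users are constructed.
"""

# Constructed conflict matrix: two business functions one user must not hold
# together, mapped to a short description of the risk.
SOD_RULES = {
    ("create_vendor", "post_vendor_invoice"): "fictitious vendor and payment",
    ("maintain_user", "assign_role"): "self-granted privileges",
    ("create_po", "approve_po"): "unapproved purchasing",
}

# Constructed mapping of transaction codes to business functions. The codes
# serve only as labels here; a real mapping is part of the SoD rule set.
TCODE_TO_FUNCTION = {
    "FK01": "create_vendor",
    "FB60": "post_vendor_invoice",
    "SU01": "maintain_user",
    "PFCG": "assign_role",
    "ME21N": "create_po",
    "ME29N": "approve_po",
}

# Transactions whose mere assignment should be tracked (critical access).
CRITICAL_TCODES = {"SU01", "PFCG"}

# Constructed role definitions and user-to-role assignments.
ROLES = {
    "Z_AP_CLERK": {"FB60"},
    "Z_VENDOR_MASTER": {"FK01"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG"},
    "Z_BUYER": {"ME21N"},
    "Z_PO_APPROVER": {"ME29N"},
}
USER_ROLES = {
    "jdoe": ["Z_AP_CLERK", "Z_VENDOR_MASTER"],
    "basis1": ["Z_BASIS_ADMIN"],
    "buyer1": ["Z_BUYER", "Z_UNKNOWN_ROLE"],  # unknown role grants nothing
}


def tcodes_for_user(user, user_roles=USER_ROLES, roles=ROLES):
    """Return {tcode: {roles granting it}} for a user across all assigned roles."""
    granted = {}
    for role in user_roles.get(user, []):
        for tcode in roles.get(role, set()):  # roles not defined grant nothing
            granted.setdefault(tcode, set()).add(role)
    return granted


def find_sod_violations(user_roles=USER_ROLES, roles=ROLES,
                        rules=SOD_RULES, tcode_map=TCODE_TO_FUNCTION):
    """List (user, function_a, function_b, risk, granting_roles) for every user
    who holds both sides of a conflict rule through any combination of roles."""
    violations = []
    for user in sorted(user_roles):
        granted = tcodes_for_user(user, user_roles, roles)
        func_roles = {}  # business function -> roles that grant it
        for tcode, via in granted.items():
            func = tcode_map.get(tcode)
            if func:
                func_roles.setdefault(func, set()).update(via)
        for (a, b), risk in rules.items():
            if a in func_roles and b in func_roles:
                violations.append(
                    (user, a, b, risk, sorted(func_roles[a] | func_roles[b])))
    return violations


def find_critical_access(user_roles=USER_ROLES, roles=ROLES,
                         critical=CRITICAL_TCODES):
    """List (user, tcode, granting_roles) for critical transactions."""
    hits = []
    for user in sorted(user_roles):
        granted = tcodes_for_user(user, user_roles, roles)
        for tcode in sorted(critical & set(granted)):
            hits.append((user, tcode, sorted(granted[tcode])))
    return hits


if __name__ == "__main__":
    for v in find_sod_violations():
        print("SoD violation:", v)
    for h in find_critical_access():
        print("Critical access:", h)
```

The check deliberately resolves conflicts across roles, not within a single role: the sample user jdoe has no conflicting role on its own, yet the combination of two roles gives both sides of a rule, which is the case a per-role review misses.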
What is SAP’s Role in Security Hardening?
SAP applies security hardening through standard system builds based on the mandatory settings in SAP Note 3250501. These settings cover security-relevant profile parameters, securing standard users, deactivating vulnerable services, and hardening the RFC gateway and message server. However, customers can override these settings. Therefore, it is crucial for customers to continuously monitor their systems for compliance. The Cybersecurity Extension for SAP can automate compliance reporting against the requirements in SAP Note 3250501.
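Since customers can override the standard build, the continuous compliance monitoring the paragraph calls for amounts to comparing a system's effective profile parameters against a baseline and reporting drift. The following is an added example, not code from the page or from SAP, and its baseline is a constructed illustration of the shape of such a requirement list: the parameter names are real profile parameters, but the required values shown are placeholders, and the values actually mandated by SAP Note 3250501 must be taken from the note itself. The parameter export is constructed sample input in a simple "parameter = value" layout.

```python
"""Profile-parameter drift check against a hardening baseline.

Added example, not code from the page or from SAP. The expected values below
are illustrative placeholders, not the requirements of SAP Note 3250501.
"""
import re

# Constructed baseline: parameter -> (check, expected).
#   "eq"  : actual string must equal expected
#   "max" : numeric actual must be <= expected
#   "min" : numeric actual must be >= expected
BASELINE = {
    "login/no_automatic_user_sapstar": ("eq", "1"),
    "login/password_downwards_compatibility": ("eq", "0"),
    "rfc/callback_security_method": ("eq", "3"),
    "gw/reg_no_conn_info": ("eq", "255"),
    "login/fails_to_user_lock": ("max", 5),
    "login/min_password_lng": ("min", 8),
}

# Constructed export of effective parameter values from one system.
SAMPLE_EXPORT = """\
# constructed sample export, one "parameter = value" per line
login/no_automatic_user_sapstar = 1
login/password_downwards_compatibility = 1
rfc/callback_security_method = 3
gw/reg_no_conn_info = 255
login/fails_to_user_lock = 10
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")


def parse_parameters(text):
    """Parse 'name = value' lines into a dict; comments and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def evaluate(params, baseline=BASELINE):
    """Return [(parameter, status, actual, expected)] with status OK/FAIL/MISSING.

    A parameter absent from the export is reported as MISSING rather than
    assumed compliant: the check cannot see its effective default, and an
    override may have removed it from the profile.
    """
    results = []
    for name, (check, expected) in baseline.items():
        actual = params.get(name)
        if actual is None:
            results.append((name, "MISSING", None, expected))
            continue
        if check == "eq":
            ok = actual == expected
        else:
            try:
                value = int(actual)
            except ValueError:
                ok = False  # non-numeric value where a number is required
            else:
                ok = value <= expected if check == "max" else value >= expected
        results.append((name, "OK" if ok else "FAIL", actual, expected))
    return results


def check_compliance(export_text, baseline=BASELINE):
    """Parse an export and evaluate it against the baseline."""
    return evaluate(parse_parameters(export_text), baseline)


def noncompliant(results):
    """Only the findings an operator has to act on."""
    return [r for r in results if r[1] != "OK"]


if __name__ == "__main__":
    for name, status, actual, expected in check_compliance(SAMPLE_EXPORT):
        print(f"{status:8} {name:42} actual={actual!r} expected={expected!r}")
```

Run periodically against a fresh export from each system, the non-OK findings are the drift report; treating an absent parameter as a finding rather than as compliant is the conservative choice, because the check cannot distinguish "default happens to be safe" from "setting was removed".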

How Does Logging and Monitoring Work in SAP RISE?
Logging and monitoring are primarily customer responsibilities. SAP provides access to application logs, but access to OS, database, and network logs requires a premium offering called LogServe. Customers can integrate these logs with their own SIEM solutions for threat detection. Alternatively, customers can purchase SAP Enterprise Threat Detection (ETD), cloud edition, or a managed service from SAP, as neither is included in the standard RISE service.
It’s important to note the difference in threat detection capabilities. The cloud edition of ETD includes fewer than 50 detection patterns, whereas the Cybersecurity Extension for SAP provides over 900 patterns for systems, databases, and operating systems.
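Because threat detection stays with the customer unless an add-on is bought, a customer-side SIEM or script needs its own detection logic over the logs SAP provides. The following is an added example of what two such rules look like, not code from the page or from any SAP or third-party product: a run of failed logons followed by a success for the same user, and a logon by a standard user from a terminal outside an admin allow-list. The log lines are constructed sample input in a simplified "timestamp|user|terminal|event|text" layout; the event codes AU1 (logon successful) and AU2 (logon failed) are used as labels, and nothing else about the real audit-log format is assumed. Threshold, window and the terminal allow-list are illustrative choices.

```python
"""Two customer-side detection rules over constructed audit-log lines.

Added example, not code from the page or from any SAP product. The log
format, thresholds and allow-lists are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T08:00:01|ALICE|WS-101|AU1|Logon successful
2024-05-01T08:02:10|BOB|EXT-7|AU2|Logon failed (wrong password)
2024-05-01T08:02:15|BOB|EXT-7|AU2|Logon failed (wrong password)
2024-05-01T08:02:20|BOB|EXT-7|AU2|Logon failed (wrong password)
2024-05-01T08:02:25|BOB|EXT-7|AU2|Logon failed (wrong password)
2024-05-01T08:02:40|BOB|EXT-7|AU1|Logon successful
2024-05-01T08:05:00|CAROL|WS-202|AU2|Logon failed (wrong password)
2024-05-01T08:05:30|CAROL|WS-202|AU1|Logon successful
2024-05-01T08:10:00|DDIC|EXT-7|AU1|Logon successful
2024-05-01T08:11:00|DDIC|ADMIN-1|AU1|Logon successful
"""

FAIL_THRESHOLD = 3                   # failures that make a later success suspicious
FAIL_WINDOW = timedelta(minutes=5)   # failures older than this are forgotten
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH"}  # standard users to watch
ADMIN_TERMINALS = {"ADMIN-1"}        # constructed allow-list for standard-user logons


def parse_log(text):
    """Parse the constructed layout into (timestamp, user, terminal, event, text)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, event, message = line.split("|", 4)
        events.append((datetime.fromisoformat(ts), user, terminal, event, message))
    events.sort(key=lambda e: e[0])  # the correlation below relies on time order
    return events


def detect(text, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return a list of alert dicts produced by the two rules."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent AU2 events
    for ts, user, terminal, event, _ in parse_log(text):
        recent = failures[user]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if event == "AU2":
            recent.append(ts)
        elif event == "AU1":
            if len(recent) >= threshold:
                alerts.append({"rule": "failed_logons_then_success", "user": user,
                               "terminal": terminal, "failures": len(recent), "at": ts})
            recent.clear()  # a success resets the per-user counter
            if user in STANDARD_USERS and terminal not in ADMIN_TERMINALS:
                alerts.append({"rule": "standard_user_logon_unexpected_terminal",
                               "user": user, "terminal": terminal, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The sliding window matters for the first rule: three failures an hour before a success are a typo habit, three failures in the minute before one are worth a look, and the test below checks that the old failures are indeed discarded.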
Can Customer Responsibilities Be Delegated to SAP?
Yes, some customer responsibilities can be delegated to SAP, but only by purchasing optional Cloud Application Services (CAS) packages at an additional cost. Areas like security note analysis, access control management, and threat detection can be managed by SAP through these services. However, standard SAP RISE services do not delegate these tasks. A comprehensive matrix provided by SAP details the specific responsibilities for over 1000 tasks, clarifying what is included and what requires an additional service fee.
Frequently Asked Questions (FAQ)
Q: Is security patching included in the standard SAP RISE service?
A: No. In the standard service, the customer is responsible for analyzing and selecting the required security notes. Once the customer creates a service request, SAP will apply the notes. Full management of security notes requires purchasing an optional Cloud Application Services (CAS) package.
Q: Who is responsible for securing custom ABAP code in SAP RISE?
A: The customer is 100% responsible for the security of their custom code. This includes removing obsolete developments in line with SAP’s Clean Core principle and analyzing all remaining developments for vulnerabilities. Tools like the Cybersecurity Extension for SAP can be used to automate this process.
Q: Does SAP RISE include threat detection?
A: No, not by default. Customers are responsible for logging, monitoring, and threat detection. They can integrate logs into their own SIEM, purchase SAP’s Enterprise Threat Detection (ETD) as a paid add-on, or use more comprehensive third-party tools.