The SAP Shared Responsibility Model: Who Secures What in the Cloud Era?

The customer is responsible for securely configuring their specific SAP applications (e.g., S/4HANA configurations), managing custom development, and ensuring that all application settings align with security best practices.

This is a critical customer responsibility. It involves defining and managing user roles, ensuring proper authorizations, implementing the principle of least privilege, and securely managing privileged user access within the SAP applications. Effective SAP Identity & Access Management (IAM) is vital, and Onapsis can assist in continuously monitoring and validating these access controls to prevent segregation of duties (SoD) conflicts and critical access risks.

Customers are responsible for classifying their data, implementing application-level encryption, and deploying Data Loss Prevention (DLP) strategies to protect sensitive information stored and processed within their SAP systems.

While SAP secures its own network, customers are responsible for securing their connectivity to SAP cloud services. This includes configuring customer-managed VPNs, securing their Virtual Private Cloud (VPC) or Virtual Network (VNet) settings, and managing network access controls to their SAP instances.

Any integrations with third-party systems or the use of APIs (Application Programming Interfaces) fall squarely within the customer’s security responsibility. This requires careful assessment of the security of connected systems and securing data flows between them. Onapsis extends visibility and threat detection to these critical integration points.

Any custom code developed by the customer or third parties for their SAP applications must adhere to secure coding practices. Incorporating SAP DevSecOps principles ensures security is built into the development lifecycle from the start, a process Onapsis supports by integrating security into the CI/CD pipeline for custom SAP developments.

While SAP monitors its infrastructure, customers are responsible for monitoring their SAP application layer for suspicious activities, security anomalies, and potential threats. This includes setting up robust SAP security monitoring and having an incident response plan for application-level security events, often leveraging solutions for enterprise threat detection provided by Onapsis to gain real-time insights into attacks and vulnerabilities impacting SAP applications.

The ultimate responsibility for demonstrating compliance with industry regulations (like GDPR, SOX, NIST) and internal governance policies for the SAP applications and data rests with the customer. This often involves processes for SAP Automated Compliance, a key area where Onapsis excels by automating control testing and audit readiness.

One of the biggest challenges for customers in cloud and hybrid SAP environments is gaining comprehensive visibility into their application layer. Traditional security tools often lack the deep understanding of SAP’s unique architecture. Onapsis provides unparalleled visibility into the configurations, vulnerabilities, and user access within SAP applications, whether they are running on-premise, in a hyperscaler, or as part of RISE with SAP. This unified oversight allows customers to understand their true attack surface and potential risks within their responsibility domain.

Manual processes for identifying and remediating SAP vulnerabilities and misconfigurations are unsustainable at scale, especially in dynamic cloud environments. Onapsis automates SAP vulnerability management by continuously scanning for missing patches (including those highlighted on SAP Patch Day), insecure configurations, and custom code vulnerabilities. It provides actionable intelligence to help prioritize and remediate these findings, significantly reducing the customer’s exposure to known exploits and strengthening their overall posture. This includes proactive configuration management to prevent misconfigurations at scale.

Meeting regulatory requirements and internal governance policies for SAP systems is a continuous customer responsibility. Onapsis helps bridge the gap from policy to practice by facilitating SAP Automated Compliance. It provides automated control testing, continuous monitoring against compliance benchmarks (like SOX, GDPR, NIST), and simplified audit evidence collection. This ensures organizations are continuously audit-ready, reducing the burden of manual compliance checks and minimizing the risk of non-compliance fines.

Even with robust preventive measures, the threat landscape is constantly evolving. Customers need the capability to detect and respond to active threats targeting their SAP applications. Onapsis provides specialized SAP security monitoring and enterprise threat detection capabilities that go beyond network and endpoint security. It monitors SAP application logs and activities in real-time, identifying anomalous behavior, indicators of compromise, and active attacks, enabling rapid incident response and minimizing potential damage.

Onapsis understands the nuances of different SAP cloud deployments. It offers tailored support and capabilities for securing various cloud offerings, including:

• RISE with SAP: Providing the deep application-layer security necessary to complement SAP’s responsibilities, giving customers control over their SAP RISE security.
• SAP Business Technology Platform (BTP): Helping secure custom applications and developments on the PaaS layer, integrating security into the SAP DevSecOps pipeline.
• SAP S/4HANA Cloud: Delivering critical insights into application configurations and vulnerabilities, essential for effective transformation with S/4HANA and ongoing security in both public and private editions.

By partnering with Onapsis, organizations can confidently embrace cloud-based SAP, knowing they have a robust solution to fulfill their security responsibilities within the Shared Responsibility Model.

The core principle is that security is a shared obligation between SAP (or the cloud provider) and the customer. SAP is responsible for the “security of the cloud,” meaning the underlying infrastructure and services. The customer is responsible for the “security in the cloud,” which includes their data, application configurations, access management, and custom developments.

While cloud providers offer a highly secure infrastructure, they do not have access to or control over your specific data, application configurations, user setups, or custom code. These elements are unique to your business operations, and securing them requires your active management and vigilance.

Key customer responsibilities include managing user identities and access, securing application configurations, protecting sensitive data, ensuring the security of custom code, managing integrations, and performing application-level security monitoring and incident response.

With RISE with SAP, SAP typically manages more of the technical operations and underlying infrastructure. However, the customer retains responsibility for application configurations, user access, data protection, and any custom code or integrations within their S/4HANA instance. This makes SAP RISE security a collaborative effort.

In S/4HANA Cloud (Public Edition), SAP manages a larger portion of the stack due to its standardized SaaS nature. This can reduce the customer’s operational burden for certain security aspects. However, the customer still holds responsibility for user access, data management within the application, and securing specific configurations and integrations.

Onapsis helps customers operationalize their share of the security responsibility by providing deep visibility into SAP applications, automating SAP vulnerability management and configuration hardening, enabling continuous SAP security monitoring for threats, and assisting with SAP Automated Compliance validation across various cloud deployments.

Misunderstanding can lead to critical security gaps, resulting in potential data breaches, non-compliance with regulatory requirements, operational disruptions, and significant financial losses. It often stems from the false assumption that the cloud provider handles all security.

Implementing strong SAP Identity & Access Management (IAM) practices is crucial. This includes enforcing the principle of least privilege, utilizing Multi-Factor Authentication (MFA), establishing Role-Based Access Control (RBAC), and regularly reviewing user authorizations to prevent unauthorized access.

While the fundamental security principles remain, the specific tools and approaches may differ. Cloud environments often require solutions that can integrate with hyperscaler services, provide API security, and offer continuous monitoring capabilities tailored to dynamic cloud infrastructures, extending beyond traditional on-premise tooling.

SAP DevSecOps is highly important for cloud SAP, especially when developing custom applications or extensions on platforms like SAP BTP. Integrating security practices early into the development lifecycle helps identify and remediate vulnerabilities before they reach production, ensuring security by design.

Yes, the Shared Responsibility Model applies universally across all industries using cloud ERP. For sectors like utilities, which often face unique regulatory and operational technology (OT) security requirements, understanding and fulfilling the customer’s security responsibilities is even more critical to meet sector-specific compliance and protect vital infrastructure.

Customers must have a robust process for tracking SAP security notes released on SAP Patch Day, assessing their relevance to their cloud environment, prioritizing critical patches, and efficiently applying them to their SAP applications. Automated tools can greatly assist in this ongoing SAP Vulnerability Management process.