RISE With SAP
RISE with SAP is a comprehensive managed cloud service and subscription model designed to help organizations migrate their on-premises ERP systems to the cloud. It is critical for enterprise security teams because migrating to this model fundamentally changes the organization’s security architecture. While SAP manages the underlying infrastructure and baseline security, the customer remains entirely responsible for securing their application layer, user access, and custom code under the SAP shared responsibility model.
How to Secure a RISE with SAP Migration
Securing a cloud migration requires establishing visibility into the application layer before, during, and after the transition. Relying on the cloud provider to secure the entire stack leaves custom ABAP code and third-party integrations exposed to exploitation.
Prerequisites
- A comprehensive inventory of all custom code, user roles, and existing system vulnerabilities.
- An automated Application Security Testing (AST) platform to analyze custom code prior to migration.
- Cross-functional alignment on the specific security duties owned by the customer versus the cloud provider.
The Remediation Workflow
- Pre-Migration Assessment: Scan the existing on-premises SAP landscape to identify and remediate legacy vulnerabilities, ensuring you do not migrate vulnerable code into the new cloud environment.
- Clean Core Alignment: Identify highly customized applications that can be decoupled from the main ERP and moved to the SAP Business Technology Platform (BTP) to reduce the attack surface.
- Continuous Threat Monitoring: Deploy application-layer threat detection to monitor user behavior and API integrations in real time as the system goes live in the cloud.
- Post-Migration Hardening: Update your security baselines to reflect the new cloud architecture and automate continuous compliance checks.
Verification Step
Run an automated architectural and vulnerability scan post-migration to verify that all custom code is secure, appropriate authorizations are enforced, and no misconfigurations were introduced during the cloud transition.
Frequently Asked Questions
Does RISE with SAP include security?
Yes, but it is limited to the infrastructure and network layers. SAP secures the cloud environment itself, including physical servers and baseline network configurations. However, under the RISE with SAP shared responsibility model, the customer remains completely responsible for securing everything they put inside the cloud, including proprietary business data, custom code, and user permissions.
What are the biggest security risks during an SAP cloud migration?
The most common risks are lifting and shifting existing vulnerabilities into the cloud, misconfiguring API connections between cloud and on-premises systems, and failing to monitor for application-layer threats that bypass standard network firewalls.
How do organizations build cyber resilience for RISE with SAP?
Organizations build cyber resilience for RISE with SAP by implementing specialized application security platforms. Utilizing solutions like Onapsis allows teams to automate vulnerability management and threat detection, ensuring the customer-owned portion of the shared responsibility model is fully protected.
