What Does RISE with SAP Mean for SAP Cybersecurity?

Explore what RISE with SAP means for cybersecurity responsibilities—and what customers still need to manage in a shared-responsibility model.

The cloud and its different service models (IaaS, PaaS, and SaaS) and deployment models (public, private, community, and hybrid) are relatively easy to understand. Both the cloud service provider and the customer are responsible for the security of the cloud, and mainly when you deploy on-premise SAP S/4HANA on these clouds.

The customer is responsible for everything from the OS, database, and application, whereas the underlying infrastructure, resources (compute, network, storage), physical data center security, and so on are the cloud service provider’s responsibility.

SAP’s Cloud Offerings

SAP’s cloud offerings, known as GROW with SAP, a SaaS-based public cloud deployment model, are easy to understand and don’t create any confusion about security responsibilities for SAP customers (regarding what the customer needs to do and what SAP is doing). It’s pretty straightforward, right?

The confusion starts with another SAP cloud offering: RISE with SAP S/4HANA Cloud Private Edition. This is an IaaS model (on a very basic level) from SAP’s vendor perspective, where SAP hosts customers’ SAP S/4HANA and other SAP systems in the customer’s choice of public cloud providers (AWS, Microsoft Azure, GCP, etc.), in accounts owned and managed by SAP itself. The figure below illustrates the strategy for accounts creation in RISE with SAP S/4HANA Cloud Private Edition.

SAP then bundles this IaaS offering (AWS/Microsoft Azure/GCP) with its SAP licensing and other managed support and services, especially around the cloud/OS/database and application server perspective. It offers the same as PaaS, with one single contract (with defined SLAs, roles, and responsibilities) for the SAP customer, known as RISE with SAP S/4HANA Cloud Private Edition.

FUE Licensing and the Shift to a Cloud Operating Model

With its cloud model, SAP also introduced a new SAP licensing model known as the FUE, mentioned previously, versus earlier SAP user-based licensing models.

Total user equivalent is a unit of measurement used by SAP to grant licenses for its SAP S/4HANA Cloud applications. It signifies the permission given to users to access certain solution features within the SAP S/4HANA Cloud.

The SAP customer subscribing and contracting for RISE with SAP S/4HANA Cloud Private Edition model benefits from dealing with only one vendor (SAP, in this case) for its SAP infrastructure. With this model, the customer doesn’t lose access to anything below the application but gains ease of managing its SAP infrastructure, both from an IT perspective and from financial, legal, and licensing perspectives.

The licensing model for RISE with SAP S/4HANA Cloud Private Edition also moves to OpEx from CapEx. You also get the benefit of economy of scale because SAP is hosting all RISE with SAP S/4HANA Cloud Private Edition customers under the same master cloud account with built-in security solutions, processes, and a large cybersecurity team doing 24x7 security monitoring of the entire infrastructure from a cybersecurity perspective.

Understanding Service Level Agreement Options

Let’s look at the different aspects of SLAs that could be in play in this space:

• Standard service: Standard service includes all tasks and services that SAP performs for RISE with SAP customers included in the standard SLA and contract.
• SAP Cloud Application Services: These are services that customers may perform but may elect for SAP to deliver. This includes services such as additional security (SAP Security Notes), Logserv (logging), and so on.
• Optional services: SAP Cloud Application Services doesn’t cover optional services, which customers can opt for and which incur additional fees.
• Additional services: Ad hoc one-off requests that customers pay SAP to perform are tasks that only SAP can perform.
• Excluded tasks: Excluded tasks can only be performed by customers and can never be performed and offered by SAP. SAP security user management, audit and compliance, and so on come under this category.

What Is Logserv, and Why Might You Need It?

With RISE with SAP, one of the most significant issues we see from security is that we lose visibility, especially regarding systems logs on layers other than the application layer. Logserv is an additional SAP Cloud Application Services offering that RISE with SAP customers can add. Logserv provides logs from all SAP systems and layers (OS, database, etc.), and the logs can be integrated to be available to the customer’s security information and event management (SIEM) solution.

SAP offers a few options even with RISE with SAP S/4HANA Cloud Private Edition (standard, tailored, customer data center, large customer tailored currently), and we highly recommend reviewing in detail the roles and responsibility matrix for each offering to determine which is most suitable for your business.

We’ve tried to provide our take on the same in the figure below, but to be honest, there is still some ambiguity regarding what is covered or not covered from the application layer security perspective. So, be sure to thoroughly review standard services and SAP Cloud Application Services offerings and the Remarks section.

What Security Responsibilities Remain with the Customer?

When moving to RISE with SAP S/4HANA Cloud Private Edition, you don’t transfer all security responsibilities to SAP, as you can see in the following:

• OS, database, and cloud security are all SAP’s responsibility.
• Application layer security, including data, is still the customer’s responsibility.
• Customers lose client 000, as its all managed by SAP (the customer may be provided temporary access to support specific needs such as Transport Management System [TMS] configuration).
• Application-level security audit logging and monitoring around threat and incident response and so on is still the customer’s responsibility.
• If customers need visibility regarding the OS, database level, and so on to feed into Splunk, they may want to subscribe to Logserv in SAP Cloud Application Services.
• At the time of writing this post, the whole logging and monitoring capabilities are still not mature yet, and this is one of the reasons customers are hesitant to move to RISE with SAP, especially those with complex compliance and regulations and from a highly regulated industry. SAP is working on a service called Raven to provide better visibility logging and monitoring to its RISE with SAP S/4HANA Cloud Private Edition customers.
• Customers also lose visibility into a lot of network and cloud monitoring, and it seems Raven would help to provide that visibility when it’s available for general use for RISE with SAP customers. 

Private Network Architecture and Security Controls

Finally, RISE with SAP S/4HANA Cloud Private Edition onboarding includes SAP customers working with SAP and provides a private Classless Inter-Domain Routing (CIDR) range. However, with this, the RISE with SAP S/4HANA Cloud Private Edition deployment ensures all SAP resources are only available within the customer’s private network, as explained in this figure.

Security services (security group, web application firewall [WAF], load balancer) are used along with other services such as SAP Web Dispatcher to allow any public inbound connection, hence providing isolation for actual SAP application servers and security.

Editor’s note: This post has been adapted from a section of the book Cybersecurity for SAP by Gaurav Singh and Juan Perez-Etchegoyen. Gaurav is an SAP cybersecurity manager at Under Armour with more than 19 years of experience and a proven track record of helping organizations protect themselves from cyber threats while maximizing their SAP investments. Juan is the chief technology officer at Onapsis. With more than 20 years of experience in the IT security field, JP is a leading expert in business-critical application security, specializing in safeguarding ERP landscapes.

This post was originally published 5/2025.