RISE Right: Your Security Responsibilities in the SAP Cloud
If your organization is one of the more than 400,000 using SAP, then you've likely been exploring cloud migration to simplify security management and streamline operations.
To fully realize these benefits, it's essential to understand how security responsibilities are shared between SAP and your organization. We’ve found that too many organizations assume migrating to the cloud means security accountability moves entirely onto the shoulders of SAP. But this is not the case. SAP manages the infrastructure, but as a customer, you retain ownership of the elements that make your SAP system uniquely yours — your data, configurations, user access, and custom developments.
Understanding this shared responsibility positions your organization to make informed strategic decisions about cloud migration. In this guide, we'll explore how SAP’s shared responsibility model works in practice, help you assess your organization's readiness, and outline strategic approaches for managing your responsibilities effectively. The goal isn't just security compliance — it's enabling confident business transformation.

Read on to navigate your path to secure SAP cloud transformation

Your cloud migration reality check
It’s easy to see why SAP cloud migration is so appealing. It can:
- Help simplify back-office operations that are often over-customized by on-premise solutions.
- Eliminate expensive processes and functions that aren’t related to a business’s core offering.
- Allow you to future-proof your system by moving away from data center management towards essential business services and innovation.
However, from our extensive experience of assisting organizations like yours with SAP cloud security, there remains a misconception that in a cloud environment, responsibility and accountability for security fall to SAP.
Security for your business is never ‘somebody else’s problem.’ You will always be accountable for security, both legally and operationally, even when the execution of security measures is delegated to SAP, hyperscalers, or anyone else.

The real business risks of neglecting SAP migration security can include:
Missed objectives
Security gaps can restrict your return on investment from SAP cloud migration, due to roadblocks and migration delays, and additional reworking costs.
Reduced agility
Relying on SAP support teams and their SLAs can mean waiting for weeks for important changes, which negates the supposed agility benefits of cloud.
Security and compliance failures
If SAP is wrongly assumed to be handling all angles of security, gaps can quickly open up.
Operational disruption
Unmanaged security responsibilities can lead to attacks and incidents getting missed and spiraling out of control.
The new SAP licensing equation: Better security = Lower costs
Moving to RISE with SAP on S/4HANA? If you haven’t already, you’ll likely receive an attractive migration offer from SAP. But what do you need to know before signing on the dotted line?
One critical and often overlooked consideration is the automatic transition to SAP’s new Full Use Equivalent (FUE) licensing model. Under this model, your security provisioning – specifically your roles and authorizations – directly determines your licensing costs. What you pay is based on what users are authorized to do, not on what users have actually executed.
The FUE license model represents a significant and potentially costly change for your business, one that even SAP's promotional discounts won't offset if your roles and authorizations aren't optimized before migration.
Establishing and maintaining well-designed, right-sized security is now synonymous with maximizing your SAP investment. This guide explores how an expert, targeted license review can set you on the right track, and how it’s already helped organizations like yours…

You can outsource the doing, but you can’t outsource the thinking. No technology can tell you your business strategy. Before you buy in new technology, the most important question to ask yourself is ‘why?’
Simon Persin, Global Practice Director for Risk, Security and Controls, Turnkey Consulting
SAP migration: From on-premise to RISE with enhanced security
[Figure: a layered stack (Data, Application, Application Server, Operating System and Database, Infrastructure) comparing the as-is on-premise landscape, where every layer is managed by the customer, with the future RISE with SAP landscape, where layers are split between "Managed by SAP", "Managed by Turnkey" and "Simplified by Onapsis". Capabilities shown in the figure:]
- Application Vulnerability Management
- Application Threat Detection and Response
- Custom Code & Cloud Extensions Security
- Transport Security and Change Management
- Application Compliance Adherence & Monitoring
Critical considerations for your SAP IdM transition
Customization vs. Simplicity
Evaluate whether your organization needs highly tailored solutions or could benefit from standardizing processes. Customization delivers precision but increases complexity and maintenance costs.
Integration landscape
Complex SAP environments (with 30+ systems) require solutions capable of handling this scale. Verify each solution's capabilities for reading custom SAP tables and available connectors for your applications. Also consider how to balance SAP-specific needs with enterprise-wide identity management requirements.
Business transformation opportunity
Use the IdM migration as a catalyst to break down silos between SAP and enterprise identity management. Consider how process changes could simplify your technical requirements, especially if you're also planning an S/4HANA migration. Treated this way, the decision point becomes an opportunity for business process transformation with organization-wide benefits, not just a technical replacement.
Resource requirements
Assess your team's capabilities against solution requirements to identify gaps in technical implementation skills, business process knowledge, and change management expertise. Consider whether partnerships with implementation experts will be necessary to supplement internal resources.
Common migration pitfalls
Prepare for typical obstacles including undocumented customizations, integration complexity, resource constraints, competing priorities, and dependencies on SAP IdM-specific capabilities. Mitigate risks through a phased migration approach with thorough planning, documentation, and robust testing at each stage.
Understanding the shared responsibility model
Perhaps the best way to describe the demarcation of the SAP shared responsibility model is this: SAP looks after security of the cloud, while you look after security in the cloud. In practice, this means that responsibilities are divided as follows:
What SAP covers
Physical infrastructure: The resilience and availability of infrastructure, including data center security, environmental controls, physical access, server hardware, storage devices, and networking equipment.
Network infrastructure: Global protection across all of SAP’s infrastructure, including network-level attack protection for network devices, firewalls, and load balancers.
Core software management: SAP application platform security, encompassing base operating system management and patching, database platform management, and virtualization-layer security.
Platform maintenance & operations: SAP ERP Cloud Private Edition covers the infrastructure layer, operating system, and database security, including core technical patching and hyperscaler relationship management. However, it’s important to note that the patching responsibility does not extend to application system patching or progressing anything into a productive environment.
What you cover
Identity & Access Management, including entitlements management: Setup and enforcement of your access strategy and authentication (including single sign-on, identity federation and multi-factor authentication) and role-based access controls using the principle of least privilege. This also includes the processes by which users gain access to your systems, user role definition and management, and authorization controls.
Application layer security: All the unique configurations that make the system work for your business, such as SAP applications, customizations, business processes, system parameter settings, and security hardening. This includes application patch management and implementation.
Security monitoring & incident response: Application-level security monitoring and threat detection, security audit logging and analysis, and incident response for application-level events. This includes identifying application threats and patches to be applied as well as implementing them.
Data protection: Data classification and handling procedures, privacy control validation, application-level encryption, sensitive data access monitoring, and data loss prevention strategies. This could also involve implementing customer-managed encryption key management, which is a common requirement for protecting the information assets held within your systems.
Compliance & governance: Implementing governance frameworks, internal controls operation and testing, compliance validation and reporting, and audit evidence collection and presentation.
Custom code & development: Custom code vulnerability management and secure coding practices, security-testing custom applications, and transport validation.
Network controls: Configuring security settings for customer-managed VPNs, virtual networks, and integrations; validating network security configurations; and deploying access controls and/or technologies to support secure connectivity to SAP cloud services.
Integration security: Third-party system connection security, API security and access controls, data flow security, and assessing vendor security for any integrated solutions.
Assessing organizational maturity: Are you a knowing buyer?
With a clear understanding of the SAP shared responsibility model and how it works, you’re in a better position to assess whether the rest of your organization is aware of it and ready for the change.
The ideal state to reach is that of a ‘knowing buyer’, where you:
Understand
Know what solutions you’re purchasing to cover your responsibilities and why.
Assess
Have a realistic view of what can be achieved internally and externally.
Establish
Create a clear definition of success and how to measure it.
Three exercises to assess your organization’s readiness
Understanding your "Why"
A strategic motivation assessment can provide clarity on why you’re moving to the cloud, allowing those drivers to be aligned with your security approach. This context helps you avoid cutting too many corners with cost reductions, understand which infrastructure complexities should be transformed or eliminated, and support rather than constrain business agility.
Understanding your “How”
Finding the gaps between your current practices and your expected responsibilities under the SAP shared responsibility model is important, especially if you have multiple teams handling different security processes in parallel.
Common gaps include SOC teams that don't monitor SAP applications, SAP teams that don't handle application security, GRC technology that's not integrated and optimized, and integration points between different technologies and processes.
You should evaluate your current setup, expertise in SAP application security, capacity for continuous monitoring and rapid response, and how you can translate complex security data into business risk.
Understanding your “When”
Good indicators of high maturity include a clear understanding of migration objectives; a realistic assessment of capabilities and gaps; integration across security, SAP, and business teams; and a recognition that security can be a business enabler.
If there are assumptions that cloud migration automatically reduces security responsibilities, poor integration, overconfidence in internal expertise, or a focus on procurement over outcomes, then these should be treated as warning signs that you’re not yet ready to make the transition.
Your SAP security strategy: Core capabilities for cloud success
You can utilize a range of solutions and capabilities to take care of your side of the SAP shared responsibility model. In our experience, we’ve found that a combination of technology and expertise provides the most comprehensive coverage.
Identity & Access Management
While SAP provides the platform, it doesn’t provision, govern, or monitor users and roles, which means you’re accountable for securing identities and managing privileged access with robust control over who can access what.
What you’ll need
- Role-based access control implementation
- Privileged access management
- Multi-factor authentication enforcement
- Segregation of duties conflict prevention
How this is delivered
There are many ways to manage identities within your cloud estate. Almost all traditional IGA vendors can integrate into SAP’s cloud estate, often combining with SAP’s own product capabilities. This provides full visibility of user access within SAP applications, whether running on-premise, in a hyperscaler, or as part of SAP ERP Cloud Private Edition.
How we support
Turnkey helps you navigate an appropriate strategy, understanding your current deployed solutions to define and implement a futureproof and scalable approach that enhances your business operations. Leveraging leading technologies, we help you secure provisioning, maintain access compliance, and reduce insider threat risk by managing identity lifecycle, access governance, and privileged accounts.
Application layer security
SAP does not validate business process configuration or govern transports and functional changes, meaning you’ll need to proactively identify and remediate security gaps across your SAP landscapes.
What you’ll need
- Automated vulnerability detection
- Configuration baseline management
- Deviation monitoring
- Transport validation
How this is delivered
Dedicated tooling can deliver automated SAP vulnerability management that continuously scans for missing patches, insecure configurations, and custom code vulnerabilities. This allows you to prioritize and remediate vulnerabilities based on actionable intelligence and your risk profile.
How we support
Turnkey enables secure, compliant, and resilient business operations by validating SAP configurations, scanning transports for risk, and governing change processes.
Data protection
You remain responsible for protecting sensitive data and validating privacy controls, including any sensitive information stored and processed within SAP systems.
What you’ll need
- Data classification and handling procedures
- Application-level encryption implementation
- Data loss prevention strategies
- Privacy control validation
How this is delivered
Combining SAP automated compliance with continuous monitoring against key benchmarks such as GDPR can help bridge the gap from policy to practice. Specialist tooling can help you with business process monitoring and automated control alerts based on high-risk data access; prescriptive and preventive controls, including access prevention or field-level encryption; or additional authentication checks at the point of access or transactional activity.
How we support
Turnkey provides assurance that data is secure and compliant by monitoring sensitive access, validating privacy configurations, and performing risk-based testing. Furthermore, we can introduce additional controls and compliance checks at the point of access or action to enable more timely business operations and reduce the need for cumbersome “safety net” controls.
Security monitoring & incident response
SAP monitors the infrastructure, but not the security of SAP applications. This means you need real-time identification of security issues at the application layer and the ability to log and detect threats and test security measures.
What you’ll need
- Threat detection covering application-level logging analysis
- Suspicious activity detection
- Behavioral anomaly identification
- Incident response coordination
How this is delivered
Specialist tooling, such as Onapsis, SecurityBridge, or SAP ETD, is often required to identify the signs of compromise within an SAP environment. This may include suspicious user behavior or indicators of compromise from external sources. Such security monitoring and enterprise threat detection tools track SAP application logs in real time, identifying suspicious behavior and active attacks.
How we support
Turnkey proactively monitors threats and alerts, investigates anomalous activity, manages patch cycles, and guides remediation strategies to contain risks and keep SAP environments secure. In this manner, we create a bridge to the SOC by adding valuable business context to the identified threat, allowing it to be evaluated based on business impact and facilitating the appropriate response actions.
Custom code & development
Any custom code or modification developed by you or a third party is outside of SAP’s management responsibility and needs validating in accordance with secure coding practices.
What you’ll need
- Secure coding practices implementation
- Custom code vulnerability scanning
- Development lifecycle security integration
How this is delivered
Code-scanning technology can search custom code for known vulnerabilities, performance issues, and missing security checks, as well as provide actionable insights to support remediation.
How we support
Turnkey interprets and plans improvements and remediation of identified code considerations, based on the identified transports and custom code vulnerabilities, adding vital insight to your roadmaps.
Compliance & governance
You are responsible for controls operation and testing, maintaining compliance, and providing audit-ready reporting. This is best achieved through a continuous approach to compliance rather than periodic, manual checks.
What you’ll need
- Automated controls testing
- Evidence collection
- Audit readiness reporting
- Regulatory framework alignment
How this is delivered
Automated compliance solutions provide automated controls testing, continuous monitoring against compliance benchmarks such as SOX, GDPR and NIST, and simplified audit evidence collection, helping to enable continuous audit readiness.
How we support
Turnkey designs, implements and operates appropriate controls aligned to your specific compliance and business objectives. This information is used to provide evidence for audits while embedding improvements across the SAP controls environment.
Network controls
You’ll need to take care of private connectivity and secure integration points between SAP systems and other business applications.
What you’ll need
- Network security configuration validation
- Secure connectivity implementation
- Integration point monitoring
How this is delivered
The right tools can help you understand the interconnectivity required between applications, delivering full visibility into configurations and potential risks within customer responsibility domains, including network connectivity validation. You'll also be able to deploy conditional access policies, multi-factor authentication, and single sign-on or passwordless technology to enhance the end-user experience, aligning with improvements to operational controls.
How we support
Turnkey advises, implements, configures, and enhances connectivity configurations, helping foster an SAP landscape with secure, compliant connections to the hyperscaler.
Integrations (third-party connections & APIs)
Extended code, interfaces, partner add-ons, system integrations, and API integrations are all your responsibility, a demand that is increasing as SAP environments become more connected with wider business infrastructure.
What you’ll need
- Integration point security validation
- API security implementation
- Data flow protection
- Vendor security assessments
How this is delivered
Specialist tooling, such as Onapsis, combined with business process awareness, helps give you full visibility into your true attack surface and potential risks within your responsibility domains, including integration points and extended applications.
How we support
Turnkey mitigates and removes vulnerabilities within extensions and integrations by securing APIs, reviewing custom code, and validating partner add-ons.
Implementation approaches: From in-house to fully managed
Under the shared responsibility model, security technologies are only one part of the story. You’ll also need to procure the skills, capacity, and expert management to turn huge volumes of data into actionable insights and help security solutions deliver positive outcomes. This is essential for turning security tools from cost centers into business enablers.
In terms of accessing that expertise and experience, there are three main choices available to you: In-house management, hybrid management, or fully managed services.
In-house management
Business fit
Organizations that feel they have sufficient capacity internally are more likely to retain control in-house. However, many organizations overestimate their ability to manage the full range of responsibilities, so a thorough assessment should be done before relying on this option.
Key considerations
- Make sure you have deep SAP security expertise (not just roles and authorizations) and sufficient capacity for continuous monitoring.
- Prepare to dynamically scale capacity demands up and down according to business needs.
- Develop the ability to address integration gaps between different security tools, processes, and domains.
Hybrid model (Expert-on-demand)
Business fit
In this model, outsourced partners look after specific, pre-agreed areas of specialist expertise or resource augmentation, while you retain ultimate responsibility and oversight of the wider SAP security picture. This option is ideal for organizations that have pockets of expertise and sufficient internal capacity but lack experts in a few vital areas.
Key considerations
- Assess your need to leverage external expertise at peak times and for specific uses.
- Consider the best combination of your internal skills with external know-how and seek the right expertise to fill the gaps.
- Establish excellent internal coordination to enable external resources to integrate effectively.
Fully managed services
Business fit
Under this model, the managed service provider takes responsibility for delivering specific security outcomes, above and beyond providing resources or tools. This allows you to plug gaps in your internal expertise and formally delegate responsibility by written agreement. This more hands-off approach is best for organizations looking to focus on their core capabilities and internal objectives.
Key considerations
- Assess your team structure, as outsourcing means large teams for SAP security aren’t necessarily needed.
- Build protection through legal frameworks and outcome-based accountability into any agreements.
- Consider how freeing up staff time can help you focus on innovation and growth objectives and include this in your business case.
Business fit
- Good option for enterprise grade organizations with hybrid infrastructure.
- Ideal for those who want to lower OpEx, overheads, and maintenance.
- Suited for organizations that don't need highly-specialized customization.
- Best for organizations with less complex SAP environments looking for an enterprise IGA solution.
Getting expert support
By partnering with Turnkey, you can access strategic solutions, consulting, and managed services that turn security capabilities into business outcomes. Our integrated solution combines Turnkey's Bedrock Managed Service with the technology and tools provided by SAP and the wider partner ecosystem to maximize security performance, however demanding your SAP cloud responsibilities are.
Strategic expertise
Get expert insight into how security choices can support your business objectives in accessible language that aids informed decision-making and business cases.
Complementary partnership
Turnkey’s strategic expertise, response, and outcome delivery dovetail with leading SAP security tooling and platforms.
Going beyond tools
Gain a clear focus on business results rather than just implementing security technologies with defense in mind.
In summary: Making informed decisions
The key to getting the shared responsibility model right is to leave nothing to chance. Don’t assume that new capabilities will magically appear or will be covered by technology without oversight. To be successful, you’ll need strong expertise, careful management, and an integrated approach across security, SAP, and business teams.
If you need external support for your SAP cloud security, now is the time to source it. The earlier you engage security expertise (ideally during initial strategy and planning), the better-placed you’ll be for strategy alignment, understanding your licensing needs, and fully assessing your risks.
To get this process underway, you should:
- Conduct an honest assessment of your strategic drivers for cloud migration.
- Evaluate current security capabilities and identify gaps.
- Determine whether security management represents a competitive advantage or an operational necessity for your business.
With answers to those questions, you can pursue your new security approach with confidence, maintaining the speed and flexibility that cloud migration can deliver and freeing up internal resources to focus on business differentiation rather than operational security management.
