Your cloud migration reality check

It’s easy to see why SAP cloud migration is so appealing. It can:

  • Help simplify back-office operations that are often over-customized by on-premise solutions.
  • Eliminate expensive processes and functions that aren’t related to a business’s core offering.
  • Allow you to future-proof your system by moving away from data center management towards essential business services and innovation.

However, from our extensive experience of assisting organizations like yours with SAP cloud security, there remains a misconception that in a cloud environment, responsibility and accountability for security fall to SAP. 

Security for your business is never ‘somebody else’s problem.’ You will always be accountable for security, both legally and operationally, even when the execution of security measures is delegated to SAP, hyperscalers, or anyone else.

The real business risks of neglecting SAP migration security can include:

Missed objectives

Security gaps can restrict your return on investment from SAP cloud migration, due to roadblocks and migration delays, and additional reworking costs.

Reduced agility

Relying on SAP support teams and their SLAs can mean waiting for weeks for important changes, which negates the supposed agility benefits of cloud.

Security and compliance failures

If SAP is wrongly assumed to be handling all angles of security, gaps can quickly open up.

Operational disruption

Unmanaged security responsibilities can lead to attacks and incidents getting missed and spiraling out of control.

The new SAP licensing equation: Better security = Lower costs

Moving to RISE with SAP on S/4HANA? If you haven’t already, you’ll likely receive an attractive migration offer from SAP. But what do you need to know before signing on the dotted line? 

One critical and often overlooked consideration is the automatic transition to SAP’s new Full Use Equivalent (FUE) licensing model. Under this model, your security provisioning – specifically your roles and authorizations – directly determines your licensing costs. What you pay is based on what users are authorized to do, not on what users have actually executed.

The FUE license model represents a significant and potentially costly change for your business, and one that even SAP's promotional discounts won't offset if your roles and authorizations aren't optimized before migration.

Establishing and maintaining well-designed, right-sized security is now synonymous with maximizing your SAP investment. This guide explores how an expert, targeted license review can set you on the right track, and how it’s already helped organizations like yours…
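The distinction the FUE passage draws, that cost follows what users are authorized to do rather than what they have executed, is easiest to see in a small authorization-versus-usage review. The script below is an added example and is not code from the page, from Turnkey or from SAP: the tier names, the role-to-tier mapping, the user assignments and the usage records are all constructed, and real FUE classification rules and prices come from your contract, not from this script. It counts users by the highest tier any assigned role reaches, lists role assignments that were never exercised in the review window, and shows how the tier counts change once those assignments are removed.

```python
"""
Added example (not from the original page, Turnkey or SAP): a toy
authorization-versus-usage review in the spirit of the FUE passage.
All tiers, roles, users and usage records below are constructed.
"""
from collections import Counter

# Hypothetical license tiers, highest first. A user is counted at the
# highest tier any assigned role reaches, regardless of actual usage.
TIER_RANK = {"professional": 3, "functional": 2, "productivity": 1, "none": 0}

# Constructed role -> tier mapping. In practice this would be derived
# from the authorization objects each role grants.
ROLE_TIER = {
    "Z_FI_ACCOUNTANT": "professional",
    "Z_MM_BUYER": "functional",
    "Z_HR_SELFSERVICE": "productivity",
    "Z_DISPLAY_ONLY": "productivity",
}

# Constructed user -> assigned roles.
USER_ROLES = {
    "alice": ["Z_FI_ACCOUNTANT", "Z_HR_SELFSERVICE"],
    "bob": ["Z_MM_BUYER", "Z_FI_ACCOUNTANT"],
    "carol": ["Z_DISPLAY_ONLY"],
}

# Constructed usage records: roles each user actually exercised during
# the review window (e.g. from a transaction usage extract).
USED_ROLES = {
    "alice": {"Z_FI_ACCOUNTANT"},
    "bob": {"Z_MM_BUYER"},   # assigned the accountant role but never used it
    "carol": set(),          # no activity in the window
}


def user_tier(roles):
    """Highest tier reached by any of the given roles ('none' if no roles)."""
    best = "none"
    for role in roles:
        tier = ROLE_TIER.get(role, "none")
        if TIER_RANK[tier] > TIER_RANK[best]:
            best = tier
    return best


def tier_counts(user_roles):
    """Number of users per tier, classified by authorization alone."""
    return Counter(user_tier(roles) for roles in user_roles.values())


def unused_assignments(user_roles, used_roles):
    """Role assignments that were authorized but not exercised in the window."""
    findings = {}
    for user, roles in user_roles.items():
        unused = sorted(set(roles) - used_roles.get(user, set()))
        if unused:
            findings[user] = unused
    return findings


def right_sized(user_roles, used_roles):
    """Assignments reduced to the roles actually used (review input, not an automatic change)."""
    return {
        user: sorted(set(roles) & used_roles.get(user, set()))
        for user, roles in user_roles.items()
    }


if __name__ == "__main__":
    print("by authorization:", dict(tier_counts(USER_ROLES)))
    print("unused assignments:", unused_assignments(USER_ROLES, USED_ROLES))
    print("after right-sizing:", dict(tier_counts(right_sized(USER_ROLES, USED_ROLES))))
```

Two of three constructed users land in the top tier by authorization even though only one of them ever used a top-tier role; once the never-used assignments are stripped, the top-tier count halves. A role that shows no usage in one window is not automatically removable (year-end or quarterly tasks are the usual exception), so treat the output as input to a review rather than as a change list.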

You can outsource the doing, but you can’t outsource the thinking. No technology can tell you your business strategy. Before you buy in new technology, the most important question to ask yourself is ‘why?’

Simon Persin, Global Practice Director for Risk, Security and Controls, Turnkey Consulting

SAP migration: From on-premise to RISE with enhanced security

[Figure: layered view of the SAP landscape (Data, Application, Application Server, Operating System and Database, Infrastructure), comparing the As-Is On Prem state (managed by customer) with the Future RISE with SAP state (managed by Turnkey, simplified by Onapsis, managed by SAP).]

Capabilities listed in the figure:

  • Application Vulnerability Management
  • Application Threat Detection and Response
  • Custom Code & Cloud Extensions Security
  • Transport Security and Change Management
  • Application Compliance Adherence & Monitoring

Critical considerations for your SAP IdM transition

Customization vs. Simplicity

Evaluate whether your organization needs highly tailored solutions or could benefit from standardizing processes. Customization delivers precision but increases complexity and maintenance costs.

Integration landscape

Complex SAP environments (with 30+ systems) require solutions capable of handling this scale. Verify each solution's capabilities for reading custom SAP tables and available connectors for your applications. Also consider how to balance SAP-specific needs with enterprise-wide identity management requirements.

Business transformation opportunity

Use the IdM migration as a catalyst to break down silos between SAP and enterprise identity management. Consider how process changes could simplify your technical requirements, especially if you're also planning an S/4HANA migration. This decision point presents an opportunity for business process transformation that could simplify technical requirements and reap numerous organization-wide benefits.

Resource requirements

Assess your team's capabilities against solution requirements to identify gaps in technical implementation skills, business process knowledge, and change management expertise. Consider whether partnerships with implementation experts will be necessary to supplement internal resources.

Common migration pitfalls

Prepare for typical obstacles including undocumented customizations, integration complexity, resource constraints, competing priorities, and dependencies on SAP IdM-specific capabilities. Mitigate risks through a phased migration approach with thorough planning, documentation, and robust testing at each stage.

Understanding the shared responsibility model

Perhaps the best way to describe the demarcation of the SAP shared responsibility model is this: SAP looks after security of the cloud, while you look after security in the cloud. In practice, this means that responsibilities are divided as follows:

What SAP covers

Physical infrastructure: The resilience and availability of infrastructure, including data center security, environmental controls, physical access, server hardware, storage devices, and networking equipment.

Network infrastructure: Global protection across all of SAP’s infrastructure, including network-level attack protection for network devices, firewalls, and load balancers.

Core software management: SAP application platform security, encompassing base operating system management and patching, database platform management, and virtualization-layer security.

Platform maintenance & operations: SAP ERP Cloud Private Edition covers the infrastructure layer, operating system, and database security, including core technical patching and hyperscaler relationship management. However, it’s important to note that the patching responsibility does not extend to application system patching or progressing anything into a productive environment.

What you cover

Identity & Access Management, including entitlements management: Setup and enforcement of your access strategy and authentication (including single sign-on, identity federation and multi-factor authentication) and role-based access controls using the principle of least privilege. This also includes the processes by which users gain access to your systems, user role definition and management, and authorization controls.

Application layer security: All the unique configurations that make the system work for your business, such as SAP applications, customizations, business processes, system parameter settings, and security hardening. This includes application patch management and implementation.

Security monitoring & incident response: Application-level security monitoring and threat detection, security audit logging and analysis, and incident response for application-level events. This includes identifying application threats and patches to be applied as well as implementing them. 

Data protection: Data classification and handling procedures, privacy control validation, application-level encryption, sensitive data access monitoring, and data loss prevention strategies. This could also involve the implementation of custom encryption key management given this is a common requirement to protect the information assets held within your systems.

Compliance & governance: Implementing governance frameworks, internal controls operation and testing, compliance validation and reporting, and audit evidence collection and presentation.

Custom code & development: Custom code vulnerability management and secure coding practices, security-testing custom applications, and transport validation.

Network controls: Configuring security settings for customer-managed VPNs, virtual networks, and integrations; validating network security configurations; and deploying access controls and/or technologies to support secure connectivity to SAP cloud services.

Integration security: Third-party system connection security, API security and access controls, data flow security, and assessing vendor security for any integrated solutions.

Assessing organizational maturity: Are you a knowing buyer?

With a clear understanding of the SAP shared responsibility model and how it works, you’re in a better position to assess whether the rest of your organization is aware of it and ready for the change.

The ideal state to reach is that of a ‘knowing buyer’, where you:

  1. Understand: Know what solutions you’re purchasing to cover your responsibilities and why.
  2. Assess: Have a realistic view of what can be achieved internally and externally.
  3. Establish: Create a clear definition of success and how to measure it.

Three exercises to assess your organization’s readiness

Understanding your "Why"

A strategic motivation assessment can provide clarity on why you’re moving to the cloud, allowing those drivers to be aligned with your security approach. This context helps you avoid cutting too many corners with cost reductions, understand which infrastructure complexities should be transformed or eliminated, and support rather than constrain business agility.

Understanding your “How”

Finding the gaps between your current practices and your expected responsibilities under the SAP shared responsibility model is important, especially if you have multiple teams handling different security processes in parallel. 

Common gaps include SOC teams that don't monitor SAP applications, SAP teams that don't handle application security, GRC technology that's not integrated and optimized, and integration points between different technologies and processes. 

You should evaluate your current setup, expertise in SAP application security, capacity for continuous monitoring and rapid response, and how you can translate complex security data into business risk.

Understanding your “When”

Good indicators of high maturity include a clear understanding of migration objectives; a realistic assessment of capabilities and gaps; integration across security, SAP, and business teams; and a recognition that security can be a business enabler. 

If there are assumptions that cloud migration automatically reduces security responsibilities, poor integration, overconfidence in internal expertise, or a focus on procurement over outcomes, then these should be treated as warning signs that you’re not yet ready to make the transition.

Your SAP security strategy: Core capabilities for cloud success

You can utilize a range of solutions and capabilities to take care of your side of the SAP shared responsibility model. In our experience, we’ve found that a combination of technology and expertise provides the most comprehensive coverage.

  • Identity & Access Management
  • Application layer security
  • Data protection
  • Security monitoring & incident response
  • Custom code & development
  • Compliance & governance
  • Network controls
  • Integrations (third-party connections & APIs)

Identity & Access Management

While SAP provides the platform, it doesn’t provision, govern, or monitor users and roles, which means you’re accountable for securing identities and managing privileged access with robust control over who can access what.

What you’ll need

  • Role-based access control implementation
  • Privileged access management
  • Multi-factor authentication enforcement
  • Segregation of duties conflict prevention
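The last bullet, segregation of duties (SoD) conflict prevention, is the one most often left to a tool without anyone checking what the tool actually evaluates. The script below is an added example, not code from the page or from Turnkey, showing the core of such a check over role assignments: every business function, role, user and conflict rule in it is constructed, and a real ruleset comes from your control framework or GRC tool. It finds conflicts that arise across a user's combined roles, conflicts baked into a single role, and which roles contribute each conflicting function, which is what a remediation owner needs to decide what to remove.

```python
"""
Added example (not from the original page or Turnkey): a minimal
segregation-of-duties check over SAP-style role assignments. Functions,
roles, users and the SoD ruleset below are all constructed.
"""

# Constructed: business functions each role grants. In an SAP system these
# would be derived from the transactions and authorization objects in the role.
ROLE_FUNCTIONS = {
    "Z_AP_INVOICE_ENTRY": {"enter_vendor_invoice"},
    "Z_AP_PAYMENT_RUN": {"release_payment"},
    "Z_VENDOR_MASTER": {"maintain_vendor_master"},
    "Z_AP_SUPER": {"enter_vendor_invoice", "release_payment"},  # conflict inside one role
}

# Constructed SoD ruleset: pairs of functions one person must not hold together.
SOD_RULES = {
    frozenset({"enter_vendor_invoice", "release_payment"}): "SOD-AP-01",
    frozenset({"maintain_vendor_master", "release_payment"}): "SOD-AP-02",
}

# Constructed user -> assigned roles.
ASSIGNMENTS = {
    "dave": ["Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RUN"],  # conflict across two roles
    "erin": ["Z_VENDOR_MASTER"],                        # no conflict
    "frank": ["Z_AP_SUPER"],                            # conflict from a single role
    "grace": ["Z_VENDOR_MASTER", "Z_AP_SUPER"],         # two distinct conflicts
}


def functions_for(roles):
    """Union of the business functions granted by a set of roles."""
    granted = set()
    for role in roles:
        granted |= ROLE_FUNCTIONS.get(role, set())
    return granted


def sod_conflicts(functions):
    """Rule ids whose conflicting function pair is fully present in `functions`."""
    return sorted(rule_id for pair, rule_id in SOD_RULES.items() if pair <= functions)


def role_conflicts(role_functions):
    """Roles that violate a rule on their own (no combination of roles needed)."""
    hits = {}
    for role, functions in role_functions.items():
        conflicts = sod_conflicts(functions)
        if conflicts:
            hits[role] = conflicts
    return hits


def users_with_conflicts(assignments):
    """Users whose combined roles violate at least one rule."""
    hits = {}
    for user, roles in assignments.items():
        conflicts = sod_conflicts(functions_for(roles))
        if conflicts:
            hits[user] = conflicts
    return hits


def conflict_sources(roles):
    """For each violated rule, which of the user's roles grant each conflicting function."""
    granted = functions_for(roles)
    sources = {}
    for pair, rule_id in SOD_RULES.items():
        if pair <= granted:
            sources[rule_id] = {
                fn: sorted(r for r in roles if fn in ROLE_FUNCTIONS.get(r, set()))
                for fn in sorted(pair)
            }
    return sources


if __name__ == "__main__":
    print("roles with built-in conflicts:", role_conflicts(ROLE_FUNCTIONS))
    print("users with conflicts:", users_with_conflicts(ASSIGNMENTS))
    for user in users_with_conflicts(ASSIGNMENTS):
        print(user, "->", conflict_sources(ASSIGNMENTS[user]))
```

The check is deliberately run at the level of business functions rather than role names, because a conflict that is invisible when two roles are compared by name shows up as soon as the functions they grant are unioned. Running `role_conflicts` over the role catalogue before migration catches roles such as `Z_AP_SUPER` that would reintroduce a conflict for every user they are assigned to.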

How this is delivered

There are many ways to manage identities within your cloud estate. Almost all traditional IGA vendors can integrate into SAP’s cloud estate, often combining with SAP’s own product capabilities. This provides full visibility of user access within SAP applications, whether running on-premise, in a hyperscaler, or as part of SAP ERP Cloud Private.

How we support

Turnkey helps you navigate an appropriate strategy, understanding your current deployed solutions to define and implement a futureproof and scalable approach that enhances your business operations. Leveraging leading technologies, we help you secure provisioning, maintain access compliance, and reduce insider threat risk by managing identity lifecycle, access governance, and privileged accounts.

Application layer security

SAP does not validate business process configuration or govern transports and functional changes, meaning you’ll need to proactively identify and remediate security gaps across your SAP landscapes.

What you’ll need

  • Automated vulnerability detection
  • Configuration baseline management
  • Deviation monitoring
  • Transport validation

How this is delivered

Dedicated tooling can deliver automated SAP vulnerability management that continuously scans for missing patches, insecure configurations, and custom code vulnerabilities. This allows you to prioritize and remediate vulnerabilities based on actionable intelligence and your risk profile.

How we support

Turnkey enables secure, compliant, and resilient business operations by validating SAP configurations, scanning transports for risk, and governing change processes.

Data protection

You remain responsible for protecting sensitive data and validating privacy controls, including any sensitive information stored and processed within SAP systems.

What you’ll need

  • Data classification and handling procedures
  • Application-level encryption implementation
  • Data loss prevention strategies
  • Privacy control validation

How this is delivered

Combining SAP automated compliance with continuous monitoring against key benchmarks such as GDPR can help bridge the gap from policy to practice. Specialist tooling can help you with business process monitoring and automated control alerts based on high-risk data access; prescriptive and preventive controls, including access prevention or field-level encryption; or additional authentication checks at the point of access or transactional activity. 

How we support

Turnkey provides assurance that data is secure and compliant by monitoring sensitive access, validating privacy configurations, and performing risk-based testing. Furthermore, we can introduce additional controls and compliance checks at the point of access or action to enable more timely business operations and reduce the need for cumbersome “safety net” controls. 

Security monitoring & incident response

SAP monitors the infrastructure, but not the security of SAP applications. This means you need real-time identification of security issues at the application layer and the ability to log and detect threats and test security measures.

What you’ll need

  • Threat detection covering application-level logging analysis
  • Suspicious activity detection
  • Behavioral anomaly identification
  • Incident response coordination

How this is delivered

Specialist tooling, such as Onapsis, SecurityBridge, or SAP ETD, is often required to identify the signs of compromise within an SAP environment. This may include suspicious user behavior or indicators of compromise from external sources. Such security monitoring and enterprise threat detection tools track SAP application logs in real time, identifying suspicious behavior and active attacks.

How we support

Turnkey proactively monitors threats and alerts, investigates anomalous activity, manages patch cycles, and guides remediation strategies to contain risks and keep SAP environments secure. In this manner, we create a bridge to the SOC by adding valuable business context to the identified threat, allowing it to be evaluated based on business impact and facilitating the appropriate response actions. 

Custom code & development

Any custom code or modification developed by you or a third party is outside of SAP’s management responsibility and needs validating in accordance with secure coding practices.

What you’ll need

  • Secure coding practices implementation
  • Custom code vulnerability scanning
  • Development lifecycle security integration

How this is delivered

Code-scanning technology can search for known vulnerabilities, performance issues, and omitted security checks, as well as provide actionable insights to support remediation.

How we support

Turnkey interprets the findings and plans improvements and remediation for the identified transports and custom code vulnerabilities, adding vital insight to your roadmaps.

Compliance & governance

You are responsible for controls operation and testing, maintaining compliance, and providing audit-ready reporting. This is best achieved through a continuous approach to compliance rather than periodic, manual checks.

What you’ll need

  • Automated controls testing
  • Evidence collection
  • Audit readiness reporting
  • Regulatory framework alignment

How this is delivered

Automated compliance solutions provide automated controls testing, continuous monitoring against compliance benchmarks such as SOX, GDPR and NIST, and simplified audit evidence collection, helping to enable continuous audit readiness.

How we support

Turnkey designs, implements and operates appropriate controls aligned to your specific compliance and business objectives. This information is used to provide evidence for audits while embedding improvements across the SAP controls environment.

Network controls

You’ll need to take care of private connectivity and secure integration points between SAP systems and other business applications.

What you’ll need

  • Network security configuration validation
  • Secure connectivity implementation
  • Integration point monitoring

How this is delivered

The right tools can help you understand the interconnectivity required between applications, delivering full visibility into configurations and potential risks within customer responsibility domains, including network connectivity validation. You'll also be able to deploy conditional access policies, multi-factor authentication, and single sign-on or passwordless technology to enhance the end-user experience, aligning with improvements to operational controls.

How we support

Turnkey advises, implements, configures, and enhances connectivity configurations, helping foster an SAP landscape with secure, compliant connections to the hyperscaler.

Integrations (third-party connections & APIs)

Extended code, interfaces, partner add-ons, system integrations, and API integrations are all your responsibility, a demand that is increasing as SAP environments become more connected with wider business infrastructure.

What you’ll need

  • Integration point security validation
  • API security implementation
  • Data flow protection
  • Vendor security assessments

How this is delivered

Specialist tooling, such as Onapsis, combined with business process awareness, helps give you full visibility into your true attack surface and potential risks within your responsibility domains, including integration points and extended applications.

How we support

Turnkey mitigates and removes vulnerabilities within extensions and integrations by securing APIs, reviewing custom code, and validating partner add-ons.

Implementation approaches: From in-house to fully managed

Under the shared responsibility model, security technologies are only one part of the story. You’ll also need to procure the skills, capacity, and expert management to turn huge volumes of data into actionable insights and help security solutions deliver positive outcomes. This is essential for turning security tools from cost centers into business enablers.

In terms of accessing that expertise and experience, there are three main choices available to you: In-house management, hybrid management, or fully managed services.

In-house management

Business fit

Organizations that feel they have sufficient capacity internally are more likely to retain control in-house. However, many organizations overestimate their ability to manage the full range of responsibilities, so a thorough assessment should be done before relying on this option.

Key considerations

  • Make sure you have deep SAP security expertise (not just roles and authorizations) and sufficient capacity for continuous monitoring.
  • Prepare to dynamically scale capacity demands up and down according to business needs.
  • Develop the ability to address integration gaps between different security tools, processes, and domains.

Hybrid model (Expert-on-demand)

Business fit

In this model, outsourced partners look after specific, pre-agreed areas of specialist expertise or resource augmentation, while you retain ultimate responsibility and oversight of the wider SAP security picture. This option is ideal for organizations that have pockets of expertise and sufficient internal capacity but lack experts in a few vital areas.

Key considerations

  • Assess your need to leverage external expertise at peak times and for specific uses.
  • Consider the best combination of your internal skills with external know-how and seek the right expertise to fill the gaps.
  • Establish excellent internal coordination to enable external resources to integrate effectively.

Fully managed services

Business fit

Under this model, the managed service provider takes responsibility for delivering specific security outcomes, above and beyond providing resources or tools. This allows you to plug gaps in your internal expertise and formally delegate responsibility by written agreement. This more hands-off approach is best for organizations looking to focus on their core capabilities and internal objectives.

Key considerations

  • Assess your team structure, as outsourcing means large teams for SAP security aren’t necessarily needed.
  • Build protection through legal frameworks and outcome-based accountability into any agreements.
  • Consider how freeing up staff time can help you focus on innovation and growth objectives and include this in your business case.

Getting expert support

By partnering with Turnkey, you can access strategic solutions, consulting, and managed services that turn security capabilities into business outcomes. Our integrated solution combines Turnkey's Bedrock Managed Service with the technology and tools provided by SAP and the wider partner ecosystem to maximize security performance, however demanding your SAP cloud responsibilities are. 

Before: Strategic expertise

Get expert insight into how security choices can support your business objectives in accessible language that aids informed decision-making and business cases.

During: Complementary partnership

Turnkey’s strategic expertise, response, and outcome delivery are dovetailed with leading SAP security tooling and platforms.

After: Going beyond tools

Gain a clear focus on business results rather than just implementing security technologies with defense in mind.

In summary: Making informed decisions

The key to getting the shared responsibility model right is to leave nothing to chance. Don’t assume that new capabilities will magically appear or will be covered by technology without oversight. To be successful, you’ll need strong expertise, careful management, and an integrated approach across security, SAP, and business teams.

If you need external support for your SAP cloud security, now is the time to source it. The earlier you engage security expertise (ideally during initial strategy and planning), the better-placed you’ll be for strategy alignment, understanding your licensing needs, and fully assessing your risks.

To get this process underway, you should:

  • Conduct an honest assessment of your strategic drivers for cloud migration.
  • Evaluate current security capabilities and identify gaps.
  • Determine whether security management represents a competitive advantage or an operational necessity for your business.

With answers to those questions, you can pursue your new security approach with confidence, maintaining the speed and flexibility that cloud migration can deliver and freeing up internal resources to focus on business differentiation rather than operational security management.
