Skip to Content
Technical Articles
Author's profile photo Jana Subramanian

Securing RISE with SAP


In the beginning of the year 2021, SAP has launched RISE with SAP, a unique proposition of ONE Contract and ONE offer for business to ride the wave of business transformation. The RISE with SAP bundle consists of SAP S/4HANA Cloud Suite, SAP Business Technology Platform Consumption, SAP Business Network Starter Pack, SAP Business Process Intelligence.

At the core of the bundle is SAP S/4HANA Cloud, Private Edition which handles critical business processes. SAP customers can choose the hyperscale provider of choice between Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform. The security and compliance are of paramount importance since the SAP S/4HANA Cloud, Private Edition and SAP Business Technology platforms handles mission critical business processes, integration flows, analytics, business processes and application development. In this blog, we will discuss shared security responsibility model on Rise with SAP bundle specifically S/4HANA Cloud, Private Edition and SAP Business Technology Platform.

Shared Security Responsibility Model

It is important to understand nuances on shared security responsibility model between various entities as a part of RISE with SAP – SAP as SaaS provider, Customers, Hyperscale providers. By leveraging hyperscale IaaS providers for providing secure data center, virtual infrastructure, secure hypervisor, operations and administration of the foundational virtual infrastructure and software defined services, SAP is able to deliver to our customers greater agility, deployment velocity, security, capacity for hosting SAP cloud applications, pivoting on security and compliance at the core of SaaS offering. The diagram below shows at a high-level SAP S/4HANA Cloud, Private Edition shared security responsibility model

Shared Security Responsibility


While SAP Business Technology Platform offers Identity Authentication Service, customer remains responsible for delegating authentication to customer-controlled identity provider to enable single-sign-on authentication to SAP cloud services. Customer control the business process, tenant specific security setting, security audit logs generated by applications and configuration of integration, extending their applications to cloud and applications development.

This shared security model brings great benefit to our customers as SAP manages the underlying platform, patches, updates, security monitoring, high availability, disaster recovery and provides contractual assurances on SLA, personal data protection and privacy and other security assurances such as independent 3rd party audit reports.

Customers can refer to SAP Trust Center for  independent audit reports, standard SAP contracts, FAQ on security, data protection and privacy.

SAP S/4HANA Cloud, Private Edition – Security and Compliance

SAP S/4HANA Cloud, Private Edition is a “single” tenanted edition that is considered as “private” since SAP S/4HANA Cloud, Private Edition is deployed on a logically isolated “Virtual Network (VNET) or Virtual Private Cloud” which considered as a dedicated network container to a single customer. Therefore, network services (gateway, proxy, DNS, LB, WAF), application instances and HANA instances are dedicated to a customer with customer assigned Private IP Addresses. The virtual network is configured in a customer specific dedicated subscription, accounts, or Project (Azure or AWS or GCP) which is owned and managed by SAP.

This is also considered as “Private Managed Environment”. SAP takes operational and management responsibility which includes: Infrastructure (Azure/AWS/GCP) Management, OS Management, DB Management, Orchestration and Account Configurations, SAP AS Basis Management, Security Monitoring, Audit & Compliance of the SAP S/4HANA Cloud, Private Edition.

SAP S/4HANA Cloud, Private Edition Landscape


Some salient aspects of SAP S/4HANA Cloud, Private Edition is as follows:

  • The landscape by default consists of 3 tier environments meant for development, quality assurance and production usage. Customers can optionally purchase additional environments to address their specific requirements.
  • Infrastructure sizing is in general mapped to the license metrics. Details are documented in the Service Description Guide. Additional infrastructure can be purchased based on the actual needs of the customer.
  • As this is a private cloud offering, the dedicated virtual network is created using customer provided private CIDR address range (RFC 1918 compliant) which is non-overlapping with customer’s on-premise network.
  • SAP S/4HANA Cloud, Private Edition requires customer to connect using a dedicated private network link. Site-to-Site VPN or dedicated access options ExpressRoute (Azure), AWS Direct Connect (AWS) or Cloud Interconnect (GCP). Name resolution is configured by creating a dedicated zone under customer’s internal DNS domain.
  • Exposure of services to public network (Internet) is restricted to specific use cases. Mobile users can be enabled for Fiori applications via a secure web application firewall upon customer request. Internet outbound is allowed for cloud Integrations using secure protocols and connecting to other SAP Cloud solutions (such as Ariba, Concur, SuccessFactors)
  • Customers can optionally subscribe to Disaster Recovery for their productive environments in cloud. Failover sites are configured with data replication from productive environments and with equal infrastructure capacity.

Data at Rest Encryption and Data-in-Transit Encryption

Data-in-transit encryption is used to secure all client connections from customer network to SAP systems. All HTTP traffics are protected with TLS 1.2 transport layer encryption with AES-256-GCM Access from thick clients (SAP Frontend) is uses SAP proprietary DIAG protocol secured by SAP Secure Network Communication (SNC) with AES-256-GCM.

SAP HANA in-memory database uses HANA Volume Encryption to provide “data-at-rest” encryption for data, log and backup volumes.  It uses AES-256 encryption algorithm with Cipher block chaining (CBC) cipher mode (AES-256-CBC)

Besides SAP HANA volume encryption, persistent storage where SAP HANA stores encrypted volume is also encrypted using storage encryption modules (“data-at-rest” encryption).  It also uses AES-256-GCM.

Data at Rest and Data-in-Transit Encryption

The summary of SAP S/4HANA cloud Private Cloud Edition is highlighted as follows. While this does not all aspects of the security, it gives a snapshot of key security design and architectural approach the SAP S/4HANA cloud deployed with Hyperscaler.


Summary of SAP S/4HANA Cloud, Private Edition Security

SAP Business Technology Platform:

Our customers have many applications both SAP and non-SAP in their landscape and building robust business process is key successful business transformation. SAP Business Technology platform, which is offered as Platform-as-a-Service (PaaS), delivers this key functionality providing data management and analytics, supports application development and integration, and allows customers to use intelligent technologies such as artificial intelligence, machine learning, and the Internet of Things to drive innovation. While this blog does not cover all aspects of security on SAP Business Technology Platform (SAP BTP), the platform provides many native security tools and services that our customer leverage to build secure applications, integration, and extension capability. The operational security is very similar to SAP SaaS services, security assurance is provided to our customers such as ISO27001, ISO27017, ISO27018 and SOC attestations. The SAP BTP natively has many tools to provide integration security which can be consumed by customers readily with CPEA licenses. Some of the popular security tools and services is listed here for convenience but more detailed capability of the SAP BTP can be found here.

SAP BTP Certifications and Security Services



As a Cloud Service Provider (CSP), SAP understands importance of protecting customer data with confidentiality, integrity, availability, and privacy controls through many layers of security. Rise with SAP is being offered to many regulated industries and SAP is committed to help our customers comply to the sectorial as well as government regulations. SAP provides contractual assurances on personal data processing to adhere to applicable local data privacy regulations, security assurances via Service Organization Control (SOC) reports and certifications to provide independent evidence for security, availability, confidentiality, data protection, and quality. SAP security policies have been derived from industry best practice standards such as ISO 27002, NIST and SAP maintains robust policies, processes, and procedures, secure architecture covering cloud applications with integrated management system for information security, data protection, and service delivery.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Sissy Haegele
      Sissy Haegele

      Thanks a lot for this useful Blog Post!
      It is important that customer, partners & SAP knows about their tasks and where to work close together.

      Author's profile photo Gov TOTAWAR
      Gov TOTAWAR

      Thank you, Jana. Great summary.

      Author's profile photo Fake Runner
      Fake Runner

      Thanks for Giving us Such a Great Information.



      Author's profile photo Harald Hafner
      Harald Hafner

      Danke für die Infomationen. Sehr hilfreich!

      Author's profile photo Filip Van Grembergen
      Filip Van Grembergen

      Thank you, provided deep insight into PCE security topics.

      Author's profile photo joris van de Vis
      joris van de Vis

      Hi Jana,


      If I want to have inbound ports opened in the firewall, is that allowed? Can you let me know who might tell me more on that topic?





      Author's profile photo Jana Subramanian
      Jana Subramanian
      Blog Post Author

      WAF can be enabled for SAP S/4HANA Cloud, Private Edition for inbound traffic from Internet. Each subnets is associated with security groups where IP access control policy can be defined.

      Author's profile photo Yogita Mahajan
      Yogita Mahajan

      Hi Jana,

      Thanks for details. Wondering if there is any RACI details available for SAP Rise?

      Author's profile photo Jana Subramanian
      Jana Subramanian
      Blog Post Author

      Hi Mahajan,

      You can refer to Roles and Responsibilities for Rise with SAP - SAP S/4HANA Cloud, Private Edition here:



      Author's profile photo Huijie Zhang
      Huijie Zhang

      Hi Jana,

      Great post !

      My BTP tenant on public cloud is on AWS. Is its Launchpad protected by AWS, such as against DDoS?  Is it possible to enable WAF for this tenant?

      If we enable WAF for this tenant, would it interfere with the Cloud Connector exposing services to this tenant?

      Thank you

      Author's profile photo Jana Subramanian
      Jana Subramanian
      Blog Post Author

      Hi Zhang,

      Yes. Network level DDOS protection is available with SAP BTP on AWS (AWS Shield). As far as I know, there is no traditional WAF deployment available for custom applications on SAP BTP. It is highly recommended to use security features available within API Management such as rate limiting, access control, JSON access control, Message Validation Policy, OAuth etc. You have to be careful about inserting WAF between SAP BTP and Cloud Connectors, as it may interfere with mutual TLS1.2 authentication.



      Author's profile photo Huijie Zhang
      Huijie Zhang

      Thank you Janna. This is very helpful. Is BTP using AWS Shield Standard or Advanced?. Thank you

      Author's profile photo Jana Subramanian
      Jana Subramanian
      Blog Post Author

      The Network Level DDOS Protections such as protection against commonly occurring infrastructure (layer 3 and 4) attacks like SYN/UDP floods, reflection attacks are provided via AWS Shield Standard.

      Author's profile photo Huijie Zhang
      Huijie Zhang

      Thank you Janna.