Technical Articles
Limor Wainstein

Implementing Zero Trust in a SAP Environment



What Is Zero Trust?

Zero trust is a security strategy that aims to prevent data breaches by removing implicit trust from an organization's network architecture. Built on the principle of "never trust, always verify", it protects modern digital environments by preventing lateral movement, enforcing granular user-access control, applying network segmentation, and providing Layer 7 threat prevention.

The zero trust security model was developed by John Kindervag while he was a principal analyst and vice president at Forrester Research. It starts from the observation that traditional security architectures rest on the outdated premise that everything inside the organization's network can be trusted.

Under that trust model, a user inside the perimeter is assumed to act in good faith, and the user's identity is assumed not to be compromised. Zero trust treats trust itself as a vulnerability: once on the network, a user (who may be a malicious insider or an attacker using stolen credentials) can move laterally and exfiltrate any data they are not explicitly prevented from reaching.

Zero trust is not about making a system trustworthy; it is about removing implicit trust altogether.

Benefits of Zero Trust for SAP

Zero trust protects the network from outside and inside threats while giving each user access only to the services and applications needed to complete authorized tasks. By verifying users and devices continuously, each time they access an asset, environment, or application, zero trust limits what an attacker can reach even after gaining a foothold inside the network.

Here are some important benefits of a zero trust model for a SAP (Systems, Applications, and Products in Data Processing) environment.

Offers Secure SAP Connectivity

By requiring explicit authorization for every user and every resource they need, zero trust keeps attackers, including those already inside the network, away from valuable data and the organization's crown jewels. This helps safeguard against damaging security breaches.

Access granted under zero trust is access to specific applications, not to the whole network. Third parties and remote employees can reach only the applications they are authorized for, so even if one of these individuals is compromised, the attacker's reach over assets stays limited.

Preserves SAP Performance

Zero trust does not require an additional network layer such as terminal servers or VPNs. It can be implemented on top of an existing network, including the public internet, so it adds little overhead to SAP traffic compared with backhauling every session through a VPN concentrator.

Supports SAP Agility and Scalability 

A web-based management UI supports scalability: security teams can readily add or remove permissions for every type of user, and end users do not need to install software on their computers or other devices. Any user can therefore be given controlled access to systems and resources regardless of location.

Increases Employee Productivity When Using SAP

Transparent, seamless connection to SAP for remote employees and third-party users saves time, reduces frustration and overhead, and increases productive work. Instead of spending effort on connecting to SAP, partners and employees can start working in SAP immediately.

How to Implement Zero Trust in a SAP Environment?

Use the following practices to apply a zero trust model to your SAP environment.

Specify Your Protect Surface

To define the protect surface:

  • Identify what belongs to the protect surface: the data, applications, assets and services that must be defended
  • Isolate and classify those applications, data, services and assets
  • Increase visibility and contextual awareness, including awareness of each application and identification of its users

Define the Transaction Flows

You can achieve this by:

  • Using automated tools to map data flows across all types of traffic
  • Identifying how applications, data, networks, and systems interact
  • Categorizing all traffic and recording the findings

Develop a Zero Trust Network

Zero Trust Network Access (ZTNA) is a class of technology that helps implement zero trust authorization and dynamic network segmentation. To build your zero trust network:

  • Define a policy that outlines a micro-perimeter by placing a segmentation gateway in front of the protect surface
  • Keep your zero trust strategy consistent and unified through a centralized management system
  • Deploy virtual, physical, or cloud-based next-generation firewalls (NGFWs) as segmentation gateways
  • Use scalable security solutions so the gateways do not become bottlenecks

Define Your Trust Policy

When you create your policy, you should:

  • Develop and automate application rules according to best practices
  • Incorporate a multi-layered security approach that scans for threats and mitigates them
  • Ensure the policy addresses details such as:
    • Who can access what
    • When access is granted or restricted
    • Where the user is located
    • How the resource is accessed
    • Why the user requires access

Adjust Your Incident Response Process

Incident response is a critical process in any production environment, especially for mission-critical SAP applications. As you transition to a zero trust model, adjust your incident response process:

  • Use the additional data about user accounts, devices, and protected services to gain more context about security incidents
  • Leverage automated capabilities in ZTNA to rapidly contain attacks using network segmentation
  • Use lessons learned from security incidents to fine-tune trust policies

Keep Your SAP Environment Secure

To ensure you maintain the security of your environment:

  • Monitor the environment on an ongoing basis
  • Update and enhance the environment periodically
  • Implement a fast threat detection and response strategy, for example by using AI-based tools
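The first three steps above (protect surface, transaction flows, segmentation gateway) and the containment step from the incident response section can be expressed as a small default-deny policy check. The following Python is an added example and is not code from this article or from any SAP product; the hosts, network ranges, flow records and port numbers are constructed for the illustration (the ports follow the common SAP convention for instance number 00, which is an assumption here).

```python
"""Micro-segmentation policy check for a hypothetical SAP landscape.

Added example, not code from SAP or from this article. Hosts, networks,
ports and the flow log are constructed; the ports follow the usual SAP
convention for instance number 00 (DIAG 3200, HTTPS 44300, HANA SQL 30015),
which is an assumption here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Step 1: the protect surface - assets that must be isolated, with a
# classification that tells responders what is at stake.
PROTECT_SURFACE = {
    "hana-db":  {"ip": "10.0.1.10", "class": "crown-jewel"},  # SAP HANA database
    "s4-app":   {"ip": "10.0.1.20", "class": "critical"},     # S/4HANA application server
    "jumphost": {"ip": "10.0.9.5",  "class": "admin"},        # bastion for administrators
}

# Source zones outside the protect surface, identified by network range.
ZONES = {"workstations": ipaddress.ip_network("10.0.5.0/24")}

# Step 2: the transaction flows that are legitimately needed, as
# (source zone or asset, destination asset, destination port).
# Everything not listed is denied: default deny is the zero trust posture.
ALLOWED_FLOWS = {
    ("workstations", "s4-app", 3200),   # SAP GUI (DIAG) to the application server
    ("workstations", "s4-app", 44300),  # Fiori over HTTPS
    ("s4-app", "hana-db", 30015),       # application server to the HANA SQL port
    ("jumphost", "hana-db", 22),        # administration only through the bastion
    ("jumphost", "s4-app", 22),
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


def asset_of(ip: str) -> Optional[str]:
    """Name of the protect-surface asset with this address, if any."""
    for name, info in PROTECT_SURFACE.items():
        if info["ip"] == ip:
            return name
    return None


def zone_of(ip: str) -> str:
    """Classify a source address as an asset name, a zone name, or 'unknown'."""
    asset = asset_of(ip)
    if asset:
        return asset
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


class SegmentationGateway:
    """Step 3: the micro-perimeter placed in front of the protect surface."""

    def __init__(self, allowed):
        self.allowed = set(allowed)
        self.quarantined = set()

    def quarantine(self, ip: str) -> None:
        """Incident response: contain a host by cutting every flow it originates."""
        self.quarantined.add(ip)

    def decide(self, flow: Flow):
        """Return ('allow' | 'deny', reason) for one observed flow."""
        if flow.src_ip in self.quarantined:
            return "deny", "source host is quarantined"
        target = asset_of(flow.dst_ip)
        if target is None:
            return "deny", "destination is not in the protect surface"
        src = zone_of(flow.src_ip)
        if src == "unknown":
            return "deny", "source is not in any known zone"
        if (src, target, flow.dst_port) in self.allowed:
            return "allow", f"{src} -> {target}:{flow.dst_port} is an allowed flow"
        klass = PROTECT_SURFACE[target]["class"]
        return "deny", f"{src} -> {target}:{flow.dst_port} not allowed ({klass} asset)"


def evaluate(gateway: SegmentationGateway, flows):
    """Run every flow through the gateway; returns (flow, decision, reason) triples."""
    return [(f, *gateway.decide(f)) for f in flows]


# Constructed flow log: what a segmentation gateway might observe.
SAMPLE_FLOWS = [
    Flow("10.0.5.33", "10.0.1.20", 3200),     # workstation -> app server via SAP GUI
    Flow("10.0.5.33", "10.0.1.10", 30015),    # workstation straight to the database
    Flow("10.0.1.20", "10.0.1.10", 30015),    # app server -> database
    Flow("10.0.5.34", "10.0.1.10", 22),       # SSH to the database, bypassing the bastion
    Flow("10.0.9.5", "10.0.1.10", 22),        # bastion -> database
    Flow("203.0.113.7", "10.0.1.20", 44300),  # Internet host -> Fiori: no zone, no access
]

if __name__ == "__main__":
    gw = SegmentationGateway(ALLOWED_FLOWS)
    for flow, decision, reason in evaluate(gw, SAMPLE_FLOWS):
        print(f"{decision:5} {flow.src_ip:>12} -> {flow.dst_ip}:{flow.dst_port:<6} {reason}")
    gw.quarantine("10.0.5.33")  # contain the workstation that reached for the database
    print(gw.decide(SAMPLE_FLOWS[0]))
```

The second and fourth sample flows are the ones a flat network would have allowed: a workstation opening the HANA SQL port directly, and SSH to the database that does not pass through the bastion. Both are denied because they are absent from the flow allow-list, not because a signature recognised them, which is the point of mapping transaction flows before building the gateway. Quarantining a source address is the containment action the incident response section refers to.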

Zero Trust in the Cloud Using SAP Data Custodian

No single technology delivers a zero trust architecture; it requires a holistic network security strategy that combines several technologies and principles. SAP Data Custodian is one product that can contribute to this framework and help organizations develop their zero trust approach.

SAP Data Custodian is a SaaS application designed to provide data protection for users of SAP applications and public cloud infrastructure. It lets you extend zero trust to the cloud and to SAP applications, including SAP IBP, SAP ECC, and SAP HANA.

Cloud Control and Visibility  

SAP Data Custodian gives you near-real-time visibility into who is accessing information stored in the public cloud and in SAP applications such as SAP ECC and SAP S/4HANA. You can also configure data protection policies to govern where data is stored and who may access it.

Context-Based Access Control

Zero trust demands strict verification of every device and person that tries to access an organization's resources. SAP Data Custodian's contextual access control lets you extend the authentication process and build access policies based on user context, including citizenship, geolocation, employment type, department, and similar attributes.

Rather than granting application access based only on, for example, a user ID and password, the access decision can depend on particular characteristics of the user (such as geolocation). Context-based access control can be applied to hyperscaler resources and to SAP applications such as SAP ECC and SAP S/4HANA.
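To make the "who, what, when, where, how, why" policy from the trust policy section concrete together with the context attributes just listed (department, employment type, citizenship, geolocation), here is an added example in Python. It is not SAP Data Custodian's code or API; the resource names, attribute values, time windows, device-posture rule and step-up rule are assumptions made for the illustration.

```python
"""Context-based access decisions for SAP application access.

Added example, not SAP Data Custodian's code or API. Resource names,
departments, countries, time windows and the step-up rule are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRequest:
    user: str
    department: str        # who
    employment: str        # "employee" or "contractor"
    citizenship: str       # ISO country code of the user
    country: str           # where: geolocation of the request
    hour_utc: int          # when
    channel: str           # how: "sapgui", "fiori" or "rfc"
    managed_device: bool   # how: device posture reported by the endpoint agent
    mfa_verified: bool     # whether a second factor was already presented
    resource: str          # what
    justification: str     # why: ticket or change reference, may be empty


# Per-resource policy. Every key is a restriction; a missing key means the
# attribute is not restricted for that resource.
POLICY = {
    "s4-finance-gl": {
        "departments": {"finance", "audit"},
        "channels": {"sapgui", "fiori"},
        "countries": {"DE", "US"},
        "hours_utc": (6, 20),          # normal working window; outside it, step up
    },
    "hana-hr-export": {
        "departments": {"hr"},
        "channels": {"fiori"},
        "countries": {"DE"},
        "citizenship": {"DE"},         # data residency / export-control constraint
        "hours_utc": (7, 18),
        "managed_device_only": True,
    },
}


@dataclass
class Decision:
    action: str                        # "allow", "step-up" or "deny"
    reasons: list = field(default_factory=list)


def decide(req: AccessRequest) -> Decision:
    """Default deny: every restriction must pass, otherwise the request fails."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return Decision("deny", ["unknown resource"])

    denies = []
    if req.department not in rule.get("departments", {req.department}):
        denies.append("department not entitled to this resource")
    if req.channel not in rule.get("channels", {req.channel}):
        denies.append(f"channel {req.channel} not permitted")
    if req.country not in rule.get("countries", {req.country}):
        denies.append(f"access from {req.country} not permitted")
    if req.citizenship not in rule.get("citizenship", {req.citizenship}):
        denies.append("citizenship requirement not met")
    if rule.get("managed_device_only") and not req.managed_device:
        denies.append("unmanaged device")
    if req.employment == "contractor" and not req.justification:
        denies.append("contractor access requires a justification")
    if denies:
        return Decision("deny", denies)

    # Conditions that do not refuse access but demand stronger proof of identity.
    step_up = []
    start, end = rule.get("hours_utc", (0, 24))
    if not start <= req.hour_utc < end:
        step_up.append("outside normal hours")
    if req.employment == "contractor":
        step_up.append("contractor identity")
    if step_up and not req.mfa_verified:
        return Decision("step-up", step_up)
    return Decision("allow", step_up or ["all conditions satisfied"])


def decide_all(requests):
    """Actions for a batch of requests, in order."""
    return [decide(r).action for r in requests]


# Constructed requests, one per policy dimension.
SAMPLE_REQUESTS = [
    AccessRequest("anna", "finance", "employee", "DE", "DE", 10, "fiori", True, False, "s4-finance-gl", ""),
    AccessRequest("anna", "finance", "employee", "DE", "DE", 23, "fiori", True, False, "s4-finance-gl", ""),
    AccessRequest("bob", "finance", "contractor", "US", "US", 15, "sapgui", True, True, "s4-finance-gl", "CHG-4711"),
    AccessRequest("bob", "finance", "contractor", "US", "US", 15, "sapgui", True, True, "s4-finance-gl", ""),
    AccessRequest("cara", "hr", "employee", "DE", "DE", 9, "fiori", False, True, "hana-hr-export", ""),
    AccessRequest("dave", "hr", "employee", "FR", "DE", 9, "fiori", True, True, "hana-hr-export", ""),
    AccessRequest("anna", "finance", "employee", "DE", "SG", 10, "rfc", True, True, "s4-finance-gl", ""),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        d = decide(req)
        print(f"{req.user:5} {req.resource:16} {d.action:7} {'; '.join(d.reasons)}")
```

The ordering matters: hard restrictions (who, where, how, citizenship, device posture, missing justification) are collected and refuse access outright, while softer signals (out-of-hours access, contractor identity) only raise the bar to a step-up authentication. Collecting every deny reason rather than stopping at the first gives the incident responder the full context the previous section asks for.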

Access Control for the Cloud Provider 

Cloud providers often need to access an organization's cloud resources for maintenance, which raises security concerns. SAP Data Custodian lets you identify and control when cloud service providers access your cloud resources: it manages access approval and notifies you when the provider accesses them.

Detection of Anomalous Activity

AI can be used to support zero trust and safeguard your organization's data. SAP Data Custodian's anomaly detection uses AI to add a further layer of protection. For example, if an attacker compromises the identity of a legitimate user, the anomaly detector can isolate the suspicious behavior in your cloud environment and alert you, based on a machine learning analysis of that user's previous behavior patterns.
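As an added example of the behavioral approach just described (not SAP Data Custodian's detector, whose model is not described on this page), the following Python builds a per-user baseline from constructed historical access events and scores new events against it. The features (hour of day, source country, volume of records read), the weights, the minimum history length and the alert threshold are all assumptions made for the illustration.

```python
"""Per-user behavioural anomaly scoring for SAP access events.

Added example, not SAP Data Custodian's anomaly detector. The events,
features, weights and alert threshold are assumptions.
"""
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass

MIN_EVENTS = 5       # below this, a user's history is too thin to trust
ALERT_THRESHOLD = 3


@dataclass(frozen=True)
class Event:
    user: str
    hour_utc: int
    country: str       # geolocation of the session
    records_read: int  # volume of data retrieved in the session


class UserBaseline:
    """What 'normal' looks like for one user, learned from past events."""

    def __init__(self, events):
        self.n = len(events)
        self.hours = Counter(e.hour_utc for e in events)
        self.countries = Counter(e.country for e in events)
        volumes = [e.records_read for e in events]
        self.mean = statistics.fmean(volumes) if volumes else 0.0
        self.sd = statistics.pstdev(volumes) if len(volumes) > 1 else 0.0
        self.max_seen = max(volumes, default=0)

    def score(self, e: Event):
        """Return (score, reasons); a higher score is further from the baseline."""
        if self.n < MIN_EVENTS:
            # Cannot verify behaviour: treat as elevated rather than silently allow.
            return ALERT_THRESHOLD, [f"insufficient history ({self.n} events)"]
        score, reasons = 0, []
        if e.country not in self.countries:
            score += 2
            reasons.append(f"new country {e.country}")
        if e.hour_utc not in self.hours:
            score += 1
            reasons.append(f"unusual hour {e.hour_utc:02d}:00 UTC")
        if self.sd > 0:
            z = (e.records_read - self.mean) / self.sd
        else:  # constant history: anything above the maximum seen is unprecedented
            z = 0.0 if e.records_read <= self.max_seen else float("inf")
        if z > 3:
            score += 2
            reasons.append(f"volume {e.records_read} is {z:.1f} sd above mean")
        return score, reasons


def fit(history):
    """Build one baseline per user from historical events."""
    by_user = defaultdict(list)
    for e in history:
        by_user[e.user].append(e)
    return {u: UserBaseline(evs) for u, evs in by_user.items()}


def detect(history, new_events, threshold=ALERT_THRESHOLD):
    """Return (event, reasons) alerts for new events that reach the threshold."""
    baselines = fit(history)
    alerts = []
    for e in new_events:
        base = baselines.get(e.user)
        if base is None:
            alerts.append((e, ["no history for user"]))
            continue
        score, reasons = base.score(e)
        if score >= threshold:
            alerts.append((e, reasons))
    return alerts


# Constructed history: 'jsmith' works 08:00-16:00 UTC from DE with modest
# volumes; 'tmp_vendor' has only two sessions on record.
HISTORY = [Event("jsmith", 8 + i % 9, "DE", 100 + (i * 37) % 300) for i in range(20)]
HISTORY += [Event("tmp_vendor", 14, "US", 50), Event("tmp_vendor", 15, "US", 80)]

# Constructed new events: a routine session, a stolen-credential pattern
# (new country, 03:00 UTC, bulk read), a thin-baseline user, an unknown user.
NEW_EVENTS = [
    Event("jsmith", 10, "DE", 250),
    Event("jsmith", 3, "SG", 50000),
    Event("tmp_vendor", 14, "US", 60),
    Event("ghost", 12, "DE", 10),
]

if __name__ == "__main__":
    for event, reasons in detect(HISTORY, NEW_EVENTS):
        print(event, "->", "; ".join(reasons))
```

The second jsmith session is the case the paragraph describes: valid credentials, so authentication succeeds, but the combination of a never-seen country, an unusual hour and a bulk read scores well above the threshold. The thin-baseline and unknown-user cases are alerted deliberately: a detector that stays silent because it has nothing to compare against would hand the attacker exactly the newly created or rarely used accounts they prefer.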

Strong cybersecurity involves multiple layers, leveraging different technologies to protect the organization both from the outside and from the inside. Zero trust is an important layer that should also extend to the cloud, which requires additional transparency and access control measures. SAP Data Custodian provides access control, transparency, and anomaly detection features that reinforce your zero trust strategy.


In this article I explained the basics of zero trust, the benefits it can provide in a mission critical SAP environment, and several steps for implementing zero trust for SAP solutions:

  • Specify the protect surface – to understand which individual units in the SAP environment must be isolated and protected
  • Define transaction flows – to establish allowed versus disallowed workflows
  • Develop a zero trust network – to implement strong authentication, authorization and network segmentation
  • Define the trust policy – a central policy specifying who can access what, and when
  • Keep the SAP environment secure – in a zero trust model, this includes securing internal components against compromised accounts or services

I hope this will be of help as you improve the security of your SAP environment using zero trust principles.
