Skip to Content
Technical Articles
Author's profile photo Jana Subramanian

Securing GROW with SAP Landscape

(Jana Subramanian serves as  APJ Principal Cybersecurity Advisor for Cloud Security and has been recognized as a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals (IAPP). As part of his responsibilities, Jana helps with strategic customer engagements related to topics such as cybersecurity, data privacy, multi-cloud security integration architecture, contractual assurance, audit, and compliance.)


SAP has introduced GROW with SAP in March 2023 as a means of supporting mid-sized businesses on their journey to Cloud ERP. The GROW with SAP package encompasses several key components, including cloud ERP solution – SAP S/4HANA Cloud, public edition , SAP Business Technology Platform with certain CPEA credits, pre-configured baseline and packaged activation services, SAP Build Services, and expert user support through SAP Community among others. This offering helps customers to manage business operation with an enhanced cloud-based system,  delivering security, flexibility, and predictable cost.

GROW with SAP bundle provides comprehensive security and ensures that customer core applications and data are protected through secure operations. In this blog, we will delve into the security features of the cloud-based ERP solution provided by GROW with SAP bundle offering and how it enables businesses of various sizes to protect their core valuable assets and data.


Figure 1: SAP Secure Cloud Operations

Shared Security Responsibility

SAP S/4HANA cloud, public edition is offered as public SaaS. SAP takes responsibility for ensuring the security of the SaaS platform architecture through advanced multi-tenant logical separation, security patching, managing backup and restoration, as well as securing infrastructure elements such as operating systems, networking, and applications. Additionally, SAP handles cloud (Hyperscaler) account management, operational security monitoring, incident management, personal data breach notifications, hardening and patching operating systems, application and providing solution support. Adherence to SLAs and contractual assurance is maintained through SAP Service Level Agreements, SAP Data Processing Agreements, General Terms and Conditions and SAP support policy. Customers are responsible for managing application layer security, user authentication, authorization, and secure integration to third-party systems and data privacy settings. The table below provides insight into the shared security responsibilities between SAP and the customer for key security topics.

S.No Security Theme SAP Responsibility Customer Responsibility
1 Business/Customer User Authentication
  • Provide SAP Cloud Identity Services (SAP BTP) for authentication and SSO integration with customer IDP
  • The responsibility of delegating authentication to customer’s own Corporate Identity Provider (IDP) and configuring SAP Identity Authentication Services as an Identity Proxy lies with the customer.
2 Authorization
  • Configure Role Based Access Control (RBAC) of SAP Cloud Admin Users via Cloud Access Manager (CAM)
  • Defines Business Roles and Configure Role Based Access Control to Business Users
3 Network Security
  • Setting up Trust boundaries that separates network into zones and each zone into segments. Setting up system landscape such as Load Balancers, Web Dispatchers, setting up Security Groups, ABAP, SAP HANA – Tenant DB, System DB
  • Customer is responsible for setting up secure integration for inbound and outbound communications to 3rd party systems and configuring trust between systems.
4 Security Patch Management
  • Perform regular vulnerability management and penetration testing of the SaaS platform. Perform regular patches for OS, Application and DB and for functional enhancements
  • Validate and revise the authorization concept following functional upgrades.
5 Secure Software Development Lifecycle (SSDLC)
  • SAP follows Secure Software Development Lifecycle approach to application development ensuring that application is secure, free from known malicious code
  • Customer is responsible for security of any custom code or extension built
6 Logging and Monitoring
  • Maintain 24×7 Security Monitoring
  • Collect and Correlate Platform logs.
  • Define Security Use cases for automatic alerting.
  • Maintain Security Incident and Event Management Platform.
  • Responsible for reviewing security audit logs such as technical user level logins and retrieval of such logs via API.
  • Review of logs such as Change documents, Read access logs, Authorization trace logs, SAP support user request logs
7 Encryption
  • Encrypt end-to-end data in transit with TLS 1.2 and Data at Rest with AES-256-bit encryption.
  • Generate customer specific encryption keys to encrypt data at rest during the deployment
8 Backup and restore
  • SAP performs regular scheduled backups. In case of any logical errors such as data corruption and other irreparable situations, SAP will perform restore operations. The backups storage is encrypted with AES 256-bit encryption. Appropriate processes and automated tools are in place to validate backup integrity, and backup logs are reviewed daily to detect and correct backup failures.
  • Customer can raise a service request for logical errors such as data corruption and other irreparable emergency situations for restore from backup.
9 Retention and Deletion
  • SAP does not delete customer data over the subscription term. At the end of the termination period, as a part of decommission process, SAP deletes customer data as specified in the contract. SAP provides features and functions to facilitate compliance with relevant legal requirements related to data protection.
  • Customer owns customer data. Customers have the ability to configure blocking and deletion settings based on the Information Lifecycle Management (ILM) applications in use. This includes the ability to define specific residence and retention periods for different purposes within the system.
10 Virus Scans on the Uploaded Content
  • Virus scans on uploaded external data to detect malicious, harmful, or suspicious content, rejecting any uploaded malicious content
  • Customer is responsible for ensuring that the endpoints such as desktop, laptops have anti-virus protection deployed and enabled.
11 Secure by Design and Secure by Default
  • SAP maintains default security setting for session timeouts for UI, ABAP, Backend. Additional default settings include Business user Login via IAS, Retention, Read Access Logging, Certificates Auto-update etc
  • Customer can change the security setting as per their policy requirement subject to limits set in the settings.
12 Connectivity
  • SAP manages cloud networking within the SAP S/4HANA cloud, public edition setting up trust boundaries. The Internet have built-in network level DDOS protection enabled
  • Customer end connection to SAP S/4HANA cloud, public edition and any 3rd party applications is via Internet over TLS 1.2 session and this connectivity is under customer responsibility.
13 Disaster Recovery
  • SAP manages disaster recovery setup, process, and activation.
  • Customer should consider for disaster recovery optionally if the business requires it and may have a commercial impact.

For more details, please refer to the reference documentation for SAP S/4HANA cloud, public edition.

Customer Access to SAP S/4HANA cloud, public edition

  1. The SAP S/4HANA cloud, public edition is hosted in SAP Converged Data Center, Azure, and Google Cloud at various global locations. In the SAP S/4HANA Cloud, Public Edition and SAP BTP, business users access the application via a standard browser, providing a seamless user experience across all devices and Fiori applications through the Fiori Launchpad.
  2. SAP S/4HANA Cloud uses a load balancer and a web dispatcher. The incoming request is directed to the load balancer. The load balancer distributes incoming network traffic across shared web dispatcher cluster. Each customer accesses their system through a unique, customer-specific URL, with communication managed by the SAP Web Dispatcher’s Reverse Proxy component. The web dispatcher is responsible for routing incoming requests from the load balancer to the customer specific application (ABAP)
  3. Standard users authenticate using SAML 2.0 assertions (SSO) through SAP Cloud Identity, ensuring secure access to the system. It handles authentication, ensuring that end users can securely access the system.
  4. At the backend, the SAP HANA database powers the system, providing optimized access through Core Data Services (CDS) views. Both the SAP S/4HANA ABAP and SAP HANA components are managed by SAP, ensuring a reliable and secure environment for users.


Figure 2: Customer Access to SAP S/4HANA cloud, public edition

Secure Customer Data Segregation

In the SAP S/4HANA Cloud, public edition each customer’s environment is segregated using Security Group. Security Groups provide a mechanism for controlling access and communication between different resources in the cloud. This isolation ensures that customers’ applications and data are not exposed to other customers’ environments. Every tenant has their own ABAP application servers that operate on distinct SAP HANA tenant databases. The SAP S/4HANA cloud, public edition relies on multi-tenant database containers (MDC) feature of SAP HANA database allowing multiple isolated databases, referred to as “Tenant DB”. Tenant DB refers to independent databases that are part of a single SAP HANA system database. These databases store all the application data and configuration that are specific to each tenant. Therefore, each SAP HANA Tenant DB has its own set of tables, users, and security policies, and can be managed independently of other Tenant DB on the same system.

Customer security group allows system communication between various environment of the same customer. Within a customer’s environment, there are three system landscape: Development (D), Testing (T), and Production (P). The customer security group enables secure communication between these systems, ensuring that only authorized users and resources within the same customer’s environment can access and interact with the data and processes in these systems.

Integrated Secure Landscape

A secure connectivity from SAP S/4HANA cloud, public edition and SAP Business Technology Platform can be established via several methods that includes support for standard OData services in SAP S/4HANA cloud that can be consumed by applications running on SAP BTP, Integration Suite in SAP BTP to integrate SAP S/4HANA Cloud with other services and applications on SAP BTP by creating integration flows that define how data is exchanged between the systems.

Additionally  customer’s expose SAP S/4HANA Cloud services as APIs and consume them in your applications on SAP BTP. The secure connectivity can be established between SAP S/4HANA Cloud and SAP BTP leveraging  security and authentication mechanisms available such as  OAuth 2.0, SAML 2.0, and Client certificates. For example, SAP S/4HANA Cloud uses OAuth 2.0 for authentication and authorization. This ensures that only authorized users and applications can access data in SAP BTP.

SAP S/4HANA Cloud, public edition subscription contains embedded SAP Analytics Cloud and is automatically deployed and configured during tenant provisioning. However, this is limited to only live connection to  S/4HANA Cloud tenant.


Figure 3: Secure Integrated Landscape

Encryption Controls:

By default, SAP manages encryption key for data at rest encryption keys for SAP S/4HANA cloud, public edition. To manage the encryption keys, two Secure Stores in the File System (SSFS) are used. The Instance SSFS stores various encryption root keys (data volume, log volume, backup), while the System PKI SSFS stores system-internal root certificates for secure internal communication. The contents of both SSFSs are protected by SSFS Master Keys, which are generated during installation. There is an option for customers to use Customer-Controlled Encryption Key integration, You can refer to the documentation for details.


Figure 4: Data Protection and Encryption Stack

API Security:

Customers should follow best practice approach to security settings under their responsibility. SAP BTP provide API Security in API Management. The SAP S/4HANA cloud provides Business user Change API, Security Audit Log API, Business Role Change API, OAuth 2.0, SAML2.0, Cross Origin Resource Sharing security. Besides, customer should ensure establishing strong authentication methods for business users, such as multi-factor authentication and single sign-on. Additionally, it is crucial to define and enforce appropriate authorization levels based on users’ roles, securely configure, and manage trusted certificates for secure communication channels and implement read access logging to monitor and audit data access for potential security breaches or unauthorized activities.


Figure 5: API Security

Data Protection and Privacy

While SAP, as a data processor, is committed to protecting data through its Data Processing Agreement and Technical and Organisational Measures, SAP S/4HANA cloud application offers built-in security features and specific data protection functions that customers can easily customize to their needs to meet their data privacy compliance. These functions include consent management, security audit logs, read access logs, blocking, and deletion of personal data.


Figure 6: Data Privacy in SAP S/4HANA cloud, public edition

For more details in Data Protection and Privacy features available with SAP S/4HANA cloud, public edition, please refer to this documentation.

Additional References

S.No Description
1 Protect SAP S/4HANA cloud, public edition
2 Best Practices for SAP BTP – Security Concepts
3 Defence in Depth Security Architecture with SAP S/4HANA Cloud, public edition
4 Essential Data Privacy and Security Controls in SAP Business Technology Platform
5 Data Protection – SAP S/4HANA cloud, public edition



Cybersecurity is paramount for safeguarding critical assets in all businesses, regardless of their size and scale. The GROW with SAP bundle addresses this need by providing a holistic approach to cybersecurity and data privacy requirements. This comprehensive offering not only ensures the protection of a company’s core assets but also affords flexibility, seamless integration, and the ability to extend and modernize their core ERP digitally. Thus, as mid-sized businesses adapt to the changing digital landscape, adopting the GROW with SAP bundle can help them enhance their  cybersecurity posture and compliance measures.



© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Saumitra Deshmukh
      Saumitra Deshmukh

      Very well illustrated Jana Subramanian. With more customers going into our Public Cloud ERP, this helps clarify the security aspects to our Partners & Customers.


      Author's profile photo Uppdeep Singh Mann
      Uppdeep Singh Mann

      Hi Jana,

      Very well explained and provide overall picture around SAP Public Cloud Security,

      Thanks for Sharing.