There are different points of view on the SAP Cloud Security topic. For example:

  • The security that a cloud service provider offers from Italian providers or international hyperscalers (for example: Microsoft Azure, Amazon AWS, Google, Alibaba Cloud)
  • Customer-view security in configuring products that reside in cloud environments

But let's go in order. We can identify two main ways of managing systems, which in turn can be further differentiated:

  • On-premise
  • On Cloud

In the first On-premise case, SAP products are physically under customer control. As they reside and are managed directly by the customer.

In the second On Cloud case, the products do not reside in the customer's infrastructure but are hosted and/or managed by a service provider. There are additional sub-classifications such as logics:

  • Infrastructure-as-a-service [IaaS], in fact SAP does not use this model, left to hyperscalers
  • Platform-as-a-service [PaaS], SAP uses this model. Here the application part is left to the customer, while the architectural aspects to the provider
  • Software-as-a-service [SaaS], SAP uses this model. Here, system upgrade is managed directly by the provider

SAP is in fact turning into a software house that provided on-premises software to a software house projected to the Cloud. The idea is to continue to innovate business processes, reducing management costs and improving security aspects. 


"Reasoning at 360 degrees on cyber security issues, also at SAP, is important."

But what changes if I use the Cloud or the On-Premise in my case?

slide-dx-4Let's start with the various pillars of SAP security.

  • Physical security
    • In all cloud models, it's the provider that's responsible for it
  • Hardware
    • In all cloud models, it's the provider that's responsible for it
  • Development of ES SAP Cloud Platform Applications
    • It is directly you who carry out and control the developments, while the infrastructure is made available by the provider, in this case attention to developments if and where carried out
      • SAP Cloud Platform Cloud Foundry environment (SAP platform but open)
      • SAP Cloud Platform Neo environment (SAP's proprietary platform)
  • Application level
    • In all cases, you manage the operation of the various processes and application security

Attention, in the Cloud part SAP makes and has made several acquisitions over time, such as for Ariba and Success Factors, Hybris, Gigya products. These products may not have the same authorization logics as in "classic" SAP systems

Does application security change?

Product application security is not the responsibility of service providers. So you have to manage all aspects of security, user profiling and compliance with any regulations and policies within the systems.

As a result, the profiling logics of SAP systems remain unchanged in this case:

  • Utility management (TransactionSU01)
  • Profiling management (Transaction PFCG)
  • All trace and log logics within the SAP suite


Compliance with regulations e.g. SoX, GDPR, SoD, ISO etc.

In these cases being regulations related, for the most part to application data, the management methods do not change whether the systems are on-premises or the SAP systems are On Cloud.

  • Read this article to understand how SoD helps you protect your business data.
  • Read here how it pays to tackle GDPR in particular on SAP, to protect personal data.
  • Staff training es. Security awareness 
  • Masking and scrambling data in SAP



SAP Governance Risk and Compliance (GRC)

One of the tools SAP provides to control and manage the company's compliance with the reference regulations is the SAP GRC. This tool allows you to integrate on-premises and on-cloud systems.

This tool made from different systems (read the in-depth study here), allows in the case of Access Control, to manage the following aspects.

  • ARA - Access Risk Analysis, Segregation of duties, all phases of the sod except the mitigation part for testing controls (this requires the use of GRC Process Control)
  • BRM - Role management, that is, managing an authorization role lifecycle
  • EAM - Emergency Access Management, i.e. the management of privileged access (super users, fire call, system administrator)
  • ARQ - Access Request Management, that is, the management of the sap user lifecycle through the use of approved workflows

In the event that your landscape is totally on-cloud, it is advisable to focus on the solution of Identity and Access Governance SAP IAG in the case of hybrid scenarios the GRC system in version 12 can integrate into on-cloud systems.

SAP Identity Management (SAP IDM)SAP Identity Management

In complex landscape, many systems to be managed and heterogeneous with each other, it is essential to equip ourselves with a tool that allows to control the life cycle of users, at least for these cases:

  • new utilities
  • job changes
  • divestment of utilities


SAP's tool that performs these activities is called SAP identity management.

This tool can be connected to SAP and non-SAP systems to provision and deprovision users/roles across linked systems by defining approved workflows. SAP's identity management does not provide the ability to manage segregation of duties, which is why it is connected to the SAP GRC system.

In the On-Cloud and Hybrid scenarios, it is essential to have a tool that allows you to manage users and access to various resources. In on-cloud systems unlike on-premises systems being exposed on the internet, it is essential to block access to resources that are no longer formally allowed to access.

Secure Programming

As seen above it is important to understand which development platform to use in the cloud environment.

  • SAP Cloud Platform Cloud Foundry environment (SAP platform but open)
  • SAP Cloud Platform Neo environment (SAP's proprietary platform)

What are the main differences?

SAP Neo SAP Cloud Foundry
Owner SAP Open Source
Supports only: Java, HTML5, HANA XS Support many more languages, for example: PHP, Java, Python, Ruby etcc
Can't manage other languages You can develop with your own language
SAP provides support for the languages mentioned above SAP provides support only for Java e Node JS
Supports only connection to SAP data centers Manages the interface linking to third-party "data source" systems e.g. AWS, Google or Azure


Although the SAP Cloud Foundry platform allows you to manage multiple languages and links, these inevitably expose you to greater risks. It is therefore essential to activate mechanisms to control the development of the ABAP code.

How can Aglea help you?

Since 2003 we have been dealing exclusively with providing SAP security advice in Italy and also abroad.

We have carried out many dozens of SAP security concept design and authorization review projects. This allowed us to define project accelerators and tools that help to get the IT department (normally very technical) to talk to the business. With the aim of simplifying communication between the actors involved and improving the control of the systems.

See our certifications and case history.


Contact us!

Suggested Post from our SAP Security Blog

SAP Cloud Identity Access Governance

  • Di che cosa si tratta? Cosa significa SAP IAG?
  • Meglio rimanere On-premise, andare in Cloud o scenari ibridi?

10 suggerimenti dopo aver installato SAP GRC

GRC Tips_tricks
  • Hai installato uno dei sistemi SAP GRC? 
  • 10 suggerimenti su come migliorare l'utilizzo della suite di Governance SAP anche negli ambienti in Cloud con l'analisi Cross System


SAP Cloud Security, quali gli aspetti da considerare?

SAP Cloud Security
  • È meglio avere i sistemi in cloud oppure on-premise?
  • Ma dal punto di vista della security ci sono dei punti di attenzione da considerare? Davvero i sistemi on-premise sono più sicuri?