Protecting your cloud solutions and data
Security measures in the cloud
SAP security measures meet the highest standards for cybersecurity, operations, and privacy protection tailored to the individual needs of our customers.
We manage security and compliance risks and operate cybersecurity and physical security programs across our technology landscape, including cloud environments, facilities, events, and employees.
SAP applies our security framework for every customer, all the time
The SAP security framework is the foundation of our security measures and covers multiple security domains:
Product security
Identity and access management
Infrastructure and platform security
Tenant isolation and data security
Monitoring, detection, and incident response
Resilience and recovery
Physical security
Security culture and awareness
Product security
SAP product security covers the full secure development and operations lifecycle (SDOL) of cloud services and applies secure-by-design and secure-by-default principles while creating and operating our cloud services. It includes a broad set of measures and standards:
Risk, data privacy, and ethics assessments
Threat modeling to identify security risks in the architecture design
Secure coding guidelines and code reviews
Security and vulnerability scans
Penetration tests and red teaming
Secure deployment of software releases
Secure operations, including resilience, backup, and recovery
Bug bounty programs
Product security response
Infrastructure and platform security
Our security policy framework includes required hardening procedures for cloud infrastructure to protect against common cloud misconfigurations:
Centralized audit event logging
Minimum requirements for encryption in transit and encryption at rest
VPN configurations
Centrally operated scans for cloud security posture management (CSPM)
Constant vulnerability scans for cloud infrastructures
Identity and access management
SAP manages identity and access management for our provided services and underlying layers, while customers retain responsibility for user access management within the solution administration layer. This allows us to deliver cloud services without having access to customer data and customer solution instances.
Tenant isolation and data security
Where cloud solution architectures allow, SAP separates and isolates customer tenants per cloud account. We apply strong encryption-in-transit and encryption-at-rest policies, with options for further enhancement. Customers manage access to data in the solution, preventing unauthorized access.
Monitoring, detection, and security incident response
SAP monitors and provides alerts for suspicious activity and vulnerabilities, conducts routine scans of external-facing web infrastructure and third-party penetration tests, and deploys red team testing to evaluate system security. We maintain a 24x7 security operations center (SOC) to centrally manage security incident response and communication.
Resilience and recovery
SAP builds redundancy and business continuity management into our systems to help us respond to operational, reputational, and other threats to our customers’ interests. We provide service-level agreements (SLAs) for resilience and recovery for each solution.
Physical security
Protecting physical assets is crucial to protecting customer data. SAP physical security programs manage the safety of our employees while they work. We operate datacenters with strong physical security and maintain strong partnerships with hyperscaler datacenter operators to keep physical assets and data secure.
Security culture and awareness
Training employees to fulfill security responsibilities appropriate to their roles and functions requires ongoing attention to security culture and awareness. SAP provides mandatory and elective security and compliance training and organizes events for learning, networking, and exchanging experiences.
SAP cloud services shared responsibility model for security
How the customer, SAP, and the CSP share security responsibility
SAP provides cloud solutions as software-as-a-service (SaaS) on top of infrastructure and platforms provided by public cloud service providers (CSPs). Our shared responsibility model divides security responsibilities among the customer, SAP, and the public CSPs.
SAP Customer Responsibilities
SAP customers are responsible for administering the solution by managing the application configuration and logs, user access, data access, and application threat detection and response. System management responsibilities are shared with SAP.
SAP Responsibilities
SAP is responsible for managing security and compliance risks for the company. SAP also manages the applications and cloud services, infrastructure and platform configuration, and shares system management responsibilities with SAP customers.
Public CSP Responsibilities
The public CSP is responsible for public cloud IaaS and PaaS services. The CSP manages physical hardware, the data center, the cloud control plane, on-demand managed services, and services for compute, network, and storage.
SAP product security guides and recommendations
SAP provides guides that apply to SAP products and services to assist you in securing your systems.
Product security guides are comprehensive descriptions of various security parameters and options.