Protect your cloud solutions and data with SAP security
Security measures in the cloud
SAP security measures meet the highest standards for cybersecurity, operations, and privacy protection, applying our security framework for every customer, every time.
We manage security and compliance risks and operate cybersecurity and physical security programs across our technology landscape, including cloud environments, facilities, events, and employees.
The SAP security framework is the foundation for:
Product security
Identity and access management
Infrastructure and platform security
Tenant isolation and data security
Monitoring, detection, and incident response
Resilience and recovery
Physical security
Security culture and awareness
SAP product security guides and recommendations
Product security guides are comprehensive descriptions of various security parameters and options for select SAP products.
Security measures in the cloud
Product security
SAP’s secure development and operations lifecycle (SDOL) involves risk, privacy, and ethics assessments; architecture threat modeling; guidelines for secure programming and code reviews; secure deployment of software releases; and bug bounty programs.
Infrastructure and platform security
SAP requires hardening procedures that protect cloud infrastructures against common misconfigurations by centralizing audit-event logging, encrypting transmitted and stored data, configuring VPNs, centralizing cloud security posture management (CSPM), and constantly scanning for vulnerabilities.
Identity and access management
SAP manages identity and access for our provided services and underlying layers, while customers retain responsibility for user access management within the solution administration layer. This division allows us to deliver cloud services without having access to customer data and solution instances.
Tenant isolation and data security
Where cloud solution architectures allow, SAP separates and isolates the customer tenants in separate cloud accounts. We apply strong encryption-in-transit and at-rest policies with options for further enhancement. Customers manage access to data on the solution, preventing unauthorized access.
Monitoring, detection, and security incident response
SAP monitors and provides alerts for suspicious activity and vulnerabilities, conducts routine scans of external-facing web infrastructure and third-party penetration tests, and deploys red team testing to evaluate system security. Our security operations center manages security incident response and communication 24/7.
Resilience and recovery
SAP builds redundancy and business continuity management into our systems to help us respond to operational, reputational, and other threats to our customers’ interests. We provide service-level agreements for resilience and recovery for each solution.
Physical security
SAP protects both physical assets and our employees while they work. We operate data centers with high physical security and maintain close partnerships with hyperscaler data center operators to keep physical assets and data secure.
Security culture and awareness
Training employees to fulfill security responsibilities appropriate to their roles and functions requires ongoing attention to security culture and awareness. SAP provides both mandatory and elective security and compliance training. We also organize events for learning, networking, and exchanging experiences.
SAP cloud services shared responsibility model for security
Our shared responsibility model divides security responsibilities among SAP, the customer, and public cloud service providers.
SAP provides cloud solutions as software as a service (SaaS) on top of infrastructure and platforms provided by public cloud service providers.
SAP customer responsibilities
SAP customers are responsible for administering the solution by managing the application configuration and logs, user access, data access, and application threat detection and response. System management responsibilities are shared with SAP.
SAP responsibilities
SAP manages security and compliance risks for the customer, the applications and cloud services, and infrastructure and platform configuration. We share system management responsibilities with SAP customers.
Public CSP responsibilities
The public CSP is responsible for public cloud infrastructure and platform as a service. The CSP manages physical hardware, the data center, the cloud control plane, on-demand managed services, and services for compute, network, and storage.