SAP’s cloud transformation and shared-responsibility risks
Digital transformation in Polish enterprises is inseparable from the migration of key systems to cloud solutions such as RISE with SAP or SAP Business Technology Platform (BTP). Modern IT environments increasingly combine on-premise systems and cloud services, changing the way organisations build operational resilience, meet regulatory requirements and safeguard the integrity of critical business data.
At the same time, the scale of threats is growing. In 2024, Poland’s Ministry of Digital Affairs recorded as many as 627,339 reports of breaches affecting ICT systems, an increase of 60% compared to the previous year. Polish companies are targeted by hacking attacks more than 250 times a day, placing Poland among the five most attacked countries in the European Union. In 2024, attacks using social engineering techniques supported by generative artificial intelligence increased by 442%.
One example involves an organisation that implemented SAP S/4HANA Cloud without a clear understanding of the division of responsibilities. A misconfiguration of access policies and a lack of regular event monitoring allowed a leak of personal data and a breach of GDPR principles. The audit clearly showed: SAP was responsible for the infrastructure, but the client had neglected its share of responsibility for identity management and audits. Such situations also occur in Poland – companies convinced that the cloud provider ensures comprehensive protection lose vigilance and fall into the trap of false assumptions.
This is a key context for the question every Polish IT manager must ask: who is actually responsible for the security of data, systems and compliance in the rapidly changing SAP cloud?
This article analyses the current state of knowledge and legal regulation (GDPR, NIS2, ISO 27001), industry practice and specific security tools – including in the context of SNOK’s participation in the PWCyber programme run by Poland’s Ministry of Digital Affairs.
The shared-responsibility model – the foundations of SAP security
Definition and key concepts
Modern cloud deployments delivered by SAP are built on a shared-responsibility model. The division is deliberate and precise: SAP, as the platform provider, is responsible for the security of the cloud (the data centres, networks, hypervisors and the managed platform services it operates), while the client is responsible for security in the cloud, meaning everything above the infrastructure and managed services: identities and authorisations, custom code, data and regulatory compliance.
The key division of roles can be presented across four dimensions:
Infrastructure – SAP is responsible for the physical data centres, networks and hypervisor, while the client is responsible for configuring external connections and its own VPN network.
Platform – SAP provides updates, backups, baseline hardening and infrastructure monitoring, while the client manages applications, dedicated configurations and system extensions.
Applications – SAP delivers standard functionality, while the client is responsible for configuration, access management and custom code development.
Data and compliance – SAP encrypts data in transit and at rest and, in RISE, performs infrastructure-level backups; the client is responsible for data classification, implementing GDPR requirements, verifying that backup and recovery actually meet its own recovery objectives, and complying with legal requirements.
In SAP RISE, the separation of responsibility layers is supported by RACI matrices and dedicated documentation that precisely specifies what falls to SAP and what falls to the client. This is not an empty formality – it is a legal and operational commitment.
Jaroslaw Kamil Zdanowski, Partner at SNOK, highlights: “Shared responsibility today is not only a matter of regulatory compliance, but also of strategic business security. There will be no return on investment in digitalisation unless it is clearly established where the provider’s role ends and the company’s responsibility begins. Proper documentation of the division of tasks and regular audits are key to boards sleeping soundly and to operational security.”
RISE with SAP vs. standalone BTP – differences between the models
RISE with SAP offers a managed environment package in which SAP takes on a larger share of operational responsibility. This includes managing infrastructure, databases, backups, system redundancy and a certain level of monitoring. It is a solution for companies that want to reduce their operational obligations and focus on business requirements.
In standalone BTP (Platform as a Service), most obligations rest with the client: SAP operates the platform services, but the client owns the applications, integrations, identities and data built on top of them. BTP itself is hosted on hyperscaler infrastructure (AWS, Azure, GCP and others, chosen per region), which adds one more party to the responsibility chain and makes a documented division of duties all the more important.
RISE with SAP – where are the boundaries of responsibility?
Specific areas of client responsibility
The client’s real security responsibility in RISE with SAP includes:
User access management – assigning authorisations, managing account lifecycles, segregation of duties (SoD), assigning business roles and access auditing. The client must ensure that every employee has access only to the data and functions necessary to perform their duties.
Security of custom code – regular audits of dedicated solutions, vulnerability testing, scanning ABAP code for security gaps (for example with SAP Code Vulnerability Analyzer, CVA), and remediating the findings. SAP is not responsible for errors in custom code written by the client or its partners.
Data classification and encryption – implementing mandatory encryption and segmentation for particularly sensitive data, managing encryption keys (BYOK), and developing a data retention policy compliant with business and legal requirements.
Meeting GDPR and NIS2 requirements – maintaining a retention policy, fulfilling data subjects’ rights, meeting the notification deadlines (under GDPR, notifying the supervisory authority within 72 hours of becoming aware of a personal data breach; under NIS2, an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident, followed by a final report), documenting processing activities, concluding data processing agreements (DPAs) and carrying out data protection impact assessments.
Monitoring and logging events – tracking user activity, detecting anomalies, responding to security incidents, maintaining audit logs and integrating with security information and event management (SIEM) systems.
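As an added illustration of the access-management duty above (written for this article; not SNOK’s code and not an SAP GRC Access Control rule set), the following Python review flags segregation-of-duties conflicts and privileged roles held longer than a set period, run over constructed assignment records. The role names, users, validity periods and the SOD_RULES pairs are assumptions chosen for the example.

```python
"""Monthly authorisation review: SoD conflicts and long-held privileged roles.

Added illustration for this article; not SNOK's code and not an SAP GRC rule
set. Role names, users, validity periods and SOD_RULES are constructed.
"""
from collections import defaultdict
from datetime import date

# Constructed SoD rule set: each rule names two sets of roles that one person
# must not hold at the same time (any role from side A with any from side B).
SOD_RULES = {
    "create_vendor+post_payment": ({"Z_AP_VENDOR_MAINT"}, {"Z_AP_PAYMENT_RUN"}),
    "maintain_user+assign_role": ({"Z_BASIS_USER_ADMIN"}, {"Z_BASIS_ROLE_ASSIGN"}),
}

# Constructed list of roles whose holders must be reviewed individually.
PRIVILEGED_ROLES = {"SAP_ALL", "Z_BASIS_USER_ADMIN", "Z_BASIS_ROLE_ASSIGN"}

# Constructed assignment records: (user, role, valid_from, valid_to).
ASSIGNMENTS = [
    ("jkowalski", "Z_AP_VENDOR_MAINT", "2024-01-01", "9999-12-31"),
    ("jkowalski", "Z_AP_PAYMENT_RUN", "2024-06-01", "9999-12-31"),   # added later: SoD conflict
    ("anowak", "Z_AP_PAYMENT_RUN", "2024-01-01", "9999-12-31"),
    ("basis01", "Z_BASIS_USER_ADMIN", "2023-01-01", "2024-03-31"),   # expires before autumn review
    ("basis01", "Z_BASIS_ROLE_ASSIGN", "2023-01-01", "9999-12-31"),
    ("consult", "SAP_ALL", "2024-02-01", "2024-02-03"),              # short firefighter grant
]


def _active(assignments, as_of):
    """Yield (user, role, valid_from) for assignments valid on the ISO date as_of."""
    as_of = date.fromisoformat(as_of)
    for user, role, valid_from, valid_to in assignments:
        if date.fromisoformat(valid_from) <= as_of <= date.fromisoformat(valid_to):
            yield user, role, date.fromisoformat(valid_from)


def sod_conflicts(assignments, rules, as_of):
    """(user, rule) for every user holding both sides of a rule on as_of."""
    held = defaultdict(set)
    for user, role, _ in _active(assignments, as_of):
        held[user].add(role)
    return sorted((user, name) for user, roles in held.items()
                  for name, (side_a, side_b) in rules.items()
                  if roles & side_a and roles & side_b)


def privileged_holders(assignments, privileged, as_of, max_days=90):
    """(user, role, days_held, overdue) for every active privileged assignment."""
    as_of_date = date.fromisoformat(as_of)
    report = []
    for user, role, valid_from in _active(assignments, as_of):
        if role in privileged:
            days = (as_of_date - valid_from).days
            report.append((user, role, days, days > max_days))
    return sorted(report)


def review(as_of, assignments=ASSIGNMENTS):
    """The two findings a monthly review should put in front of the role owners."""
    return {
        "sod_conflicts": sod_conflicts(assignments, SOD_RULES, as_of),
        "privileged": privileged_holders(assignments, PRIVILEGED_ROLES, as_of),
    }


if __name__ == "__main__":
    for key, value in review("2024-09-01").items():
        print(key, value)
```

Running the review for different dates shows why it has to be periodic rather than one-off: in March the conflict sits with the basis administrator, in September with the accounts-payable user who was given a second role without anyone re-checking the SoD matrix.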
Practical scenarios from the Polish market
Case 1: An audit at a medium-sized Polish industrial company found that the custom code had never been reviewed. An SQL injection vulnerability in that code could have exposed business partner data; the attack vector was a malicious file uploaded by a user with only test-level privileges. File scanning and automated blocking (bowbridge) stopped the upload before any damage occurred.
Case 2: An organisation using RISE with SAP fell victim to a ransomware attack. The infrastructure-level backups provided by SAP were not enough on their own: the client had not segmented access, had not rotated encryption keys, and had never tested its recovery procedures. Both sides bore the consequences – the provider could show it had fulfilled its part, but the client had not prepared for the incident.
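The custom-code responsibility listed earlier and Case 1 come down to one recurring question: when custom ABAP builds dynamic Open SQL from user input, is the input escaped? The following check, added for this article and deliberately simplified (it is not SAP’s Code Vulnerability Analyzer), scans two constructed ABAP snippets for a dynamic WHERE clause whose string-template placeholders bypass cl_abap_dyn_prg, the SAP class whose quote( ) method returns a value as a safely quoted literal. The table name zpartner, the report variables and the regular expressions are assumptions for the example.

```python
"""Heuristic scan of ABAP source for injectable dynamic WHERE clauses.

Added illustration for this article, not SAP's Code Vulnerability Analyzer.
The ABAP snippets, table name and variable names are constructed.
"""
import re

# Constructed sample: a custom report builds a dynamic WHERE clause from a
# screen parameter. The DATA line interpolates the input unchanged, so a value
# such as  x' OR '1' = '1  rewrites the query. The SELECT then executes it.
VULNERABLE_ABAP = """
PARAMETERS p_name TYPE string.
DATA(lv_where) = |name = '{ p_name }'|.
SELECT * FROM zpartner WHERE (lv_where) INTO TABLE @DATA(lt_partner).
"""

# Same report with the input passed through cl_abap_dyn_prg=>quote( ), which
# returns the value as a quoted literal with embedded quotes doubled.
HARDENED_ABAP = """
PARAMETERS p_name TYPE string.
DATA(lv_where) = |name = { cl_abap_dyn_prg=>quote( p_name ) }|.
SELECT * FROM zpartner WHERE (lv_where) INTO TABLE @DATA(lt_partner).
"""

# {...} placeholder inside a |...| string template.
PLACEHOLDER = re.compile(r"\{\s*([^{}]+?)\s*\}")
# A string template assigned to a variable: DATA(lv_x) = |...|.  or  lv_x = |...|.
TEMPLATE_ASSIGN = re.compile(r"(?:DATA\()?(\w+)\)?\s*=\s*\|(.*)\|\s*\.", re.IGNORECASE)
# A dynamic WHERE clause taken from a variable: WHERE (lv_x)
DYNAMIC_WHERE = re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.IGNORECASE)
# Calls that make a placeholder acceptable inside dynamic SQL.
SANITISERS = (
    "cl_abap_dyn_prg=>quote(",
    "cl_abap_dyn_prg=>escape_quotes(",
    "cl_abap_dyn_prg=>check_whitelist",
)


def find_dynamic_sql_findings(source):
    """Report WHERE (var) uses where var was built from unsanitised placeholders."""
    lines = source.splitlines()
    templates = {}  # variable name -> (line number, list of placeholder expressions)
    for line_no, line in enumerate(lines, 1):
        match = TEMPLATE_ASSIGN.search(line)
        if match:
            var, body = match.group(1).lower(), match.group(2)
            templates[var] = (line_no, PLACEHOLDER.findall(body))
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = DYNAMIC_WHERE.search(line)
        if not match or match.group(1).lower() not in templates:
            continue
        var = match.group(1).lower()
        declared_at, placeholders = templates[var]
        for expr in placeholders:
            if not any(s in expr.lower() for s in SANITISERS):
                findings.append({"line": line_no, "variable": var,
                                 "tainted": expr, "declared_at": declared_at})
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_dynamic_sql_findings(VULNERABLE_ABAP))
    print("hardened:  ", find_dynamic_sql_findings(HARDENED_ABAP))
```

A regex pass like this only follows one assignment hop and knows nothing about data flow through method calls, which is why the real tooling is worth its licence; but even this level of check, run in the transport pipeline, would have surfaced the Case 1 defect before it reached production.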
What SAP’s responsibility does not cover
SAP is not responsible for application authorisation configuration, customisations, the regularity of audits, deploying patches for custom solutions, documenting compliance with local law, or dedicated incident-management and reporting pathways to Poland’s data protection authority (UODO). All of this is the client company’s obligation.
Dariusz Kurkiewicz, Team Leader SAP Cybersecurity/BASIS, explains: “In real RISE deployments, the clear assignment of roles accounts for 70% of successful compliance audits. Regardless of SAP’s automation, it is essential to regularly verify authorisations, maintain compliance documentation, and test backup and recovery procedures. Developing clearly defined response procedures, particularly in light of NIS2 and GDPR, is a good example of practical shared responsibility.”
SAP BTP – security in a multi-cloud environment
Specifics and challenges of BTP
SAP BTP is hosted on the infrastructure of several hyperscalers (AWS, Azure, GCP and others), with the client choosing the provider and region for each subaccount. This flexibility brings business benefits – companies can pick the best fit for individual processes – but every additional provider is one more layer to audit, and security complexity grows accordingly.
Identity management requires integrating SAP Cloud Identity Services (Identity Authentication and Identity Provisioning) with the corporate identity provider. Multi-factor authentication (MFA) policies, SSO federation and enforcement of least privilege are essential. Every integration point is a potential attack vector.
Monitoring and logging events must be carried out through both native BTP logs and central SIEM tools. The challenge is correlating events across a distributed architecture – this requires advanced analytical tools.
API interface security – protecting integration points against attacks requires both code audits and systematic vulnerability testing and access segmentation. Every programming interface is a potential gateway for an attacker.
Protecting dedicated application data – not only backup and archiving, but also regular analysis of external service providers and supply-chain analysis with respect to NIS2 compliance.
Dariusz Kurkiewicz notes: “BTP is a multi-layered environment – a single main audit is not enough. Practice shows that most incidents stem from misconfigured connections, a lack of key rotation and insufficient testing of custom and partner-built BTP solutions. A secure architecture is one that is continuously audited and developed – not only on the SAP side, but on the side of every cloud provider.”
Monitoring application security – a practical approach
Key indicators and metrics
The number of failed login attempts and anomalies in login activity indicate potential brute-force attempts or account compromise.
The distribution of privileged authorisations – how many people have access to administrative roles, how long they hold them, and whether this is justified from a business perspective.
User activity anomalies – changes in login times, locations, data transfer volumes, access to new applications, or the launching of new processes.
The number of system configuration changes – every change is a point of risk, particularly if it was not approved by the appropriate people.
Integration-related incidents – errors, timeouts and failed data transmissions between systems.
Integrating logs with SIEM systems enables the correlation of incidents across the entire SAP and external ecosystem. This makes it possible to detect complex attacks that might not be visible in individual logs.
The obligation to monitor compliance with password policy, MFA, and the effectiveness of retention and backups against ISO 27001 and NIS2 standards is both a regulatory and a business requirement.
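The indicators above only become useful once they are turned into rules. The following Python detection logic, added for this article (not SNOK’s, SAP’s or any SIEM vendor’s code), runs three of them over constructed sample logon events: a failed-logon burst followed by a success, a logon from a terminal outside the user’s baseline, and an off-hours logon; it then correlates the first two the way a SIEM rule would. The event tuples, user names, IP addresses, KNOWN_TERMINALS baseline and business hours are assumptions, and the record layout is a simplified stand-in for Security Audit Log logon events, not the real format.

```python
"""Logon-indicator detection over constructed sample events.

Added illustration for this article; not SNOK's, SAP's or a SIEM vendor's
code. Events, users, addresses and the KNOWN_TERMINALS baseline are
constructed; the layout is a simplified stand-in, not Security Audit Log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, user, terminal, outcome), outcome "ok" or "fail".
EVENTS = [
    ("2025-03-03T08:00:05", "jkowalski", "10.1.5.21", "ok"),
    ("2025-03-03T08:01:00", "svc_rfc", "10.1.9.7", "ok"),
    ("2025-03-03T08:02:10", "admin01", "203.0.113.44", "fail"),
    ("2025-03-03T08:02:14", "admin01", "203.0.113.44", "fail"),
    ("2025-03-03T08:02:19", "admin01", "203.0.113.44", "fail"),
    ("2025-03-03T08:02:23", "admin01", "203.0.113.44", "fail"),
    ("2025-03-03T08:02:27", "admin01", "203.0.113.44", "fail"),
    ("2025-03-03T08:02:31", "admin01", "203.0.113.44", "fail"),
    ("2025-03-03T08:02:40", "admin01", "203.0.113.44", "ok"),    # success right after the burst
    ("2025-03-03T09:15:00", "jkowalski", "10.1.5.21", "ok"),
    ("2025-03-03T23:40:00", "jkowalski", "198.51.100.9", "ok"),  # unknown terminal, off hours
]

# Constructed baseline: terminals each user normally logs on from.
KNOWN_TERMINALS = {
    "jkowalski": {"10.1.5.21"},
    "svc_rfc": {"10.1.9.7"},
    "admin01": {"10.1.5.30"},
}


def parse(events):
    """Convert ISO timestamps to datetime; keep the tuple layout otherwise."""
    return [(datetime.fromisoformat(ts), user, term, out) for ts, user, term, out in events]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per user with >= threshold failures inside a sliding window.

    success_after is True when a successful logon follows the burst within the
    same window: the signature of a guessed or sprayed password that worked.
    """
    by_user = defaultdict(list)
    for ts, user, _term, out in parse(events):
        by_user[user].append((ts, out))
    alerts = []
    for user, recs in by_user.items():
        recs.sort()
        fails = [ts for ts, out in recs if out == "fail"]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                followed = any(out == "ok" and fails[j] < ts <= fails[j] + window
                               for ts, out in recs)
                alerts.append({"user": user, "failures": j - i + 1,
                               "start": fails[i].isoformat(), "success_after": followed})
                break  # one alert per user; the SIEM keeps the raw events for drill-down
    return alerts


def new_terminal_logons(events, known=KNOWN_TERMINALS):
    """Successful logons from a terminal outside the user's baseline."""
    return [(user, term, ts.isoformat())
            for ts, user, term, out in parse(events)
            if out == "ok" and term not in known.get(user, set())]


def off_hours_logons(events, start_hour=7, end_hour=19):
    """Successful logons outside the business window [start_hour, end_hour)."""
    return [(user, ts.isoformat())
            for ts, user, _term, out in parse(events)
            if out == "ok" and not start_hour <= ts.hour < end_hour]


def correlate(events):
    """Users with a failed-logon burst that ended in success from an unknown terminal.

    Neither signal alone is conclusive; together they are what a SIEM rule
    should escalate as a probable account compromise.
    """
    burst_users = {a["user"] for a in failed_logon_bursts(events) if a["success_after"]}
    new_term_users = {user for user, _term, _ts in new_terminal_logons(events)}
    return sorted(burst_users & new_term_users)


if __name__ == "__main__":
    print(failed_logon_bursts(EVENTS))
    print(new_terminal_logons(EVENTS))
    print(off_hours_logons(EVENTS))
    print("escalate:", correlate(EVENTS))
```

The thresholds and the business window are deliberately parameters: in practice they are tuned per system class (a dialog system and an RFC integration user have very different normal profiles), which is where most of the false-positive reduction mentioned later in this article actually comes from.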
Native SAP tools versus third-party solutions
SAP offers its own monitoring tools: SAP Enterprise Threat Detection for security log analysis, SAP GRC Access Control for access and SoD management, and SAP Cloud ALM for application lifecycle management.
Third-party platforms such as SecurityBridge add continuous monitoring across all layers (on-premise and cloud), faster anomaly detection and automated alerting, and extend log collection beyond SAP BTP to custom solutions.
Patryk Budkowski, SAP Cybersecurity Consultant, notes: “In day-to-day operations, a simple analysis of native logs is often not enough. Integrated tools of the SecurityBridge class collect logs not only from SAP BTP, but also from custom solutions, detecting subtle patterns of abuse or privilege-escalation attempts. The biggest challenge is maintaining transactional context in log analysis – and without automated audits and correlation, this is often unachievable in large deployments.”
Security solutions for the SAP cloud environment
SecurityBridge – a comprehensive platform for SAP RISE and BTP
SecurityBridge is a modern solution designed specifically for the SAP ecosystem, covering both on-premise and cloud systems. The platform operates in four main areas:
Real-time threat monitoring – log analysis with direct access to SAP data, anomaly detection using machine learning, attack-pattern identification, staff-support actions, and automatic alerts sent to the security team and SIEM systems.
Vulnerability scanning in code – continuous analysis of ABAP code, detection of known and new vulnerabilities, analysis against SAP’s secure-coding recommendations, and priority vulnerability reporting.
Regulatory compliance monitoring – support for ISO 27001 audit processes, support for NIS2, GDPR, SOX, NIST and KRITIS requirements, and automatic generation of compliance reports for auditors and regulators.
Forensic capabilities – access to historical data, the ability to trace user actions, root-cause analysis of incidents, and support for internal and external investigations.
The SecurityBridge deployment process is structured: configuration analysis (assessing the security posture), SIEM integration (connecting to the central monitoring hub), team training (knowledge transfer), documentation (preparing procedures), penetration testing (verifying effectiveness), and rule optimisation (fine-tuning for specific conditions).
bowbridge – a specialised solution for file protection
bowbridge is a specialised tool that protects SAP systems against file-related threats. Its main applications include:
Protection against malicious content in uploads and integrations – antivirus adapted for SAP Fiori, E-Recruiting and BTP integrations.
File scanning – every upload to SAP undergoes immediate analysis, with isolation of compromised files and incident reporting.
Integration with SecurityBridge – full interoperability, functionally complementary, providing centralised monitoring of upload security for SAP systems and cloud solutions.
The Fujitsu/Allianz SE case study shows how bowbridge secured SAP Fiori, provided automatic isolation of infected documents, centralised consent and quarantine workflows, ensured compliance with sector-specific regulations, and significantly reduced file-related incidents.
The issue of file security is serious – a single file can carry many kinds of threats: viruses and malware (delivered via email and upload), exploits for document software (active content such as macros and embedded scripts), disguised or polymorphic executables, file-type evasion (extension spoofing, where the declared extension does not match the content), and threats hidden in SAP’s own archive format (SAPCAR .SAR files, which general-purpose virus scanners typically cannot unpack and therefore do not inspect).
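As an added illustration of the file-type evasion, disguised-executable and active-content threats just listed (written for this article; not bowbridge’s or SAP’s logic), the following Python checks decide on a file by its content rather than its name: magic bytes are compared with the declared extension, executables are refused regardless of name, and an OOXML document is refused if it carries a VBA project part. The signatures are the standard leading bytes of the formats named; the sample files built by make_docx() and the inline byte strings are constructed. SAPCAR archives are deliberately not handled here: they need a dedicated unpacker, which is exactly why general scanners miss them.

```python
"""Content-based checks for files uploaded to SAP.

Added illustration for this article, not bowbridge's or SAP's logic.
Signatures are the standard magic bytes of the formats named; sample files
are constructed. SAPCAR (.SAR) archives are out of scope here.
"""
import io
import zipfile

# Leading bytes that identify common upload formats.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",                           # also the docx/xlsx/pptx container
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",     # legacy .doc/.xls compound file
    b"MZ": "exe",                                   # Windows PE executable
}

# Which detected content types each declared extension may carry.
ALLOWED = {
    "pdf": {"pdf"}, "png": {"png"},
    "docx": {"zip"}, "xlsx": {"zip"},
    "doc": {"ole"}, "xls": {"ole"},
}

# Extensions that must not appear anywhere in the name (invoice.pdf.exe, cv.exe.docx).
DANGEROUS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "hta"}


def sniff(data):
    """Classify a file by its leading bytes, ignoring the declared extension."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def has_vba_project(data):
    """True if an OOXML container carries a VBA project part (macro code).

    A real scanner would also inspect [Content_Types].xml and OLE streams; this
    is the minimal check that catches a macro hidden behind a .docx name.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def check_upload(filename, data):
    """Return (accepted, reason). Decisions are made on content, not on the name alone."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    ext = parts[-1]
    if any(part in DANGEROUS for part in parts[1:]):
        return False, "dangerous extension in name"
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    kind = sniff(data)
    if kind == "exe":
        return False, "executable content"
    if kind not in ALLOWED[ext]:
        return False, f"content is {kind}, not .{ext}"
    if kind == "zip" and has_vba_project(data):
        return False, "macro code inside document"
    return True, "ok"


def make_docx(with_macro):
    """Build a minimal, constructed OOXML container in memory (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_upload("invoice.pdf", b"%PDF-1.7\n"))
    print(check_upload("invoice.pdf", b"MZ\x90\x00"))
    print(check_upload("cv.docx", make_docx(True)))
```

The order of the checks matters: the name is rejected first because it is cheap, but acceptance is never granted on the name alone, so a renamed executable or a macro document saved as .docx is caught by the content checks that follow.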
Dariusz Kurkiewicz sums up the practice: “The combination of SecurityBridge and bowbridge is a versatile solution for Polish companies carrying out SAP deployments – it strengthens both threat detection and compliance with audit requirements. The competitive advantage comes from speed of response and ongoing automation of monitoring processes – including with regard to NIS2.”
ROI and practical implementation
Integrating these tools enables automatic compliance reports for NIS2 and ISO 27001, along with a register of data processing agreements and incident management. This is not a pure cost – it is an investment in business resilience.
ROI can be broken down across dimensions:
Lower risk – reduced risk of breaches through better monitoring; faster incident detection limits the damage.
Operational costs – less time spent manually searching logs, fewer meaningless alerts (false positives), and more effective use of team resources.
Regulatory compliance – faster audit preparation, lower risk of penalties from Poland’s data protection authority (UODO), and reduced exposure to compensation claims.
Patryk Budkowski observes from a practitioner’s perspective: “Advanced tools do not replace a well-organised audit and access-rotation process. In my experience, audit automation (SecurityBridge Monitor) makes it possible to quickly identify irregularities and eliminate the most common user or third-party integration errors. The real, immediate benefit? More time for proactive work, less time spent manually searching through logs.”
SNOK and the PWCyber programme – cybersecurity as a national priority
SNOK actively participates in the Public-Private Cybersecurity Cooperation programme (PWCyber) run by Poland’s Ministry of Digital Affairs, a strategic platform for cooperation between the public and private sectors in Poland.
SNOK brings unique competences in securing SAP applications to the programme, shares the results of regular penetration tests, and analyses current threat trends. The PWCyber programme facilitates knowledge exchange, organises workshops, promotes innovative cybersecurity practices and enables the exchange of vulnerability information between participants.
SNOK also cooperates with PwC Poland, which strengthens audit and compliance synergy – particularly in the context of GDPR and new EU regulations. SNOK experts co-develop implementation guidelines and conduct training, raising the competences of teams responsible for SAP security in Polish companies.
SNOK’s involvement in PWCyber is not only a matter of prestige – it has a real impact on strengthening the Polish economy’s resilience to cyberattacks. SNOK’s goal is to transfer technical and organisational knowledge, particularly from the perspective of SAP implementation practitioners.
Practical recommendations and an implementation checklist
Preparing for transformation and audit
Before starting a migration to RISE or BTP, a security audit should be carried out, covering data inventory, risk analysis in line with GDPR, NIS2 and industry standards, an assessment of existing security controls, and gap identification.
Formalising the scope of responsibility – preparing RACI documentation, task-division matrices, a register of data processing agreements (DPAs), signing internal shared-responsibility agreements, and clarifying security expectations.
Training and awareness
Educational programmes for IT teams – familiarisation with the shared-responsibility model, discussion of threats specific to the SAP cloud, and presentation of monitoring and response tools.
Enforcing knowledge – competence tests, regular incident simulations, procedure reviews, and certification courses for key personnel.
Regular audits and gap analysis
Automating authorisation reviews – a monthly review of who has access to what, whether it is still justified, and whether any authorisation has outlived the period for which it was granted.
SIEM log analysis – a weekly or daily review (depending on complexity) of alerts, anomaly analysis and incident documentation.
Procedural review – a quarterly review of procedures against NIS2, ISO 27001 and GDPR requirements, updating procedures based on lessons learned from incidents.
Incident response plan
Strict alerting procedures – how quickly an employee reports suspicious activity, who is notified, and what the escalation path is.
Impact analysis of incidents – assessing whether it was an attack, how much data may have been affected, and what the business consequences are.
Minimising response time – from detection to remedial action should take hours, not days.
Reporting to UODO – a procedure for reporting an incident within 72 hours in line with GDPR, process documentation, and communication with affected data subjects.
Verifying and testing backups
Regular backup checks – a monthly test of data restoration from a backup copy, to ensure it actually works.
Independent restore tests – at least two full restore scenarios per year, ideally into a separate geographic location, so that the recovery procedure is proven rather than assumed.
Compliance with requirements – backup procedures must comply with GDPR, KRI (Poland’s National Interoperability Framework) and NIS2 requirements.
Practical checklist
Has a detailed analysis of the scope of shared responsibility been carried out for each layer of the solution (BTP, RISE)?
Are the system and application administrator roles clearly defined, and are their holders trained?
Have two-factor authentication and authorisation rotation policies been implemented?
Do code and file scanning tools (SecurityBridge, bowbridge) operate at every integration and upload point?
Are compliance audits against NIS2, GDPR and ISO 27001 conducted at least once a year?
Do you have an up-to-date gap analysis and an incident response plan tested through simulation?
Are backup and recovery procedures documented and regularly tested?
Does the team responsible for SAP security have access to real-time monitoring tools?
Are data processing agreements (DPAs) in place with suppliers and subcontractors?
Are incident reporting procedures known to and accessible by the IT team?
Key reflections
SAP security in the age of BTP is a matter of constant readiness to act, understanding the division of roles in line with the latest regulations (GDPR, NIS2), and the integrated use of tools such as SecurityBridge and bowbridge.
The real business value of digitalisation and cloud migration only becomes apparent once the final segment of responsibility is handled by the client – with full awareness of risk and operational maturity.
Jarosław Zdanowski sums up the vision: “Shared responsibility is the new norm. A client who treats SAP security as a business advantage wins both in the market and in the eyes of regulators. SNOK supports companies that choose this path – from audits, through implementation, to the long-term building of resilience.”
The future of SAP security in the cloud
We are observing growing emphasis on automation, compliance audits and the widespread adoption of centrally deployed SIEM mechanisms across entire organisations. The trends for 2025 and beyond are hybrid deployment models, the spread of Zero Trust architecture, and the growing importance of incident analysis and audits compliant with NIS2 and ISO 27001.
Companies that invest now in the maturity of their SAP cloud security will gain a significant competitive advantage. Deploying SecurityBridge and bowbridge, appointing people responsible for security, and automating monitoring – these are not expenses, they are investments in resilience.
A call to action
IT managers should implement the shared-responsibility model actively – not merely as a declaration. Drawing on the support of experienced SNOK experts, participating in the PWCyber programme, and integrating SecurityBridge and bowbridge solutions makes it possible to build genuine, lasting SAP cyber-resilience.
SNOK offers comprehensive advisory services: security audits, monitoring platform implementations, team training, penetration testing, and support in enforcing compliance with national and EU regulations.
Working with a company specialising in SAP security is an investment in the peace of mind of managers, the trust of regulators, and the resilience of the business.
***
An article in the “Safe Tuesday with SNOK” series
A series of articles produced by SNOK – a leading Polish company specialising in SAP security, backed by experience from the digital transformation of hundreds of companies across the Central European region.
Would you like to see this in practice or discuss an implementation for your organisation? Contact us – we will respond within 48 hours.