Security for SAP RISE Solutions

More Coverage at Lower Costs than SAP RISE Security Solutions and Services

SAP RISE: A Shared Model of Responsibility for Security

In contrast to traditional on-premise SAP landscapes, the responsibilities for security in SAP RISE are shared between SAP and customers. SAP is responsible for security at the hyperscaler and network level, as well as databases and servers. Customers are responsible for securing the application and data layer.

Customers can purchase optional solutions and Cloud Application Services (CAS) that are not included as standard in RISE for additional support from SAP.

The Cybersecurity Extension for SAP cloud edition provides an alternative to Cloud Application Services and solutions from SAP. The extension is certified for SAP S/4HANA and available as a cloud subscription. It delivers more coverage at lower cost than the equivalent RISE services and solutions and provides a unified alternative to multiple SAP RISE offerings.

SECURITY SCENARIO	STANDARD RISE SERVICE / SOLUTION	OPTIONAL RISE SERVICE / SOLUTION
Access Risk Analysis		Segregation of Duties Check
Vulnerability & Compliance Management		Application Security Monitoring
Custom Code Security		SAP Code Vulnerability Analyzer
Security Patching		Application Security Updates
Threat Detection & Response		SAP Enterprise Threat Detection Cloud Edition
Security Dashboard		SAP Analytics Cloud

Access Risk Analysis

Customers are responsible for managing user permissions and ensuring access to critical roles and authorizations is restricted and compliant with the principle of the Segregation of Duties (SoD). SAP offers an optional Cloud Application Service to detect critical access and SoD risks in customer S/4HANA systems using the SAP GRC ruleset. The Cybersecurity Extension for SAP also performs critical access and SoD checks for S/4HANA using a ruleset benchmarked against SAP GRC.

Vulnerability & Compliance Management

Customers are responsible for the secure configuration of applications in SAP RISE. SAP offers an additional Cloud Application Service not included in standard RISE services to perform security checks for ABAP and HANA systems using SAP Solution Manager. The Cybersecurity Extension for SAP performs more extensive security checks than the CAS and enables customers to detect compliance gaps with security frameworks. This includes compliance monitoring for security settings mandated by SAP Enterprise Cloud Services (ECS) for SAP RISE solutions.

Custom Code Security

Developing and maintaining secure custom applications is the responsibility of customers in SAP RISE. This includes custom developments adapted and migrated from SAP ECC to SAP S/4HANA. Customers can license SAP Code Vulnerability Analyzer (CVA) to detect vulnerabilities in custom ABAP programs. CVA is not included in standard RISE solutions. The Cybersecurity Extension for SAP includes a higher number of test cases than CVA and supports security scanning for custom SAPUI5 applications.

Security Patching

Customers are responsible for identifying and applying application-specific security notes and testing for security notes in SAP RISE. SAP offers an optional Cloud Application Service for implementing application-level security notes. However, this excludes support for implementing notes with manual corrections and testing security notes. The Cybersecurity Extension for SAP automates the discovery of security notes and supports lifecycle management for required patches.

Threat Detection & Response

Monitoring and investigating security incidents in SAP applications is the responsibility of customers in SAP RISE. SAP offers managed services using SAP Enterprise Threat Detection (ETD) cloud edition as an optional CAS. The services exclude monitoring of HANA logs. ETD must be licensed by the customer to use the services. The Cybersecurity Extension for SAP includes more detection patterns than ETD and supports monitoring of HANA logs.

Security Dashboard

Standard RISE solutions and services do not include a security dashboard for monitoring security-related KPIs. RISE customers can subscribe to a cybersecurity dashboard available in SAP Analytics Cloud. However, the data sources for the dashboard include SAP ETD, SAP Focused Run and SAP Risk Management. The solutions must be licensed from SAP to use the dashboard. The Cybersecurity Extension for SAP includes an interactive dashboard, trend analysis and threat map for monitoring security KPIs.

Cybersecurity Extension for SAP Cloud Edition

The Cybersecurity Extension for SAP cloud edition is optimized for SAP RISE solutions. Download the detailed comparison of RISE services and solutions versus the Cybersecurity Extension for SAP or learn more about the capabilities of the solution.

Download now Learn more

Sign Up for a Demo

Schedule a live demo of the Cybersecurity Extension for SAP^® Solutions to experience industry-leading protection for your SAP systems.

ACCESS RISK ANALYSIS	SAP RISE STANDARD	SAP RISE OPTIONAL CAS / SOLUTION¹	CYBERSECURITY EXTENSION FOR SAP
Critical Access & SoD Checks for S/4HANA
Scanning Interval	None	On Demand	Daily
Detailed Reporting including Risk Analysis & Recommendations
Report Scheduling including Automatic Email Distribution
Dashboard & Trend Analysis Integration
Ruleset Customization
Support for User Exclusions

VULNERABILITY & COMPLIANCE MANAGEMENT	SAP RISE STANDARD	SAP RISE OPTIONAL CAS / SOLUTION¹	CYBERSECURITY EXTENSION FOR SAP
SAP Solution Manager Installation Required in Customer SAP Landscape
Support for ABAP
Support for HANA
Support for Java
Support for ASE Database
Support for Linux OS
Quantity of Security Checks	None	Low	High²
Automated Compliance Gap Assessments for Security Frameworks including Custom Security Policies			³
Report Scheduling including Automatic Email Distribution
Dashboard & Trend Analysis Integration
Alert Integration
Integration with Custom Code Security Scanning
Security Check Customization including Exclusions for Systems & Users
Remediation Management

CUSTOM CODE SECURITY	SAP RISE STANDARD	SAP RISE OPTIONAL CAS / SOLUTION¹	CYBERSECURITY EXTENSION FOR SAP
Support for ABAP Code
Support for SAPUI5 Code
Quantity of Security Code Checks	None	70+²	270+³
Support for Centralized Scanning
Integration with ABAP Test Cockpit and SAP Code Inspector
Report Scheduling including Automatic Email Distribution
External Call Analysis for Custom Programs
Dashboard & Trend Analysis Integration
Support for Exclusions

SECURITY PATCHING	SAP RISE STANDARD	SAP RISE OPTIONAL CAS / SOLUTION¹	CYBERSECURITY EXTENSION FOR SAP
Calculation of Relevant Security Notes		–
Automatic Check for Implementation Status of Security Notes to Remove Installed Notes from Calculated Results
Implementation of Security Notes for SAP Basis/ ABAP		–
Implementation of Application-Level Security Notes
Implementation of Security Notes with Manual Corrections
Testing for Security Notes
Report Scheduling including Automatic Email Distribution
Dashboard & Trend Analysis Integration

THREAT DETECTION & RESPONSE	SAP RISE STANDARD	SAP RISE OPTIONAL CAS / SOLUTION¹	CYBERSECURITY EXTENSION FOR SAP
SAP Enterprise Threat Detection License Required
Support for ABAP
Support for HANA
Support for Java
Support for ASE Database
Support for Linux OS
Support for SAProuter & SAP Web Dispatcher
Quantity of Patterns	None	45+	1000+²
Detection of Actively Exploited Vulnerabilities
Forensic Analysis of SAP Logs
Custom Threat Patterns and Alarms
SIEM Integration
Alert Tuning including Exclusions
Incident Response
Report Scheduling including Automatic Email Distribution
Dashboard Integration		³
Trend Analysis Integration