ASUG Talks

ASUG Talks Roundtable: Cybersecurity in the Cloud

ASUG

As SAP customers migrate to the cloud, cybersecurity is a critical component of those transformation projects. Moving your IT ecosystem and sensitive organizational data from bare-metal, on-premises environments into the cloud requires a dedicated security approach, especially as threat actors’ efforts grow more sophisticated.

In this ASUG Talks Roundtable, we dig into how enterprises should approach cybersecurity in the cloud. ASUG Talks host Jim Lichtenwalter is joined by the authors of the SAP Press publication Cybersecurity for SAP:

  • Gaurav Singh
  • Juan Perez-Etchegoyen

Key Takeaways

  • Initial steps enterprises should take when securing their cloud migrations
  • The importance of adopting a shared responsibility security model
  • The cybersecurity benefits of RISE with SAP


SPEAKER_02:

From the Americas' SAP customer community, I'm Jim Lichtenwalter, and this is ASUG Talks, a podcast devoted to conversations with innovators, leaders, and changemakers shaping the future of enterprise technology and the SAP ecosystem. Cybersecurity is a major priority for ASUG members, with one third of respondents to this year's Pulse of the SAP Customer Survey indicating that cybersecurity skills are critical to possess in their organizations. This isn't a surprise once you can Thank you. offerings like Rise and Grow with SAP help secure customers' data. Let's go now to our conversation. Well, Gaurav, JP, thank you so much for joining me today, and congratulations on the publication of your SAP Press book. Looking forward to our discussion about cybersecurity, specifically in the cloud. To kick things off, and Gaurav, I think I want to start with you on this question: I'm curious, as enterprises begin their cloud migrations, what are some of the first steps that they should take when it comes to securing their data and looking at cybersecurity practices?

SPEAKER_00:

Thank you, Jim, for having us. This is a privilege to be here. As you said, our book is released. So I need to answer a question around the cloud migration, or the journey for the customers. I think something we refer to in our book as well is the identify piece, right? You can't protect what you don't know. So I guess identifying your data, where it's going to be, where you have it today, and classifying it maybe as well, like knowing what data. And then we always say, right, that whole NIST cybersecurity framework where you have to identify, and then you can protect it, right? So you have to know what data we are referring to, what data you as a customer have, and where it's going to sit, where it's going to reside. We have a lot of regulations, and we call it residency: where is it going to sit? Is it in my region, in what region, and also the regulations around the whole data and privacy, right? To make sure what data and regulations you need to comply with for your data security. So that's where I would start. I know there's not one answer. There's never one answer, right? So I would start from there if you have to start.

SPEAKER_02:

Yeah, there are several ways to skin a cat or to protect your data in the cloud. So I think that's a great point. JP, anything you want to add to that? What are some initial steps that you would recommend organizations take as they begin their cloud migrations?

SPEAKER_01:

Yeah. Hi, Jim. Thanks for having us here. A pleasure to be joining you on this edition. Well, what Gaurav said is absolutely right. You need to understand the type of applications you have, the type of data you have, in order to be able to protect it. I would say if we take a step back, you need to build consensus internally in terms of how important implementing security mechanisms is, especially when you are migrating to the cloud, right? So management buy-in, consensus across all the teams, IT security, SAP security; it's basically top-down, right? So as long as you are able to convey the message that security needs to be part of that transition, not as a side effect or a side project, but really as a leading player on that migration, I would say all the other things would fall into place, right? You will be forced to understand the data you have, the applications. You will have to put controls in place. You will integrate your existing applications and your up-and-coming cloud applications into your IT security processes. So all of the things will fall after that. But I think it's important to be aware, like have management buy-in, have that alignment and understanding that in today's world, especially in such an interconnected one with cloud applications, on-premise, everything in between, all interconnected, security has to be a key player on those projects.

SPEAKER_02:

So what I'm hearing broadly from both of you, at least initially, is making cybersecurity a critical part of the beginning processes of your cloud migration: making it the main focus, not sort of making it a side focus or even a back-burner focus, but making it one of the main things you should focus on. Am I correct in that, Reid?

SPEAKER_00:

Yes, yes. Make it part of the phase zero. Don't make it like after cloud when you're already in your UAT and implementing and already on a cloud journey. So I probably agree with JP, yeah.

SPEAKER_01:

Yeah, absolutely. And not only because it's the right thing to do from a risk perspective, making sure that you reduce your risk exposure, but also it's much more cost effective. If you bring security in at the beginning of the project, if you lead with those requirements, then running a secure application with all the controls you need, with all the controls you have to apply because of the regulations and compliance mandates we have, becomes easier, smoother and much more cost effective. It could be, and we did this some years ago, worked with SAP customers, Basis teams, trying to understand, okay, how much, right? Like quantifying that, it could be up to five times more expensive if you come with security controls at the back end of the project, right? Hey, we're about to go live. Let's bring... You know what? I remember there was something called security. Did we think about it? And at that stage, it's already too late, too expensive. The risk exposure is just too much. So that's why... It's very, very important to lead with that.

SPEAKER_02:

Moving on, after you've migrated to the cloud, you're an organization that has migrated to a public cloud environment. JP, how should enterprises approach consistent data security against threat actors after they've done that migration? And how should they be consistently looking at cybersecurity and ensuring that their data is always secure after they've gone to the cloud?

SPEAKER_01:

Well, there are many things, and I'm sure we're going to talk about the shared responsibility model at some point during today's session. But what I think is really, really important is to have the right processes in place. It's a good invention about identify, right? And understand what applications there are. Well, the visibility aspect is like, do you know your risks, your vulnerabilities, your exposure? Do you have the mechanisms and the processes to identify unauthorized access, the exploitation of vulnerabilities, the extraction of data in an unauthorized way? All of those elements are basically mapped into processes, right? Vulnerability management, continuous monitoring, secure development, all of those are processes that your organization already has. Every SAP customer already has, in some way, shape or form, vulnerability management running in the organization, continuous monitoring, SOC, secure development policies. All of those, you need to bring SAP into those and make that integration. So when you're running in the cloud, when you have your data in the cloud, now it becomes much easier to protect it, because it's part of the overarching security strategy, security framework and security policies that you have in your organization.

SPEAKER_02:

Gaurav, anything to add on your end?

SPEAKER_00:

I think JP covered it very well. Just the whole trust-but-verify, right? I think you still, as a customer, are responsible for your data security, even though you kind of move to a cloud in whatever model you move to, whether it's a private cloud or public cloud; the data security is still your responsibility. So make sure you have processes, as JP was saying, the whole triangle, like process, people and technology, right? You can have the technology. You have to make sure you have enough resources. They are skilled. They understand first what this new cloud world is. This is all a new world for a lot of us, right? So have that process, have that policy on your side. You already know what data; you already did that part during the project. If you haven't done it, maybe do that part, right? Use a framework if you can. Adapt a framework which is already in the industry, like the cybersecurity framework or CIS and whatnot. Whatever policy or framework you use at your enterprise, adapt to it. Don't try to reinvent the wheel. Use cloud-native services as you can. And yeah, I think the shared responsibility model, as JP was saying, is going to be, I think we've been talking about that as well. Use that shared responsibility model with your CSP, understand your RACI, and yeah, do the trust but verify, like make sure you are doing due diligence and due care to secure your data and not just assuming, oh, we are just on cloud and everything is all good. So nothing is; you still got to do what you got to do, right, to protect your data.

SPEAKER_02:

When we talk about that shared responsibility model, what specific tools, solutions does SAP offer its cloud customers on the cybersecurity end that you would recommend our listeners take a look at or check out?

SPEAKER_01:

Yeah, I think, yeah, the very first, the starting point for that is a tool that is not super complex. It's actually a PDF, a very extensive one, that describes the shared responsibility model: what is on your side and what is on SAP's side. So that's, I would say, the starting point, because it's important for organizations to understand what is still your responsibility and what is on SAP's side. After that, there are many things that you can choose to implement with SAP, with some CAS services. And then there are some additional tools that you can use, or platforms. There are fine details in that shared responsibility model in terms of what is still

SPEAKER_02:

One of the things that I hear from ASUG members when they think about the cloud is they're concerned about the cybersecurity implications of moving to the public cloud. They're concerned that their data is going to get leaked, going to get stolen by threat actors. With that in mind, what would you say is the biggest misconception about public cloud environments and cybersecurity that the two of you encounter? And I would love to give you an opportunity to dispel those misconceptions. Gaurav, why don't we go ahead and start with you?

SPEAKER_00:

I think we do have a few false senses of security, or misconceptions, in our world, especially from a cyber perspective, right? There's a whole kind of thought of, okay, you move to cloud. Again, talking about SAP specifically here, especially on the RISE Private Cloud Edition model, or maybe for public as well. There's a false sense of security, like, okay, we move to cloud, SAP is going to do everything for us. I think that R&R, which JP was mentioning, that whole PDF, which SAP does share, they have done a good job on sharing the information, I think, educating customers. But we as customers have got to understand that whole 100-page document which SAP provides based on which model you're going to, whether it's a public or private cloud. I mean, it's a long and huge document, but you've got to understand that even from your contract, I mean, from the initial get-to-go perspective, they're not going to be doing everything for you. You, as a customer, are still maybe responsible for your application-level security if you're on RISE PCE. If you're on a public cloud, the S/4 public cloud, which is more SaaS-based, they do almost everything except your application data and user management. So I guess understanding that and knowing this is what I still own as a customer, and then doing the things like start with your framework, make sure you have a process, you have a team, you understand that. I think that kind of, I would say, that's where I will start. Again, security is always multilayered, secure by design. It's a multi-faceted answer. But if I have to pick, I guess I would say that whole thing, just understanding that, saying, no, if you move to public cloud, even private cloud, we don't transfer every responsibility for security to SAP. We as a customer still own a piece.
That piece of the puzzle, you still have to figure it out and make sure you have a RACI all documented and all the stakeholders in your company understand that, whether it's Basis, users, cyber, SAP and whatnot. They all should be on one page and have that whole RACI created, so that when a bad thing happens (we always say it's a matter of when, not if), and when that "when" happens, right, you're not scrambling and finding out, oh, okay, you were on the hook for that, and SAP would just point to that 100-page document: no, this is on you, right? So that's a surprise. Let's make sure we don't get surprised when things happen, and unfortunately it's going to happen. So yeah, we are prepared for that.

SPEAKER_02:

So you do think it is, you know, a cybersecurity issue, hurdle, it's going to happen to every organization once they migrate to the cloud. It's a certainty, it sounds like, to you. And so it's about preparing for that certainty?

SPEAKER_00:

I think we always, we are the risk guys, we are the cyber guys. We always have to prepare for that worst scenario, right? Even in your personal life also, you're always going to have insurance or medical insurance. We don't want that to happen, but, you know, things happen. We have seen COVID and whatnot, supply chain disruptions, things which are beyond our control, right? It's not just a cybersecurity incident. It can be something which is coming from the outside world, a regulation, a compliance mandate and whatnot, which you have to adhere to, right? So, yeah, I think you've got to understand what you own as a customer and then take the necessary actions.

SPEAKER_02:

I think that's such great advice. You know, hope for the best, prepare for the worst, you know, have the money sewed into the mattress in case something happens. I think that is great advice for all of the listeners of this podcast. JP, anything that you want to add about misconceptions about cloud cybersecurity that you encounter or anything you want to dispel?

SPEAKER_01:

Yeah, Jim, so it's actually... Such an interesting question, because the cloud is full of that, right? The cloud, and if we go back to its beginnings, like a couple of years ago when organizations started talking about cloud, there was a lot of uncertainty in terms of, and really friction, mainly driven by security concerns. It was, hey, like, I don't own this. It's not going to be running in my data center, so... How is that expected to be secure? So over time, organizations learned to get comfortable with running, or someone else running, their applications, hosting their data in someone else's data center and managed by a different team. And we've seen that evolution, right? From organizations really... struggling to adopt the cloud all the way to today, where no one would argue, because we have attestations, we have different types of elements that allow us to understand what controls the providers are putting in their toolkit to ensure that our data is secure. But I would say probably the biggest misconception, around security especially, is that security is taken for granted. It's like, okay, now I'm moving to the cloud because the cloud, we know that now the cloud is more secure. And now we're not going to have to deal with security anymore. It says, like, we'll transfer our data. The provider will deal with everything. Well, that's not the case, right? So there's still this, and we're going to repeat it a hundred times, but the shared responsibility model is exactly that. It's like customers need to deal with some things, the provider needs to deal with some other things. It so happens that when you're in a SaaS world, the provider deals with many more things. If you're in infrastructure as a service, if you start going into a little bit more complex scenarios, you still have a big piece of the pie to deal with. So I would say, to summarize it, the biggest misconception is still that security is taken for granted in the cloud.
So it's important to understand what is provided by the provider in terms of security and what are still some things that you need to address. Because, as Gaurav said, it's your data. No matter what type of cloud service you implement, it's still your data and you're accountable for it, right? So if you lose your customers' data, your patients' data, your providers' data, they're going to go after you, because you should have been exercising due diligence and due care around the controls around that data.

SPEAKER_02:

Let's talk a little bit about RISE with SAP specifically. When it comes to RISE and cybersecurity, what are some of the benefits that you see from this offering that you want to point out for our listeners?

SPEAKER_01:

In the same way organizations need to understand the shared responsibility model, a lot of those things that organizations had to deal with in the past are now no longer theirs, right? Infrastructure, some of the management of the underlying operating system, network. There's a lot of things that are now no longer a part of their plate. So that's a great thing for organizations. They have more time to focus on their business, on their applications, and they don't need to deal with the underlying infrastructure or even some aspects of the application. So I would say that the cloud is a good thing from a security perspective, but it's not a silver bullet. That's important to understand. It's a step forward for us to secure our applications, because now it's a more efficient way to manage our applications, and also from a security perspective. But still, going back to the previous point, it's not... It's not a silver bullet where everything is addressed. We need to understand what the boundaries are.

SPEAKER_02:

Gaurav, anything to add? Any cybersecurity specifications in RISE with SAP that you want to point out or that you want to highlight?

SPEAKER_00:

Yeah, sure, Jim. I think the one thing I would say I like about the RISE model, as JP was saying, is you're getting SAP to own more than what you would own, like the infra layer, the patching of your operating system, your kernel, your database. And you may be doing that on your side as a customer in a more traditional on-prem model, but there's always, I would say, a gap on the core infra team. They still don't understand SAP, right? But you're handing that piece over to a team which lives and breathes SAP, right? So it's better. You're getting a trusted partner, right, which understands SAP from the get-go at every layer. And now they're going to be responsible for patching and securing your infra layer, your database and whatnot, right? So I feel like I would rather have that partner, at least from, I'm talking from an SAP perspective, right? If I have to deal with securing every layer of SAP, right, I feel like it's still a struggle: okay, there's the SAP team, the SAP Basis team, who understand SAP on the application side, but there's a different team, a cloud team, another team for the database, not database, maybe that's still the SAP team, but your Linux team, your Windows team, right? So they still don't get SAP the way you would like them to get it. So there's always constant learning, a constant gap and whatnot, versus you move to RISE, and at least those three layers are still being done, but done by a bigger team of experts who understand SAP. And if something has to happen, I think we will have a better response, because we can correlate things and we have a team who understand SAP. If I see something on the operating system, or I see some log on whatever SIEM solution I'm using on the SAP RISE side, I think they can better correlate and help us to stay ahead of the bad actors.
And also that whole secure by design, which I think RISE is pushing hard with their ECS offering, which I kind of like. It was like an option for the customer; now they're enforcing it. They have their own kind of baseline around parameters and configuration, which as a customer you can still change a few things in, but they're pushing very hard on: these are security parameters and configurations, this has to be like that. It's kind of helping you become more secure once you move to the RISE model, which I like.

SPEAKER_02:

Related to this, as customers leverage RISE, how should they approach patching for cybersecurity needs?

SPEAKER_00:

Jim, that's, I would say, a really great question. And there has been some confusion as we talk about it. I think we saw that in some of the conferences which we have been part of. JP, maybe you can add to it as well. Like, patching is a big piece. When you say patching, which layer are we talking about, right? And as we move to the RISE model, which is more of a private cloud edition model, your infra-level patching, which is the operating system, your kernel, your database, would become SAP's responsibility, right? But even there, you still, as a customer... so patching can be live patching, and then something which needs a system downtime, right? You have to take a system down, which SAP cannot just do. They're going to ask you to coordinate and give them the timeline when they can patch your systems. Understanding that new way of that whole patching process, like having a vulnerability and patching process, understanding what that means from the RISE perspective. And you as a customer, you're still on the hook for the application-level patching. So all the SAP security notes, which come out every second Tuesday, on Patch Tuesday, unless you have a CAS package with SAP, you still have to work with your Basis team, figure out what's going on, and then apply those security notes, or even do a support pack upgrade, right? It's the shared responsibility. I know we keep, as JP says, we have to keep talking about that. Maybe that's one page, we take a printout, we just put it up there all over the place, wherever all of us SAP guys work, understanding that patching, like what does patching mean for me on the RISE board, which layer I am responsible for, even for the infra layer. They can do live patching without even telling me, but for the other, I still have to, as a customer, submit a service request, give you a timeline: okay, you can take my system down in this, whatever maintenance window.
So it has become more process than the actual work; as a customer, it becomes more process, more coordination, which you will get, like SAP ECS is working with you along the way anyway. But I would say that's a long learning process for somebody, a customer who just moved onto RISE. Yeah. Understanding that nitty-gritty, that whole SAP for Me portal and okay, where do I see this? How do I schedule that? Whatever patching you want to do for me. Application layer, it's still your responsibility. So I think I will stop there. I know we can always talk and talk and talk, but I think I will...

SPEAKER_02:

I like it when you talk and talk and talk. It's great. A lot of insights there. JP, anything from you? Any insights about how organizations should approach patching as they're leveraging RISE?

SPEAKER_01:

Well, I think Gaurav did a great job on describing it. Now, with this shared responsibility model, everything on the layer of the infrastructure to the database, all of those layers, networking, that's SAP, right? It becomes transparent to you. Now, at the application level, it depends on the service that you subscribe to, right? You may be responsible for patching. SAP may be responsible for patching. And even if SAP is, what are they on the hook for, right? Is it HotNews? In most cases, it's like HotNews will be applied with an SLA, and then you can request anything below that. And we have a good example. Very recently, there's been an update to CISA KEV, which is CISA, a security infrastructure agency in the US, and the KEV is the Catalog of Known Exploited Vulnerabilities. Well, CISA updated last week the Catalog of Known Exploited Vulnerabilities with an SAP vulnerability dating back to 2017. So this vulnerability was initially patched in 2017. Then in 2021, there was an update. In 2024, there was a knowledge base article explaining to organizations why, even though they patched, that vulnerability may still be around in their systems. And we've seen active exploitation around that. It's a CVSS 7 vulnerability, meaning that it wouldn't make HotNews. However, it's critical enough that you need to address it immediately. So that's the type of scenario where it's important for organizations to be on top of these things, understand what the expectations are in terms of patching by your provider or your teams, to be able to guide that and lead the definitions in terms of, I need this to be patched ASAP, right? It's HotNews. It's a high priority. It's a medium priority. It's being actively exploited. All of those insights are valuable to be able to make those decisions. So that's why now it's a new world. SAP's dealing with a lot of those elements. You are still responsible for many others.
So understanding that balance and being able to make those decisions is going to be key move forward.

SPEAKER_02:

I want to summarize a little bit, because we've talked about a lot of things here. You've given a lot of great advice. Let's specifically put yourself in the mindset: you're an SAP customer. You're moving from an on-premise environment to an open cloud environment using RISE. What advice would you have for those customers as they embark on that, their public cloud migration?

SPEAKER_00:

I think we're going to sound like a broken record, right? The shared responsibility model. I think make sure you spend enough time there; that's where it starts and it ends. As JP was saying, cloud, I would say, is even good for us as security professionals. I personally went from kind of not liking it to becoming a fan of it, because it gives us more visibility. And sorry, you have other attestations, okay, all the SOCs, SOC 1, SOC 2 and whatnot. But I think the one advice I would say, again, the shared responsibility model is key. Spend the time to go over that 100-page document which SAP provides, especially going into each and every detail: okay, my SAP security notes, who's on the hook for them? What is the standard offering? What is the CAS offering? I should look into it. What else have they offered? Are they offering like some more visibility to me, to see the data, even the infra layer, right? I know they have some service called log server, and they're working on some other services called Ravens, which, I think, to me sounds like something must-have for every customer, because you lose some visibility when you move to RISE, right? And maybe on-prem, you know, good or bad, whatever security posture you are in right now, but I guess you still, as a customer, own the final responsibility for your compliance, your data security and whatnot. And the shared responsibility model is spending enough time to go over that 100-page document with your contract and your leadership and everybody, and then find gaps. Like where these things, we are moving to RISE, this is going to be covered by SAP. There's still some gap. Do the gap assessment. Very early, in phase zero; don't make it an afterthought. Yeah, I think security has to be there when you start thinking about RISE and cloud migration. And do the gap assessment and figure out where we have to fill in the gap from a process, people and technology perspective.
Where we still have a gap when you move to RISE. And then, yeah, take actions. And again, this is a journey. It's not going to be done day one. But yeah, at least have that mindset and start there.

SPEAKER_01:

I think I would try to summarize a little bit of the things we've been going through. First, build consensus. Make sure that this becomes a critical initiative across the board, including IT security, SAP security, all the teams. They will all benefit from improving and increasing the security of these applications. Lead with security, right? In most cases, this is a CIO-driven initiative with board-level visibility. Let's make sure you incorporate security from the get-go and you lead with that. And also, repeating what we said a couple of times, the shared responsibility model: it's important to understand that, because that will then drive other sorts of things, processes, programs, resources you need in terms of people, technology, all of that. But understanding what controls are still your responsibility is going to be driving all the rest of the things.

SPEAKER_02:

Well, gentlemen, thank you so much for joining me today. Thank you for sharing your perspectives. Congratulations on the publication of your book. Looking forward to our listeners hearing this and checking out Cybersecurity for SAP. So thank you for being here.

SPEAKER_01:

Thank you, Jim. Really, really honored to be here joining you.

SPEAKER_02:

Thank you. Thank you, Jim, for having us. Thank you to my guests. If you're interested in purchasing Cybersecurity for SAP, visit the SAP Press website, which is linked in the description. ASUG Talks listeners also get 15% off any SAP Press title by applying the discount code 15ASAP at the checkout. Let's look now at what's going on around the ASUG ecosystem. Stefan Seinald, the head of SAP Customer Support and Cloud Lifecycle Management, recently sat down with ASUG's Vice President of Content. They discuss not only how SAP continues to evolve its customer support strategy, but also the ways AI is impacting SAP support. Xeon Chemicals recently shared insights into its RISE with SAP transformation with ASUG, including how it overcame specific digital transformation hurdles and the benefits realized since leveraging the offering. The ASUG Communities team continues its series of community conversations focused on recapping SAP Sapphire and ASUG Annual Conference. On June 17th, they dive specifically into business transformation announcements unveiled at the event. You can find the links to these resources in the description. I'm Jim Lichtenwalter. Thanks for listening.