SAPinsider has released its highly anticipated RISE with SAP 2025 benchmark report, revealing a critical disconnect between the adoption of SAP Cloud ERP Private and the implementation of mandatory security controls. Co-sponsored by Layer Seven Security and based on a survey of 122 SAPinsider community members, the research highlights a pervasive compliance gap.
The findings confirm that organizations frequently underestimate their role in the shared responsibility model. While SAP manages the cloud infrastructure, the data confirms that customers are struggling to uphold their end of the bargain. Specifically, they are failing to rigorously apply SAP’s hardening requirements.
The Reality of Shared Responsibility Gaps
The report’s most startling finding is that less than half (45%) of respondents are actively following the shared responsibility model for SAP Cloud ERP Private security. Furthermore, approximately one-third of organizations are aware of the model but admit to not following it rigorously.
This lack of adherence is not merely an administrative oversight; it represents a material cybersecurity risk. As organizations migrate to the cloud, many mistakenly assume that security is wholly transferred to the provider. However, the report clarifies that customers remain accountable for critical outcomes. This includes secure configuration, access controls, and compliance with specific SAP notes, such as 3250501, 3480723, and 3381209.
This phenomenon, described as compliance drift, poses a significant operational challenge. The research notes that compliance is a moving target because SAP regularly updates its mandatory parameters to address new threats. Consequently, a system that is secure at go-live can quickly become vulnerable without continuous management.
The consequences of this drift extend beyond technical exposure to include legal and support risks. In the event of a breach, organizations that cannot demonstrate adherence to vendor-prescribed security standards face weakened defensibility. Additionally, non-compliance can complicate incident response, as SAP support may face friction in diagnosing environments that deviate from required baselines.
Operationalizing Security Oversight
To address these vulnerabilities, the report emphasizes the need for a shift from periodic reviews to continuous automated monitoring. This aligns with the survey data, where 80% of respondents identified comprehensive monitoring as a key requirement for their ERP transformation. Furthermore, 79% cited the need for best-practice compliance checks that avoid outages.
Layer Seven Security’s Cybersecurity Extension for SAP is positioned as a direct response to these findings. The solution helps organizations operationalize their security responsibilities by providing continuous visibility into configuration posture. This capability is essential for preventing the gradual degradation of controls known as drift.
By automating checks against SAP’s evolving security baselines, the solution allows technology teams to move away from manual, point-in-time audits toward a model of real-time assurance. This approach not only reduces the risk profile of SAP landscapes but also strengthens audit readiness. The full findings were recently presented by SAPinsider Vice President Robert Holland in a webinar on January 13.
What This Means for SAPinsiders
Automated monitoring transforms security from periodic audit to daily assurance. For technology executives, this shift requires moving away from the "set and forget" mentality of ERP implementation toward a continuous governance model. Your day-to-day operations may benefit from integrating solutions such as the Layer Seven Cybersecurity Extension for SAP to establish real-time compliance dashboards that flag deviations from SAP hardening standards as they occur, rather than waiting for annual audits.
The market context is defined by a growing responsibility gap. As the RISE with SAP 2025 report indicates, 55% of your peers are failing to fully uphold their security obligations, struggling with compliance drift where systems gradually become less secure. Adopting automated enforcement tools places your organization in the top tier of maturity, differentiating you from competitors who may face operational downtime or regulatory fines due to preventable configuration errors.
When evaluating solutions, prioritize vendors offering native integration with SAP’s hardening guides. A critical evaluation criterion should be the vendor's ability to automatically update its rule sets within days of SAP releasing new security notes, ensuring your defense remains synchronized with SAP’s baseline. Best practices dictate integrating these tools into your Change Control Board processes, requiring a green compliance status before any transport moves to production.