Meet the Authors

Key Takeaways

  • RISE with SAP and SAP Business Technology Platform change how SAP data is accessed and governed across cloud and hybrid environments.

  • Distributed SAP landscapes weaken traditional perimeter security and role-based access controls.

  • Data-centric Zero Trust security, including attribute-based access control and dynamic authorization, is becoming essential for SAP cloud deployments.

RISE with SAP and SAP Business Technology Platform are changing how enterprise SAP environments are built and operated. Cloud-based, distributed, and integration-driven architectures erode traditional perimeter-based security assumptions.

This shift turns security into an architectural requirement.

NextLabs, which provides data-centric Zero Trust security for SAP environments through dynamic authorization, attribute-based access control, and centralized policy enforcement, addresses this challenge by protecting sensitive data directly.

Explore related questions

RISE with SAP and SAP BTP Redefine the Security Perimeter

RISE with SAP delivers SAP S/4HANA Cloud as a managed service under the shared responsibility model. SAP operates the infrastructure, while customers retain accountability for data protection, access controls, and compliance.

SAP Business Technology Platform extends ERP through integrations, analytics, and custom applications, shifting SAP environments from self-contained systems to hybrid, distributed architectures built around services and APIs.

This model changes how SAP data is created, shared, and reused.

Core financial, supply chain, and manufacturing data increasingly intersects with personal, regulated, and intellectual property information across the SAP landscape, then flows into non-production systems, analytics platforms, integration layers, and SAP Business Technology Platform applications to support downstream use cases.

As SAP environments become more connected, the effective security perimeter expands.

Data now moves across production and non-production systems, APIs, reports, and downstream applications, often outside the transaction flows traditional SAP security models were designed to govern. The result is a more dynamic ecosystem that sets the stage for new security and governance challenges in cloud and hybrid SAP deployments.

Data Security Challenges in RISE with SAP and SAP BTP Environments

Expanded connectivity introduces a broader attack surface. Cloud access, third-party integrations, APIs, and non-human system access increase the number of paths into SAP data, while hybrid landscapes make consistent enforcement harder to maintain.

Traditional Role-based Access Control (RBAC) shows its limits in this environment. Static roles grant broad permissions that fail to reflect changing business context, project boundaries, or data sensitivity, making over-privileged access harder to detect and unwind.

Identity, access, and authorization complexity compounds the problem. Federated identity services, segregation-of-duties requirements, and integrated cloud platforms increase configuration risk, where small errors can expose sensitive data at scale.

Data exposure also extends beyond core ERP transactions. Financial and operational information surfaces through reports, analytics, CDS views, APIs, non-production systems, data exports, and downstream applications, while RISE with SAP’s managed infrastructure can limit direct customer visibility into logs and access activity. This reduces insight into who accessed sensitive data, when, and under what conditions.

Together, these factors expose the gap between traditional SAP security models and the operating realities introduced by RISE with SAP.

Applying Zero Trust and Data-Centric Security to SAP Landscapes

RISE with SAP changes the trust assumptions that traditional SAP security models rely on.

Users, systems, and integrations can no longer be implicitly trusted based on network location or static role assignment. Access decisions must reflect who is requesting data, what they are requesting, and the context in which that request occurs.

Zero Trust security principles provide a framework for this shift. Zero Trust requires explicit verification of every user and application attempting to access data, enforces least-privileged access based on contextual factors, and assumes breach conditions to strengthen prevention, monitoring, and response.

A data-centric security model operationalizes Zero Trust inside enterprise systems. Sensitive fields are protected in real time through techniques such as segregation, masking, or encryption while preserving referential integrity. Controls apply consistently across production and non-production systems, analytics, integrations, and extensions.

Attribute-based Access Control (ABAC) plays a central role. Access decisions evaluate user, device, location, and data attributes to enforce fine-grained, need-to-know access aligned with how the business operates. Dynamic authorization and centralized policy enforcement extend these controls across hybrid SAP environments.

NextLabsZero Trust Data-Centric Security for SAP provides this enforcement layer, enabling attribute-based access control and dynamic authorization across RISE with SAP, SAP Business Technology Platform applications, and connected systems.

How LyondellBasell Applied Zero Trust Security in RISE with SAP

LyondellBasell operates one of the world’s largest plastics, chemicals, and refining businesses, with SAP environments supporting joint ventures, licensed technologies, and highly sensitive operational data.

In 2020, the company entered a 50/50 polyethylene joint venture that required strict protection of third-party licensed technologies, while ensuring only authorized users could access joint venture–specific data. At the same time, LyondellBasell began migrating SAP ERP and SAP Business Warehouse systems to RISE with SAP.

This created a dual challenge: protecting sensitive data across on-premises and cloud environments without disrupting joint venture operations or transformation timelines. The company addressed this in two phases.

First, LyondellBasell implemented a data-centric security and dynamic authorization model using NextLabs’ Data Access Enforcer to enforce least-privileged, need-to-know access for joint venture data. Second, as systems moved to RISE with SAP, the same Zero Trust and data-centric protections were extended into the cloud.

The result was a secure foundation for SAP modernization, reducing insider and compliance risk while preserving operational continuity.

What This Means for SAPinsiders

SAP cloud security shifts toward data-centric protection models. RISE with SAP dissolves traditional perimeters by distributing data across services, integrations, and non-production systems. NextLabs aligns with this reality by enforcing policy at the data layer rather than relying on network location or static system boundaries.

Dynamic authorization replaces role design as the control plane. As SAP environments scale users, APIs, and automated processes, static roles become brittle and over-permissive. NextLabs shifts access decisions to runtime evaluation, encoding business context directly into enforcement instead of role maintenance.

Security decisions increasingly determine transformation speed. LyondellBasell’s experience shows that embedding data-centric controls early avoids migration delays caused by late-stage compliance or access redesign. NextLabs enables this by applying consistent policy across on-premises and RISE with SAP environments without rearchitecting processes.

Upcoming Events

SAPinsider Las Vegas 2026
Mar 16-19, 2026Las Vegas, Nevada, NV