Technology Blogs by SAP
There’s a saying in the cybersecurity industry that only two types of companies exist now: those that have been hacked and know about it, and those that have been hacked and don’t know about it.

When a high-profile data breach occurs, we often hear that the attack would have been less damaging if the threat had been identified sooner. Often, the attacker has been lurking on the company network for months or years before detection.

Major data breaches are frequently caused by attackers using compromised identities, or by the careless or malicious behaviour of employees. Once an attacker is inside the network, perimeter controls no longer help; organizations need additional lines of defence inside the network to contain the attack.

Zero trust assumes that attackers have already infiltrated an organization’s network. In response, the zero trust approach requires strict verification of every user and device on every attempt to access the company’s key resources or business applications, regardless of whether the request originates inside or outside the corporate network.

This poses questions for organizations using the cloud. How can the zero trust model be extended to the cloud? How can we account for data stored on infrastructure that’s not managed or owned by you and resources that are regularly accessed by people outside of your organization for maintenance or software upgrades?

Zero trust in the cloud using SAP Data Custodian

No single specific technology will deliver a zero trust architecture, since it involves a holistic approach to network security that incorporates several different principles and technologies. SAP Data Custodian is a solution that can contribute to this model and help organizations extend their zero trust approach to the cloud and SAP applications, like SAP S/4HANA, SAP HANA, SAP ECC, and SAP IBP.

SAP Data Custodian is a SaaS application designed to deliver enhanced data protection for users of public cloud infrastructures and SAP applications. It has a number of features that facilitate the extension of zero trust policies to the cloud:

  • Cloud Transparency and Control
    Users of the public cloud and SAP applications, like SAP S/4HANA and SAP ECC, have near real-time transparency into who or what is accessing their data in the cloud and where their data is stored. Users can also configure data protection policies to control data access and storage.

  • Contextual Access Control
    The zero trust approach requires strict verification of every individual and device that attempts to access an organization’s resources. SAP Data Custodian’s contextual access control feature allows users to extend their authentication processes and create access policies based on user context, such as geo-location, citizenship, department, or employment type. Instead of granting access to an application on the strength of an ID and password alone, the access decision can also depend on specific user attributes such as geolocation, so a valid credential presented from an unexpected context is not enough. Contextual access control can be applied to accesses on hyperscaler resources as well as SAP applications like SAP S/4HANA and SAP ECC.

  • Cloud Provider Access Control
    Cloud providers are regularly required to access enterprises’ cloud resources for maintenance purposes, which presents a security concern. SAP Data Custodian can identify and control the accesses made by cloud infrastructure providers to customer cloud resources. It also manages access approval and ensures that cloud users are notified when providers access their cloud resources.

  • Anomaly Detection
    Artificial intelligence (AI) may ultimately be one of the most powerful tools organizations can use to deliver zero trust and protect their business data. SAP Data Custodian’s anomaly detection feature uses AI to provide customers with an additional layer of defence. For example, if an attacker compromises the identity of an authorized user, the credential itself will pass authentication; the anomaly detector can still identify and alert users to suspicious events in their cloud, based on a machine learning analysis of each user’s past behaviour patterns.
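To make the contextual access control and anomaly detection points concrete, here is an added illustration of a zero-trust policy decision: a request carrying a valid identity is checked against contextual attributes (geolocation, department, employment type) and then against a baseline of the user’s past behaviour. This is example code written for this post, not SAP Data Custodian’s policy language or API; the resource name, policy attributes, access history and the 0.5 step-up threshold are all constructed for the illustration.

```python
"""Illustrative zero-trust policy decision point (added example; not SAP code)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    country: str           # geolocation of the client making the request
    department: str
    employment_type: str   # e.g. "employee" or "contractor"
    hour_utc: int          # hour of day the request arrived


@dataclass(frozen=True)
class Policy:
    resource: str
    allowed_countries: frozenset
    allowed_departments: frozenset
    allowed_employment_types: frozenset


def evaluate_policy(req: AccessRequest, policies: dict) -> tuple:
    """Contextual access control: deny by default, allow only if every attribute matches."""
    policy = policies.get(req.resource)
    if policy is None:
        return "deny", "no policy defined for resource"
    if req.country not in policy.allowed_countries:
        return "deny", f"geolocation {req.country} not permitted"
    if req.department not in policy.allowed_departments:
        return "deny", f"department {req.department} not permitted"
    if req.employment_type not in policy.allowed_employment_types:
        return "deny", f"employment type {req.employment_type} not permitted"
    return "allow", "all contextual attributes satisfied"


def anomaly_score(req: AccessRequest, history: dict) -> float:
    """Behavioural baseline check: fraction of signals that deviate from past behaviour.

    Two signals are used here: a country the user has never accessed from, and an
    hour of day more than two hours away from any previous access. A real detector
    would learn many more features; the structure is what matters.
    """
    past = history.get(req.user, [])
    if not past:
        return 1.0  # no baseline at all: treat as fully anomalous
    seen_countries = Counter(country for country, _ in past)
    seen_hours = [hour for _, hour in past]
    signals = [
        req.country not in seen_countries,
        not any(abs(req.hour_utc - h) <= 2 for h in seen_hours),
    ]
    return sum(signals) / len(signals)


def decide(req: AccessRequest, policies: dict, history: dict, threshold: float = 0.5) -> tuple:
    """Combine the static policy with the behavioural check.

    A request that passes the policy but looks anomalous is not simply allowed:
    it is sent to step-up verification, which is the zero-trust response to a
    credential that may have been compromised.
    """
    decision, reason = evaluate_policy(req, policies)
    if decision != "allow":
        return decision, reason
    score = anomaly_score(req, history)
    if score >= threshold:
        return "step-up", f"anomaly score {score:.2f} exceeds threshold {threshold}"
    return "allow", reason


# Constructed sample policy: a hypothetical finance resource reachable only by
# finance employees located in DE or GB.
POLICIES = {
    "s4hana-finance": Policy(
        resource="s4hana-finance",
        allowed_countries=frozenset({"DE", "GB"}),
        allowed_departments=frozenset({"finance"}),
        allowed_employment_types=frozenset({"employee"}),
    )
}

# Constructed access history per user as (country, hour_utc) pairs.
HISTORY = {"alice": [("DE", 9), ("DE", 10), ("DE", 14), ("GB", 11)]}

# Constructed requests, all presenting a valid identity.
REQUESTS = {
    "alice_normal": AccessRequest("alice", "s4hana-finance", "DE", "finance", "employee", 10),
    "alice_from_us": AccessRequest("alice", "s4hana-finance", "US", "finance", "employee", 10),
    "bob_contractor": AccessRequest("bob", "s4hana-finance", "DE", "finance", "contractor", 10),
    "alice_night_gb": AccessRequest("alice", "s4hana-finance", "GB", "finance", "employee", 3),
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:15} -> {decide(req, POLICIES, HISTORY)}")
```

The fourth request is the interesting one: it satisfies every policy attribute (GB is an allowed country), so a pure attribute check would let a stolen credential through. The behavioural baseline notices that 03:00 UTC is far from anything this user has done before and routes the request to step-up verification instead of allowing it outright.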

Cybersecurity, like an onion, is deployed in layers from the outside to the inside of an organization and involves multiple technologies. As part of this structure, zero trust must be extended to the cloud, which in turn requires greater transparency and control over who and what has access to data. SAP Data Custodian’s transparency, access control, and anomaly detection features can help customers implement strong lines of defence and support their zero trust models.

To learn more about SAP Data Custodian, please visit our webpage at or contact us at

Writing credit for this blog goes to Peter Whibley, Senior Solution Manager at SAP.