The continued focus from SAP towards cloud solutions underlines a defining shift in enterprise management systems. The capability gap between on-premise systems – some over 20 years old – and current technology solutions is widening, prompting numerous organizations to rethink how they operate. Further, the withdrawal of mainstream maintenance for SAP ERP Central Component (SAP ECC), due in less than two years’ time, is prompting many organizations to accelerate transformation programs—often under significant time pressure and perhaps without fully considering strategic opportunities or evolving operational requirements.

      While some organisations are moving away from SAP ECC by adopting S/4HANA on-premise, many are opting for cloud-based ERP solutions, including SAP Cloud ERP and SAP Cloud ERP Private. SAP’s emphasis on Cloud ERP is redefining industry best practice by creating opportunities to streamline processes, integrate systems, data, and applications within simplified or cross-functional workflows and to accelerate automation with artificial intelligence (AI). It helps drive business transformation, not just technical change, reshaping how core enterprise data is used in systems that will directly interface with partners, customers and suppliers. This represents a significant departure from the SAP modules traditionally managed by dedicated internal teams and introduces new complexities for the governance and security management of systems and data. Roles and authorization frameworks should be adapted for the new applications and shared responsibility for security controls should be structured and monitored across multiple third parties delivering these systems—the cloud provider, hyperscalers, applications, and others. Access to new features, particularly SAP’s Joule solution and its capacity to spin up AI assistants and agents, is likely to require tightened authorization frameworks as it will be much easier to navigate and gain access to systems and resources by issuing a chat prompt, for example, compared to navigating a 20-year old GUI. While some organizations are moving away from SAP ECC by adopting S/4 HANA on-premise, many are opting for cloud-based ERP solutions, including SAP Cloud ERP and SAP Cloud ERP Private.

      Exposures poorly understood

      On-premise SAP systems are typically buried deep in the corporate network, and as noted above are largely managed by stand- alone teams outside the purview of core IT and cyber security functions. These teams have generally been able to rely on perimeter-based cybersecurity defenses, leaving gaps in understanding of vulnerabilities specific to SAP. Weaknesses in customized code or processes, for example, can persist for years, while the attacks targeting SAP systems demonstrate that cyber criminals are uncovering new ways to compromise them. Public documented exploits and vulnerabilities are enabling a wider range of threat actors to target SAP environments. These compromises can cause significant operational disruption and financial impact for organizations that rely on SAP to run critical business functions. While migration to SAP’s Cloud ERP solutions can offer opportunities for improved security posture and visibility, risks remain – particularly on the application side of the shared responsibility model, where customers retain control and governance. Organizations should ensure that risk awareness, response, and planning remain at the forefront, as exposures in areas such as custom code, user access, and application-layer configurations may not yet be fully appreciated or prioritized within SAP transformation programs. In practice, there can be an instinct to lift and shift current, customized practices and systems into the cloud as an initial step, and the prioritized focus is often on coming to grips with new cloud or hybrid architectures and managing licensing models.

      Pursue the value

      Organizations that approach ERP modernization as a strategic initiative – rather than simply responding to an IT-focused deadline – are better positioned to understand the risks and capture the value needed to justify what is a substantial transformation project. The move to SAP Cloud ERP should be rooted in the opportunities for change and an understanding of the journey toward an SAP landscape aligned to how the organization will evolve. This brings prospects for strengthening overall risk and security posture and driving new efficiencies as previously siloed ERP systems and processes are reengineered within the overall IT architecture. Bringing SAP into the enterprise security operations center, rather than leaving it as a monitoring blind spot, is both more secure and achievable. Transformation programs can be aligned with broader digital transformation initiatives covering, for example, CRM, HR, procurement and logistics. This presents possibilities for consolidating identity management, integrating SAP into enterprise single sign-on and multi-factor authentication frameworks, and aligning access governance across SAP and non-SAP systems. The overall effort should invite broad, executive-level engagement from finance, cyber and information security, governance risk and compliance, and other digital transformation leaders. Given the magnitude of the change, it is essential to plan a comprehensive review of risk and control frameworks and establish a dedicated security and governance workstream – which we observe can represent 5% to 10% of project spend.


      Modernizing SAP on Azure becomes a force multiplier when paired with Microsoft Entra ID and fraud protection—bringing Zero Trust identity, intelligent threat detection, and financial fraud safeguards together to protect the business at every layer.

      Saira Mohammed

      Chief Security Advisor – Americas Leader

      Microsoft


      Navigating the complexities

      KPMG has developed the Trusted SAP Framework to support migrations to SAP Cloud ERP with a structured approach for adapting risk and compliance management. The Framework addresses authentication, authorization and security management, and the integration of controls required to maintain integrity of functions and data across the landscape.



      The Enhanced SAP Secure Operations Map complements this Framework outlining deeper considerations for procedural, organizational and technical cybersecurity risks. Managed Detection and Response for SAP (MDR/S) assists clients’ ability to enhance visibility of compromises from the growing number of SAP attacks. 

      These tools can help organizations realize varied opportunities for new efficiencies as they navigate the complexities ahead, supporting: 

      • A process analysis and road map for integrating controls with existing systems’ architecture, including the use of intelligence tools like SAP Signavio to analyze the processes, and tools to automate monitoring of the effectiveness of the controls.
      • Reviewing designing and implementing authorization frameworks including: optimizing for the new approaches introduced by SAP Fiori, such as Catalog and OData service management, adapting backend authorizations in SAP S/4HANA Cloud, implementing segregation of duties and understanding where authorizations may need to be more restricted than the current rule set.
      • Survey of the state of security in the entire SAP landscape (on-premises and cloud systems) and threat modelling to uncover new attack paths, estimate related risks, and inform negotiation for shared responsibility across security management.
      • Selection of suitable tools for monitoring the security status across all platforms, covering the core system, the hyperscaler, business technology platform, business data cloud, and more.
      • Plan the transformation of legacy custom code, including a review of the code with regard to relevancy, quality and especially security.
      • Assuring foundations for governance and compliance are maintained, particularly the need to assure segregation of duties, as new functionality and the often fast-paced introduction of more integrated workflows impact authorization and control frameworks.
      • Identity management and access control across the complete application landscape, including preventative, AI supported role assignment capacities.

      SAP transformation projects can bring significant opportunity for organizations to modernize and adapt to market changes in an increasingly agile digital business landscape. As organizations pursue this transformation, it is critical they do so with a clear understanding of the changing dynamics for cyber security and assurance frameworks upholding governance, risk and compliance. A dedicated security and governance workstream can add significant value to the migration team, optimizing opportunities to not only address concerns, but also improve overall risk and security posture.

      KPMG firms are available to help you secure your transformation journey.


      Our insights

      KPMG has once again been named a Leader in the 2026 Gartner® Magic Quadrant™ for Cloud ERP Services.

      KPMG helped DISCORDIA transform its operations with SAP Cloud ERP Private —standardizing processes, unifying data, and enabling scalable growth.

      Get the best from your cloud technology.

      Building trust and enabling innovation in a dynamic world

      Contact us

      Jan Stoelting

      Partner, Consulting

      KPMG in Germany

      Mick McGarry

      US Offering Leader, Cybersecurity Protection Services

      KPMG in the U.S.