
The Hidden Risk in RISE with SAP: Why Connectivity Decisions Make or Break Your Migration

PRATEEKSHA NAGAR
April 28, 2026 - 5 min read

As enterprises move SAP ECC to the cloud through RISE with SAP or into S/4HANA environments on hyperscalers, most of the focus goes to the migration journey itself. Infrastructure, timelines, system integrators, and testing plans tend to dominate early conversations.

While focusing on these is crucial for a successful go-live, a successful migration must be balanced with early investment in secure connectivity. All too often, secure connectivity is deferred until core migration decisions are finalized. This deferral, however, is precisely where the success of the entire migration program is most likely to falter.

By connectivity, I refer to the access plane: how employees, partners, and third parties reach SAP applications across hybrid environments—under what policy, with what verification, and with what visibility. It becomes the control point for who can access SAP systems, under what conditions, and how securely the organization operates through user acceptance testing (UAT), cutover, and go-live. When these decisions are deferred, teams end up relying on temporary VPN-based access paths that quickly become permanent, introducing risk and operational complexity at the exact moment the business is least tolerant of disruption.

Getting the access plane right early in the program has an outsized impact on everything that follows downstream: fewer late-stage exceptions, cleaner governance, better troubleshooting, and a smoother transition from ECC to S/4HANA.

The Shared Responsibility Gap

It is often incorrectly assumed that the adoption of RISE automatically transfers all security responsibilities to SAP. While SAP takes responsibility for the "Security of the Cloud" (infrastructure, OS, database, and hypervisor), the customer retains 100% responsibility for "Security in the Cloud," which includes application-level security, data protection, and user management.

This division of responsibility often creates a security gap. Teams frequently assume platform migration inherently improves security, leading them to rely on outdated, legacy access models.

Zscaler addresses this gap by assisting customers in implementing their security obligations with consistent Zero Trust access across hybrid environments. Instead of placing users on the network, Zscaler Private Access enables direct user-to-application connectivity with least privilege and continuous verification. This approach protects the SAP modernization effort from inheriting the risks associated with legacy connectivity.

Why Migrations Falter When Secure Connectivity is Not Addressed Early On

In RISE with SAP migrations, many of the most persistent security and audit challenges center on customer-controlled access and connectivity—identity, third-party access, and consistent policy enforcement—rather than the SAP-managed infrastructure itself.

Teams often default to familiar network-based fixes like extending VPN access, adding tunnels, or relying heavily on IP allowlists. Over time, this can lead to fragmented policy, limited visibility, exception sprawl, and governance issues, especially for third parties.

These temporary access paths often persist post-go-live, expanding privileges and weakening governance when stability is crucial. This introduces long-term issues like performance bottlenecks from backhauling, brittle routing dependencies, and slower troubleshooting.

The highest-impact solution is to modernize access early. Before UAT, define application-specific, least-privilege access rules with conditional policies for users and partners. A clean access model upfront reduces late-stage surprises and avoids carrying complex VPN/tunnel dependencies into steady state.

Why VPNs Should Not Be the Default for Modernizing SAP

VPNs are designed to extend network boundaries, not to provide secure access for distributed users to modern applications. Once connected via VPN, users often gain broad network access, which significantly increases the risk of lateral movement across the network. VPN architectures also introduce operational fragility involving difficult-to-manage aspects like tunnels, intricate routing, high availability planning, and capacity management. These are dependencies you do not want to be debugging during a transformation.

A Zero Trust, user-to-application approach completely transforms this model. Applications are not exposed to the public internet. Users connect only to the specific services they are authorized for (e.g., specific SAP services), with continuous validation based on identity and context. The Zscaler Private Access (ZPA) and SAP integration exemplifies this approach, delivering natively-deployed zero trust connectivity. This results in a reduced attack surface, the elimination of lateral movement risk, and consistent SLAs.

Moving to Zero Trust Controls and Experience Visibility

Modern SAP environments are hybrid by default. Remote users, multi-cloud dependencies, and integrations with non-SAP services are the norm. In that world, it is not enough to say you have security. Leaders need controls that work consistently and can be demonstrated during regulatory compliance checks. A practical approach is to focus on fundamentals. Secure how users access SAP, protect SAP data, and ensure that your end-user SAP experience remains strong.

The Zscaler Zero Trust Exchange platform supports these needs with application-level access controls, data protection and threat mitigation, and digital experience visibility that helps teams quickly isolate whether issues originate from the endpoint, network path, or application. This becomes especially critical during migration windows where minutes matter.

When organizations can reliably answer who accessed what and why it was allowed, security becomes an enabler. It reduces audit friction, builds stakeholder confidence, and allows migration teams to move faster with fewer blockers.

The ROI: Risk Reduction, Predictability, Productivity, and Lower Operational Cost

Modernizing SAP access primarily delivers predictability, reducing late-stage connectivity issues and emergency exceptions. This translates to faster migrations and lower change failure rates when moving from ECC to S/4HANA. From a security standpoint, simplifying the architecture—fewer VPNs, tunnels, and exposed services—reduces misconfiguration risk and operational overhead. Over time, organizations also see productivity gains from improved performance and faster troubleshooting, particularly during go-live periods when stability is critical.

Closing Thought

Adopting RISE with SAP doesn't eliminate the customer's obligation for access and security controls; rather, it underscores the need for a well-defined access security strategy early in the program. The toughest moments in your migration journey are predictable: pre-migration, cutover and go-live, and steady state.

A Zero Trust, direct user-to-application model helps teams avoid temporary connectivity sprawl, reduce risk during the migration journey, and maintain a strong user experience throughout. With our SAP-validated integration, Zscaler helps enterprises bake secure connectivity into their RISE programs early so security accelerates modernization instead of slowing it down.

Continuing the Conversation

We will be going deeper into this topic in our SAP Insider security webinar “RISE Without Risk: The Zero Trust Blueprint for SAP Transformation” with Zscaler experts Mike Loy and Keith Hontz, where we walk through what Zero Trust is, why organizations are adopting it for RISE with SAP, and how teams are sequencing Zero Trust into the RISE program based on real migration scenarios.

We will also be continuing the conversation in person at SAP Sapphire from May 11-13 in Orlando, where many of these challenges are coming up in real time as organizations move from planning into execution, so stop by and meet us at Booth 404.


Disclaimer: This blog post was created by Zscaler for informational purposes only and is provided "as is", without any guarantee of the accuracy, completeness, or reliability of its content. Zscaler assumes no responsibility for any errors or omissions, or for any actions taken based on the information provided. Any links to third-party websites or resources are offered for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you accept these terms and acknowledge that you are solely responsible for verifying and using the information as appropriate for your needs.
