Why SAP RISE Customers Need to Take Malware Protection Seriously
Jun 4, '25 by Joerg Schneider-Simon
What “Shared Security Responsibility” Means for SAP RISE Customers
Economies of scale are driving business transformation in the cloud. But when it comes to cyber security, the cloud also provides more opportunities for hackers due to application vulnerabilities, multiple access points, unsecured third-party networks, rogue devices (Internet of Things), and distributed environments.
This is why cyber security is a critical aspect of any digital transformation. And, in the case of SAP RISE, security is a shared responsibility between you and SAP. In this article, I’ll explain what that means for SAP RISE customers and why it’s important.
First, an overview… SAP RISE is a cloud-based service that streamlines cloud adoption to simplify and enhance the business transformation-as-a-service experience for S/4 HANA private cloud customers. Specifically, SAP bundles cloud infrastructure powered by AWS, Microsoft Azure, or Google Cloud to offer ERP customers a privately-managed, single-tenanted version of SAP S/4HANA private cloud, delivered by SAP Enterprise Cloud Services (ECS).
While the SAP RISE shared security responsibility can lead to better security, compliance, and management of the SAP application infrastructure (“technical basis”); success depends on customers doing their share as part of the transition.
Who Secures What Exactly?
In general, SAP, the cloud service provider, secures the infrastructure, while you, the ERP customer, secure the application layer in your private cloud.
To elaborate, you are responsible for application layer security, which includes everything from extending your organization’s security policies and regulations to the cloud, to managing user access and roles, to ensuring compliance, and protecting your applications, users, files, and data from malware.
For its part, SAP secures the underlying infrastructure that supports your private cloud instance. This includes the hardware, hypervisor software (virtual machines), network, data storage, the operating system (OS), the HANA database, and the core application infrastructure.
But what exactly does OS-layer security do in SAP RISE?
Application-Layer Content Security is Not Covered in SAP RISE
At the OS layer, SAP is responsible for OS updates, vulnerability patching, and configuration management. The RISE offering also includes anti-malware at the OS-layer, meaning no malware-ridden files can be written to the server’s file-system. However, this does not help with file transfers in SAP applications, because the files are never written to the server’s file system.
For example, files are handled in the SAP work process memory, transferred to a backend system, and stored in the database or a document management system like SAP Content Server. At no time during this process is a file written to a local file system and; therefore, files completely bypass the OS-layer anti-malware.
How bowbridge Hybrid SaaS Security Protects Users and Apps on Private Clouds
Traditional approaches to cybersecurity often fall short during cloud migration because the tools commonly deployed are not designed with the shared responsibility model in mind. This results in significant security management challenges and additional expense, as the service provider must be invoked for even the tiniest configuration change. Unfortunately, this leads to many SAP customers faltering and going with a “one-size-fits-all” security policy, instead of one that best protects their critical SAP applications.
By contrast, bowbridge Anti-Virus Cloud 4.0, which is designed for S/4 HANA private cloud and other private cloud environments, provides advanced content security to protect your apps and users. It is simply managed via SAP customization and the bowbridge customer portal, granting customers the full granularity of security settings without ever requiring OS-level access. The solution does not spawn any local processes, and does not require any OS-level configuration files. How does that work?
bowbridge Anti-Virus Cloud is the only anti-malware that secures your SAP applications in S/4 HANA private cloud by integrating with the SAP Virus Scan Interface (VSI)—an SAP kernel-level API with a cloud based, high-performance scan infrastructure-as-a-service. The use of SAP VSI also means that all your applications benefit from security seamlessly without requiring changes to the ABAP or Java application code, as soon as the VSI is activated.
Advanced Content Security Designed for SAP Enterprise Cloud Services
Download our detailed product sheet to learn more about bowbridge Antivirus 4.0 - Cloud for SAP® Solutions.

bowbridge Anti-Virus Cloud hybrid SaaS offers the advanced content security capabilities that you need to protect your users and applications from malware on SAP RISE and other Private Cloud Environments. Only bowbridge delivers the granular control of MIME types, active content detection, and scan settings critical for enterprise-grade content security on SAP ECS and PCE.
In addition, bowbridge advanced content security may be integrated with SIEM platforms for threat monitoring and alerts, enabling security teams to detect potential vulnerabilities faster.
bowbridge is ready to help you meet your shared security responsibility on SAP RISE.
Ready to protect your business-critical data in a cloud-based environment?
Schedule a consultation with bowbridge’s experts to explore your specific needs.
Share this on social: