Blog: Taking Our Microsoft Partnership to New Heights with SAP Data Custodian

SAP and Microsoft have enjoyed a long-standing and successful partnership, with our latest advancements geared toward giving businesses more choices around customer trust, as many are looking to move next-generation applications to the public cloud.

When storing and processing mission-critical data in the cloud, trust, transparency, security, and regulatory compliance are paramount for our customers. In today’s age, enterprises need to follow strict customer-driven data protection requirements and comply with regulations around the world. As part of a broader governance, risk, and compliance (GRC) strategy, this includes managing unauthorized access risks and following strict local and regional data localization laws.

We share a common goal with Microsoft in helping companies hurdle these obstacles to provide a high level of trust, transparency, and regulatory compliance. As a solution, we are excited to expand our partnership in an effort to develop and deliver SAP Data Custodian to customers using Azure.

SAP Data Custodian

With strong expertise in governance, risk, and compliance, we have a proven track record of helping customers manage, govern, and secure their mission-critical data. On the flip side, Microsoft Azure offers robust security capabilities, 85 compliance certifications, and extensive compliance with public cloud security and privacy standards.

So what are we doing here? Through SAP Data Custodian, we intend to combine our strengths, so you can benefit not only from the flexibility and scalability of a public cloud, but also from the transparency and control you may have had with your on-premise systems. SAP Data Custodian is therefore planned to bring together information from the Azure infrastructure and SAP solutions in one place to provide end-to-end visibility around data.

Why are we doing this? There are three key reasons: shared responsibility model, segregation of duty, and trust with verification:

1. Shared Responsibility Model

Microsoft has been a big proponent of the shared responsibility model, where both Azure and customers are responsible for different portions of security and compliance in the cloud. Broadly speaking, Azure is responsible for making the cloud secure, while customers are responsible for security and compliance requirements for their data in the cloud.

This makes a lot of sense to us. We already said that Azure has built very strong security products. The next logical question is: How do you, as a customer, fulfill your responsibility around data protection and governance needs in the public cloud? This is where SAP Data Custodian is expected to help.

Driven by regulations, or specific technology needs, you can define geo-location and role-based policies with SAP Data Custodian. In turn, the SAP Data Custodian software plans to enforce these policies, continuously monitor and provide risk and compliance reporting, and help manage policy violations as needed. This solution will help ensure that there is no unauthorized access by internal employees, and will provide full visibility when cloud provider access occurs.

2. Segregation of Duty

In addition to the shared responsibility model, SAP Data Custodian is based on the segregation of duty (SoD) concept. SoD in this scenario would require that more than one entity oversees a customer’s data in the public cloud to reduce data protection risks. As an example, a safety deposit box at a bank would require both the customer’s key and a bank official’s key to access the box. SAP Data Custodian will be your second pair of keys. It aims to provide the extra oversight, so you can ensure that your data is stored in your prescribed geo-boundaries and access to the data — whether by internal or cloud provider employees — is only made according to your defined policies.

3. Trust with Verification

Now for the third reason. In diplomacy, the concept of “trust but verify” is a familiar approach used to build confidence when forging mutually beneficial relationships. Because of compliance, data protection, or your own business-driven requirements, you may have a need to trust but verify, or as we like to call it: “trust with verification.” Your Board, with higher compliance fines and increasing security risks, may require independent transparency and control of your data in the public cloud. To fulfill this need, acting as an independent verifier, SAP Data Custodian will help you feel even more confident that your data is accessed and stored in compliance with your data protection policies.

So now you must be eager to know, when is SAP Data Custodian planned to be available?

The answer is: very soon! Microsoft and SAP are excited to provide this extra layer of auditability and control, so customers can move their SAP applications to Azure with that extra feeling of trust and openness.

How Do I Learn More?

Customers can sign up for the upcoming public preview access by sending an email to For a working demo on how to leverage SAP Data Custodian on Azure for your data governance needs, visit us at the SAP on Azure booth at Microsoft Ignite or attend the THR2255 session.