Intelligent driven Security at SAP –
Good Practice
Maximilian Adrian
IT Security & Risk Office, SAP AG
© 2013 SAP AG. All rights reserved. Customer 2
Agenda
1. Introduction
2. SAP IT Security & Risk Office

2. IT Security & Risk Office
SAP, a global company – our focus area: IT Security for ...
ONE Global Network: > 70 countries, > 220 subsidiaries
... connecting
• 72,267 end users
• 95,000 PCs/laptops
• 8,500 SAP systems
• > 30,000 servers
• mobile devices: 16,000 Blackberries, 19,000 iPads, 20,000 iPhones, 3,500 Androids, 5,000 BYOD
• a highly centralized segment of core business systems
SAP Global IT – Global Coverage & Site Leads
[World map of Global IT sites with time-zone offsets relative to CET (-9h to +8h); image not preserved]
Sites: Vancouver, Palo Alto, Mexico City (Offshore hub), Newtown Square (Regional Key Hub), Buenos Aires (Service Desk), Dublin (Service Desk), Paris, Walldorf (HQ & Regional Key Hub), Ra'anana, Bangalore (Offshore hub), Singapore (Regional Key Hub), Shanghai (Service Desk)
Global IT Site Leads represent every Global IT location (HC > 10) in a Site Lead network to foster team spirit and improve cross-team communication.
Legend: Headquarters / Offshore Location / Regional Key Hub / Location > 20 FTE
SAP Global IT and IT Security & Risk Office – Organization overview
[Organization chart; image not preserved]
• CIO: R. Salomon, with CIO Office
• Units under the CIO: Business Information Officers, Regional ORG Units, IT Application Services, IT Infrastructure Services, IT Enterprise Architecture, IT Management Office, IT Security & Risk Office
• IT Security & Risk Office (M. Adrian): IT Security Services; IT Risk & Quality Management, Audits; Assistant; Regional Security Officers for EMEA, AMER and APJ
• Business ORG Units: Business Information Officers and Business IT Security Representatives
Achievements
• Global IT AS Process Landscape
• IT Security Framework cross SAP
• IT Security Strategy 2012 and 2013-2015
• ISO 9001 certification (Global IT Corporate & Americas)
• ISO 27001 certification (Global IT Corporate & Americas)
• ISO 22301 (Global IT Corporate) – first company in Germany
• SOX compliance of Global IT
• Strategic & Operational Risk Management
• Effective IT Security Governance Structure & Process
• Global Security Monitoring Center
• IT Security Award 2012 for Integrated Management System
• Ovum BYOX Strategy Award 2013
Requirements
• Achieve KonTraG / SOX compliance of Global IT
• Achieve adequate Security Implementation for main infrastructure, systems & applications
• Establish unique IT Security level across SAP
IT Governance Tools
• Quality: ISO 9001
• Security: BS 7799 / ISO 27001
• IT SCM: ISO 22301
• Service Management: ITIL / ISO 20000
• Overall Framework: COBIT, ISACA
SAP Global IT Security & Risk Office
Where we come from … Global IT Security, Quality, Risk & Process Approach
2005
• Set-up global unified Security & Quality Mgmt.
• Realign IT processes
• Operation Support
• Project Support
• Process Definition
• IT Audits
2006
• Develop and Implement an Integrated Information Security Mgmt. System
• Certificates: ISO 9001 (Corporate & Americas), ISO 27001 (Corporate)
2007
• New SoA on detailed risk level
• ISO 27001 Certificate (Americas)
• Improved documentation
• Process Management added
2008
• Integrated Risk-Control-Mapping
• Improved Process Map (AS)
• Initiate IT Process Efficiency Program
• Processes improved
• Internal Control System improved
2009
• Initiate Process Efficiency Prg.
• Restructure/Build Performance Measurement
• Expand IISMS on functional level
• State of the art BCM
2010
• Establish IT Risk & Security Gov. across SAP
• Support Product Security Initiative
• Streamline operational Risk Mgmt.
• Restructure Team
• Re-focus IT Sec. Strategy
2011
• Establish IT Sec. Monitoring Center
• Establish Digital Rights Mgmt. Service
• Establish federated Risk Mgmt.
2012
• Increase Awareness
• ISO 22301 Certificate (Corporate)
• Launch IT Sec. Strategy 2015
• Establish Cross LoB IT Risk Mgmt.
• IT Security Award 2012 at it-sa
2013
• Sec. relevant processes across SAP
• Finalize Network Admission Control
• Strengthen Vulnerability & Threat Mgmt.
• Ovum BYOX Strategy Award 2013
House of Services – IT Security & Risk Office
[Diagram of the service "house"; image not preserved. Roof: Global IT SRO Vision - Mission - Goals; Quality / Security Management Framework [IISMS] Services. Columns: Strategic – Tactical – Operational – Projects.]
• IT Security Governance: Policies & Standards & Good Practices; Laws & Regulations; Audits; Supplier Certifications; ISO 27001; ISO 9001; SOX Compliance
• IT Compliance Management: Data Classification & Access Procedures; Compliance Monitoring; Internal Control System
• IT Risk Management: Strategic; Operational; Vulnerabilities
• Process Design; Process Portfolio Management
• IT Security Management (Applications - Infrastructure - Interface): Advisories; Concepts; Project Support; Research; Security Monitoring Center; CERT / CSIRT; Vulnerabilities; Reporting; Processes; Systems/Apps. Pen.-testing; IT Security Requirements
• IT Service Continuity Management: ISO 22301
Integrated Information Security Management System
Laws & Regulations – Standards & Best Practices for Global IT
[Diagram; image not preserved]
• Laws & Regulations: SOX / KonTraG *); Corporate SOX Processes (Central MIC Team); SOX-Relevant IT Processes
• Standards: ISO 27001; ISO 22301; ISO 9001; COSO Framework; PDCA; ITIL 3.0; COBIT
• Supporting Best Practice: GRC 10.0 / ARIS Tool
• Levels: Corporate / Global IT
• IT Process Management: Process Design; Process Governance; Process Portfolio Management; SAP Process Landscape; IT Process Landscape
• Optimize Global IT Process Landscape to support a simplified, efficient, and secure work environment
*) Others: ADA (USA/California), ISO 20000, EU Guideline 8 etc.
What is "The Right Security"?
- Keep the right balance & enable risk-based decisions…
• Security involves everyone & everything
• Security is a quality aspect of all of our businesses, not a separate Line of Business
• Security needs trust, not fear
• Security has four dimensions: People / Processes / Technology / Organization Design/Strategy
• Business decisions are about taking risks
• There is an inherent conflict in "secure business"
• 100% Security is not the goal for a software business like ours
– 100% Security prevents business
– 100% Security is not affordable
• Goal: We need to find the right balance. Basis is risk transparency!
[Diagram of the balance; image not preserved. Corners: Security implications (costs, embarrassment, control) – Awareness, process enforcement, technology enabling – Business priorities, speed, innovation]
Our Values: e.g. Integrity, Excellence, Trusted Advisor, Innovation
Disciplines: Risk Management; Quality Management; Efficiency & Effectiveness; Compliance / IT Security Governance / Business Continuity
IT Security & Risk approach @ SAP
For continuous improvement of the IT Security Strategy, multiple aspects need to be considered:
• Stay tuned… To ensure up-to-date information on the IT Security risk status, the risk evolution & technology evolution are reviewed at least two times a year.
• Best Practices: Cross-checks with international standards ensure completeness of the measures and activity areas. Reviews by IT Security strategy consultants ensure staying focused.
• Consumable: IT Security must not be a burden for the end user. Find ways to make IT Security more digestible and usable.
• Demand driven: Synchronization with the business roadmaps and the technology roadmaps enables proactive research and planning.
• Risk oriented: Regular risk management enables identification of key priorities.
IT Security & Risk approach @ SAP
Defense against a changing threat environment – Focus on protection of the key assets...
Company boundaries vanish. Complete protection of all data is too expensive and difficult to assure.
Security teams have to work closely with the business to identify the organization's most critical information and systems ("key assets") in order to protect them.
A hundred percent protection for all systems and information cannot be guaranteed anymore!
[Diagram contrasting "Anti-virus" and "Alarming System" protection models, caption truncated ("Change to A"); image not preserved]
Data Leakage Prevention – Strategy @ SAP
Defense against a changing threat environment
Focus on protection of the key assets/information...
IT Security & Risk approach @ SAP
Defense against a changing threat environment – Holistic, situational IT security concepts (IT SRO)
1. Advancement of the IT Security Strategy: Operational: combination of the object to be protected – vulnerabilities – threat – risk situation
2. Establish new monitoring methods
3. Strengthening access controls
4. Increasing employees' awareness
5. Raising awareness among the top management
6. Rethinking IT architecture
IT Security & Risk approach @ SAP
Defense against a changing threat environment, leveraging "SAP runs SAP"
Holistic, situational IT security – Top Technology measures
[Table of Tactical Measures and Strategic Measures per technology layer; the tactical/strategic column split is not recoverable from the extraction. Cross-cutting: Threat & Vulnerability Mgmt. / SMC]
• Data/Information: Data Classification; Email Encryption (PGP); Service & Tool classification; Digital Rights Management to protect sensitive Documents; DLP for Partner Access (e.g. WTS India)
• Application: Custom Code Scanning; December Patch Implementation and Activation; IT Security Governance; Identity & Access Management (esp. role based access control); Mail Malware defense
• Infrastructure: Client Security (e.g. PGP HD encryption); Mobile Device Security (Afaria); IT Security Governance; Denial of Service Defender; Strong Authentication; Secure VoIP; Cloud Computing / Virtualization; Identity & Access Management
• Network: WLAN Security; WAN Encryption; Network Access Control; Network Separation
SAP Security Tools: SAP NetWeaver IdM; SAP NetWeaver SSO; SAP ID Service; SAP GRC 10 – Risk Management; SAP GRC 10 – Process Controls; SAP GRC 10 – Access Request Management; SAP Sybase Afaria; SAP Sybase Unwired Platform; SAP NetWeaver Gateway; SAP Solution Manager
IT Security Architecture@SAP
[Zone diagram; image not preserved. Zones: Zone 1 – High Secure; Zone 2 – Office Net; Zone 3 – Hidden DMZ; Zone 4 - DMZ. The assignment of controls to zones is not recoverable from the extraction.]
Controls shown across the zones: AV; Code Scanner – ABAP, APPs; Hardening/Patch Management; Firewalls; VPN Access Protection; 2-Factor-Authentication; SAP SSO / SAP ID / PKI Certification Management; IAM – SAP NW IDM & SAP GRC 10.0; Network Admission Control; Intrusion Prevention System; Web filtering; Data Leakage Prevention; Mobile Management – SAP Afaria; Mobile Data – SAP Box, Encryption Viewer; AV/PFW; Social - SAP JAM; Spam protection; HDD encryption; eMail encryption; IP Phone / Messenger; Document encryption; Share Monitoring; Printer – 2-Factor-Protection; IT Security & Risk Awareness Campaigns; SIEM Solution; Hardening/Patch Management/Access Management
IT Security & Risk approach @ SAP
Defense against a changing threat environment – Information exchange about threat situation and security trends
• Information exchange with IT security teams of customers / DAX companies
• Federal Criminal Police Office of Germany (BKA)
• Federal and State Offices for the Protection of the Constitution (in German: BfV/LfV)
• Federal Office for Information Security (BSI)
• Symantec, McAfee, security software companies
• National and international hacking communities
• Security Information Broker
• Information Security Forum (ISF) workgroups
• Information sourcing via Gartner, CEB and ISACA
Thank you!
Contact information:
Maximilian Adrian
Director IT Security & Risk Office; CRISC
Global IT, SAP AG
E-mail: [email protected]
Phone: +49 6227 / 7-48448
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the United States and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries.
Oracle and Java are registered trademarks of Oracle and its affiliates.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.
IOS is a registered trademark of Cisco Systems Inc.
RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited.
Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc. INTERMEC is a registered trademark of Intermec Technologies Corporation.
Wi-Fi is a registered trademark of Wi-Fi Alliance. Bluetooth is a registered trademark of Bluetooth SIG Inc.
Motorola is a registered trademark of Motorola Trademark Holdings LLC. Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.
Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.