HEC Security & Compliance
SAP Security, Risk & Compliance Office
Details
• Introduction
• Overview
• Security Offering
• Approach
• Certifications
Introduction
Dear Customer,
Information Security is not just a buzzword for the SAP Security, Risk & Compliance Office – it's our daily work, our passion, and the principle that drives us. We strive to provide the best security and data protection possible to SAP and our customers. Each customer is treated as if they were our only customer.
That's the kind of commitment and importance we work to achieve - every single day.
We have consistently certified to internationally recognized standards such as ISO 9001 for Quality Management or ISO 27001 for Information Security, provide SOC1 and SOC2 reports twice a year along with using industry accepted best practices such as COBIT or the ISF Standard of Good Practice for Information Security to assure the best possible security and risk management approach.
You can rest assured that your information is in good, experienced hands.
Additional information about HANA Enterprise Cloud can be found at http://www.sap.com/HEC
Regards,
Ralph Salomon
Chief IT & Cloud Security Officer; CRISC
SAP Security, Risk & Compliance Office
SAP SE
Dietmar-Hopp-Allee 16 69190 Walldorf, Germany
HANA Enterprise Cloud (HEC) – High Level Overview
[Figure: HEC high-level overview. Labels: Corporate, Admin Firewall, Administrative Jump Hosts, Shared Administrative Infrastructure, Management Networks, HANA Enterprise Cloud, customer landscapes #1, #2 and #3, Customer #1 (MPLS), Customer #2 (MPLS VPN), Customer #3 (Public Internet Access).]
Legend: #<no>: Refers to one customer; MPLS: Multiprotocol Label Switching; VPN: Virtual Private Network
The fundamental security architecture of the HEC infrastructure is the principle of a private cloud. This means each customer receives an isolated, logical grouping of several Virtual Machines and physical systems. All customer networks are completely isolated from each other.
© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public - Version 2.0 6
HANA Enterprise Cloud (HEC) – High Level Overview
Customer Isolation
– Each HEC customer receives their own isolated landscape
– HEC customer landscape is fully integrated into the customer corporate network using WAN or VPN links
HEC administration
– HEC administration is done using shared administrative infrastructure and management networks
[Figure: HEC high-level overview. Labels: Corporate, Admin Firewall, Administrative Jump Hosts, Shared Administrative Infrastructure, Management Networks, HANA Enterprise Cloud, customer landscapes #1, #2 and #3, Customer #1 (MPLS), Customer #2 (MPLS VPN), Customer #3 (Public Internet Access).]
Integration HEC – SAP
– HEC is isolated from the SAP Corporate Network
– Access to HEC is only possible with a 2-factor authentication
Legend: #<no>: Refers to one customer; MPLS: Multiprotocol Label Switching; VPN: Virtual Private Network; WAN: Wide Area Network
HANA Enterprise Cloud (HEC) – Details
Details for Customer Landscapes
[Figure: details of customer landscape #1 within the HANA Enterprise Cloud. Labels: Corporate, Admin Firewall, Administrative Jump Hosts, Shared Administrative Infrastructure, Management Networks, Storage, SAP Cloud Frame Manager, Orchestration, HANA-Cell of physical HANA Servers, Virtualization Orchestration, Virtualization Server Nodes (1, 2, 3, ... n), Provisioning, Physical Server (HANA, e.g. 3 TB), Virtual Machines (SAP Appl. Server).]
Customer Landscape
– Customer Landscape consists of physical servers running the HANA database and virtual machines running additional components (e.g. SAP Application Servers)
– Only logical separation within a customer landscape
Network Integration
– Customer Landscapes can be connected using IPSEC VPN and MPLS
– Customers can have multiple customer landscapes that are joined in one customer routing domain (#1.1 and #1.2)
– Network filtering can be requested between Customer Landscape and Customer Corporate Network
HANA Enterprise Cloud (HEC) – Details
Details for Network Integration
[Figure: network integration. Labels: Corporate, Admin Firewall, Administrative Jump Hosts, Shared Administrative Infrastructure, Management Networks, HANA Enterprise Cloud, customer landscapes #1.1, #1.2 and #2, Customer #1 (MPLS Router, MPLS for #1, VLAN for #1), Customer #2 (VPN Router, VPN for #2, VLAN for #2).]
Legend: #<no>: Refers to one customer; IPSEC: Internet Protocol Security; MPLS: Multiprotocol Label Switching; VLAN: Virtual Local Area Network; VPN: Virtual Private Network
HANA Enterprise Cloud (HEC) – Details
Details for Public Internet Access
[Figure: inbound public Internet access. Labels: Corporate, Admin Firewall, Administrative Jump Hosts, Shared Administrative Infrastructure, Management Networks, HANA Enterprise Cloud, Inbound Public Internet Access, Reverse Proxy Farm with Web Application Firewall, Router, customer landscapes #1, #1.DMZ (optional) and #2, VLAN for #1, VLAN for #2, Customer #1, Customer #2.]
Legend: #<no>: Refers to one customer; DMZ: Demilitarized Zone; VPN: Virtual Private Network
Inbound Public Internet Access with normal security requirements
– If required, customers can request public Internet Access
– Shared reverse proxy farm based on F5 technology is used
– Web Application Firewall provides basic security that can be extended on customer request
Inbound Public Internet Access with high security requirements
– Usage of a dedicated customer landscape as DMZ segment (#1.DMZ)
– Limited connectivity from #1.DMZ to customer landscape with
Physical Security
– Video and Sensor Surveillance
– Access Logging
– Security Guards
– Fire Detection and Extinguishing System
– Uninterruptible Power Supply
– Biometric Access Control in certain Locations
Network Security
– Network Filtering
– Intrusion Prevention Systems
– Web Application Firewall
– 2-factor Authentication
– Network Admission Control
– Proxies with Content Filtering
– Advanced threat management
Secure Operations
– Asset Management
– Change Management
– Incident Management
– Anti Virus & Malware Management
– Backup / Restore Management
– Identity & Access Management
– Security Awareness Trainings
Threat & Vulnerability Management
– Security Patch Management
– Penetration Testing
– Vulnerability Scanning
– 24 x 7 Security Monitoring Center
Advanced IT Security Architecture
– Isolated, separated Landscape per Customer
– Security hardened Systems
– Secure Product Development Lifecycle
Security measures are audited and confirmed through various Certifications & Attestations
– ISO Certificates
  o ISO9001 Quality Management System
  o ISO27001 Information Security Management System
– SOC1 (ISAE3402/SSAE16) Type I & Type II
– SOC2 Type I & Type II
– Industry specific Certificates (on demand with business case foundation)
Customer data flow control
– Regional Data Storage (e.g. EU-, US-Cloud)
– European data protection and privacy policy
Data Center – Security Requirements
SAP Cloud Solutions and Customer Data need to be operated in an SAP Tier Level III, III+ or IV classified Data Center.
SAP checks compliance on site with the SAP Data Center minimum physical security standard, which covers topics like:
– Perimeter & Location security
– Building entry point security
– Building Security
– Access Controls & Monitoring
– General access and
– Access to dedicated SAP areas
– Fire Protection
– Electrical Power supply
– Certifications of the DC Provider
| Minimum availability requirements | Tier I | Tier II | Tier III | Tier III+ | Tier IV |
|---|---|---|---|---|---|
| Stand-alone Data Center building necessary | no | no | no | yes | yes |
| Amount of external electrical power suppliers | 1 | 1 | 1 | 1 | 2 |
| Amount of transformers to power the Data Center | n | n | n+1 | n+1 | 2n |
| UPS Battery System necessary | no | yes | yes | yes | yes |
| Minutes UPS must provide power | 0 | 5 | >10 | >10 | >10 |
| Amount of UPS Systems necessary | n | n | n+1 | n+1 | 2n |
| (Diesel-) Generators needed | no | no | yes | yes | yes |
| Amount of cooling systems needed | n | n | n+1 | n+1 | 2n |
| Server cooling is independent from an office AC | no | no | yes | yes | yes |
| Fire detection system needs to be installed | yes | yes | yes | yes | yes |
| Fire extinguishing system must be installed | no | yes | yes | yes | yes |
| On-site response time of Data Center personnel | <48h | <8h | <1h | <1h | <1h |
| Available WAN network connection lines | 1 | n+1 | n+1 | n+1 | 2n |
HEC Data Centers
Current Status Tier Level & Certifications
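[Map: Data Center reach by region (Americas, EMEA + Russia, APJ). Locations shown: US Westcoast, US Eastcoast, Europe 1, Europe 2, Russia, China, Japan 1, Japan 2, Australia. Legend entry: Ready.]

| Location | Tier Level |
|---|---|
| US, Westcoast | IV |
| US, Eastcoast | III+ |
| Europe 1 | III+ |
| Europe 2 | IV |
| Japan 1 | III+ |
| Japan 2 | III |
| Australia | III+ |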
Certifications &
Attestations PCI DSS SSAE16 SSAE16
ISO 27001 ISO 9001 PCI DSS ISO 27001 ISO 9001 SSAE 16 ISO 27001
SSAE16 ISO 27001 SSAE16 ISO 27001 SSAE16
Data Centers in this geography are in planning –or build– phase.
© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public - Version 2.0 14
HANA Enterprise Cloud Security
Why HANA Enterprise Cloud (HEC) is better…
SAP has a long-standing tradition in security of its solutions and takes demands from customers on cloud security very seriously.
The key differentiator of HEC:
A. Strong collaboration between Security, Operations and Product Development team
B. Multi Layers of defense to protect our Customer’s data
C. Holistic Security & Compliance approach: integrated, monitored and validated by external audits
D. Customer can select the region of data storage
Why HANA Enterprise Cloud (HEC) is better…
A. Strong Collaboration
Strong collaboration of Product Security team and Operations Security team ensures proper security and compliance implemented in HEC products.
Identified issues are directly communicated into Product Development team to ensure immediate fixes.
Strong collaboration of Security team and Operations team ensures proper definition of security requirements individually per Cloud product within HEC.
Security team consults the Operations team in defining and implementing the security measures per asset individually.
Why HANA Enterprise Cloud (HEC) is better…
B. Multi Layers of Defense
[Figure: layers of defense around customer data. Layer labels: Internet; DMZ - External Intrusion Prevention; HDMZ - Perimeter Firewall & Router ACL Protection; Data Center; Internal Administration Network – Internal Intrusion Detection; Customer A Data, Customer B Data, Customer C Data. Further labels: White Hat Hacker Penetration Tests, Operations, Multi-factor Authentication, Security Implementation, Audit & Security Reviews, Access Control & Logging, Admin VPN / WTS, SMC** / SIEM***, IPS*.]
*IPS = Network Intrusion Prevention System
**SMC = Security Monitoring Center (7*24)
Why HANA Enterprise Cloud (HEC) is better…
C. Holistic Security & Compliance Approach (1/2)
HEC leverages a multi-dimensional security and compliance approach to establish and maintain state-of-the-art Security & Compliance.
The following two slides describe the key aspects of the holistic Security & Compliance Approach.
*) If local (i.e. country specific) or other applicable laws require stricter standards, Personal Data will be handled in accordance with those stricter laws.
[Figure: dimensions of the approach. Labels: Protection Goal; Scoping (Technology, Processes, People).]
Protection Goal
Security (CIA)
HEC focuses on confidentiality and integrity of data as well as availability of customer systems and central infrastructure.
Data Protection
HEC is fully committed to data protection and privacy.
SAP is a global company with its headquarters in Germany, which is a member of the European Union (EU). Therefore our Policy is based on definitions of European Data Protection legislation and defines the basic principles applicable for every SAP entity *). HEC respects data protection and privacy rights and safeguards any Personal Data of our customers.
IP Protection
In addition, HEC focuses on the protection of your intellectual property. Access to data is strictly limited according to the need-to-know principle. Strict separation of customer systems is
Why HANA Enterprise Cloud (HEC) is better…
C. Holistic Security & Compliance Approach (2/2)
Demands & Enforcement
Requirements / Measures
SAP has a strict policy framework which is broken down into detailed technical procedures for operations.
Monitoring
Regular monitoring ensures timely identification of deviations and initiates fixes quickly.
Audits
– During the Compliance & Certification Audits we ask external experts to verify our security effectiveness.
– Through regular supplier audits, we ensure the security effectiveness of suppliers and sub-contractors.
Scoping
Technology
– Secure operability of HEC products is monitored. Issues are directly addressed to Product Development team.
– Our security scope covers all infrastructure components and tools required to operate and manage HEC.
Processes
All relevant processes for cloud product development and cloud operations are within the security scope.
People
Regular training and evaluation is key to ensure proper operations of HEC.
[Figure: dimensions of the approach. Labels: Protection Goal; Scoping (Technology, Processes, People).]
Why HANA Enterprise Cloud (HEC) is better…
D. Customer can select storage region
The physical storage of customer data is crucial to numerous enterprises. Therefore, our HEC customers can choose if their data is stored in cloud data centers located in the USA or in Europe.
The general rule is:
We have clear and company-wide guidelines in place that define how we respond to requests for customer data coming from law enforcement authorities and regarding national security concerns. We take our commitment to our customers and legal compliance very seriously. Customer data is only shared if the request is legally valid. Our legal department evaluates every inquiry in detail. In addition, we will question a request if there are grounds for assuming that it is not in conformity with the law.
Cloud Security Governance / Build One Delivery – Internal Controls
Compliance & Processes
– Integrated Information Security Management System (acc. ISO27001)
– Controls embedded into operational processes and procedures
– Process Managers located within the delivery unit
– Training is provided on regular basis to ensure proper implementation
– Control effectiveness is regularly tested
– Compliance audits performed twice per year
– ISO audits performed on annual basis
Cloud Security Governance / Build One Delivery – Internal Controls
Certification Overview & Roadmap
Certifications / Attestations Roadmap

| Certifications / Attestations | Purpose |
|---|---|
| SOC1 / ISAE 3402 / SSAE16 | Report on a service organization's internal controls that are likely to be relevant to an audit of a customer’s financial statements. (former SAS 70) |
| SOC 2 | Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. Can be handed out to customers and prospects, use/distribution may be restricted. |
| SOC 3 | Trust Services Report for Service Organizations. Used for marketing purposes, unrestricted use/distribution. |
| ISO 27001 | Certification of an Information Security Management System. Used for marketing purposes, certification can be officially published. |
| ISO 9001 | Certification of a Quality Management System. Used for marketing purposes, certification can be officially published. |
| PCI-DSS | Required for customers who handle cardholder information for debit, credit, prepaid, e-purse, ATM, and POS cards. |
Certifications and Attestations per SAP Cloud Offering
[Matrix columns: SOC1/ISAE3402 (Type I, Type II), SOC 2 (Type I, Type II), ISO27001, Others. The per-offering status markers for the SOC1, SOC 2 and ISO27001 columns are not recoverable from the text; only the "Others" column is listed.]
Legend: Certification available; Certification planned for 2014; Certification planned for 2016; May be added in future.

| SAP Cloud Offering | Others |
|---|---|
| SAP Business by Design, SAP Cloud for Customer, SAP Cloud for Financials, SAP Cloud for Sales, SAP Cloud for Service, SAP Cloud for Social Engagement, SAP Cloud for Travel & Expense | |
| HANA Enterprise Cloud | ISO9001; planned for Q4/2014: ISO22301 |
| Ariba cloud solutions from SAP 1) | PCI-DSS, Webtrust, SafeHarbor |
| Ariba - Quadrem cloud solutions from SAP | WebTrust |
| SuccessFactors cloud solutions from SAP 2) | SafeHarbor |
| SAP People Cloud Solutions - Employee Central | SafeHarbor |
| SAP People Cloud Solutions - Employee Central Payroll | SafeHarbor |
| SAP HANA Cloud Platform & Portal | |
| SAP HANA Cloud Portal | |

1) Ariba Network / Ariba Sourcing Pro / Ariba Contract Management / Ariba Spend Visibility / Ariba Procure to Pay / Ariba Analysis / Ariba Category Management / Ariba Supplier Management / Ariba Travel and Expense / Ariba Invoice
2) SuccessFactors Performance & Goals / SuccessFactors Succession & Development / SuccessFactors Learning / SuccessFactors Onboarding / SuccessFactors Recruiting Marketing / SuccessFactors Workforce Planning / SuccessFactors Workforce Analytics / SAP Jam
Thank you!
Contact information:
Ralph R. Salomon
VP Security, Risk & Compliance Office; CRISC Chief IT & Cloud Security Officer
SAP SE
E-mail: ralph.salomon@sap.com