HEC Security & Compliance

HEC Security & Compliance

SAP Security, Risk & Compliance Office

Details

•

Introduction

•

Overview

•

Security Offering

•

Approach

•

Certifications

Introduction

Dear Customer,

Information Security is not just a buzzword for the SAP Security, Risk & Compliance Office – it‘s our daily work, our passion, and the principle that drives us. We strive to provide the best security and data protection possible to SAP and our customers. Each customer is treated as if they were our only customer.

That‘s the kind of commitment and importance we work to achieve - every single day.

We have consistently certified to internationally recognized standards such as ISO 9001 for Quality Management or ISO 27001 for Information Security, provide SOC1 and SOC2 reports twice a year along with using industry accepted best practices such as COBIT or the ISF Standard of Good Practice for Information Security to assure the best possible security and risk management approach.

You can rest assured that your information is in good, experienced hands.

Additional information about HANA Enterprise Cloud can be found at http://www.sap.com/HEC

Regards,

Ralph Salomon

Chief IT & Cloud Security Officer; CRISC

SAP Security, Risk & Compliance Office

SAP SE

Dietmar-Hopp-Allee 16 69190 Walldorf, Germany

Details

•

Introduction

•

Overview

•

Security Offering

•

Approach

•

Certifications

HANA Enterprise Cloud (HEC) – High Level Overview

H

ANA

E

NTERPRISE

C

LOUD

#<no>: Refers to one customer MPLS: Multiprotocol Label Switching VPN: Virtual Private Network

The fundamental security architecture of the HEC infrastructure is the principal of a private cloud. This means customer will receive an isolated, logical grouping of several Virtual Machines and physical systems. All customer networks are completely isolated from each other.

© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public - Version 2.0 6

HANA Enterprise Cloud (HEC) – High Level Overview

Customer Isolation

 Each HEC customer receives their own isolated landscape  HEC customer landscape is fully integrated into the

customer corporate network using WAN or VPN links

HEC administration

 HEC administration is done using shared administrative infrastructure and management networks

Corporate A dm in Fi re w a ll _{Administrative} Jump Hosts Shared Administrative Infrastructure Management Networks Customer #3 Customer #2

H

ANA

E

NTERPRISE

C

LOUD

Integration HEC – SAP

 HEC is isolated from the SAP Corporate Network

 Access to HEC is only possible with a 2-factor authentication

#<no>: Refers to one customer MPLS: Multiprotocol Label Switching VPN: Virtual Private Network WAN: Wide Area Network

HANA Enterprise Cloud (HEC) – Details

Details for Customer Landscapes

#1 Corporate A dm in Fi re w a ll _{Administrative} Jump Hosts Shared Administrative Infrastructure Management Networks

H

ANA

E

NTERPRISE

C

LOUD

SAP Cloud Frame Manager Orchestration HANA-Cell of physical HANA Servers Virtualization Orchestration Virtualization Server Nodes 1 2 n 3 Provisioning Physical Server SAP Appl. Server Virtual Machines HANA, e.g. 3 TB Provisioning

Customer Landscape

 Customer Landscape consists of physical servers

running the HANA database and virtual machines running additional components (e.g. SAP Application Servers)

 Only logical separation within a customer landscape

© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public - Version 2.0 8

Network Integration

 Customer Landscapes can be connected using IPSEC VPN and MPLS

 Customers can have multiple customer landscapes that are joined in one

customer routing domain (#1.1 and #1.2)

 Network filtering can be requested between Customer Landscape and Customer Corporate Network

HANA Enterprise Cloud (HEC) – Details

Details for Network Integration

Corporate A dm in Fi re w a ll _{Administrative} Jump Hosts Shared Administrative Infrastructure Management Networks Customer #2

H

ANA

E

NTERPRISE

C

LOUD

#<no>: Refers to one customer IPSEC: Internet Protocol Security MPLS: Multiprotocol Label Switching VLAN: Virtual Local Area Network VPN: Virtual Private Network

HANA Enterprise Cloud (HEC) – Details

Details for Public Internet Access

Corporate A dm in Fi re w a ll _{Administrative} Jump Hosts Shared Administrative Infrastructure Management Networks

H

ANA

E

NTERPRISE

C

LOUD

Internet Access #1 #1.DMZ (optional) #2 Reverse Proxy Farm with Web Application Firewall VLAN for #2 Customer #1 Customer #2 Router VLAN for #1

#<no>: Refers to one customer DMZ: Demilitarized Zone VPN: Virtual Private Network

Inbound Public Internet Access

with normal security requirements

public Internet Access

 Shared reverse proxy farm based on F5 technology is used

 Web Application Firewall provides basic security that can be extended on

customer request

Inbound Public Internet

Access with high security

requirements

 Usage of a dedicated customer landscape as DMZ segment (#1.DMZ)

 Limited connectivity from #1.DMZ to customer landscape with

Details

•

Introduction

•

Overview

•

Security Offering

•

Approach

•

Certifications

 Physical Security

– Video and Sensor Surveillance

– Access Logging

– Security Guards

– Fire Detection and Extinguishing System

– Uninterruptible Power Supply

– Biometric Access Control in certain Locations

 Network Security

– Network Filtering

– Intrusion Prevention Systems

– Web Application Firewall

– 2-factor Authentication

– Network Admission Control

– Proxies with Content Filtering

– Advanced threat management

 Secure Operations

– Asset Management

– Change Management

– Incident Management

– Anti Virus & Malware Management

– Backup / Restore Management

– Identity & Access Management

– Security Awareness Trainings

 Threat & Vulnerability Management

– Security Patch Management

– Penetration Testing

– Vulnerability Scanning

– 24 x 7 Security Monitoring Center

 Advanced IT Security Architecture

– Isolated, separated Landscape per Customer

– Security hardened Systems

 Secure Product Development Lifecycle  Security measures are audited and confirmed

through various Certifications & Attestations

– ISO Certificates

o ISO9001 Quality Management System

o ISO27001 Information Security Management System

– SOC1 (ISAE3402/SSAE16) Type I & Type II

– SOC2 Type I & Type II

– Industry specific Certificates

(on demand with business case foundation)

 Customer data flow control

– Regional Data Storage (e.g. EU-, US-Cloud)

– European data protection and privacy policy

Security

© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public - Version 2.0 12

Data Center – Security Requirements



SAP Cloud Solutions and Customer Data

needs to be operated in a:

SAP Tier Level III, III+ or IV

classified Data Center.



SAP checks on site the compliance to the

SAP Data Center minimum physical security

standard that covers topics like:

–

Perimeter & Location security

–

Building entry point security

–

Building Security

–

Access Controls & Monitoring

–

General access and

–

Access to dedicated SAP areas

–

Fire Protection

–

Electrical Power supply

–

Certifications of the DC Provider

Minimum availability requirements Tier I Tier II Tier III Tier III+ Tier IV

Stand-alone Data Center building

necessary no no no yes yes

Amount of external electrical power

suppliers 1 1 1 1 2

Amount of transformers to power the Data

Center n n n+1 n+1 2n

UPS Battery System necessary no yes yes yes yes

Minutes UPS must provide power 0 5 >10 >10 >10

Amount of UPS Systems necessary n n n+1 n+1 2n

(Diesel-) Generators needed no no yes yes yes

Amount of cooling systems needed n n n+1 n+1 2n

Server cooling is independent from an

office AC no no yes yes yes

Fire detection system needs to be installed yes yes yes yes yes Fire extinguishing system must be installed no yes yes yes yes On-site response time of Data Center

personnel <48h <8h <1h <1h <1h

Available WAN network connection lines 1 n+1 n+1 n+1 2n

HEC Data Centers

Current Status Tier Level & Certifications

Americas EMEA + Russia APJ

Ready China Europe 2 Europe 1 US, Eastcoast US, Westcoast

Data Center reach

Russia

US, Westcoast US, Eastcoast Europe 1 Europe2 Japan 1 Japan 2 Australia

Tier Level IV III+ III+ IV III+ III III+

Certifications &

Attestations PCI DSS SSAE16 SSAE16

ISO 27001 ISO 9001 PCI DSS ISO 27001 ISO 9001 SSAE 16 ISO 27001

SSAE16 ISO 27001 SSAE16 ISO 27001 SSAE16

Japan 2 Japan 1

Australia

Data Centers in this geography are in planning –or build– phase.

© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public - Version 2.0 14

HANA Enterprise Cloud Security

Details

•

Introduction

•

Overview

•

Security Offering

•

Approach

•

Certifications

© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public - Version 2.0 16

Why HANA Enterprise Cloud (HEC) is better…

SAP has a long-standing tradition in security of its solutions and takes demands from

customers on cloud security very seriously.

The key differentiator of HEC:

Strong collaboration

between Security, Operations

and Product Development team

A.

Multi Layers of defense

to protect our Customer’s data

B.

Holistic Security & Compliance approach:

integrated,

monitored and validated by external audits

C.

Customer can select

the region of data storage

D.

Why HANA Enterprise Cloud (HEC) is better…

A. Strong Collaboration



Strong collaboration of Product Security team and Operations Security team ensures proper security and

compliance implemented in HEC products.



Identified issues are directly communicated into Product Development team to ensure immediate fixes.



Strong collaboration of Security team and Operations team ensures proper definition of security requirements

individually per Cloud product within HEC.



Security team consults the Operations team in defining and implementing the security measures per asset

individually.

© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public - Version 2.0 18

Why HANA Enterprise Cloud (HEC) is better…

B. Multi Layers of Defense

*IPS = Network Intrusion Prevention System **SMC = Security Monitoring Center (7*24)

DMZ - External Intrusion Prevention

HDMZ - Perimeter Firewall & Router ACL Protection

Data Center

Internal Administration Network – Internal Intrusion Detection

Customer A Data Customer B Data Customer C Data White Hat Hacker Penetration Tests White Hat Hacker Penetration Tests Operations Multi-factor Authentication Security Implementation Audit

& Security Reviews Access

Control & Logging Admin VPN / WTS

SMC** / SIEM***

IPS*

Internet

Why HANA Enterprise Cloud (HEC) is better…

C. Holistic Security & Compliance Approach (1/2)

 HEC leverages a multi-dimensional security and compliance approach to establish and maintain state-of-the-art Security & Compliance.

 The following two slides describe the key aspects of the holistic Security & Compliance Approach.

*) If local (i.e. country specific) or other applicable laws require stricter standards, Personal Data will be handled in accordance with those stricter laws.

Protection Goal

S

c

opi

ng

Protection Goal

HEC focuses on confidentiality and integrity of data as well as availability of customer systems and central infrastructure.

 Data Protection

HEC is fully committed to data protection and privacy.

SAP is a global company with its headquarters in Germany, which is a member of the European Union (EU). Therefore our Policy is based on definitions of European Data Protection legislation and defines the basic principles applicable for every SAP entity *). HEC respects data protection and privacy rights and safeguards any Personal Data of our customers.

 IP Protection

HEC in addition focuses on the protection of your intellectual property. Access to data is strictly limited according the need-to-know-principle. Strict separation of customer systems is

© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public - Version 2.0 20

Why HANA Enterprise Cloud (HEC) is better…

C. Holistic Security & Compliance Approach (2/2)

Demands & Enforcement

 Requirements / Measures

SAP has a strict policy framework which is broken down into detailed technical procedures for operations.

 Monitoring

Regular monitoring ensures timely identification of deviations and initiates fixes quickly.

 Audits

– During the Compliance & Certification Audits we ask external experts to verify our security effectiveness.

– Through regular supplier audits, we ensure the security effectiveness of suppliers and sub-contractors.

Scoping

 Technology

– Secure operability of HEC products is monitored. Issues are directly addressed to Product Development team.

– Our security scope covers all infrastructure components and tools required to operate and manage HEC.

 Processes

All relevant processes for cloud product development and cloud operations are within the security scope.

 People

Regular training and evaluation is key to ensure proper operations of HEC.

Protection Goal

S

c

opi

ng

Why HANA Enterprise Cloud (HEC) is better…

D. Customer can select storage region

The physical storage of customer

data is crucial to numerous

enterprises.

Therefore, our HEC customers

can choose if their data is stored

in cloud data centers located in

the USA or in Europe.

A.

The general rule is:

We have clear and company-wide guidelines

in place that define how we respond to

requests for customer data coming from law

enforcement authorities and regarding national

security concerns. We take our commitment to

our customers and legal compliance very

seriously. Customer data is only shared if the

request is legally valid. Our legal department

evaluates every inquiry in detail. In addition,

we will question a request if there are grounds

for assuming that they are not in conformity

with the law.

Details

•

Introduction

•

Overview

•

Security Offering

•

Approach

•

Certifications

Cloud Security Governance / Build One Delivery – Internal Controls

Compliance & Processes

Compliance- Processes

 Integrated Information Security Management System (acc. ISO27001)

 Controls embedded into operational processes and procedures

 Process Managers

located within the delivery unit

 Training is provided on regular basis to ensure proper implementation

 Control effectiveness is regularly tested

 Compliance audits

performed twice per year

 ISO audits performed on annual basis

© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public - Version 2.0 24

Cloud Security Governance / Build One Delivery – Internal Controls

Certification Overview & Roadmap

Certifications/ Attestations Roadmap Certifications / Attestations Purpose SOC1 / ISAE 3402 / SSAE16

Report on a service organizations internal controls that are likely to be relevant to an audit of a customer’s financial statements. (former SAS 70)

SOC 2 Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. Can be handed out to customers and prospects, use/distribution may be restricted.

SOC 3 Trust Services Report for Service Organizations. Used for marketing purposes, unrestricted use/distribution.

ISO 27001 Certification of a Information Security Management System. Used for marketing purposes, certification can be officially published.

ISO 9001 Certification of a Quality Management System

Used for marketing purposes, certification can be officially published.

PCI-DSS Required for customers: who handle cardholder information for debit, credit, prepaid, e-purse, ATM, and POS cards

Type I Type II Type I Type II

SAP Business by Design SAP Cloud for Customer SAP Cloud for Financials SAP Cloud for Sales SAP Cloud for Service

SAP Cloud for Social Engagement SAP Cloud for Travel & Expense

HANA Enterprise Cloud ISO9001; planned for Q4/2014: ISO22301

Ariba cloud solutions from SAP 1) PCI-DSS, Webtrust, SafeHarbor

Ariba - Quadrem cloud solutions from SAP

WebTrust SuccessFactors cloud solutions

from SAP 2)

SafeHarbor SAP People Cloud Solutions -

Employee Central

SafeHarbor SAP People Cloud Solutions -

Employee Central Payroll

SafeHarbor SAP HANA Cloud Platform &

Portal

SAP HANA Cloud Portal

SAP Cloud Offering SOC1/ISAE3402 Certifications and AttestationsSOC 2 _{ISO27001 Others}

1) Ariba Network / Ariba Sourcing Pro / Ariba Contract Management / Ariba Spend Visibility / Ariba Procure to Pay / Ariba Analysis / Ariba Category Management / Ariba Supplier Management / Ariba Travel and Expense / Ariba Invoice 2) SuccessFactors Performance & Goals / SuccessFactors Succession & Development / SuccessFactors Learning / SuccessFactors Onboarding / SuccessFactors Recruiting Marketing / SuccessFactors Workforce Planning / SuccessFactors Workforce Analytics / SAP Jam

May be added in future:

Certification planned for 2014: Certification available: Certification planned for 2016:

Thank you!

Contact information:

Ralph R. Salomon

VP Security, Risk & Compliance Office; CRISC Chief IT & Cloud Security Officer

SAP SE

E-mail: ralph.salomon@sap.com