SAP CLOUD DATA CENTER STRATEGY
SAP DATA CENTER AVAILABILITY REQUIREMENTS (TIER LEVEL)
Tier Level Definition
SAP DATA CENTER SECURITY REQUIREMENTS
Data Center Location
Perimeter Security
Building Entry Points
Building Security
Access control
Power supply
Fire protection
Protection against water
SAP DATA CENTER COMPLIANCE REQUIREMENTS
Compliance Definitions & Requirements
SAP Data Center Audit Process
SAP DATA CENTER SECURITY SERVICE LEVEL AGREEMENTS (S-SLA)
SAP DATA CENTER SECURITY INCIDENT HANDLING
In the past, business software for everything from HR management to accounting and customer relationship management was accessible only to companies with deep pockets—firms that were capable of making massive up-front investments. Today, technology has leveled the playing field. But has security caught up with the new playbook? At SAP, we believe it has.
Thanks to cloud computing, core business applications are now available to everyone, from the largest enterprises to small and midsize businesses. Simply put, the applications—and their associated data—are delivered over the Internet or dedicated (leased) telecommunication lines. Cloud Computing (or simply Cloud) has become a business model as well as an application delivery model. Cloud Computing offers the unique quality of multi-tenancy, which primarily differentiates it from the application service provider (ASP) model or from in-house applications. Depending on the technology layer at which the service is delivered, Cloud Computing distinguishes between Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). All delivery types have in common that they are operated out of an SAP Data Center that fulfills the highest security and data protection demands.
Security concerns in a Cloud model are similar to those for the ASP model. Will people steal information? Will leaks compromise confidential data? Who can access the customer data in the Data Center? Is the data stored or transferred into other countries?
The top security concerns for the Cloud model focus on identity management, data storage location, system operations and data transmission and flow controls.
SAP understands the critical importance of information protection and recognizes the contribution that information security makes to an organization’s strategic initiatives and overall risk management. In Cloud solutions from SAP, there are security controls and practices for its offerings that are designed to protect the confidentiality, integrity, and availability of customer information. These controls also apply to any Data Center sub-contractors (Co-Location Strategy) that provision services for SAP.
This paper explores how SAP secures the Cloud Data Centers and which processes are in place to maintain the required security and compliance level.
SAP CLOUD DATA CENTER STRATEGY
SAP Cloud uses a Co-Location strategy by using SAP owned Data Centers in combination with rented private space at external Data Center Providers around the world. This ensures a global reach and fast growth into various countries. SAP only uses well known Data Center providers that can fulfill the minimum SAP Data Center Service Availability (at least SAP Tier Level III) and baseline physical security measures as outlined in this document. Additionally SAP demands industry standard certifications to support the external cloud business and to show our customers the secure and reliable operations and control framework of our Data Center Partner.
The following picture shows the available and planned Data Center locations based on the SAP Cloud powered by HANA (formerly known as SAP Cloud).
SAP tracks for each Data Center the corresponding Tier Level and available certifications. Additionally SAP also plans on-site audits to validate the security measures outlined in this paper.
The customer can choose in which region (Americas, EMEA, APJ …) the data should be stored and processed. SAP ensures that the Backup Data Centers are also in the same region and work based on the applicable law of the hosting country. For example, the SAP Cloud systems in St. Leon Rot, Germany use the Backup Data Center in Amsterdam. German and EU laws apply here. A similar setup is implemented for US customers that use the Data Center locations on the east and west coast.
SAP does not transfer customer data outside the pre-defined region or share it with unauthorized third parties.
The Data Center Partner has no administrative access to the SAP Cloud Servers; the Co-Location Partner services focus only on provisioning of power, cooling, and Data Center space.
SAP DATA CENTER AVAILABILITY REQUIREMENTS (TIER LEVEL)
SAP only uses Data Center Providers that fulfill at least the Tier Level III requirements. Some Data Centers are even compliant to Tier Level III+ or IV.
SAP checks against these requirements in the initial RFP / Onboarding of new Data Centers and also verifies the setup on-site with the Data Center Provider on a regular basis.
SAP implements additional sensors and monitors the Data Center situation to ensure the compliance to the SLAs and overall system availability.
Tier Level Definition
SAP has defined the following Tier Levels and corresponding requirements regarding the power supply, cooling, incident response times or network connectivity.
| Minimum availability requirements | Tier I | Tier II | Tier III | Tier III+ | Tier IV |
|---|---|---|---|---|---|
| Stand-alone Data Center building necessary | no | no | no | yes | yes |
| Amount of external electrical power suppliers | 1 | 1 | 1 | 1 | 2 |
| Amount of transformers to power the Data Center | n | n | n+1 | n+1 | 2n |
| UPS Battery System necessary | no | yes | yes | yes | yes |
| Minutes UPS must provide power | 0 | 5 | >10 | >10 | >10 |
| Amount of UPS Systems necessary | n | n | n+1 | n+1 | 2n |
| (Diesel-) Generators needed | no | no | yes | yes | yes |
| Amount of cooling systems needed | n | n | n+1 | n+1 | 2n |
| Server cooling is independent from an office AC | no | no | yes | yes | yes |
| Fire detection system needs to be installed | yes | yes | yes | yes | yes |
| Fire extinguishing system must be installed | no | yes | yes | yes | yes |
| On-site response time of Data Center personnel | <48h | <8h | <1h | <1h | <1h |
| Available WAN network connection lines | 1 | n+1 | n+1 | n+1 | 2n |
| Available LAN network connection lines | n | n+1 | n+1 | 2n | 2n |

Legend:
‘1’ = exactly one item or component of this type is needed; no redundancy in place;
‘n’ = no redundancy in place; no spare or standby component available; all components (n) are in use and if one fails, the whole system (power, cooling, network) goes down;
‘n+1’ = if you required 'n' items of equipment for something to work, you would have one additional spare item. If any one item of equipment breaks down, everything can still work as intended;
‘2n’ = you have twice as many items as you need. Therefore ‘n’ items can fail without interruption.
Cloud hosted customer environments need to be operated in an SAP Tier Level III, III+ or IV classified Data Center to meet the physical security and operational compliance requirements of the customer industries.
SAP DATA CENTER SECURITY REQUIREMENTS
Besides the availability requirements outlined in the Tier Level III definition, SAP demands additional location, building and access specific security measures as baseline for a SAP Cloud Data Center. Therefore the items listed in this chapter summarize the minimum requirements which we implement and audit. Our Co-Location Data Center Providers (sub-contractors) are chosen based on this requirements list. It is part of the initial RFP Data Center selection and later on part of the ongoing operation.
Data Center Location
The Data Center location shall not be subject to increased environmental threats like storms, blizzards, earthquakes or flooding.
Perimeter Security
The Data Center should have a fence surrounding the building. In case there are no fences, the wall of the Data Center rooms shall not be located against the outside walls of the building.
If fences are used, they must have a height of at least 2 meters (7 feet).
A Perimeter Intrusion Detection System must be deployed based on e.g. motion sensors, passive infrared, microwaves or ultrasonic detection.
A CCTV System must be deployed to monitor the perimeter and access points.
Access to the CCTV management system and stored videos shall be restricted on need-to-do principles.
Building Entry Points
The Data Center provider will take special measures to protect against unauthorized entry into rooms or areas housing systems that perform central functions necessary to provide the internal and external services under the system support contract.
All doors must be solid core; hollow core doors are not acceptable, because they provide only minor protection against intruders.
Doors must have the same fire-resistance rating as the adjacent walls to ensure that the whole room or compartment resists a fire for the same time span. This applies to the outer doors as well as the internal server room or SAP private area doors.
Lighting in doorways shall always be implemented.
Exterior doors that open out should have sealed (welded) hinge pins and dog bolts so that they can't be removed.
The loading area, which is used to transport e.g. the IT equipment into the Data Center, must follow the same access controls and CCTV requirements as the other main entry points (see access control chapter).
Building Security
Core Components of the Data Center shall not be older than 15 years or in derelict condition, so that the risk of poor electrical wiring, deteriorating materials, and rusted plumbing is reduced. The Data Center room or hall should not have any outer windows.
In case the Data Center Building has no fences but outer windows installed, they must be fitted with intrusion detection and glass breaking sensors.
Internal intrusion detection systems and CCTV must be deployed and monitored 7x24. CCTV footage must be archived for at least 90 days, unless legal restrictions exist. Private SAP areas (e.g. cages) must have access controls (see access control chapter).
Private SAP areas shall have physical separation to other Data Center customers. Walls, fences or cages must have a height of at least 2 meters (7 feet) and must be monitored by CCTV.
Ensure continuous lighting or deploy infrared/night vision lighting for continuous CCTV monitoring capabilities.
Wiring closets, utility or power rooms must be locked and shall follow the same access controls as server rooms.
A Security Monitoring Center / Room must be operated and staffed 7x24.
A burglar alarm and intrusion detection system must be installed, monitored 7x24 and shall be linked to notify a security service or the local police.
Wireless LANs in the Data Center shall be either deactivated or (if not possible) secured by using strong encryption (e.g. WPA2 with AES-256) and strong authentication (e.g. protected EAP), with basic logging activated (e.g. for login events).
Access control
The Data Center provider must make sure that only a defined group of persons can physically access the Data Center core IT Infrastructure (e.g. access control servers, CCTV data storage) required to provide the services under the support contract. It must be ensured that this access is granted only to those employees with appropriate training.
The service provider is obliged to log the names and times of persons entering the private SAP areas. Therefore an access request workflow to the SAP Cloud Data Center facilities must be implemented and aligned with SAP. Requests are approved by at least the SAP HR Manager or the SAP Cost Center Manager or the SAP Data Center Security Manager.
Additionally a Data Center revoke access process must be implemented and aligned with SAP. At least every year the user access list must be reviewed with the SAP Data Center Infrastructure Team. Users that do not need access any more must be revoked.
The Data Center access logs and visitor logs must be kept for at least 3 months. The Data Center access control system must use electronic key cards or biometrics.
Mantraps must be used at least on the main Data Center access points. Turnstiles are not sufficient. Access logs to the SAP private area must be made available to SAP. An interface must be defined e.g. to exchange these logs manually or via an automated process or tool-based workflow.
If physical keys and locks are used e.g. for emergency access, these keys must be stored in a guarded secure place and all usage shall be documented.
Power supply
The Data Center provider is obliged to take measures to ensure that power is continuously supplied to all systems required to provide the internal and external services under the system support contract. In this
Fire protection
The SAP Cloud Data Center will ensure adequate fire protection in rooms or areas housing systems that perform central functions necessary to provide the internal and external services under the system support contract.
When using portable fire extinguishers, it must be ensured that they are suitable for use in a Data Center area or server room containing technical equipment and that they are regularly maintained and inspected.
When using automatic extinguishing systems, it must be ensured that only those systems are used that do not damage the computer systems if they have to be activated. Possible solutions are gas like INERGEN, FM200, Argon or water mist dispensing or sprinkler systems in compliance to local applicable laws.
The use of water sprinkler systems is not preferred by SAP, because it will damage the SAP equipment and therefore impact the cloud service’s availability and maybe even the customer data integrity.
It must be ensured that adequate fire alarm systems are installed in the rooms and areas described. Fire resistant materials in walls, floor, ceiling and doors must be used.
Fire detection sensors like gas, smoke or heat sensors must be installed.
The entire system must be maintained and inspected at regular intervals recommended by the manufacturer.
Protection against water
Water-carrying pipes of any description must be avoided in rooms or areas housing systems that perform central functions necessary to provide the internal and external services under the system support contract. If it is not possible to avoid water-carrying pipes, precautions must be taken to ensure that any leaks are detected as soon as possible and to minimize the negative impact thereof.
SAP DATA CENTER COMPLIANCE REQUIREMENTS
Compliance Definitions & Requirements
Based on the services SAP is delivering out of the Data Center, the provider is required to regularly provide SAP with a valid SOC 1 (SSAE 16 or ISAE 3402) Type II and/or SOC 2 Type II Report (at least annually). Additionally a valid ISO 27001 certification shall be provided to SAP regularly.
| SAP delivers services out of the Data Center that | SOC 1 – Type II / SSAE 16 / ISAE 3402 | SOC 2 – Type II |
|---|---|---|
| have a material impact on financial reporting | X | X |
| do not have a material impact on financial reporting | | X |
The following control objectives shall be assured by the SOC 1 (SSAE 16 or ISAE 3402) and/or SOC 2 audit reports (part of the mandatory requirements in Sections 1.1 – 1.9):
Access request workflow to the SAP private area, incl. approval step through SAP
Access control system for the SAP private area with electronic access cards, including access logging. Access to SAP private area is revoked timely.
An intrusion detection system monitors SAP private area for unexpected access. The intrusion detection system is maintained at least annually.
Video cameras monitor the surrounding area of the SAP private area. Video cameras are maintained at least annually.
Backup power supply is available for the SAP private area. Backup power generators are maintained at least annually.
The SAP private area is equipped with appropriate fire emergency systems. Fire emergency systems are maintained at least annually.
The SAP private area is equipped with air conditioning systems. Air conditioning systems are maintained at least annually.
A grace period of 12 months is granted after contract closure to provide respective reports, if the Data Center Provider does not hold an ISAE3402 / SSAE16 / SOC1 Type 2 attestation or an ISO 27001 certification at the time of the contract closure. The Data Center Provider should provide SAP with a valid PCI DSS if needed by the SAP Cloud Solution or obtain a PCI certification in this case within 3 months.
SAP Data Center Audit Process
SAP requests the above mentioned compliance reports and certifications from the Data Center Provider and also performs on-site reviews at least every 2 years to validate and check the security measures as outlined in this document. These on-site audits are performed by SAP employees and planned with the Data Center Manager / Provider. In general 2 days are scheduled for the on-site visit of the Data Center, the SAP Server Rooms (private area, cages).
The SAP Auditors fill out a report based on the Data Center security requirements checklist to document any deviations and findings. Pictures and additional evidence are archived as well. If mandatory security requirements are not fulfilled, the SAP Auditors will discuss the risk and potential countermeasures
SAP DATA CENTER SECURITY SERVICE LEVEL AGREEMENTS (S-SLA)
The following list contains the minimum SLAs for security relevant components within the SAP Data Centers and must be seen as complementary to the overall SLAs that focus e.g. on power or cooling availabilities.

| Topic | Details | Operations | Max. Repair duration | Availability | Inspections | Other comments |
|---|---|---|---|---|---|---|
| CCTV | CCTV footage must be archived for at least 30 days; Monitoring room to be staffed 7x24 | 7x24 | 5 working days | 99,98% | At least annually | Availability refers to the whole camera system, not to a single camera only. |
| Intrusion Detection System | The system must be deployed based on e.g. motion sensors, passive infrared, microwaves or ultrasonic detection; installed, monitored 7x24; linked to notify a security service or the local police | 7x24 | 5 working days | 99,98% | At least annually | |
| Access Control System | System refers to the access control system and components providing access to the SAP private area; Data Center access logs and visitor logs must be kept for at least 3 months; Badge swipes are automatically recorded in a log file. | 7x24 | 5 working days | 99,98% | At least annually | If not renewed via the Request Access workflow, permanent access is terminated automatically after a maximum time frame of one year. (see CISOR PS3) |
| Fire Protection | Includes: Automatic extinguishing systems; Fire/smoke/gas sensors | 7x24 | 5 working days | 99,98% | At least annually | Fire extinguishers are to be inspected annually, too. |
SAP DATA CENTER SECURITY INCIDENT HANDLING
The following incident examples are security-related (the list does not claim to be complete):
- Infrastructure-related incidents
  Access control system incidents
    o Key card system down/broken;
    o Loss of access logs or visitor logs;
    o Malfunctioning mantraps or doors leading to the SAP private area;
    o Malfunction of the two-factor access controls (if applicable).
  Security system incidents
    o CCTV camera outage;
    o Malfunction of the fire detection system;
    o Malfunction of the Intrusion Detection System;
    o Loss of physical keys that allow access to the Data Center or even SAP private area.
  Integrity of the Data Center building detected
    o Holes in the walls;
    o Broken doors;
    o Construction work affecting the security of the SAP private area.
- “Mission-critical” incidents
  Fire outbreak in the Data Center affecting the SAP private area;
  Burglary detected;
  Stolen SAP equipment detected;
  Unplanned / Unauthorized move of SAP equipment;
  Terrorist attacks (e.g. car bomb near the Data Center building);
  Natural disasters impacting the Data Center operations.
All listed security-related incident types are considered critical and are to be dealt with as described:

| Measure | Occurs for | Response Time/Frequency | Details |
|---|---|---|---|
| Immediate notification | Infrastructure-related incidents | Within 24h after detection of incident. | Inform SAP via mail to: [email protected]. Use Subject line: “Security Incident:” <Location Name> <Type of Security Incident>. In the Mail-Body describe the Incident; the current status; the next steps and the contact persons on DC Provider site. The SAP GDS (Global Data Center Services) Team will forward the Incident to the SAP Security Team and follow up with the DC Provider. |
| Notification | “Mission-critical” incidents | As soon as alarm is initiated (e.g. if fire alarm is initiated, the fire department & SAP must be called immediately). | Inform SAP immediately via 7x24 Hotline: +49 6227 7 41313 or +1 610-661-1633. Inform SAP also via mail to: [email protected]. Use Subject line: “Security Incident:” <Location Name> <Type of Security Incident>. In the Mail-Body describe the Incident; the current status; the next steps and the contact persons on DC Provider site. The SAP GDS (Global Data Center Services) Team will forward the Incident to the SAP Security Team and follow up with the DC Provider. |
| Report | All incident types | Monthly | Purpose: documentation of all incidents. Content of the report: Nature of the incident (incident description); Current status (has the incident been solved or are still actions to be done?); Root cause (why did this incident occur?); Improvements (actions to be undertaken in order to prevent further incidents of same nature). |

ABOUT SAP
SAP is at the center of today’s technology revolution, developing innovations that not only help businesses run like never before, but also improve the lives of people everywhere. As the market leader in enterprise application software, we help companies of all sizes and industries run better. From back office to boardroom, warehouse to storefront, desktop to mobile device—SAP empowers people and organizations to work together more efficiently and use business insight more effectively to stay ahead of the competition. SAP applications and services enable more than 248,500 customers to operate profitably, adapt continuously, and grow sustainably. For more information, go to www.SAP.com.
© 2013 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.