HEC Security & Compliance




HEC Security & Compliance
SAP Security, Risk & Compliance Office
November 2014
Public, Version 2.0

Agenda: Introduction, Overview, Security Offering, Approach, Certifications, Details

Introduction

Dear Customer,

Information Security is not just a buzzword for the SAP Security, Risk & Compliance Office: it's our daily work, our passion, and the principle that drives us. We strive to provide the best security and data protection possible to SAP and our customers. Each customer is treated as if they were our only customer. That's the kind of commitment and importance we work to achieve, every single day.

We have consistently certified to internationally recognized standards such as ISO 9001 for Quality Management or ISO 27001 for Information Security, provide SOC1 and SOC2 reports twice a year, and use industry-accepted best practices such as COBIT or the ISF Standard of Good Practice for Information Security to assure the best possible security and risk management approach. You can rest assured that your information is in good, experienced hands.

Additional information about HANA Enterprise Cloud can be found at http://www.sap.com/hec

Regards,
Ralph Salomon
Chief IT & Cloud Security Officer; CRISC
SAP Security, Risk & Compliance Office
SAP SE, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany

© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public - Version 2.0


HANA Enterprise Cloud (HEC) High Level Overview

[Diagram: Corporate network; HANA Enterprise Cloud with Admin Firewall, Administrative Jump Hosts, Shared Administrative Infrastructure and Management Networks; Public Internet Access; customer landscapes #1, #2 and #3 connected via MPLS and VPN to Customer #1, #2 and #3]

The fundamental security architecture of the HEC infrastructure is the principle of a private cloud. This means each customer receives an isolated, logical grouping of several virtual machines and physical systems. All customer networks are completely isolated from each other. HEC administrative tasks are done using management networks.

#<no>: refers to one customer
MPLS: Multiprotocol Label Switching
VPN: Virtual Private Network

HANA Enterprise Cloud (HEC) High Level Overview: Integration

[Diagram: as on the previous overview slide, showing the Corporate network, the HEC administrative components (Admin Firewall, Administrative Jump Hosts, Shared Administrative Infrastructure, Management Networks), Public Internet Access, and customer landscapes #1, #2 and #3 linked to Customer #1, #2 and #3 via MPLS and VPN]

HEC and SAP
- HEC is isolated from the SAP Corporate Network.
- Access to HEC is only possible with 2-factor authentication.

HEC administration
- HEC administration is done using shared administrative infrastructure and management networks.

Customer Isolation
- Each HEC customer receives their own isolated landscape.
- The HEC customer landscape is fully integrated into the customer corporate network using WAN or VPN links.

#<no>: refers to one customer
MPLS: Multiprotocol Label Switching
VPN: Virtual Private Network
WAN: Wide Area Network

HANA Enterprise Cloud (HEC) Details: Customer Landscapes

[Diagram: Corporate network; HEC administrative components (Admin Firewall, Administrative Jump Hosts, Shared Administrative Infrastructure, Management Networks); customer landscape #1 consisting of a physical HANA server (e.g. 3 TB) and virtual machines (SAP Application Server); the SAP Cloud Frame Manager providing orchestration, provisioning, storage and virtualization across a HANA cell of physical HANA servers and virtualization server nodes 1, 2, 3 ... n]

Customer Landscape
- A customer landscape consists of physical servers running the HANA database and virtual machines running additional components (e.g. SAP Application Servers).
- There is only logical separation within a customer landscape.
- Systems run security-hardened configurations.

HANA Enterprise Cloud (HEC) Details: Network Integration

[Diagram: HEC administrative components (Admin Firewall, Administrative Jump Hosts, Shared Administrative Infrastructure, Management Networks); customer landscape #2 on VLAN for #2, reached through a VPN Router (VPN for #2) from Customer #2; customer landscapes #1.1 and #1.2 on VLAN for #1, reached through an MPLS Router (MPLS for #1) from Customer #1]

Network Integration
- Customer landscapes can be connected using IPSEC VPN and MPLS.
- Customers can have multiple customer landscapes that are joined in one customer routing domain (#1.1 and #1.2).
- Network filtering can be requested between the customer landscape and the customer corporate network.

#<no>: refers to one customer
IPSEC: Internet Protocol Security
MPLS: Multiprotocol Label Switching
VLAN: Virtual Local Area Network
VPN: Virtual Private Network

HANA Enterprise Cloud (HEC) Details: Public Internet Access

[Diagram: Inbound Public Internet Access passing through a Reverse Proxy Farm with Web Application Firewall; HEC administrative components (Admin Firewall, Administrative Jump Hosts, Shared Administrative Infrastructure, Management Networks); customer landscape #2 on VLAN for #2 and customer landscape #1 on VLAN for #1 behind a Router, with an optional #1.DMZ landscape in front of #1; Customer #1 and Customer #2 corporate networks]

Inbound Public Internet Access with normal security requirements
- If required, customers can request public Internet access.
- A shared reverse proxy farm based on F5 technology is used.
- The Web Application Firewall provides basic security that can be extended on customer request.

Inbound Public Internet Access with high security requirements
- Usage of a dedicated customer landscape as DMZ segment (#1.DMZ).
- Limited connectivity from #1.DMZ to the customer landscape with the customer backend (#1).

#<no>: refers to one customer
DMZ: Demilitarized Zone
VPN: Virtual Private Network


HANA Enterprise Cloud Security: Security Offering

Secure Operations
- Asset Management
- Change Management
- Incident Management
- Anti-Virus & Malware Management
- Backup / Restore Management
- Identity & Access Management
- Security Awareness Trainings

Network Security
- Network Filtering
- Intrusion Prevention Systems
- Web Application Firewall
- 2-factor Authentication
- Network Admission Control
- Proxies with Content Filtering
- Advanced threat management

Advanced IT Security Architecture
- Isolated, separated landscape per customer
- Security hardened systems
- Customer data flow control
- Regional data storage (e.g. EU-, US-Cloud)
- European data protection and privacy policy

Threat & Vulnerability Management
- Security Patch Management
- Penetration Testing
- Vulnerability Scanning
- 24 x 7 Security Monitoring Center

Certifications & Attestations (security measures are audited and confirmed through these)
- ISO certificates:
  - ISO9001 Quality Management System
  - ISO27001 Information Security Management System
- SOC1 (ISAE3402/SSAE16) Type I & Type II
- SOC2 Type I & Type II
- Industry specific certificates (on demand with business case foundation)

Secure Product Development Lifecycle

Physical Security
- Video and Sensor Surveillance
- Access Logging
- Security Guards
- Fire Detection and Extinguishing System
- Uninterruptible Power Supply
- Biometric Access Control in certain locations

Data Center Security Requirements

SAP Cloud Solutions and customer data need to be operated in an SAP Tier Level III, III+ or IV classified Data Center. SAP checks on site compliance with the SAP Data Center minimum physical security standard, which covers topics like:
- Perimeter & Location security
- Building entry point security
- Building Security
- Access Controls & Monitoring
- General access and access to dedicated SAP areas
- Fire Protection
- Electrical power supply
- Certifications of the DC provider
- Minimum availability requirements

| Requirement | Tier I | Tier II | Tier III | Tier III+ | Tier IV |
|---|---|---|---|---|---|
| Stand-alone Data Center building necessary | no | no | no | yes | yes |
| Amount of external electrical power suppliers | 1 | 1 | 1 | 1 | 2 |
| Amount of transformers to power the Data Center | n | n | n+1 | n+1 | 2n |
| UPS Battery System necessary | no | yes | yes | yes | yes |
| Minutes UPS must provide power | 0 | 5 | >10 | >10 | >10 |
| Amount of UPS Systems necessary | n | n | n+1 | n+1 | 2n |
| (Diesel-) Generators needed | no | no | yes | yes | yes |
| Amount of cooling systems needed | n | n | n+1 | n+1 | 2n |
| Server cooling is independent from an office AC | no | no | yes | yes | yes |
| Fire detection system needs to be installed | yes | yes | yes | yes | yes |
| Fire extinguishing system must be installed | no | yes | yes | yes | yes |
| On-site response time of Data Center personnel | <48h | <8h | <1h | <1h | <1h |
| Available WAN network connection lines | 1 | n+1 | n+1 | n+1 | 2n |
| Available LAN network connection lines | n | n+1 | n+1 | 2n | 2n |

HEC Data Centers: Current Status, Tier Level & Certifications

[Map: Americas (US, Eastcoast; US, Westcoast), EMEA + Russia (Europe 1, Europe 2, Russia), APJ (China, Japan 1, Japan 2, Australia); legend: Ready / Data Center reach / Data Centers in this geography are in planning or build phase]

| Data Center | US, Westcoast | US, Eastcoast | Europe 1 | Europe 2 | Japan 1 | Japan 2 | Australia |
|---|---|---|---|---|---|---|---|
| Tier Level | IV | III+ | III+ | IV | III+ | III | III+ |

Certifications & Attestations per site (transcribed left to right; the column boundaries were lost): SSAE16, PCI DSS, SSAE16, ISO 27001, ISO 9001, PCI DSS, ISO 27001, ISO 9001, SSAE 16, ISO 27001, SSAE16, ISO 27001, SSAE16, ISO 27001, SSAE16

HANA Enterprise Cloud Security


Why HANA Enterprise Cloud (HEC) is better

SAP has a long-standing tradition in the security of its solutions and takes customer demands on cloud security very seriously. The key differentiators of HEC:

A. Strong collaboration between the Security, Operations and Product Development teams
B. Multiple layers of defense to protect our customers' data
C. Holistic Security & Compliance approach: integrated, monitored and validated by external audits
D. Customers can select the region of data storage

Why HANA Enterprise Cloud (HEC) is better: A. Strong Collaboration

- Strong collaboration of the Product Security team and the Operations Security team ensures that proper security and compliance is implemented in HEC products. Identified issues are communicated directly to the Product Development team to ensure immediate fixes.
- Strong collaboration of the Security team and the Operations team ensures proper definition of security requirements individually per cloud product within HEC. The Security team consults the Operations team in defining and implementing the security measures per asset individually.
- Regular monitoring ensures timely identification of issues.

Why HANA Enterprise Cloud (HEC) is better: B. Multi Layers of Defense

[Diagram: defense layers from the Internet inward: DMZ, HDMZ, Data Center Internal Administration Network, Customer A / B / C Data, Admin VPN / WTS, Operations. Controls shown across the layers: External Intrusion Prevention, White Hat Hacker Penetration Tests, Perimeter Firewall & Router ACL Protection, Internal Intrusion Detection, IPS*, Security Implementation Audit & Security Reviews, Access Control & Logging, Multi-factor Authentication, SMC** / SIEM***]

*IPS = Network Intrusion Prevention System
**SMC = Security Monitoring Center (7*24)
***SIEM = Security Information and Event Management

Why HANA Enterprise Cloud (HEC) is better: C. Holistic Security & Compliance Approach (1/2)

HEC leverages a multi-dimensional security and compliance approach to establish and maintain state-of-the-art Security & Compliance. The following two slides describe the key aspects of the holistic Security & Compliance Approach.

[Diagram: Protection Goal / Scoping: Technology, Processes, People]

Protection Goal

Security (CIA): HEC focuses on confidentiality and integrity of data as well as availability of customer systems and central infrastructure.

Data Protection: HEC is fully committed to data protection and privacy. SAP is a global company with its headquarters in Germany, which is a member of the European Union (EU). Therefore our policy is based on the definitions of European Data Protection legislation and defines the basic principles applicable for every SAP entity *). HEC respects data protection and privacy rights and safeguards any Personal Data of our customers.

IP Protection: HEC in addition focuses on the protection of your intellectual property. Access to data is strictly limited according to the need-to-know principle. Strict separation of customer systems is understood!

*) If local (i.e. country-specific) or other applicable laws require stricter standards, Personal Data will be handled in accordance with those stricter laws.

Why HANA Enterprise Cloud (HEC) is better: C. Holistic Security & Compliance Approach (2/2)

[Diagram: Protection Goal / Scoping: Technology, Processes, People]

Demands & Enforcement

Requirements / Measures: SAP has a strict policy framework which is broken down into detailed technical procedures for operations.

Monitoring: Regular monitoring ensures timely identification of deviations and initiates fixes quickly.

Audits: During the Compliance & Certification Audits we ask external experts to verify our security effectiveness. Through regular supplier audits, we ensure the security effectiveness of suppliers and sub-contractors.

Scoping

Technology: Secure operability of HEC products is monitored. Issues are addressed directly to the Product Development team. Our security scope covers all infrastructure components and tools required to operate and manage HEC.

Processes: All relevant processes for cloud product development and cloud operations are within the security scope.

People: Regular training and evaluation is key to ensure proper operations of HEC.

Why HANA Enterprise Cloud (HEC) is better: D. Customer can select storage region

A. The physical storage of customer data is crucial to numerous enterprises. Therefore, our HEC customers can choose whether their data is stored in cloud data centers located in the USA or in Europe.

B. The general rule is: We have clear and company-wide guidelines in place that define how we respond to requests for customer data coming from law enforcement authorities and regarding national security concerns. We take our commitment to our customers and legal compliance very seriously. Customer data is only shared if the request is legally valid. Our legal department evaluates every inquiry in detail. In addition, we will question a request if there are grounds for assuming that it is not in conformity with the law.


Cloud Security Governance / Build One Delivery: Internal Controls

Compliance & Processes
- Integrated Information Security Management System (acc. ISO27001)
- Controls embedded into operational processes and procedures
- Compliance processes: Process Managers located within the delivery unit
- Training is provided on a regular basis to ensure proper implementation
- Control effectiveness is regularly tested
- Compliance audits performed twice per year
- ISO audits performed on an annual basis

Cloud Security Governance / Build One Delivery: Internal Controls, Certification Overview & Roadmap

SAP Cloud Offerings covered:
- SAP Business by Design
- SAP Cloud for Customer
- SAP Cloud for Financials
- SAP Cloud for Sales
- SAP Cloud for Service
- SAP Cloud for Social Engagement
- SAP Cloud for Travel & Expense
- HANA Enterprise Cloud
- Ariba cloud solutions from SAP 1)
- Ariba - Quadrem cloud solutions from SAP
- SuccessFactors cloud solutions from SAP 2)
- SAP People Cloud Solutions - Employee Central
- SAP People Cloud Solutions - Employee Central Payroll
- SAP HANA Cloud Platform & Portal
- SAP HANA Cloud Portal

Certifications and attestations tracked per offering: SOC1/ISAE3402 (Type I, Type II), SOC 2 (Type I, Type II), ISO27001, Others. Entries in the "Others" column as transcribed: ISO9001; planned for Q4/2014: ISO22301; PCI-DSS, Webtrust, SafeHarbor; WebTrust, SafeHarbor; SafeHarbor; SafeHarbor.

[Table: certification status per offering, with the legend "Certification available", "Certification planned for 2014", "Certification planned for 2016", "Certification not applicable", "May be added in future"; the status markers were not preserved in the transcription]

Certifications / Attestations and their purpose:
- SOC1 / ISAE 3402 / SSAE16: Report on a service organization's internal controls that are likely to be relevant to an audit of a customer's financial statements (former SAS 70).
- SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. Can be handed out to customers and prospects; use/distribution may be restricted.
- SOC 3: Trust Services Report for Service Organizations. Used for marketing purposes, unrestricted use/distribution.
- ISO 27001: Certification of an Information Security Management System. Used for marketing purposes; the certification can be officially published.
- ISO 9001: Certification of a Quality Management System. Used for marketing purposes; the certification can be officially published.
- PCI-DSS: Required for customers who handle cardholder information for debit, credit, prepaid, e-purse, ATM, and POS cards.

1) Ariba Network / Ariba Sourcing Pro / Ariba Contract Management / Ariba Spend Visibility / Ariba Procure to Pay / Ariba Analysis / Ariba Category Management / Ariba Supplier Management / Ariba Travel and Expense / Ariba Invoice
2) SuccessFactors Performance & Goals / SuccessFactors Succession & Development / SuccessFactors Learning / SuccessFactors Onboarding / SuccessFactors Recruiting Marketing / SuccessFactors Workforce Planning / SuccessFactors Workforce Analytics / SAP Jam

Thank you!

Contact information:
Ralph R. Salomon
VP Security, Risk & Compliance Office; CRISC
Chief IT & Cloud Security Officer
SAP SE
E-mail: ralph.salomon@sap.com
Phone: +49 6227 / 7-60479