Intelligence-driven Security at SAP: Good Practice
Maximilian Adrian, IT Security & Risk Office, SAP AG
July 2013

Agenda
1. Introduction
2. SAP IT Security & Risk Office
3. IT Security Approach @ SAP

2013 SAP AG. All rights reserved.
2. SAP IT Security & Risk Office: History / Organization / Relationships

SAP, a global company... Our focus area... IT Security for...
ONE Global Network: > 70 countries, > 220 subsidiaries, connecting
- 72,267 end-users
- 95,000 PCs/laptops
- 8,500 SAP systems
- > 30,000 servers
- mobile devices: 16,000 BlackBerrys, 19,000 iPads, 20,000 iPhones, 3,500 Androids, 5,000 BYOD
- a highly centralized segment of core business systems (incl. ERP, HR, CRM, BW)
SAP Global IT: Global Coverage & Site Leads
Time zones relative to CET: -9h, -6h, -3h, -1h, 0h, +5.5h, +7h, +8h
Locations:
- Vancouver
- Palo Alto
- Mexico City (Offshore hub)
- Newtown Square (Regional Key Hub)
- Buenos Aires (Service Desk)
- Dublin (Service Desk)
- Paris
- Walldorf (HQ & Regional Key Hub)
- Ra'anana
- Bangalore (Offshore hub)
- Singapore (Regional Key Hub)
- Shanghai (Service Desk)
Legend: Headquarters / Regional Key Hub / Offshore Location / Location > 20 FTE
19 Global IT Site Leads represent every Global IT location (HC > 10) in a Site Lead network to foster team spirit and improve cross-team communication.

SAP Global IT and IT Security & Risk Office: Organization overview
CIO
- CIO Office
- Business Information Officers
- IT Application Services
- IT Infrastructure Services
- IT Enterprise Architecture
- IT Management Office
- IT Security & Risk Office (R. Salomon)
  - Assistant
  - Business Information Security Officers
  - IT Representative
  - IT Risk & Quality Management, Audits (M. Adrian)
  - IT Security Services
  - Business ORG Units
  - Regional ORG Units: Regional Security Officer EMEA, Regional Security Officer AMER, Regional Security Officer APJ
SAP Global IT Security & Risk Office: Where we come from
Global IT Security, Quality, Risk & Process Approach, 2005 to 2013
Phases:
- Set up global unified Security & Quality Mgmt.
- Realign IT processes: Operation Support, Project Support, Process Definition, IT Audits
- Develop and implement an Integrated Information Security Mgmt. System
- Initiate IT Process Efficiency Program; processes improved; Internal Control System improved
- Restructure / build Performance Measurement; expand IISMS on functional level; state-of-the-art BCM requirements
- Establish IT Risk & Security Governance across SAP; support Product Security Initiative; streamline operational Risk Mgmt.
- Restructure team; re-focus IT Security Strategy; establish IT Security Monitoring Center; establish Digital Rights Mgmt. Service; establish federated Risk Mgmt.; increase awareness
- Launch IT Security Strategy 2015; establish cross-LoB IT Risk Mgmt.; security-relevant processes across SAP; finalize Network Admission Control; strengthen Vulnerability & Threat Mgmt.
Achievements and certificates:
- ISO 9001 (Corporate & Americas)
- ISO 27001 (Corporate); new SoA on detailed risk level; ISO 27001 certificate (Americas)
- Improved documentation; Process Management added; integrated Risk-Control mapping; improved Process Map (AS)
- ISO 22301 certificate (Corporate)
- IT Security Award 2012 at it-sa
- Ovum BYOX Strategy Award 2013

Results:
- Global IT AS Process Landscape
- IT Security Framework across SAP
- IT Security Strategy 2012 and 2013-2015
- ISO 9001 certification (Global IT Corporate & Americas)
- ISO 27001 certification (Global IT Corporate & Americas)
- ISO 22301 (Global IT Corporate), first company in Germany
- SOX compliance of Global IT
- Strategic & Operational Risk Management
- Effective IT Security Governance structure & process
- Global Security Monitoring Center
- IT Security Award 2012 for Integrated Management System
- Ovum BYOX Strategy Award 2013
Goals:
- Achieve KonTraG / SOX compliance of Global IT
- Achieve adequate security implementation for main infrastructure, systems & applications
- Establish a unique IT Security level across SAP
IT Governance tools:
- Quality: ISO 9001
- Security: BS 7799 / ISO 27001
- IT SCM: ISO 22301
- Service Management: ITIL / ISO 20000
- Overall framework: COBIT, ISACA

Security House of Services: IT Security & Risk Office, Global IT SRO
Vision - Mission - Goals
Services:
- IT Security Management: Applications, Infrastructure, Interface; Advisories; Process Portfolio Management; Concepts; Project Support; Research; Vulnerabilities; Reporting; Process Design
- Security Monitoring Center: CERT / CSIRT
- IT Security Governance: Strategic, Tactical, Operational
- Certifications: ISO 27001, ISO 9001, ISO 22301; Audits: SOX Compliance, Projects, Processes, Supplier; Pen-testing of Systems/Apps.
- IT Service Continuity Management: Emergency Communication, Service Recovery Plan
- IT Compliance Management: Internal Control System, Data Classification & Access Procedures, Compliance Monitoring
- IT Risk Management: Strategic, Operational, Vulnerabilities, Quality
Foundation: IT Security Requirements, Laws & Regulations, Policies & Standards & Good Practices, Management Framework [IISMS]
3. IT Security Approach @ SAP

Integrated Information Security Management System (tooling: GRC 10.0, ARIS)
Laws & Regulations, Standards & Best Practices for Global IT -> Global IT Integrated Information Security Management System [IISMS]
- Supporting best practice: ITIL 3.0 best practices; optimize the Global IT Process Landscape to support a simplified, efficient, and secure work environment
- IT Process Management: Process Portfolio Management, Process Design, IT Process Landscape, SAP Process Landscape
- Standards: ISO 27001, ISO 22301, ISO 9001; Process Governance: COBIT (supporting best practice); PDCA
- SOX-relevant IT processes: COSO Framework, Corporate SOX processes, central MIC team
- Laws & Regulations: SOX / KonTraG *), Global IT Corporate
*) Others: ADA (USA/California), ISO 20000, EU Guideline 8 etc.

What is the Right Security? Keep the right balance & enable risk-based decisions
- Security involves everyone & everything
- Security is a quality aspect of all of our businesses, not a separate Line of Business
- Security needs trust, not fear
- Security has four dimensions: People / Processes / Technology / Organization Design & Strategy
- Business decisions are about taking risks
- There is an inherent conflict in secure business: 100% security is not the goal for a software business like ours; 100% security prevents business; 100% security is not affordable
Roles: End-User role (Quality Management, Efficiency & Effectiveness, Risk Management); Advisory role (Compliance / IT Security Governance / Business Continuity)
Our Values, e.g. Integrity, Excellence, Trusted Advisor, Innovation
Goal: we need to find the right balance; the basis is risk transparency! Weigh security implications (costs, embarrassment, control) and awareness, process enforcement and technology enabling against business priorities, speed and innovation.
IT Security & Risk approach @ SAP
For continuous improvement of the IT Security Strategy, multiple aspects need to be considered:
- Risk-oriented: regular risk management enables identification of key priorities.
- Best practices: cross-checks with international standards ensure completeness of the measures and activity areas; reviews by IT Security strategy consultants ensure we stay focused.
- Demand-driven: synchronization with the business roadmaps and the technology roadmaps enables proactive research and planning.
- Stay tuned: to ensure up-to-date information on the IT Security risk status, the risk evolution & technology evolution are reviewed at least twice a year.
- Consumable: IT Security must not be a burden for the end user; find ways to make IT Security more digestible and usable.

IT Security & Risk approach @ SAP: Defense against a changing threat environment
A. Focus on protection of the key assets...
Company boundaries vanish. Complete protection of all data is too expensive and difficult to assure. Security teams have to work closely with the business to identify the organization's most critical information and systems ("key assets") in order to protect them. One hundred percent protection for all systems and information can no longer be guaranteed!
Change: from Antivirus to Alarming System

Data Leakage Prevention Strategy @ SAP: Defense against a changing threat environment
A. Focus on protection of the key assets/information...

IT Security & Risk approach @ SAP: Defense against a changing threat environment
B. Holistic, situational IT security concepts
1. Advancement of the IT Security Strategy. Operational: combination of the object to be protected, its vulnerabilities, the threat and the risk situation
2. Establish new monitoring methods
3. Strengthen access controls
4. Increase employees' awareness
5. Raise awareness among top management
6. Rethink IT architecture
(IT SRO)
IT Security & Risk approach @ SAP: Defense against a changing threat environment, leveraging "SAP runs SAP"
D. Holistic, situational IT security: top technology measures
Layers: Data/Information, Application, Infrastructure, Network
Technology and tactical measures:
- Data Classification
- Email Encryption (PGP)
- Service & Tool classification
- Custom Code Scanning
- December Patch Implementation and Activation
- IT Security Governance
- Client Security (e.g. PGP HD encryption)
- Mobile Device Security (Afaria)
- Denial of Service Defender
- WLAN Security
- WAN Encryption
- Digital Rights Management to protect sensitive documents
- DLP for Partner Access (e.g. WTS India)
- Identity & Access Management (esp. role-based access control)
- Mail Malware defense
- Strong Authentication
- Secure VoIP
Strategic measures:
- Cloud Computing / Virtualization
- Identity & Access Management
- Network Access Control
- Network Separation
- Threat & Vulnerability Mgmt. / SMC
SAP Security Tools: SAP NetWeaver IdM, SAP NetWeaver SSO, SAP ID Service, SAP GRC 10 Risk Management, SAP GRC 10 Process Controls, SAP GRC 10 Access Request Management, SAP Sybase Afaria, SAP Sybase Unwired Platform, SAP NetWeaver Gateway, SAP Solution Manager

IT Security Architecture @ SAP
Zones: Zone 4 - DMZ; Zone 3 - Hidden DMZ; Zone 2 - Office Net; Zone 1 - High Secure
Perimeter and DMZ: Firewalls, Spam protection, email encryption, Intrusion Prevention System, VPN Access Protection, Social - SAP JAM
Client: AV/PFW, HDD encryption, Web filtering, IP Phone / Messenger
Mobile: Mobile Management (SAP Afaria), Mobile Data (SAP Box, Encryption Viewer)
Identity and access: SAP SSO / SAP ID / PKI Certification Management, 2-Factor Authentication, IAM (SAP NW IDM & SAP GRC 10.0)
Data: Document encryption, Share Monitoring, Printer 2-Factor Protection, Data Leakage Prevention
Systems: Hardening / Patch Management / Access Management, AV, Code Scanner (ABAP, Apps)
Network: Network Admission Control
Monitoring: SIEM Solution
People: IT Security & Risk Awareness Campaigns

IT Security & Risk approach @ SAP: Defense against a changing threat environment
D. Information exchange about the threat situation and security trends
- Information exchange with IT security teams of customers / DAX companies
- Federal Criminal Police Office of Germany (BKA)
- Federal and State Office for the Protection of the Constitution (in German: BfV/LfV)
- Federal Office for Information Security (BSI)
- Symantec, McAfee, security software companies
- National and international hacking communities
- Security Information Broker
- Information Security Forum (ISF) workgroups
- Information sourcing via Gartner, CEB and ISACA
Thank you!
Contact information:
Maximilian Adrian, Director IT Security & Risk Office; CRISC
Global IT, SAP AG
E-mail: maximilian.adrian@sap.com
Phone: +49 6227 / 7-48448
2013 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Data contained in this document serves informational purposes only. National product specifications may vary. All product and service names mentioned are the trademarks of their respective companies.