SAP Cloud: Data Center Security SAP Cloud Data Center Strategy and Security Whitepaper Customer V5.0/2014
Tableofcontent SAP CLOUD DATA CENTER STRATEGY... 4 SAP DATA CENTER AVAILABILITY REQUIREMENTS (TIER LEVEL)... 5 Tier Level Definition... 5 SAP DATA CENTER SECURITY REQUIREMENTS... 6 Data Center Location... 6 Perimeter Security... 6 Building Entry Points... 6 Building Security... 6 Access control... 7 Power supply... 7 Fire protection... 8 Protection against water... 8 SAP DATA CENTER COMPLIANCE REQUIREMENTS... 9 Compliance Definitions & Requirements... 9 SAP Data Center Audit Process... 9 SAP DATA CENTER SECURITY SERVICE LEVEL AGREEMENTS (S-SLA)...10 SAP DATA CENTER SECURITY INCIDENT HANDLING...11 ABOUT SAP...12 Customer 2
In the past, business software for everything from HR management to accounting and customer relationship management was accessible only to companies with deep pockets firms that were capable of making massive up-front investments. Today, technology has leveled the playing field. But has security caught up with the new playbook? At SAP, we believe it has. Thanks to cloud computing, core business applications are now available to everyone, from the largest enterprises to small and midsize businesses. Simply put, the applications and their associated data are delivered over the Internet or dedicated (leased) telecommunication lines. Cloud Computing (or simply Cloud) has become a business model as well as an application delivery model. Cloud Computing offers the unique quality of multi-tenancy, which primarily differentiates it from the application service provider (ASP) model or from in-house applications. Depending on the technology layer the service is delivered Cloud Computing distinguishes Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). All delivery types have in common, that they are operated out of an SAP Data Center that fulfills highest security and data protection demands. Security concerns in a Cloud model are similar to those for the ASP model. Will people steal information? Will leaks compromise confidential data? Who can access the customer data in the Data Center? Is the data stored or transferred into other countries? The top security concerns for the Cloud model focus on identity management, data storage location, system operations and data transmission and flow controls. SAP understands the critical importance of information protection and recognizes the contribution that information security makes to an organization s strategic initiatives and overall risk management. In Cloud solutions from SAP, there are security controls and practices for its offerings that are designed to protect the confidentiality, integrity, and availability of customer information. These controls also apply to any Data Center sub-contractors (Co-Location Strategy) that provision services for SAP. This paper explores how SAP secures the Cloud Data Centers and which processes are in place to maintain the required security and compliance level. Customer 3
SAP CLOUD DATA CENTER STRATEGY SAP Cloud uses a Co-Location strategy by using SAP owned Data Centers in combination with rented private space at external Data Center Providers around the world. This ensures a global reach and fast growth into various countries. SAP only uses well known Data Center providers that can fulfill the minimum SAP Data Center Service Availability (at least SAP Tier Level III) and baseline physical security measures as outlined in this document. Additionally SAP demands industry standard certifications to support the external cloud business and to show our customers the secure and reliable operations and control framework of our Data Center Partner. The following picture shows the available and planned Data Center locations based on the SAP Cloud powered by HANA (formerly known as SAP Cloud). SAP tracks for each Data Center the corresponding Tier Level and available certifications. Additionally SAP also plans on-site audits to validate the security measures outlined in this paper. The customer can choose in which region (Americas, EMEA, APJ ) the data should be stored and processed. SAP ensures that the Backup Data Centers are also in the same region and work based on the applicable law of the hosting country. For example the SAP Cloud systems in St. Leon Rot Germany use the Backup Data Center in Amsterdam. German and EU laws apply here. A Similar setup is implemented for US customers that use the Data Center locations on the east and west coast. SAP does not transfer customer data outside the pre-defined region or shares it with unauthorized third parties. The Data Center Partner has no administrative access to the SAP Cloud Servers; The Co-Location Partner services focus only on provisioning of power, cooling, and Data Center space. Customer 4
SAP DATA CENTER AVAILABILITY REQUIREMENTS (TIER LEVEL) SAP only uses Data Center Providers that fulfill at least the Tier Level III requirements. Some Data Centers are even compliant to Tier Level III+ or IV. SAP checks against these requirements in the initial RFP / Onboarding of new Data Centers and also verifies the setup on-site with the Data Center Provider on a regular base. SAP implements additional sensors and monitors the Data Center situation to ensure the compliance to the SLAs and overall system availability. Tier Level Definition SAP has defined the following Tier Levels and corresponding requirements regarding the power supply, cooling, incident response times or network connectivity. Minimum availability requirements Tier I Tier II Tier III Tier III+ Tier IV Stand-alone Data Center building necessary no no no yes yes Amount of external electrical power suppliers 1 1 1 1 2 Amount of transformers to power the Data Center n n n+1 n+1 2n UPS Battery System necessary no yes yes yes yes Minutes UPS must provide power 0 5 >10 >10 >10 Amount of UPS Systems necessary n n n+1 n+1 2n (Diesel-) Generators needed no no yes yes yes Amount of cooling systems needed n n n+1 n+1 2n Server cooling is independent from an office AC no no yes yes yes Fire detection system needs to be installed yes yes yes yes yes Fire extinguishing system must be installed no yes yes yes yes On-site response time of Data Center personnel <48h <8h <1h <1h <1h Available WAN network connection lines 1 n+1 n+1 n+1 2n Available LAN network connection lines n n+1 n+1 2n 2n Legend: 1 = exactly one item or component of this type is needed; no redundancy in place; n = no redundancy in place; no spare or standby component available; all components (n) are in use and if one fails, the whole system (power, cooling, network) goes down; n+1 = if you required 'n' items of equipment for something to work, you would have one additional spare item. If any one item of equipment breaks down, everything can still work as intended; 2n = you have twice as many items as you need. Therefore n items can fail without interruption. Cloud hosted customer environments need to be operated in an SAP Tier Level III, III+ or IV classified Data Center to meet the physical security and operational compliance requirements of the customer industries. Customer 5
SAP DATA CENTER SECURITY REQUIREMENTS Besides the availability requirements outlined in the Tier Level III definition, SAP demands additional location, building and access specific security measures as baseline for a SAP Cloud Data Center. Therefore the items listed in this chapter summarize the minimum requirements which we implement and audit. Our Co-Location Data Center Providers (sub-contractors) are chosen based on this requirements list. It is part of the initial RFP Data Center selection and later on part of the ongoing operation. Data Center Location The Data Center location shall not be subject to increased environmental threats like storms, blizzards, earthquakes or flooding. Perimeter Security The Data Center should have a fence surrounding the building. In case there are no fences, the wall of the Data Center rooms shall not be located against the outside walls of the building. If fences are used, they must have a height of at least 2 meters (7 feet). A Perimeter Intrusion Detection System must be deployed based on e.g. motion sensors, passive infrared, microwaves or ultrasonic detection. A CCTV System must be deployed to monitor the perimeter and access points. Access to the CCTV management system and stored videos shall be restricted on need-to-do principles. Building Entry Points The Data Center provider will take special measures to protect against unauthorized entry into rooms or areas housing systems that perform central functions necessary to provide the internal and external services under the system support contract. All doors must be solid core; hollow core doors are not acceptable, because they provide only minor protection against intruders. Doors must have the same fire-resistance rating as the adjacent walls to ensure that the whole room or compartment resist a fire for the same time span. This applies to the outer doors as well as the internal server room or SAP private area doors. Lighting in doorways shall always be implemented. Exterior doors that open out should have sealed (welded) hinge pins and dog bolts so that they can't be removed. The loading area, which is used to transport e.g. the IT equipment into the Data Center, must follow the same access controls and CCTV requirements like the other main entry points (see access control chapter). Building Security Core Components of the Data Center shall not be older than 15 years or in or in derelict condition therefore the risk of poor electrical wiring, deteriorating materials, and rusted plumbing is reduced. The Data Center room or hall should not have any outer windows. Customer 6
In case the Data Center Building has no fences but outer windows installed, they must be fitted with intrusion detection and glass breaking sensors. Internal intrusion detection systems and CCTV must be deployed and monitored 7x24. CCTV footage must be archived for at least 90 days, unless legal restrictions exist. Private SAP areas (e.g. cages) must have access controls (see access control chapter). Private SAP areas shall have physical separation to other Data Center customers. Walls, fences or cages must have a height of at least 2 meters (7 feet) and must be monitored by CCTV. Ensure continuous lighting or deploy infrared/night vision lighting for continuous CCTV monitoring capabilities. Wiring closets, utility or power rooms must be locked and shall follow the same access controls like server rooms. A Security Monitoring Center / Room must be operated and staffed 7x24. A burglar alarm and intrusion detection system must be installed, monitored 7x24 and shall be linked to notify a security service or the local police. Wireless LANs in the Data Center shall be either deactivated or (if not possible) be secured by using strong encryption (e.g. WPA2 with AES-256), strong authentication (e.g. protected EAP) and activate basic logging (e.g. for login events). Access control The Data Center provider must make sure that only a defined group of persons can physically access the Data Center core IT Infrastructure (e.g. access control servers, CCTV data storage) required to provide the services under the support contract. It must be ensured that this access is granted only to those employees with appropriate training. The service provider is obliged to log the names and times of persons entering the private SAP areas. Therefore an access request workflow to the SAP Cloud Data Center facilities must be implemented and aligned with SAP. Requests are approved by at least the SAP HR Manager or the SAP Cost Center Manager or the SAP Data Center Security Manager. Additionally a Data Center revoke access process must be implemented and aligned with SAP. At least every year the user access list must be reviewed with the SAP Data Center Infrastructure Team. Users that do not need access any more must be revoked. The Data Center access logs and visitor logs must be kept for at least 3 months. The Data Center access control system must use electronic key cards or biometrics. Mantraps must be used at least on the main Data Center access points. Turnstiles are not sufficient. Access logs to the SAP private area must be made available to SAP. An interface must be defined e.g. to exchange these logs manually or via an automated process or tool-based workflow. If physical keys and locks are used e.g. for emergency access, these keys must be stored in a guarded secure place and all usage shall be documented. Power supply The Data Center provider is obliged to take measures to ensure that power is continuously supplied to all systems required to provide the internal and external services under the system support contract. In this respect, the SAP Data Center Tier Level III (or higher) availability requirements shall be met. Customer 7
Fire protection The SAP Cloud Data Center will ensure adequate fire protection in rooms or areas housing systems that perform central functions necessary to provide the internal and external services under the system support contract. When using portable fire extinguishers, it must be ensured that they are suitable for use in a Data Center area or server room containing technical equipment and those are regularly maintained and inspected. When using automatic extinguishing systems, it must be ensured that only those systems are used that do not damage the computer systems if they have to be activated. Possible solutions are gas like INERGEN, FM200, Argon or water mist dispensing or sprinkler systems in compliance to local applicable laws. The use of water sprinkler systems is not preferred by SAP, because it will damage the SAP equipment and therefore impact the cloud service s availability and maybe even the customer data integrity. It must be ensured that adequate fire alarm systems are installed in the rooms and areas described. Fire resistant materials in walls, floor, ceiling and doors must be used. Fire detection sensors like gas, smoke or heat sensors must be installed. The entire system must be maintained and inspected at regular intervals recommended by the manufacturer. Protection against water Water-carrying pipes of any description must be avoided in rooms or areas housing systems that perform central functions necessary to provide the internal and external services under the system support contract. If it is not possible to avoid water-carrying pipes, precautions must be taken to ensure that any leaks are detected as soon as possible and to minimize the negative impact thereof. Customer 8
SAP DATA CENTER COMPLIANCE REQUIREMENTS Compliance Definitions & Requirements Based on the services SAP is delivering out of the Data Center, the provider is required to regularly provide SAP with a valid SOC 1 (SSAE 16 or ISAE 3402) Type II and/or SOC 2 Type II Report (at least annually). Additionally a valid ISO 27001 certification shall be provided to SAP regularly. SAP delivers services out of the Data Center that have a material impact on financial reporting do not have a material impact on financial reporting SOC 1 Type II / SSAE 16 / ISAE 3402 X SOC 2 Type II X X The following control objectives shall be assured by the SOC 1 (SSAE 16 or ISAE 3402) and/or SOC 2 Report audit reports (part of the mandatory requirements in Sections 1.1 1.9): Access request workflow to the SAP private area, incl. approval step through SAP Access control system for the SAP private area with electronic access cards, including access logging. Access to SAP private area is revoked timely. An intrusion detection system monitors SAP private area for unexpected access. The intrusion detection system is maintained at least annually. Video cameras monitor the surrounding area of the SAP private area. Video cameras are maintained at least annually. Backup power supply is available for the SAP private area. Backup power generators are maintained at least annually. The SAP private area is equipped with appropriate fire emergency systems. Fire emergency systems are maintained at least annually. The SAP private area is equipped with air conditioning systems. Air conditioning systems are maintained at least annually. A grace period of 12 month is granted after contract closure to provide respective reports, if the Data Center Provider does not hold an ISAE3402 / SSAE16 / SOC1 Type 2 attestation or an ISO 27001 certification at the time of the contract closure. The Data Center Provider should provide SAP with a valid PCI DSS if needed by the SAP Cloud Solution or obtain a PCI certification in this caser within 3 months. SAP Data Center Audit Process SAP requests the above mentioned compliance reports and certifications from the Data Center Provider as also performs on-site reviews at least every 2 years to validate and check the security measures as outlined in this document. These on-site audits are performed by SAP employees and planned with the Data Center Manager / Provider. In general 2 days are scheduled for the on-site visit of the Data Center, the SAP Server Rooms (private area, cages). The SAP Auditors fill out a report based on the Data Center security requirements checklist to document any deviations and findings. Pictures and additional evidences are archived as well. If mandatory security requirements are not fulfilled, the SAP Auditors will discuss the risk and potential countermeasures immediately with the SAP Cloud Data Center Manager and the SAP Cloud Security & Risk Office. Risks are managed in the SAP Corporate Operational Risk Management System to ensure transparency to the SAP senior management. Findings should be fixed within 3 months after the audit. Customer 9
SAP DATA CENTER SECURITY SERVICE LEVEL AGREEMENTS (S-SLA) The following list contains the minimum SLA s for security relevant components within the SAP Data Centers and must be seen complementary to the overall SLA s that focus e.g. on power or cooling availabilities. Topic Details Operations Max. Repair duration CCTV CCTV footage must be archived for at least 30 days Monitoring room to be staffed 7x24 7x24 5 working days Availability Inspections Other comments 99,98% At least annually Availability refers to the whole camera system, not to a single camera only. Intrusion Detection System The system must be deployed based on e.g. motion sensors, passive infrared, microwaves or ultrasonic detection 7x24 5 working days 99,98% At least annually installed, monitored 7x24 linked to notify a security service or the local police Access Control System System refers to the access control system and components providing access to the SAP private area Data Center access logs and visitor logs must be kept for at least 3 months Badge swipes are automatically recorded in a log file. 7x24 5 working days 99,98% At least annually If not renewed via the Request Access workflow, permanent access is terminated automatically after a maximum time frame of one year. (see CISOR PS3) Fire Protection Includes Automatic extinguishing systems Fire/smoke/gas sensors 7x24 5 working days 99,98% At least annually Fire extinguishers are to be inspected annually, too. Customer 10
SAP DATA CENTER SECURITY INCIDENT HANDLING The following incidents examples are security-related (the list does not claim to be complete): - Infrastructure-related incidents Access control system incidents o Key card system down/broken; o Loss of access logs or visitor logs; o Malfunctioning mantraps or doors leading to the SAP private area; o Malfunction of the two-factor access controls (if applicable). Security system incidents o CCTV camera outage; o Malfunction of the fire detection system; o Malfunction of the Intrusion Detection System; o Loss of physical keys that allow access to the Data Center or even SAP private area. Integrity of the Data Center building detected o Holes in the walls; o Broken doors; o Construction work affecting the security of the SAP private area. - Mission-critical incidents Fire outbreak in the Data Center affecting the SAP private area; Burglary detected; Stolen SAP equipment detected; Unplanned / Unauthorized move of SAP equipment; Terrorist attacks (e.g. car bomb near the Data Center building); Natural disasters impacting the Data Center operations. Customer 11
All listed security-related incident types listed are considered critical and are to be dealt with as described: Measure Occurs for Response Time/Frequency Immediate notification Notification Report Infrastructurerelated incidents Missioncritical incidents All incident types Within 24h after detection of incident. As soon as alarm is initiated (e.g. if fire alarm is initiated, the fire department & SAP must be called immediately). Monthly Details Inform SAP via mail to: gds_team@sap.com. Use Subject line: Security Incident: <Location Name> <Type of Security Incident> In the Mail-Body describe the Incident; the current status; the next steps and the contact persons on DC Provider site. The SAP GDS (Global Data Center Services) Team will forward the Incident to the SAP Security Team and follow up with the DC Provider Inform SAP immediately via 7x24 Hotline: +49 6227 7 41313 or +1 610-661-1633 Inform SAP also via mail to: gds_team@sap.com. Use Subject line: Security Incident: <Location Name> <Type of Security Incident> In the Mail-Body describe the Incident; the current status; the next steps and the contact persons on DC Provider site. The SAP GDS (Global Data Center Services) Team will forward the Incident to the SAP Security Team and follow up with the DC Provider Purpose: documentation of all incidents Content of the report o Nature of the incident (incident description) o Current status (has the incident been solved or are still actions to be done?) o Root cause (why did this incident occur?) o Improvements (actions to be undertaken in order to prevent further incidents of same nature). ABOUT SAP SAP is at the center of today s technology revolution, developing innovations that not only help businesses run like never before, but also improve the lives of people everywhere. As the market leader in enterprise application software, we help companies of all sizes and industries run better. From back office to boardroom, warehouse to storefront, desktop to mobile device SAP empowers people and organizations to work together more efficiently and use business insight more effectively to stay ahead of the competition. SAP applications and services enable more than 248,500 customers to operate profitably, adapt continuously, and grow sustainably. For more information, go to www.sap.com. Customer 12
www.sap.com 2013 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ( SAP Group ) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.