Upload
rasmi-swain
View
798
Download
0
Embed Size (px)
Citation preview
SAP Cloud Solution – Security
1
About me
• Rasmi Swain
• Enterprise IT Consulting & Delivery
• Enterprise IT architecture
• SAP ECC 6.0 , SAP BW, BO–BI
• HANA Analytics, HANA Cloud
• SAP Mobility ( SMP 3.0, FIORI, MDM, Mobile Security)
• Information Security (Cloud Security, GRC, ISO 2700K)
• E-Governance & Smart City
SAP Cloud Security2
Contents
• SAP Cloud Solutions
• Security Regulations
• Security Requirements
• Data Center Security• Physical Security
• Network Security
• Data Security
• Backup/Recovery & Compliance
• Identity management
SAP Cloud Security3
SAP a Cloud Company
• SAP + HANA+SF+ARIBA+ Sybase
• Most Comprehensive cloud portfolio solutions
• Data security and data privacy is part of the DNA
SAP Cloud Security4
Source : SAP
SAP Cloud Portfolio
SAP Cloud Security5
Source : SAP Cloud Documents in Public
Trust the #1 asset in cloud business
- Security, data protection, and data privacy became more important.
- And a single case of data loss hits the whole industry.
- If a single company fails in the cloud, no vendor in this service can bet on more subscribers. It´s a loss-loss.
- handle data with the utmost discretion and allow business-critical processes to run securely.
- Protect customer against unauthorized data access and misuse, confidential data disclosure
SAP Cloud Security6
Source : SAP
Security Regulations
• HIPAA• PCI-DSS, ISO 27002, BS7799,
• ISO 27001/27017
• PII/ Privacy
• EU Data Protection 95/46/EC
• e-Privacy Directive 2002/58/EC• ASIO-4, FIPS Moderate,
• BS10012, SSAE-16/SOC2
SAP Cloud Security7
Security Requirements
• CSP (Cloud Partner) must be complaint
• US-EU safe Harbor
• Employee Background check
• Physical Security
• Physical data location
• Unauthorized data access (credential steals)
SAP Cloud Security8
• Data steal from insiders
• Firewalls to prevent 3rd party attacks
• Operational compliance
• Shallow security
• Data Portability
• Business Continuity Security
Data Center Security
SAP Cloud Security9
DB Security
Network Security
Compliance
Back up & Business
ContinuitySOC2
Privacy
TrustCriteria
BS10012Privacy Standard used
internationally
SAP Cloud Security 9
Location & Physical
Security
BS25999CERTIFIED
ISO 9001CERTIFIED
ISO 27001CERTIFIED
SSAE16TESTIFIED
ISAE3402TESTIFIED*
SAP Cloud Security – Physical Security
SAP Cloud Security
BU
ILD
ING
PO
WER
FIR
E +
FLO
OD
CO
OL
ING
Reinforced concrete construction Hundreds of surveillance cameras with digital recording Fully monitored doors Tens of thousands of environmental sensors Security guards and facility support team onsite 24x7x365 Biometric sensors + card readers to access secured areas Multiple redundant internet connections from multiple carriers
Redundant power sources Hundreds of UPS units with additional capabilities of 20 min Auxiliary, expandable diesel power supply, online within minutes Diesel fuel storage sufficient for 48-hours of operations without refueling Contracts with external diesel suppliers to guarantee continuous operation
Fire and flood protection Redundant, environmentally friendly, Inergen fire extinguisher System Thousands Fire and Flood Surveillance Sensors
100% redundant air conditioning Auxiliary cooling capacity
Source – SAP
SAP Cloud Network Security
SAP Cloud Security11
Multi-tiered Network Architecture
End-user traffic is limited to the front Demilitarized Zone (DMZ) tier of Web servers only.
Each single tier in the hosting environment is organized into a DMZ-like pattern.
This allows a firewall or Virtual Local Area Networks (VLAN) separation between each tier.
A request is individually validated before creating the next tier independent request.
SSAE16-SOC2 Type II auditing twice a year.
* formerly known as
Secure Sockets Layer
Reverse Proxy Farms
Hide network topology
Multiple redundant Internet Connections
Limit the effect of denial of service (DOS) attacks
Data Encryption
Highest level of protection with up to 256-Bit Dataencryption protocols using Transport Layer Security*
Intrusion Detection System
Monitor web traffic 24 x 7 x 365
Multiple Firewalls
Shield internal network from hackers
Third Party Audits/Penetration Tests
Early and independent detection of security issues(e.g. program backdoors, network vulnerabilities,…)
11
Communication between client and SAP leverages Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.
SAP solutions also support dedicated encrypted communication channels (WAN and VPN) for better access and integration.
SAP also provides customers a choice: the management of all security from top to bottom, or the ability to integrate SAP Cloud with their own industry-standard identity management solutions.
.
Data Security - Data Segregation
SaaS Multi-tenant Architecture - example SAP Cloud for People
With cloud solutions from SAP, there is a logical isolation within a SaaS application that extends down to the virtual server layer. In certain environments like the SAP HANA Enterprise Cloud, organizations will also get physical isolation via dedicated SAP HANA database servers that reside in dedicated customer network segments (VLANS).
SAP Cloud Security12
.
Database Tier
Instance A Instance B Instance C Instance D
Application Tier
Service Tier Personal credentials
Optional Single Sign On
Distinct application instance
per customer enforces Memory
segregation
Distinct database schema per
customer enforces data
segregation
3rd party
Application
Core Tenant manager
Instance A Instance B Instance C Instance D
XML Abstraction Layer
WebServices InterfaceGraphical User Interface
Schema• Data• Configurations
Schema• Data• Configurations
Schema• Data• Configurations
Schema Data Configurations
Cloud SaaS delivery model- Data transmission & data flow control
SAP Cloud Security1313
Cloud solutions from SAP segregate heterogeneous data by using the following approach to build the application
architecture and store the data:• Unique database tables:
• Most service providers offering shared Web access have one set of database tables in a normalized database that is shared by many customers. In contrast, organizations that use cloud solutions from SAP share the network security infrastructure, Web servers, application servers, and database instance. However, each customer has its own set of database tables within its own unique database schema, which ensures complete segregation of tenants’ data.
• Dedicated database Servers: • In case of a SAP HANA database, SAP provides a dedicated
physical database server that is located in the customer cloud network segment.
• Encrypted data storage:
• When cloud solutions from SAP support database or file system encryption, all encrypted data is stored on disks using a minimum of AES 128-bit encryption.
• Secure levels:• In SaaS services, the top two tiers (application and Web in later
levels) are completely stateless. Cloud solutions from SAP dramatically reduce the security risk of these two tiers because no sessions are kept in memory or written to disk. This approach simplifies the construction of load-balanced server farms, as there is no need to keep the workloads on any given server.
• Movement of data:
• It is important to remember that data is moving through multiple tiers, and each level must ensure data security. Cloud solutions from SAP use a defense-in-depth strategy to provide segregation of data at all layers.
SAP Cloud Security – Backup/Recovery & Compliance
SAP Cloud Security14
• Compliance features
Journal entries that allow tracingof business transactions to source documents
Number ranges that distinguish journal entries
Accounting-relevant data cannot be deleted from audit trails
Supports IFRS accounting regulations
Solution documentation included
Segregation of duties supported
Snapshots:Backups are created with snapshots from disk to disk. Thisensures fast creation, backups, and, if required, fast restoration.
Frequency: Daily full backup. Log files incrementally backed up every twohours: all changes in database since the last full backup are saved.
Location:Database and log-file backups are stored in a geographicallyseparated data center but stay in the designated region.
Objective:Recovery up to the last transaction is supported within databaserecovery process. Maximum lost time for customer is twohours - if the primary data center is completely destroyed.
Retention times:Backups of the last 3 days are kept on primary and secondarystorage. Previous backups are kept up to 14 days in the geographically separated backup data center.
14
SAP SaaS delivery model- Identity management
SAP Cloud Security15
• Internal authentication:• Cloud solutions from SAP use an internal repository of user profiles when
customers choose not to integrate their identity management product with SAP solutions
• Federated authentication (single sign-on): • The primary transport protocol for this trust mechanism is standard Hypertext
Transfer Protocol Secure (HTTPS). In the SAP HANA® Enterprise Cloud service, a direct integration into the customer network and single-sign-on implementation is possible. Cloud solutions from SAP also use single sign-on features of the SAP NetWeaver® technology platform for system-to-system and administrator authentication.
15
Cloud solutions from SAP support the Lightweight Directory Access Protocol (LDAP) and tokens,
• such as MD5, SHA-1,
• HMAC encryption, DES, and 3DES.
• The solution also supports Security Assertion Markup Language (SAML 1.1, 2.0)
• SAP Supply Network Collaboration with encrypted remote function call (RFC) and client/server personal security environment (PSE) verification.
SAP Cloud Security16
Q & A