SAP Cloud Solution – Security

1

About me

• Rasmi Swain

• Enterprise IT Consulting & Delivery

• Enterprise IT architecture

• SAP ECC 6.0 , SAP BW, BO–BI

• HANA Analytics, HANA Cloud

• SAP Mobility ( SMP 3.0, FIORI, MDM, Mobile Security)

• Information Security (Cloud Security, GRC, ISO 2700K)

• E-Governance & Smart City

SAP Cloud Security2

Contents

• SAP Cloud Solutions

• Security Regulations

• Security Requirements

• Data Center Security• Physical Security

• Network Security

• Data Security

• Backup/Recovery & Compliance

• Identity management

SAP Cloud Security3

SAP a Cloud Company

• SAP + HANA+SF+ARIBA+ Sybase

• Most Comprehensive cloud portfolio solutions

• Data security and data privacy is part of the DNA

SAP Cloud Security4

Source : SAP

SAP Cloud Portfolio

SAP Cloud Security5

Source : SAP Cloud Documents in Public

Trust the #1 asset in cloud business

- Security, data protection, and data privacy became more important.

- And a single case of data loss hits the whole industry.

- If a single company fails in the cloud, no vendor in this service can bet on more subscribers. It´s a loss-loss.

- handle data with the utmost discretion and allow business-critical processes to run securely.

- Protect customer against unauthorized data access and misuse, confidential data disclosure

SAP Cloud Security6

Source : SAP

Security Regulations

• HIPAA• PCI-DSS, ISO 27002, BS7799,

• ISO 27001/27017

• PII/ Privacy

• EU Data Protection 95/46/EC

• e-Privacy Directive 2002/58/EC• ASIO-4, FIPS Moderate,

• BS10012, SSAE-16/SOC2

SAP Cloud Security7

Security Requirements

• CSP (Cloud Partner) must be complaint

• US-EU safe Harbor

• Employee Background check

• Physical Security

• Physical data location

• Unauthorized data access (credential steals)

SAP Cloud Security8

• Data steal from insiders

• Firewalls to prevent 3rd party attacks

• Operational compliance

• Shallow security

• Data Portability

• Business Continuity Security

Data Center Security

SAP Cloud Security9

DB Security

Network Security

Compliance

Back up & Business

ContinuitySOC2

Privacy

TrustCriteria

BS10012Privacy Standard used

internationally

SAP Cloud Security 9

Location & Physical

Security

BS25999CERTIFIED

ISO 9001CERTIFIED

ISO 27001CERTIFIED

SSAE16TESTIFIED

ISAE3402TESTIFIED*

SAP Cloud Security – Physical Security

SAP Cloud Security

BU

ILD

ING

PO

WER

FIR

E +

FLO

OD

CO

OL

ING

Reinforced concrete construction Hundreds of surveillance cameras with digital recording Fully monitored doors Tens of thousands of environmental sensors Security guards and facility support team onsite 24x7x365 Biometric sensors + card readers to access secured areas Multiple redundant internet connections from multiple carriers

Redundant power sources Hundreds of UPS units with additional capabilities of 20 min Auxiliary, expandable diesel power supply, online within minutes Diesel fuel storage sufficient for 48-hours of operations without refueling Contracts with external diesel suppliers to guarantee continuous operation

Fire and flood protection Redundant, environmentally friendly, Inergen fire extinguisher System Thousands Fire and Flood Surveillance Sensors

100% redundant air conditioning Auxiliary cooling capacity

Source – SAP

SAP Cloud Network Security

SAP Cloud Security11

Multi-tiered Network Architecture

End-user traffic is limited to the front Demilitarized Zone (DMZ) tier of Web servers only.

Each single tier in the hosting environment is organized into a DMZ-like pattern.

This allows a firewall or Virtual Local Area Networks (VLAN) separation between each tier.

A request is individually validated before creating the next tier independent request.

SSAE16-SOC2 Type II auditing twice a year.

* formerly known as

Secure Sockets Layer

Reverse Proxy Farms

Hide network topology

Multiple redundant Internet Connections

Limit the effect of denial of service (DOS) attacks

Data Encryption

Highest level of protection with up to 256-Bit Dataencryption protocols using Transport Layer Security*

Intrusion Detection System

Monitor web traffic 24 x 7 x 365

Multiple Firewalls

Shield internal network from hackers

Third Party Audits/Penetration Tests

Early and independent detection of security issues(e.g. program backdoors, network vulnerabilities,…)

11

Communication between client and SAP leverages Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.

SAP solutions also support dedicated encrypted communication channels (WAN and VPN) for better access and integration.

SAP also provides customers a choice: the management of all security from top to bottom, or the ability to integrate SAP Cloud with their own industry-standard identity management solutions.

.

Data Security - Data Segregation

SaaS Multi-tenant Architecture - example SAP Cloud for People

With cloud solutions from SAP, there is a logical isolation within a SaaS application that extends down to the virtual server layer. In certain environments like the SAP HANA Enterprise Cloud, organizations will also get physical isolation via dedicated SAP HANA database servers that reside in dedicated customer network segments (VLANS).

SAP Cloud Security12

.

Database Tier

Instance A Instance B Instance C Instance D

Application Tier

Service Tier Personal credentials

Optional Single Sign On

Distinct application instance

per customer enforces Memory

segregation

Distinct database schema per

customer enforces data

segregation

3rd party

Application

Core Tenant manager

Instance A Instance B Instance C Instance D

XML Abstraction Layer

WebServices InterfaceGraphical User Interface

Schema• Data• Configurations

Schema• Data• Configurations

Schema• Data• Configurations

Schema Data Configurations

Cloud SaaS delivery model- Data transmission & data flow control

SAP Cloud Security1313

Cloud solutions from SAP segregate heterogeneous data by using the following approach to build the application

architecture and store the data:• Unique database tables:

• Most service providers offering shared Web access have one set of database tables in a normalized database that is shared by many customers. In contrast, organizations that use cloud solutions from SAP share the network security infrastructure, Web servers, application servers, and database instance. However, each customer has its own set of database tables within its own unique database schema, which ensures complete segregation of tenants’ data.

• Dedicated database Servers: • In case of a SAP HANA database, SAP provides a dedicated

physical database server that is located in the customer cloud network segment.

• Encrypted data storage:

• When cloud solutions from SAP support database or file system encryption, all encrypted data is stored on disks using a minimum of AES 128-bit encryption.

• Secure levels:• In SaaS services, the top two tiers (application and Web in later

levels) are completely stateless. Cloud solutions from SAP dramatically reduce the security risk of these two tiers because no sessions are kept in memory or written to disk. This approach simplifies the construction of load-balanced server farms, as there is no need to keep the workloads on any given server.

• Movement of data:

• It is important to remember that data is moving through multiple tiers, and each level must ensure data security. Cloud solutions from SAP use a defense-in-depth strategy to provide segregation of data at all layers.

SAP Cloud Security – Backup/Recovery & Compliance

SAP Cloud Security14

• Compliance features

Journal entries that allow tracingof business transactions to source documents

Number ranges that distinguish journal entries

Accounting-relevant data cannot be deleted from audit trails

Supports IFRS accounting regulations

Solution documentation included

Segregation of duties supported

Snapshots:Backups are created with snapshots from disk to disk. Thisensures fast creation, backups, and, if required, fast restoration.

Frequency: Daily full backup. Log files incrementally backed up every twohours: all changes in database since the last full backup are saved.

Location:Database and log-file backups are stored in a geographicallyseparated data center but stay in the designated region.

Objective:Recovery up to the last transaction is supported within databaserecovery process. Maximum lost time for customer is twohours - if the primary data center is completely destroyed.

Retention times:Backups of the last 3 days are kept on primary and secondarystorage. Previous backups are kept up to 14 days in the geographically separated backup data center.

14

SAP SaaS delivery model- Identity management

SAP Cloud Security15

• Internal authentication:• Cloud solutions from SAP use an internal repository of user profiles when

customers choose not to integrate their identity management product with SAP solutions

• Federated authentication (single sign-on): • The primary transport protocol for this trust mechanism is standard Hypertext

Transfer Protocol Secure (HTTPS). In the SAP HANA® Enterprise Cloud service, a direct integration into the customer network and single-sign-on implementation is possible. Cloud solutions from SAP also use single sign-on features of the SAP NetWeaver® technology platform for system-to-system and administrator authentication.

15

Cloud solutions from SAP support the Lightweight Directory Access Protocol (LDAP) and tokens,

• such as MD5, SHA-1,

• HMAC encryption, DES, and 3DES.

• The solution also supports Security Assertion Markup Language (SAML 1.1, 2.0)

• SAP Supply Network Collaboration with encrypted remote function call (RFC) and client/server personal security environment (PSE) verification.

SAP Cloud Security16

Q & A