SAP Financial Services Network – Security capabilities

SAP Financial Services Network Security and Compliance 2016

© 2016 SAP SE or an SAP affiliate company. All rights reserved.

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

Content

• Physical Security
• Network and Logical Perimeter Protection
• Isolation and Multi-Tenancy
• Availability
• Compliance
• Global Distribution
• Business Continuity and Disaster Recovery
• Data Protection and Privacy
• Authentication and Access Control
• Encryption and Digital Signatures
• Tamper Protection
• Security Key Management and Storage
• Use of VPNs
• Audit Logging
• Vulnerability Assessments and Penetration Tests
• Secure Development
• System Changes
• Operations Model
• Handling and Reporting of Security Incidents

Physical Security

• World-class data centers in Rot, Germany (SAP-owned) and Ashburn, VA, US (third-party colocated)
• Redundant power supplies (diesel engines), aspirating smoke detectors (ASD), fingerprint access control and 24-hour surveillance
• Ceilings, walls, and doors provide 90 minutes of fire resistance; a gas-based fire extinguishing system (INERGEN) is in place
• Various certifications such as ISO 27001 (certification for the operation of software), ISO 22301 (Business Continuity management) and SSAE 16 (U.S. equivalent of ISAE 3402)

Network and Logical Perimeter Protection

• The external-facing network is divided into multiple demilitarized zones (DMZ)
• A multi-level firewall and an intrusion prevention system are in place
• A load balancer (vendor F5) terminates SSL and distributes the requests

Isolation and Multi-Tenancy

• Each customer is assigned its own tenant
• Message processing runtimes of different customers are located on different virtual machines
• One database schema per customer
• It is technically enforced that only HTTPS communication between tenants is possible
• Internal components of SAP FSN are placed in different network segments
• SAP FSN landscapes that serve different purposes, e.g. Test and Prod, are isolated from each other

Availability

• Guaranteed uptime of 99.5%
• The system is set up for high availability, which includes redundant software and infrastructure components
• Capacity planning ensures that needed resources are available in time

Compliance

• ISO 27001 certified
• Compliant with various SAP-internal policies, procedures, directives and guidelines
• Compliant with the SAP security product standard

Global Distribution

• SAP FSN is offered out of the SAP data center in St. Leon-Rot, Germany
• An additional data center is located in Ashburn, VA, US. This additional data center is used as a secondary site for disaster recovery.

Business Continuity and Disaster Recovery

• A Business Impact Analysis is performed regularly and its results are considered
• Disaster recovery is offered with Ashburn as the secondary data center
• The Ashburn secondary data center is operated as a hot site for FSN
• In Q1/2015 an additional data center in Europe (Amsterdam, Netherlands) is planned to be the DR secondary site
• The Recovery Time Objective (RTO), which is the time until the service is up after a disaster, is 2 hours
• The Recovery Point Objective (RPO), which is the point in time until which data processed before the disaster might be lost, is 30 minutes
• Disaster recovery is regularly tested and test reports can be provided to customers on request. Customers can connect their own systems to such tests on request.

Data Protection and Privacy

• The primary data center in St. Leon-Rot is subject to the data protection and privacy law of Germany
• Customer data processed by FSN is classified as confidential
• SAP FSN does not process personally identifiable information (PII) as part of message content
• SAP’s development approach and system operating procedures take data protection and privacy into account
• A new European data protection regulation is upcoming. It will mainly affect European customers.

Authentication and Access Control

• Authentication of incoming messages is performed at the load balancer
• SSL is terminated and the X.509 client certificate is checked
• A defined set of CAs is supported. New CAs can be added after an approval process.
• SFTP messages are authenticated using SSH
• Authentication of dialog users is performed against the SAP ID Service
• Access to all functions, whether invoked manually by dialog users or automatically (for example, by a scheduler), is protected by a permission check
• A fine-grained permission concept is applied
• The concept is based on different personas, e.g. SaaS-Admin, Tenant-Admin

Encryption of Data in Transit

• All data in transit, whether exchanged with customers or internal, is encrypted
• SSL/TLS and SSH are leveraged; HTTP-based communication uses a minimum key length of 1024 bits
• SSH is used to protect SFTP communication with a minimum key length of 1024 bits
• Both SSL/TLS and SSH communication are mutually authenticated
• At the message layer, data can be encrypted using various algorithms and key lengths
• Among them are AES, DES, RC2 and Camellia
• Strong encryption can be used for AES and Camellia

Encryption of Data at Rest / Digital Signatures

• Data at rest is stored encrypted in the DB using AES
• The encryption key is automatically generated, unique per tenant and not stored in the same database as the encrypted data
• Data that is stored on the SAP FSN-hosted FTP server (vendor Cleo) is encrypted because the messages are encrypted
• Digital signatures are leveraged to detect both unintentional and intentional message changes

Tamper Protection

• Tamper Protection allows the receiver to verify that certain message fields have not been modified by SAP FSN
• Works even if message mapping is applied within SAP FSN
• Based on digital signatures
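The following is an added example, not SAP FSN code, of how a field-level signature can survive message mapping: the sender signs a layout-independent canonical form of the protected fields, and the receiver rebuilds that form from the mapped message. The field names, the mapped layout, the sample values and the choice of Ed25519 are assumptions made for illustration; the slides do not state which fields or signature algorithm SAP FSN uses.

```javascript
const nodeCrypto = require("node:crypto");
// Hypothetical list of fields the sender wants protected end to end.
const PROTECTED = ["debtorAccount", "creditorAccount", "amount", "currency"];

// Layout-independent canonical form: fixed order, length-prefixed values.
function canonicalize(fields) {
  return PROTECTED.map((name) => {
    const value = String(fields[name]).trim();
    return `${name}:${Buffer.byteLength(value)}:${value}`;
  }).join("\n");
}

function signFields(fields, privateKey) {
  const data = Buffer.from(canonicalize(fields));
  return nodeCrypto.sign(null, data, privateKey).toString("base64");
}

function verifyFields(fields, signature, publicKey) {
  const data = Buffer.from(canonicalize(fields));
  return nodeCrypto.verify(null, data, publicKey, Buffer.from(signature, "base64"));
}

// Intermediary mapping (constructed): new layout and names, signature carried along.
function mapMessage(msg) {
  return {
    Dbtr: { Acct: msg.debtorAccount },
    Cdtr: { Acct: msg.creditorAccount },
    InstdAmt: { value: msg.amount, Ccy: msg.currency },
    TamperSig: msg.signature,
  };
}

// Receiver side: pull the protected fields back out of the mapped layout.
function extractProtected(m) {
  return { debtorAccount: m.Dbtr.Acct, creditorAccount: m.Cdtr.Acct,
           amount: m.InstdAmt.value, currency: m.InstdAmt.Ccy };
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const msg = { debtorAccount: "DE00EXAMPLE0001", creditorAccount: "NL00EXAMPLE0002",
                amount: "1250.00", currency: "EUR" }; // constructed sample values
  msg.signature = signFields(msg, privateKey);
  const mapped = mapMessage(msg);
  const intact = verifyFields(extractProtected(mapped), mapped.TamperSig, publicKey);
  mapped.Cdtr.Acct = "NL00EXAMPLE9999"; // change made in transit
  const tampered = verifyFields(extractProtected(mapped), mapped.TamperSig, publicKey);
  return { intact, tampered };
}
```

The mapped message verifies as long as the protected values are unchanged, while a change to any protected field in transit makes verification fail at the receiver.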

Security Key Management and Storage

• Keys associated with tenants are not stored in the file system. Instead they are stored in a database, leveraging the platform’s key store service.
• Keys are protected using a strong password
• Keys of the load balancer and the SAP FSN-hosted FTP server are stored securely in the file system of these components
• Public key material (certificates) is exchanged between SAP and customers during onboarding to SAP FSN

Use of VPNs

• On request, customers can connect to SAP FSN using an IPsec-based virtual private network (VPN)
• The VPN uses pre-shared keys, works in IPsec tunnel mode and is of type Cisco ASA firewall
• For disaster recovery, the data sync from the data center in Rot, Germany to the data center in Ashburn, VA, US is done via an SSL-based VPN (leased line)

Audit Logging

• Audit logs are generated per tenant
• The audit log contains entries for configuration changes and security events, such as failed authentications
• The audit log is stored in a third-party audit log system (vendor Splunk)
• Audit logs are retained for 18 months
• Audit logs can be provided to customers on request
• The load balancer and the intrusion prevention system also log into Splunk

Vulnerability Assessments and Penetration Tests

• Done by third parties at the request of SAP
• Penetration tests focus on the network and infrastructure layer
• Performed three times a year
• Vulnerability assessments focus on FSN business functionality
• Performed yearly
• Done by Primeon Inc.: http://www.primeon.com

Secure Development

• SAP Security Development Lifecycle (SDC) is applied
• Regular quality gates
• Monthly security code scans and audits
• Security architecture and design
• The SAP-internal product standard for security is applied
• Threat modeling of selected parts

System Changes

• All changes to the system must be approved and are performed in a controlled manner
• Several processes are relevant: Authorization Process, Integration Content Lifecycle Process, Correction Process and Release Deployment Process

Operations Model

• SAP FSN is operated by SAP Cloud Operations and supported by a dedicated FSN Support team
• SAP FSN Cloud Operations & Support are available 24x7x365
• An alerting infrastructure is used to detect any anomaly inside the system
• Access rights of operators are constantly monitored, reviewed and minimized
• Maintenance “windows” are defined during which system updates and changes are applied

Handling and Reporting of Security Incidents

• SAP’s Security Incident Reporting is used
• Depending on the criticality, local security staff will be informed or SAP’s Global Security Incident Management tool will be used
• On request, customers can be provided with a monthly report on security incidents
• SAP FSN security team interacts with customers for the investigation and resolution of security incidents

Thank you