SAP Product Stewardship Network
Security and Compliance at SAP
August 15, 2013 Public

© 2013 SAP AG. All rights reserved. 2 Public

SAP Product Stewardship Network Security and Compliance at SAP

Contents

Introduction to Relevant Standards and Certificates
Cloud Security and Compliance
Physical Security
Network Security
Backup and Recovery
Support of Compliance
Confidentiality & Integrity
Summary

SAP Product Stewardship Network Security – Standards and Certificates
Overview

SAP Business Cloud offers:
High Availability
International Accounting Regulations
Quality Management
Energy Efficiency
IT Operations

Certificates:
ISAE 3402 testified*
SSAE 16 testified*
BS 25999 certified
Green IT certified
ISO 27001 certified
ISO 9001 certified

*formerly SAS 70 Type II
SAP Product Stewardship Network – Standards and Certificates
Details

Certified energy efficient
SAP NEWSBYTE - April 12, 2010 - Two SAP AG (NYSE: SAP) data centers in Germany have been certified as “energy efficient” by TÜV Rheinland, a German organization that documents the safety and quality of business and technology systems to establish sustainability in social and industrial development. To date, only 10 data centers from various companies have received this certification. Out of those, the SAP data center in St. Leon-Rot, Germany, achieved the highest ratings.

International Standard on Assurance Engagements (ISAE) No. 3402 Type B
This standard is a globally recognized assurance report on controls at a service organization. It has been put forth by the International Auditing and Assurance Standards Board (IAASB). The focus of this quality standard lies in controls that have a potential impact on financial reporting. ISAE 3402 is an "assurance" standard. It is the international successor of the SAS 70 standard.

International Organization for Standardization (ISO) 27001
This standard specifies how an information security management system (ISMS) has to be set up and operated. It defines an overall management and control framework for managing an organization's information security risks.

Statement on Standards for Attestation Engagements (SSAE) No. 16
This is the US equivalent to the international standard ISAE 3402. SSAE 16 is an "attestation" standard.

British Standards Institution (BS) 25999
BS 25999 is a standard in the field of business continuity management (BCM) to ensure continued operation in critical situations. This standard sets the requirements for how a data center must be built and operated to guarantee the highest availability.

International Organization for Standardization (ISO) 9001
This standard specifies requirements for a quality management (QM) system. Within the definition of the QM system itself, it is important to aim for continuous improvement.

SAP Product Stewardship Network – Physical Security
Overview (2012)

SAP Business Cloud offers:
World-class Tier-3 and 4 data center
SAP-managed data center and selected partners operating according to SAP standards

Data Center: BS 25999 certified, ISO 27001 certified

SAP Product Stewardship Network Security – Physical Security
Details

Building:
Reinforced concrete construction
Hundreds of surveillance cameras with digital recording
Fully monitored doors
Tens of thousands of environmental sensors
Security guards and facility support team onsite 24x7x365
Biometric sensors + card readers to access secured areas

Power:
Multiple redundant Internet connections from multiple carriers
Redundant power sources
Hundreds of UPS units with additional capabilities of 20 minutes
Auxiliary, expandable diesel power supply, online within minutes
Diesel fuel storage sufficient for 48 hours of operations without refueling
Contracts with external diesel suppliers to guarantee continuous operation

Fire + Flood:
Fire and flood protection
Redundant, environmentally friendly Inergen fire extinguisher system
Thousands of fire and flood surveillance sensors

Cooling:
100% redundant air conditioning
Auxiliary cooling capacity

SAP Product Stewardship Network Security – Network Security
Overview

(Diagram: IDS, reverse proxy, firewalls, data center)

Reverse Proxy Farms
Multiple Redundant Internet Connections
Data Encryption
Intrusion Detection System (IDS)
Multiple Firewalls
Third Party Audits and Penetration Tests

SAP Product Stewardship Network Security – Network Security
Details

Reverse Proxy Farms: Hide network topology
Multiple Redundant Internet Connections: Limit the effect of denial of service (DoS) attacks
Data Encryption: Highest level of protection with up to 256-bit data encryption protocols using Transport Layer Security*
Intrusion Detection System: Monitor web traffic 24 x 7 x 365
Multiple Firewalls: Shield internal network from hackers
Third Party Audits and Penetration Tests: Early and independent detection of security issues (for example, program backdoors or network vulnerabilities)

* formerly known as Secure Sockets Layer

SAP Product Stewardship Network Security – Backup and Recovery
Overview

Primary Storage (Production Data Center): most recent snapshot on primary storage
Secondary Storage (in Offsite Backup Location): multiple snapshots on retention policy
Global Performance Monitoring of Backups

ISO 27001 certified

SAP Product Stewardship Network Security – Backup and Recovery
Details

Snapshots: Backups are created with snapshots from disk to disk. This ensures fast creation of backups and, if required, fast restoration.

Frequency: Daily full backup. Log files are incrementally backed up every two hours; all changes in the database since the last full backup are saved.

Location: Database and log file backups are stored in a geographically separate data center but stay in the designated region.

Objective: Recovery up to the last transaction is supported within the database recovery process. If the primary data center is completely destroyed, a customer loses at most two hours of data.

Retention times: Backups of the last 3 days are kept in primary and secondary storage. Previous backups are kept up to 14 days in the geographically separated backup data center.

Type of Backup                   Retention Time
Daily incremental                15 days
Weekly cumulative incremental    8 weeks
Monthly full                     1 year

Backups on tape are stored in an offsite vault except for daily backups, which are stored on site.

Information Security Management System: ISO 27001 certified
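The schedule and retention rules on this slide, turned into a small policy checker. This is an added example, not SAP code; it encodes the stated policy (daily full backup, two-hourly log backups, 3- and 14-day disk retention, the tape retention table) so that the two-hour loss objective and retention decisions can be verified on sample dates. The two-hour grid starting at midnight and the sample dates are assumptions.

```python
"""Backup schedule model for the Backup and Recovery slide (added example, not
SAP code). It encodes the stated policy: daily full backup, log backups every
two hours, 3/14-day disk retention, and the tape retention table. Assumption:
log backups run on a fixed two-hour grid from midnight (the slide gives the
interval, not clock times).
"""
from datetime import date, datetime, timedelta

LOG_INTERVAL_MIN = 120        # "every two hours" (slide)
DISK_BOTH_DAYS = 3            # last 3 days on primary and secondary storage
DISK_SECONDARY_DAYS = 14      # then up to 14 days in the backup data center
# Tape retention table from the slide: type -> (retention in days, location).
TAPE_RETENTION = {
    "daily incremental": (15, "on site"),
    "weekly cumulative incremental": (8 * 7, "offsite vault"),
    "monthly full": (365, "offsite vault"),
}


def recovery_point(failure_iso: str) -> tuple:
    """Newest recoverable point if the primary data center is lost at the given
    time, and the data lost in minutes. With log backups on a two-hour grid the
    loss is the time since the last completed grid point, so it stays below 120
    minutes: the slide's 'maximum lost time' objective."""
    failure = datetime.fromisoformat(failure_iso)
    midnight = failure.replace(hour=0, minute=0, second=0, microsecond=0)
    elapsed_min = int((failure - midnight).total_seconds() // 60)
    lost_min = elapsed_min % LOG_INTERVAL_MIN
    point = midnight + timedelta(minutes=elapsed_min - lost_min)
    return point.isoformat(timespec="minutes"), lost_min


def worst_case_loss_minutes(step_min: int = 1) -> int:
    """Sweep failure times across one (arbitrary) day; return the largest loss."""
    worst = 0
    for m in range(0, 24 * 60, step_min):
        t = datetime(2013, 8, 15) + timedelta(minutes=m)
        worst = max(worst, recovery_point(t.isoformat())[1])
    return worst


def disk_tier(taken_iso: str, today_iso: str) -> str:
    """Where a backup taken on taken_iso lives on disk as of today_iso."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(taken_iso)).days
    if age < 0:
        raise ValueError("backup date is in the future")
    if age <= DISK_BOTH_DAYS:
        return "primary + secondary storage"
    if age <= DISK_SECONDARY_DAYS:
        return "secondary storage (backup data center) only"
    return "expired from disk"


def tape_status(kind: str, taken_iso: str, today_iso: str) -> dict:
    """Apply the tape retention table: still retained, expiry date, location."""
    days, location = TAPE_RETENTION[kind]
    expires = date.fromisoformat(taken_iso) + timedelta(days=days)
    return {"retained": date.fromisoformat(today_iso) < expires,
            "expires": expires.isoformat(), "location": location}
```

Sweeping every minute of a day shows the worst case is 119 minutes of lost changes, which is what the slide's two-hour objective amounts to under this schedule.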

SAP Product Stewardship Network Security – Confidentiality & Integrity
Customer View

Role-Based Access: On-demand solutions support role-based access with user profiles to allow segregation of duties.

Activity Logging: On-demand solutions log all user activities.

Data Ownership: Support for contract termination:
Customer data extraction
Customer data handover in file format
Extended read-only system access after contract termination
Data deletion only after customer approval

SAP Product Stewardship Network Security – Integrity & Confidentiality
Concept of Support User Access Control

Application and Customer Support*:
Customer reports incident
Ticket
One-time user with short-term password (1 hour)
Personalized log traces

Platform and System Support*:
System reports incident
Ticket
One-time user with short-term password (4 hours)
Personalized log traces

Data integrity and availability is ensured by proactive automated system monitoring.

*Variations may exist depending on the cloud offering.

SAP Product Stewardship Network Security Offerings – Identity Management

• SAP Product Stewardship Network relies on strong and secure authentication schemes.
• SAP’s time-tested Single Sign-On (SSO) mechanisms provide maximum convenience by securely reusing existing logon sessions across SAP business sites through SAP ID Service.
• SAP ID Service provides additional customer value by offering account management functionality, for example, password recovery.
• SAP Product Stewardship Network actively protects user accounts and companies to guarantee a secure separation of concerns. SAP Product Stewardship Network makes extensive use of role-based access schemes to implement a “need-to-know” concept.

SAP Product Stewardship Network Security Offerings – Data Protection and Privacy

Privacy and data protection are taken seriously at SAP. SAP ensures that all legal standards regarding data protection and privacy are covered and that unauthorized access is prevented. SAP ensures that access is granted only to authorized persons and that you retain full control and ownership of your personal information.

As a customer, you have put your valuable personal information in our hands, and we respect your trust in us. Therefore, personal information is stored exclusively for business purposes and will be completely removed upon termination of the business relationship.

SAP Product Stewardship Network Security Offerings – Communication Security

SAP is committed to providing secure infrastructure and communication between all systems involved. In addition, SAP prevents the use of unnecessary access paths to the server.

Therefore, SAP Product Stewardship Network exclusively uses encrypted communication channels through Secure Sockets Layer to and from the application, and from the web browser to the application server and external systems.

Browser session information is actively protected so that critical user information cannot be compromised.

SAP Product Stewardship Network Security – Summary

SAP Business Cloud offers:
Certified operations
World-class data centers
Advanced network security
Reliable data backup
Built-in compliance, integrity, and confidentiality

© 2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the United States and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries.

Oracle and Java are registered trademarks of Oracle and its affiliates.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.

IOS is a registered trademark of Cisco Systems Inc.

RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited.

Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc.

INTERMEC is a registered trademark of Intermec Technologies Corporation.

Wi-Fi is a registered trademark of Wi-Fi Alliance.

Bluetooth is a registered trademark of Bluetooth SIG Inc.

Motorola is a registered trademark of Motorola Trademark Holdings LLC.

Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.