SAP Product Stewardship Network
Security and Compliance at SAP
August 15, 2013 Public
© 2013 SAP AG. All rights reserved. 2 Public
SAP Product Stewardship Network Security and Compliance at SAP

Contents

Introduction to Relevant Standards and Certificates
Cloud Security and Compliance
Physical Security
Network Security
Backup and Recovery
Support of Compliance
Confidentiality & Integrity
Summary
SAP Product Stewardship Network Security – Standards and Certificates: Overview

SAP Business Cloud offers:

BS25999 certified: high availability
ISAE3402 attested*: international accounting regulations
SSAE16 attested*: international accounting regulations
ISO 9001 certified: quality management
Green IT certified: energy efficiency
ISO 27001 certified: IT operations

*formerly SAS 70 Type II
SAP Product Stewardship Network – Standards and Certificates: Details

Certified Energy Efficient
SAP NEWSBYTE - April 12, 2010 - Two SAP AG (NYSE: SAP) data centers in Germany have been certified as “energy efficient” by TÜV Rheinland, a German organization that documents the safety and quality of business and technology systems to establish sustainability in social and industrial development. To date, only 10 data centers from various companies have received this certification. Out of those, the SAP data center in St. Leon-Rot, Germany, achieved the highest ratings.

International Standard on Assurance Engagements (ISAE) No. 3402 Type B
This standard is a globally recognized assurance report on controls at a service organization. It has been put forth by the International Auditing and Assurance Standards Board (IAASB). The focus of this quality standard lies in controls that have a potential impact on financial reporting. ISAE 3402 is an "assurance" standard. It is the international successor of the SAS 70 standard.

International Organization for Standardization (ISO) 27001
This standard specifies how an information security management system (ISMS) has to be set up and operated. It defines an overall management and control framework for managing an organization's information security risks.

Statement on Standards for Attestation Engagements (SSAE) No. 16
This is the US equivalent to the international standard ISAE 3402. SSAE16 is an "attestation" standard.

British Standards Institution (BS) 25999
BS 25999 is a standard in the field of business continuity management (BCM) to ensure continued operation in critical situations. This standard sets the requirements for how a data center must be built and operated to guarantee the highest availability.

International Organization for Standardization (ISO) 9001
This standard specifies requirements for a quality management (QM) system. Within the definition of the QM system itself, it is important to aim for continuous improvement.
SAP Product Stewardship Network – Physical Security: Overview (2012)

SAP Business Cloud offers:
World-class Tier-3 and Tier-4 data centers
SAP-managed data center and selected partners operating according to SAP standards
Data center: BS25999 certified, ISO 27001 certified
SAP Product Stewardship Network Security – Physical Security: Details

Building
Reinforced concrete construction
Hundreds of surveillance cameras with digital recording
Fully monitored doors
Tens of thousands of environmental sensors
Security guards and facility support team onsite 24x7x365
Biometric sensors + card readers to access secured areas
Multiple redundant Internet connections from multiple carriers

Power
Redundant power sources
Hundreds of UPS units with additional capacity for 20 minutes
Auxiliary, expandable diesel power supply, online within minutes
Diesel fuel storage sufficient for 48 hours of operations without refueling
Contracts with external diesel suppliers to guarantee continuous operation

Fire + Flood
Fire and flood protection
Redundant, environmentally friendly Inergen fire extinguisher system
Thousands of fire and flood surveillance sensors

Cooling
100% redundant air conditioning
Auxiliary cooling capacity
SAP Product Stewardship Network Security – Network Security: Overview

Diagram (labels only): IDS, Rev. Proxy, Firewalls, Datacenter

Reverse Proxy Farms
Multiple Redundant Internet Connections
Data Encryption
Intrusion Detection System (IDS)
Multiple Firewalls
Third Party Audits and Penetration Tests
SAP Product Stewardship Network Security – Network Security: Details

Reverse Proxy Farms: Hide network topology
Multiple redundant Internet Connections: Limit the effect of denial of service (DoS) attacks
Data Encryption: Highest level of protection with up to 256-bit data encryption protocols using Transport Layer Security*
Intrusion Detection System: Monitor web traffic 24 x 7 x 365
Multiple Firewalls: Shield the internal network from hackers
Third Party Audits and Penetration Tests: Early and independent detection of security issues (for example, program backdoors or network vulnerabilities)

* formerly known as Secure Sockets Layer
SAP Product Stewardship Network Security – Backup and Recovery: Overview

Primary storage in the production data center: most recent snapshot on primary storage
Secondary storage in the offsite backup location: multiple snapshots according to the retention policy
Global performance monitoring of backups
ISO 27001 certified
SAP Product Stewardship Network Security – Backup and Recovery: Details

Snapshots: Backups are created with snapshots from disk to disk. This ensures fast creation of backups and, if required, fast restoration.
Frequency: Daily full backup. Log files are incrementally backed up every two hours; all changes in the database since the last full backup are saved.
Location: Database and log file backups are stored in a geographically separate data center but stay in the designated region.
Objective: Recovery up to the last transaction is supported within the database recovery process. The maximum lost time for a customer is two hours if the primary data center is completely destroyed.
Retention times: Backups of the last 3 days are kept in primary and secondary storage. Previous backups are kept up to 14 days in the geographically separated backup data center.

Type of Backup                  Retention Time
Daily incremental               15 days
Weekly cumulative incremental   8 weeks
Monthly full                    1 year

Backups on tape are stored in an offsite vault except for daily backups, which are stored on site.

Information Security Management System: ISO 27001 certified
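As an added illustration (not SAP's code), the following small retention evaluator encodes the retention table above, the on-site/offsite placement rule for tape backups and the two-hour log backup interval behind the stated recovery objective. The day counts for 8 weeks and 1 year, the location labels and the sample catalogue are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Retention table from the slide in days (assumptions: 8 weeks = 56 days, 1 year = 365 days).
RETENTION_DAYS = {"daily_incremental": 15, "weekly_cumulative": 56, "monthly_full": 365}
# Slide: daily backups stay on site, all other tape backups go to the offsite vault.
EXPECTED_LOCATION = {"daily_incremental": "on_site", "weekly_cumulative": "offsite_vault",
                     "monthly_full": "offsite_vault"}
LOG_BACKUP_INTERVAL = timedelta(hours=2)  # log files are backed up every two hours

@dataclass(frozen=True)
class Backup:
    kind: str           # key of RETENTION_DAYS
    taken_at: datetime
    location: str       # "on_site" or "offsite_vault" (constructed labels)

def is_expired(b: Backup, now: datetime) -> bool:
    """A backup is expired once it is older than its kind's retention period."""
    if b.kind not in RETENTION_DAYS:
        raise ValueError(f"unknown backup kind: {b.kind}")
    return now - b.taken_at > timedelta(days=RETENTION_DAYS[b.kind])

def prune(catalog, now):
    """Split a catalogue into (keep, expire) lists under the retention table."""
    keep = [b for b in catalog if not is_expired(b, now)]
    expire = [b for b in catalog if is_expired(b, now)]
    return keep, expire

def misplaced(catalog):
    """Backups that are not stored where the location policy says they belong."""
    return [b for b in catalog if b.location != EXPECTED_LOCATION[b.kind]]

def within_rpo(last_log_backup: datetime, disaster_at: datetime) -> bool:
    """If the primary site is destroyed, only data since the last log backup is
    lost; the slide's objective is that this never exceeds two hours."""
    return disaster_at - last_log_backup <= LOG_BACKUP_INTERVAL

# Constructed sample catalogue, evaluated at a reference time of 15 Aug 2013, 12:00.
NOW = datetime(2013, 8, 15, 12, 0)
SAMPLE_CATALOG = [
    Backup("daily_incremental", NOW - timedelta(days=3), "on_site"),
    Backup("daily_incremental", NOW - timedelta(days=16), "on_site"),
    Backup("weekly_cumulative", NOW - timedelta(weeks=5), "offsite_vault"),
    Backup("weekly_cumulative", NOW - timedelta(weeks=9), "on_site"),  # misplaced
    Backup("monthly_full", NOW - timedelta(days=200), "offsite_vault"),
    Backup("monthly_full", NOW - timedelta(days=400), "offsite_vault"),
]
```

Running `prune(SAMPLE_CATALOG, NOW)` keeps three backups and expires three; `misplaced` flags the weekly backup that never reached the vault.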
SAP Product Stewardship Network Security – Confidentiality & Integrity: Customer View

Role-Based Access: On-demand solutions support role-based access with user profiles to allow segregation of duties.
Activity Logging: On-demand solutions log all user activities.
Data Ownership: Support for contract termination:
  Customer data extraction
  Customer data handover in file format
  Extended read-only system access after contract termination
  Data deletion only after customer approval
SAP Product Stewardship Network Security – Integrity & Confidentiality: Concept of Support User Access Control

Data integrity and availability are ensured by proactive automated system monitoring.

Application and Customer Support*
Customer reports incident:
  Ticket
  One-time user with short-term password (1 hour)
  Personalized log traces

Platform and System Support*
System reports incident:
  Ticket
  One-time user with short-term password (4 hours)
  Personalized log traces

*Variations may exist depending on the cloud offering.
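The ticket-bound, one-time support user described above, as an added example rather than SAP's implementation: the password is accepted exactly once and only within the validity period tied to who reported the incident, and every attempt is appended to a log trace tagged with the ticket. The ticket ids, the PBKDF2 password hashing and the reference time are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Validity from the slide: 1 hour for customer-reported, 4 hours for system-reported incidents.
VALIDITY = {"customer": timedelta(hours=1), "system": timedelta(hours=4)}
T0 = datetime(2013, 8, 15, 9, 0)  # constructed reference time for the example

@dataclass
class SupportUser:
    ticket: str          # incident ticket the user is bound to
    reporter: str        # "customer" or "system"
    created_at: datetime
    password_hash: bytes
    salt: bytes
    used: bool = False   # one-time: the password logs in exactly once
    trace: list = field(default_factory=list)  # personalized log trace

    @property
    def expires_at(self) -> datetime:
        return self.created_at + VALIDITY[self.reporter]

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def issue_support_user(ticket: str, reporter: str, now: datetime):
    """Create the one-time user for a ticket; returns (user, clear-text password).
    Only the salted hash is stored; the password is handed to the engineer once."""
    if reporter not in VALIDITY:
        raise ValueError("incident must be reported by 'customer' or 'system'")
    salt, password = secrets.token_bytes(16), secrets.token_urlsafe(24)
    user = SupportUser(ticket, reporter, now, _hash(password, salt), salt)
    user.trace.append((now, ticket, "issued"))
    return user, password

def login(user: SupportUser, password: str, now: datetime) -> bool:
    """Accept the password once and only before expiry; every attempt is traced."""
    if now >= user.expires_at:
        outcome = "denied: expired"
    elif user.used:
        outcome = "denied: already used"
    elif not hmac.compare_digest(_hash(password, user.salt), user.password_hash):
        outcome = "denied: bad password"
    else:
        user.used, outcome = True, "login"
    user.trace.append((now, user.ticket, outcome))
    return outcome == "login"
```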
SAP Product Stewardship Network Security Offerings – Identity Management

• SAP Product Stewardship Network relies on strong and secure authentication schemes.
• SAP’s time-tested Single Sign-On (SSO) mechanisms provide maximum convenience by securely reusing existing logon sessions across SAP business sites through SAP ID Service.
• SAP ID Service provides additional customer value by offering account management functionality, for example, password recovery.
• SAP Product Stewardship Network actively protects user accounts and companies to guarantee a secure separation of concerns. It makes extensive use of role-based access schemes to implement a “need-to-know” concept.
SAP Product Stewardship Network Security Offerings – Data Protection and Privacy

Privacy and data protection are taken seriously at SAP. SAP ensures that all legal standards regarding data protection and privacy are covered and that unauthorized access is prevented. SAP ensures that access is granted only to authorized persons and that you retain full control and ownership of your personal information.

As a customer, you have put your valuable personal information in our hands, and we respect your trust in us. Therefore, personal information is stored exclusively for business purposes and will be completely removed upon termination of the business relationship.
SAP Product Stewardship Network Security Offerings – Communication Security

SAP is committed to providing secure infrastructure and communication between all systems involved. In addition, SAP prevents the use of unnecessary access paths to the server. Therefore, SAP Product Stewardship Network exclusively uses encrypted communication channels through Secure Sockets Layer (Transport Layer Security) to and from the application, and from the web browser to the application server and external systems. Browser session information is actively secured against compromise of critical user information.
SAP Product Stewardship Network Security – Summary

SAP Business Cloud offers:
Certified operations
World-class data centers
Advanced network security
Reliable data backup
Built-in compliance, integrity, and confidentiality