Cloud Data Protection and Information Security at SAP



  1. Cloud Data Protection and Information Security at SAP
     May 2013, Public
  2. © 2012 SAP AG. All rights reserved.
     Cloud Data Security and Compliance at SAP – Agenda
     - Introduction of relevant standards and certificates
     - Cloud security and compliance
       - Physical security
       - Network security
       - Backup and recovery
       - Support of compliance
       - Confidentiality and integrity
     - Summary
     - Helpful links
  3. SAP Cloud Security – Standards and Certificates: Overview
     Area                                  Standard       Status
     High availability                     BS 25999       certified
     International accounting regulations  ISAE 3402*     attested (auditor's assurance report)
                                           SSAE 16*       attested (auditor's attestation report)
     Quality management                    ISO 9001       certified
     Energy efficiency                     Green IT       certified (TÜV Rheinland)
     IT operations                         ISO 27001      certified
     * formerly SAS 70 Type II. ISAE 3402 and SSAE 16 do not certify an organization; an independent auditor reports on the service organization's controls, so the report itself, not a certificate, is what a customer should ask to see.
  4. SAP Cloud Security – Standards and Certificates: Details
     Certified energy efficient
       SAP Newsbyte, April 12, 2010: Two SAP AG (NYSE: SAP) data centers in Germany have been certified as "energy efficient" by TÜV Rheinland, a German group that documents the safety and quality of business and technology systems to establish sustainability in social and industrial development. To date, only 10 data centers from various companies have received this certification. Of those, the SAP data center in St. Leon-Rot, Germany, achieved the highest ratings.
     International Standard on Assurance Engagements (ISAE) No. 3402 Type II
       A globally recognized assurance report on controls at a service organization, issued under a standard put forth by the International Auditing and Assurance Standards Board (IAASB). The focus lies on controls that have a potential impact on financial reporting. ISAE 3402 is an "assurance" standard and the international successor of SAS 70. A Type II report covers the operating effectiveness of the controls over a review period, not merely their design at a point in time.
     Statement on Standards for Attestation Engagements (SSAE) No. 16
       The US equivalent of the international standard ISAE 3402. SSAE 16 is an "attestation" standard.
     International Organization for Standardization (ISO) 27001
       Specifies how an information security management system (ISMS) has to be set up and operated. It defines an overall management and control framework for managing an organization's information security risks.
     British Standards Institution (BS) 25999
       A standard in the field of business continuity management (BCM) to ensure continued operation in critical situations. SAP applies it to how its data centers are built and operated so that the highest availability can be guaranteed.
     International Organization for Standardization (ISO) 9001
       Specifies requirements for a quality management (QM) system. Within the definition of the QM system itself, continuous improvement is an explicit aim.
  5. SAP Cloud Security – Physical Security: Overview (2013)
     - World-class Tier 3 and Tier 4 data centers
     - Customer data always stays in the same national jurisdiction
     - SAP-managed data centers and selected partners operating according to SAP standards
     Data centers: BS 25999 certified, ISO 27001 certified
  6. SAP Cloud Security – Physical Security: Locations (2013)
     Location             Country   Operator         Service
     St. Leon-Rot         Germany   SAP              ByD-based, Payroll, OnDemand Portal, Photon (Lumira Cloud), JPaaS, S&OP, SAP HANA Cloud for Automobiles/Utilities
     Walldorf             Germany   SAP              -
     Newtown Square, PA   USA       SAP              ByD-based, S&OP
     Newtown Square, PA   USA       SAP              -
     Chandler, AZ         USA       Digital Realty   SFSF (SuccessFactors)
     Ashburn, VA          USA       Verizon          JAM, NFL Fantasy Football, JPaaS
     Amsterdam            NL        Telecity         JAM
     Amsterdam            NL        Telecity         JAM
     Sydney               AUS       Verizon          SFSF (SuccessFactors)
     Sydney               AUS       MacQuire         -
     Chicago, IL          USA       CSC              Sourcing, StreamWork, BIoD
     Chicago, IL          USA       Rackspace        Jobs2Web
     Somerville, MA       USA       Internap         Sourcing
     Maidstone            UK        CSC              Sourcing
     (Locations listed twice denote two separate sites; "-" means no service was listed.)
  7. SAP Cloud Security – Physical Security: Details
     Building
       - Reinforced concrete construction
       - Hundreds of surveillance cameras with digital recording
       - Fully monitored doors
       - Tens of thousands of environmental sensors
       - Security guards and facility support team on site 24x7x365
       - Biometric sensors plus card readers to access secured areas
       - Multiple redundant Internet connections from multiple carriers
     Power
       - Redundant power sources
       - Hundreds of UPS units with an additional capacity of 20 minutes
       - Auxiliary, expandable diesel power supply, online within minutes
       - Diesel fuel storage sufficient for 48 hours of operation without refuelling
       - Contracts with external diesel suppliers to guarantee continuous operation
     Fire and flood
       - Fire and flood protection
       - Redundant, environmentally friendly Inergen fire extinguishing system
       - Thousands of fire and flood surveillance sensors
     Cooling
       - 100% redundant air conditioning
       - Auxiliary cooling capacity
  8. SAP Cloud Security – Network Security: Overview
     (Diagram: Internet connections, firewalls, reverse proxy, intrusion detection system, data center)
     - Reverse proxy farms
     - Multiple redundant Internet connections
     - Data encryption
     - Intrusion detection system (IDS)
     - Multiple firewalls
     - Third-party audits and penetration tests
  9. SAP Cloud Security – Network Security: Details
     Reverse proxy farms: hide the internal network topology from the outside.
     Multiple redundant Internet connections: limit the effect of denial-of-service (DoS) attacks.
     Data encryption: traffic is protected with Transport Layer Security (TLS, formerly known as Secure Sockets Layer) using cipher suites with up to 256-bit symmetric keys. The key length alone does not determine the protection; the negotiated protocol version and cipher suite do.
     Intrusion detection system: monitors web traffic 24x7x365.
     Multiple firewalls: shield the internal network from attackers.
     Third-party audits and penetration tests: early and independent detection of security issues (e.g. program backdoors, network vulnerabilities).
  10. SAP Cloud Security – Backup and Recovery: Overview
      Primary storage in the production data center: most recent snapshot on primary storage.
      Secondary storage in the offsite backup location: multiple snapshots according to the retention policy.
      Global performance monitoring of backups.
      ISO 27001 certified.
  11. SAP Cloud Security – Backup and Recovery: Details
      Snapshots: backups are created as disk-to-disk snapshots, which ensures fast creation of the backups and, if required, fast restoration.
      Frequency: daily full backup. Database log files are backed up every two hours, so that together with the full backup all changes to the database since the last full backup are saved.
      Location: database and log-file backups are stored in a geographically separated data center but stay in the designated region.
      Objective: as long as the primary storage is intact, recovery up to the last transaction is supported by the database recovery process. If the primary data center is completely destroyed, at most the transactions of the last two hours (one log backup interval) are lost; the recovery point objective is therefore two hours.
      Retention times: backups of the last 3 days are kept on primary and secondary storage. Older backups are kept up to 14 days in the geographically separated backup data center.
      For SAP Sourcing OnDemand, SAP BusinessObjects BI OnDemand, and SAP StreamWork (CSC data center):
        - daily incremental backups: 15 days
        - weekly cumulative incremental backups: 8 weeks
        - monthly full backups: 1 year
        - backups on tape are stored in an offsite vault, except daily backups, which are stored on site
      For SAP Carbon Impact OnDemand (Amazon cloud):
        - daily incremental backups: 10 days
        - weekly full backups: 14 weeks
        - backups are stored on S3, a triple-redundant system within the designated region
      Information security management system: ISO 27001 certified.
  12. SAP Cloud Security – Compliance: Overview
      Compliance features
      - Journal entries that allow tracing of business transactions to source documents
      - Number ranges that distinguish journal entries
      - Accounting-relevant data cannot be deleted from audit trails
      - Supports IFRS accounting regulations
      - Solution documentation included
      - Segregation of duties supported
      ISAE 3402 attested*, SSAE 16 attested*
      * formerly SAS 70 Type II
  13. SAP Cloud Security – Compliance: Details
      Features that support customers in achieving compliance include:
      - Journal entries carry the complete information: ability to identify business transactions and trace them through to the underlying source documents.
      - Number ranges support the ability to distinguish entries: transparency for customers and precise retrieval.
      - Accounting-relevant data cannot be deleted, and all changes made to financially relevant data are recorded in a change-history log: help for customers to perform audits.
      - Supports IFRS (International Financial Reporting Standards) accounting regulations: help for customers to adhere to the regulations of multiple markets.
      - Solution documentation included: the necessary procedure and task descriptions for end users and detailed technical descriptions explaining data processing and storage.
  14. SAP Cloud Security – Confidentiality & Integrity: Customer View
      Role-based access: on-demand solutions support role-based access with user profiles to allow segregation of duties.
      Activity logging: on-demand solutions log all user activities.
      Data ownership (support for contract termination):
      - customer data extraction
      - customer data handover in file format
      - extended read-only system access after contract termination
      - data deletion only after customer approval
  15. SAP Cloud Security – Integrity & Confidentiality: Concept of Support User Access Control
      Application and customer support*
      - Customer reports incident: ticket
      - One-time user with short-term password (valid 1 hour)
      - Personalized log traces
      Platform and system support*
      - System reports incident: ticket
      - One-time user with short-term password (valid 4 hours)
      - Personalized log traces
      Data integrity and availability are ensured by proactive automated system monitoring.
      * Variances may exist depending on the cloud offering.
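The support access concept on this slide is a just-in-time, ticket-bound credential: no standing administrator accounts, a user that exists for one incident, a password that stops working after one or four hours, and log traces that name the engineer rather than a shared account. The following is an added example, not SAP's code, of a broker that enforces those properties. The parts the slide does not specify are assumptions and are marked as such in the code: the one-time user name embeds ticket, engineer and a sequence number so every trace is personalized; the short-term password is additionally single-use; and closing the ticket revokes the user even if its clock has not run out. Only a hash of the password is stored, and it is compared in constant time.

```python
"""Ticket-bound, time-limited support user access, modelled on slide 15.

Added example, not SAP code. Assumptions beyond the slide:
  - the one-time user id is SUP-<ticket>-<engineer>-<sequence>,
  - the short-term password may be used for exactly one login,
  - closing the ticket revokes all of its one-time users.
Timestamps may be datetime objects or ISO 8601 strings.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Validity of the short-term password by incident source (slide 15).
PASSWORD_TTL = {
    "customer": timedelta(hours=1),   # customer-reported incident
    "system": timedelta(hours=4),     # incident reported by system monitoring
}


def _as_datetime(value):
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def _hash(password):
    return hashlib.sha256(password.encode()).digest()


@dataclass
class Grant:
    ticket: str
    engineer: str
    expires_at: datetime
    password_hash: bytes
    used: bool = False
    revoked: bool = False


class SupportAccessBroker:
    def __init__(self):
        self.grants = {}   # one-time user id -> Grant
        self.audit = []    # (time, user id, engineer, ticket, event): personalized log trace
        self._seq = 0

    def _log(self, now, user_id, event):
        g = self.grants[user_id]
        self.audit.append((_as_datetime(now), user_id, g.engineer, g.ticket, event))

    def issue(self, ticket, engineer, source, now):
        """Create a one-time user for `engineer` on `ticket`.
        Returns (user id, clear-text password); only the hash is kept."""
        if not ticket or not engineer or source not in PASSWORD_TTL:
            raise ValueError("ticket, engineer and a known incident source are required")
        self._seq += 1
        user_id = f"SUP-{ticket}-{engineer}-{self._seq:03d}"   # assumption: naming scheme
        password = secrets.token_urlsafe(24)
        self.grants[user_id] = Grant(ticket, engineer,
                                     _as_datetime(now) + PASSWORD_TTL[source], _hash(password))
        self._log(now, user_id, "issued")
        return user_id, password

    def login(self, user_id, password, now):
        """Every refusal is logged with its reason; success consumes the password."""
        now = _as_datetime(now)
        g = self.grants.get(user_id)
        if g is None:
            self.audit.append((now, user_id, None, None, "denied: unknown user"))
            return False
        if g.revoked:
            self._log(now, user_id, "denied: revoked")
            return False
        if now >= g.expires_at:
            self._log(now, user_id, "denied: password expired")
            return False
        if g.used:
            self._log(now, user_id, "denied: password already used")   # assumption: single-use
            return False
        if not hmac.compare_digest(_hash(password), g.password_hash):
            self._log(now, user_id, "denied: wrong password")
            return False
        g.used = True
        self._log(now, user_id, "login")
        return True

    def record(self, user_id, action, now):
        """Personalized trace of what the support user did in the system."""
        self._log(now, user_id, f"action: {action}")

    def close_ticket(self, ticket, now):
        """Revoke every one-time user of the ticket; returns how many were revoked."""
        revoked = 0
        for user_id, g in self.grants.items():
            if g.ticket == ticket and not g.revoked:
                g.revoked = True
                self._log(now, user_id, "revoked: ticket closed")
                revoked += 1
        return revoked

    def traces_for(self, engineer):
        """All audit events attributable to one named engineer."""
        return [e for e in self.audit if e[2] == engineer]
```

Because the user id carries the engineer's name, `traces_for` answers the question an auditor asks after an incident, namely who did what under which ticket, without correlating a shared support login against a separate shift roster.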
  16. SAP Cloud Security – Summary
      - Certified operations
      - World-class data centers
      - Advanced network security
      - Reliable data backup
      - Built-in compliance, integrity, and confidentiality
  17. Helpful Links
      SAP contract details: http://www.sap.com/corporate-en/our-company/agreements/index.epx (search e.g. "ByD Terms and Conditions US")
      ByD security FAQs: www.sme.sap.com, SAP Business ByDesign > Sell > Security Topics FAQs
      ByD standards and audits: www.sme.sap.com, SAP Business ByDesign > Sell > Security and Standard Accreditations
      ByD certificates: www.service.sap.com/certificates
      SAP data center energy efficiency: http://www.sap.com/press.epx?pressid=13030
      ByD data center security video: http://youtu.be/oK5OIaUPEZ4 (German), http://youtu.be/wxOs1AdJXLs (English)
      ByD cloud operations video: http://youtu.be/3EZy1jq_vjE (German), http://youtu.be/zGvKZkQixCg (English)
      E-book ByD cloud security: www.sap.de/business-cloud-sicherheit (German)
  18. © 2012 SAP AG. All rights reserved.
      No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
      Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
      Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation.
      IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.
      Linux is the registered trademark of Linus Torvalds in the United States and other countries.
      Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries.
      Oracle and Java are registered trademarks of Oracle and its affiliates.
      UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
      Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc.
      HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
      Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.
      IOS is a registered trademark of Cisco Systems Inc.
      RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited.
      Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc.
      INTERMEC is a registered trademark of Intermec Technologies Corporation.
      Wi-Fi is a registered trademark of Wi-Fi Alliance.
      Bluetooth is a registered trademark of Bluetooth SIG Inc.
      Motorola is a registered trademark of Motorola Trademark Holdings LLC.
      Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.
      SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
      Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
      Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.
      Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.
      All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
      The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
