SAP Cloud Solution – Security
About me
• Rasmi Swain
• Enterprise IT Consulting & Delivery
• Enterprise IT architecture
• SAP ECC 6.0 , SAP BW, BO–BI
• HANA Analytics, HANA Cloud
• SAP Mobility ( SMP 3.0, FIORI, MDM, Mobile Security)
• Information Security (Cloud Security, GRC, ISO 2700K)
• E-Governance & Smart City
SAP Cloud Security
Contents
• SAP Cloud Solutions
• Security Regulations
• Security Requirements
• Data Center Security
• Physical Security
• Network Security
• Data Security
• Backup/Recovery & Compliance
• Identity management
SAP a Cloud Company
• SAP + HANA + SF + ARIBA + Sybase
• Most comprehensive cloud portfolio solutions
• Data security and data privacy are part of the DNA
Source : SAP
SAP Cloud Portfolio
Source : SAP Cloud Documents in Public
Trust: the #1 asset in cloud business
- Security, data protection, and data privacy have become more important.
- A single case of data loss hits the whole industry.
- If a single company fails in the cloud, no vendor in this service can bet on more subscribers. It's a lose-lose.
- Handle data with the utmost discretion and allow business-critical processes to run securely.
- Protect customers against unauthorized data access and misuse, and against disclosure of confidential data.
Source : SAP
Security Regulations
• HIPAA
• PCI-DSS, ISO 27002, BS7799
• ISO 27001/27017
• PII/Privacy
• EU Data Protection 95/46/EC
• e-Privacy Directive 2002/58/EC
• ASIO-4, FIPS Moderate
• BS10012, SSAE-16/SOC2
Security Requirements
• CSP (Cloud Partner) must be compliant
• US-EU Safe Harbor
• Employee background check
• Physical security
• Physical data location
• Unauthorized data access (credential theft)
• Data theft by insiders
• Firewalls to prevent 3rd party attacks
• Operational compliance
• Shallow security
• Data portability
• Business continuity security
Data Center Security
Areas covered:
• DB Security
• Network Security
• Compliance
• Back up & Business Continuity
• Location & Physical Security
Standards shown:
• SOC2 Privacy Trust Criteria
• BS10012: privacy standard used internationally
• BS25999: CERTIFIED
• ISO 9001: CERTIFIED
• ISO 27001: CERTIFIED
• SSAE16: TESTIFIED
• ISAE3402: TESTIFIED*
SAP Cloud Security – Physical Security
Building / Power / Fire + Flood / Cooling
• Reinforced concrete construction
• Hundreds of surveillance cameras with digital recording
• Fully monitored doors
• Tens of thousands of environmental sensors
• Security guards and facility support team onsite 24x7x365
• Biometric sensors + card readers to access secured areas
• Multiple redundant internet connections from multiple carriers
• Redundant power sources
• Hundreds of UPS units with additional capabilities of 20 min
• Auxiliary, expandable diesel power supply, online within minutes
• Diesel fuel storage sufficient for 48 hours of operations without refueling
• Contracts with external diesel suppliers to guarantee continuous operation
• Fire and flood protection
• Redundant, environmentally friendly Inergen fire extinguisher system
• Thousands of fire and flood surveillance sensors
• 100% redundant air conditioning
• Auxiliary cooling capacity
Source – SAP
SAP Cloud Network Security
Multi-tiered Network Architecture
End-user traffic is limited to the front Demilitarized Zone (DMZ) tier of Web servers only. Each tier in the hosting environment is organized into a DMZ-like pattern. This allows firewall or Virtual Local Area Network (VLAN) separation between each tier. A request is individually validated before an independent request is created for the next tier.
SSAE16-SOC2 Type II auditing twice a year.
• Reverse Proxy Farms: Hide network topology
• Multiple redundant Internet Connections: Limit the effect of denial of service (DoS) attacks
• Data Encryption: Highest level of protection with up to 256-bit data encryption protocols using Transport Layer Security*
• Intrusion Detection System: Monitor web traffic 24 x 7 x 365
• Multiple Firewalls: Shield internal network from hackers
• Third Party Audits/Penetration Tests: Early and independent detection of security issues (e.g. program backdoors, network vulnerabilities, …)
* formerly known as Secure Sockets Layer
Communication between client and SAP leverages Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.
SAP solutions also support dedicated encrypted communication channels (WAN and VPN) for better access and integration.
SAP also provides customers a choice: the management of all security from top to bottom, or the ability to integrate SAP Cloud with their own industry-standard identity management solutions.
Data Security - Data Segregation
• SaaS Multi-tenant Architecture - example SAP Cloud for People
• With cloud solutions from SAP, there is a logical isolation within a SaaS application that extends down to the virtual server layer. In certain environments like the SAP HANA Enterprise Cloud, organizations will also get physical isolation via dedicated SAP HANA database servers that reside in dedicated customer network segments (VLANs).
Diagram: SaaS multi-tenant architecture
• Tiers: Service Tier, Application Tier, Database Tier
• Access: Graphical User Interface, Web Services Interface, 3rd party application; personal credentials, optional Single Sign On
• Components: Core Tenant manager, XML Abstraction Layer
• Application instances A, B, C, D: distinct application instance per customer enforces memory segregation
• One schema (data, configurations) per instance: distinct database schema per customer enforces data segregation
Cloud SaaS delivery model- Data transmission & data flow control
Cloud solutions from SAP segregate heterogeneous data by using the following approach to build the application architecture and store the data:
• Unique database tables: Most service providers offering shared Web access have one set of database tables in a normalized database that is shared by many customers. In contrast, organizations that use cloud solutions from SAP share the network security infrastructure, Web servers, application servers, and database instance. However, each customer has its own set of database tables within its own unique database schema, which ensures complete segregation of tenants' data.
• Dedicated database servers: In the case of an SAP HANA database, SAP provides a dedicated physical database server that is located in the customer cloud network segment.
• Encrypted data storage: When cloud solutions from SAP support database or file system encryption, all encrypted data is stored on disks using a minimum of AES 128-bit encryption.
• Secure levels: In SaaS services, the top two tiers (application and Web in later levels) are completely stateless. Cloud solutions from SAP dramatically reduce the security risk of these two tiers because no sessions are kept in memory or written to disk. This approach simplifies the construction of load-balanced server farms, as there is no need to keep the workloads on any given server.
• Movement of data: It is important to remember that data is moving through multiple tiers, and each level must ensure data security. Cloud solutions from SAP use a defense-in-depth strategy to provide segregation of data at all layers.
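Schema-per-customer segregation inside a shared database instance only holds if every session is confined to its own schema. The following is an added illustration, not SAP code: SQLite attached databases stand in for per-customer schemas, and the tenant names, the `orders` table and the `open_session` helper are hypothetical.

```python
import sqlite3

# Assumption: SQLite attached databases stand in for per-customer schemas
# inside one shared database instance. Tenant names and rows are constructed.
TENANTS = ("tenant_a", "tenant_b")
ALLOWED_ON_OWN_SCHEMA = {sqlite3.SQLITE_READ, sqlite3.SQLITE_INSERT,
                         sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE}


def build_shared_instance():
    """One connection (the shared instance) holding one schema per tenant."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    for name in TENANTS:
        conn.execute(f"ATTACH DATABASE ':memory:' AS {name}")
        conn.execute(f"CREATE TABLE {name}.orders (id INTEGER, item TEXT)")
        conn.execute(f"INSERT INTO {name}.orders VALUES (1, ?)",
                     (f"{name}-order",))
    return conn


def open_session(tenant):
    """Return a connection whose statements may touch only `tenant`'s schema."""
    if tenant not in TENANTS:
        raise ValueError("unknown tenant")
    conn = build_shared_instance()

    def authorizer(action, arg1, arg2, schema, source):
        if action == sqlite3.SQLITE_SELECT:      # the SELECT statement itself
            return sqlite3.SQLITE_OK
        if action in ALLOWED_ON_OWN_SCHEMA and schema == tenant:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY               # other schemas, ATTACH, DDL

    conn.set_authorizer(authorizer)
    return conn


def try_query(conn, sql):
    """Run `sql`; return its rows, or the string 'denied' if it was refused."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "denied"


if __name__ == "__main__":
    session = open_session("tenant_a")
    print(try_query(session, "SELECT item FROM tenant_a.orders"))
    print(try_query(session, "SELECT item FROM tenant_b.orders"))
    print(try_query(session, "ATTACH DATABASE ':memory:' AS extra"))
```

The check runs on the schema the database resolves a table to, not on the query text, so an unqualified table name that resolves to another customer's schema is refused as well.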
SAP Cloud Security – Backup/Recovery & Compliance
• Compliance features
  - Journal entries that allow tracing of business transactions to source documents
  - Number ranges that distinguish journal entries
  - Accounting-relevant data cannot be deleted from audit trails
  - Supports IFRS accounting regulations
  - Solution documentation included
  - Segregation of duties supported
Snapshots: Backups are created with snapshots from disk to disk. This ensures fast creation, backups, and, if required, fast restoration.
Frequency: Daily full backup. Log files incrementally backed up every two hours: all changes in database since the last full backup are saved.
Location: Database and log-file backups are stored in a geographically separated data center but stay in the designated region.
Objective: Recovery up to the last transaction is supported within database recovery process. Maximum lost time for customer is two hours - if the primary data center is completely destroyed.
Retention times: Backups of the last 3 days are kept on primary and secondary storage. Previous backups are kept up to 14 days in the geographically separated backup data center.
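A customer can check a backup schedule like this one against a catalog of completed backups. The following added example is not from the presentation or from SAP: the catalog format, function names, sample timestamps and the 10-minute scheduling tolerance are assumptions. It flags gaps that exceed the two-hour objective and computes the data lost if the primary site fails at a given time.

```python
from datetime import datetime, timedelta

# Policy values from the slide; names and the jitter allowance are assumptions.
LOG_INTERVAL = timedelta(hours=2)        # log backup every two hours
FULL_INTERVAL = timedelta(days=1)        # daily full backup
LOCAL_RETENTION = timedelta(days=3)      # primary and secondary storage
REMOTE_RETENTION = timedelta(days=14)    # separated backup data center
JITTER = timedelta(minutes=10)           # assumed scheduling tolerance


def retention_tier(finished, now):
    """Storage tier on which a backup should still exist at `now`."""
    age = now - finished
    if age <= LOCAL_RETENTION:
        return "primary+secondary"
    return "remote" if age <= REMOTE_RETENTION else "expired"


def data_loss(catalog, failure):
    """Window of changes lost if the primary site is destroyed at `failure`.

    Only retained backups count, and a log backup is usable only when a
    retained full backup precedes it.
    """
    kept = sorted(t for _, t in catalog
                  if t <= failure and retention_tier(t, failure) != "expired")
    fulls = [t for kind, t in catalog if kind == "full" and t in kept]
    if not fulls:
        return None                      # nothing to restore from
    return failure - max(t for t in kept if t >= min(fulls))


def audit(catalog, now):
    """Return (finding, start, end) for every gap that breaks the schedule."""
    findings = []
    times = sorted(t for _, t in catalog) + [now]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > LOG_INTERVAL + JITTER:
            findings.append(("rpo_gap", prev, cur))
    fulls = sorted(t for kind, t in catalog if kind == "full") + [now]
    for prev, cur in zip(fulls, fulls[1:]):
        if cur - prev > FULL_INTERVAL + JITTER:
            findings.append(("missed_full", prev, cur))
    return findings


def sample_catalog():
    """Constructed catalog: two days of backups, one log backup missing."""
    start = datetime(2024, 3, 1)
    missing = datetime(2024, 3, 2, 10)   # simulated failed log backup
    times = [start + timedelta(hours=h) for h in range(0, 48, 2)]
    return [("full" if t.hour == 0 else "log", t) for t in times if t != missing]


if __name__ == "__main__":
    cat = sample_catalog()
    print(audit(cat, datetime(2024, 3, 2, 23)))
    print(data_loss(cat, datetime(2024, 3, 2, 11, 30)))
```

With the constructed catalog, the single missed log backup turns a failure at 11:30 into a loss of 3 hours 30 minutes, which is why gaps are worth alerting on rather than only checking that backups exist.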
SAP SaaS delivery model- Identity management
• Internal authentication: Cloud solutions from SAP use an internal repository of user profiles when customers choose not to integrate their identity management product with SAP solutions.
• Federated authentication (single sign-on): The primary transport protocol for this trust mechanism is standard Hypertext Transfer Protocol Secure (HTTPS). In the SAP HANA® Enterprise Cloud service, a direct integration into the customer network and single-sign-on implementation is possible. Cloud solutions from SAP also use single sign-on features of the SAP NetWeaver® technology platform for system-to-system and administrator authentication.
Cloud solutions from SAP support the Lightweight Directory Access Protocol (LDAP) and tokens, such as MD5, SHA-1, HMAC encryption, DES, and 3DES.
• The solution also supports Security Assertion Markup Language (SAML 1.1, 2.0).
• SAP Supply Network Collaboration with encrypted remote function call (RFC) and client/server personal security environment (PSE) verification.
Q & A

SAP Cloud security overview 2.0
