Enterprises today use the cloud for applications all across their IT landscape, for tools like email, Salesforce, ServiceNow and more. Cost savings, operational stability, and reduced management effort are all proven advantages. But when we consider moving mission-critical systems at the heart of the business, such as SAP HANA, there is significant angst and uncertainty among IT and security professionals. Tom Evgey, Director of Cloud at Onapsis, and Scott Goolik, VP of Compliance & Security at Symmetry, explore various security issues organizations are facing when it comes to SAP HANA cloud deployments. During this presentation, we outline foundational elements and best practices for organizations to follow as they build a comprehensive security program when migrating SAP implementations to the cloud.
Secure HANA in the Cloud | Mitigating Internal & External Threats
MAY 2017
Scott Goolik, VP of Compliance & Security | Symmetry
Tom Evgey, Director of Cloud | Onapsis
4. @2017 Onapsis, Inc. All Rights Reserved
ONAPSIS: COMPANY HIGHLIGHTS
Onapsis: Keeping Business-Critical Applications Secure & Compliant
• Market Leaders: First-movers focused on Fortune 2000 and Federal organizations; over 200 customers
• Thought Leaders: Dedicated in-house Research Labs; discovered over 500 vulnerabilities and attack vectors
• Patented Technology: Awarded patent covering underlying critical algorithms and capabilities
• Experienced Management: Successful executives from IBM, RSA, EMC, Sophos, Amazon.com
• Backed by Leading Investors: .406 Ventures, Schlumberger, Evolution, Arsenal, Endeavor
• Board of Directors & Advisors: Sr VP, Booz Allen; CISO, Schlumberger; former AVG CEO; CTO, Veracode
Sustained Hyper-Growth: 4th consecutive year of 100%+ YoY ARR & Bookings growth
THE ONAPSIS RESEARCH LABS
The industry’s leading intelligence on security threats affecting SAP and Oracle Business-Critical Applications
• Helped secure over 500 SAP and Oracle flaws to date, including 100+ affecting SAP HANA
• Worked hand in hand with the DHS on the first-ever US-CERT Alert for SAP Business Applications
• Regularly invited to speak at leading Security, SAP and Oracle conferences around the world (BlackHat, RSA, Defcon, SANS, etc.)
• Provide the Onapsis Security Platform and Onapsis Customers with Advanced Threat Intelligence and market trends
THE THREAT LANDSCAPE
The Escalation of SAP Security Attacks
• 2012: Anonymous claimed breach to Greek Ministry of Finance using SAP zero-day exploit
• 2013: A malware targeting SAP systems discovered in the wild - A “Tsunami of SAP Attacks Coming?”
• 2014: A Chinese hacker exploited a vulnerability in a corporate SAP NetWeaver Portal.
• 2015: Report: Chinese Breach of USIS targeted SAP. Went unnoticed for over six months and compromised over 48,000 employee records of DHS and OPM.
• 2016: First ever US-CERT Alert for cybersecurity of SAP business applications released
THE THREAT LANDSCAPE
May ‘16: DHS Released Critical Alert on SAP Cyberattacks
Onapsis Research Labs discovered 36 organizations worldwide being exploited through a 5-year-old SAP vulnerability
Onapsis worked very closely and confidentially with US Department of Homeland Security resulting in the US DHS CERT-Alert TA16-132A
Onapsis released a detailed Threat Report to help customers:
• Explain the nature of the US-CERT Alert
• Determine if they are susceptible to the vulnerability
• Mitigate this vulnerability in their SAP Implementation
PONEMON RESEARCH REPORT
Key Findings
• 92% indicated an SAP breach would be serious, very serious or catastrophic
• 65% said their SAP System was breached at least once in the past 24 months
• Average cost to take SAP offline was $4.5M per incident
• 47% indicated they were “not confident” or had “no confidence” that they could detect an SAP breach within a year
WHY ORGANIZATIONS MOVE TO THE CLOUD
• Many leading Organizations are already running in the cloud
• Saves on space and money required to buy and host hardware
• Makes it possible for users to access data, applications and services over the internet
• Gives users and employees the ability to work anywhere
• Employee collaboration capabilities
• Quicker and more cost effective scaling of environments
• Free or cost effective IT management and updates
• Perceived security of cloud environments
• Hosting deployments for SAP, SAP HANA & Traditional Workloads
• Managed Private Cloud
  o A secure cloud-based environment managed directly by Symmetry
    • available as Dedicated Private Cloud or Virtual Private Cloud
  o Engineered to deliver performance and security for complex enterprises with a compliant-ready foundation for a variety of security control points
• Hybrid Cloud
  o A combination of Private and Public cloud environments designed specifically for your needs
CLOUD SECURITY ISSUES
• Complex migration process
• Data Breaches
• Data Loss
• Insecure APIs and Connections
• Malicious Insiders
• Insufficient Due Diligence
• Shared Technology
• Agreeing to someone else's security standards
THE ONAPSIS SECURITY PLATFORM
The first cybersecurity solution that automates vulnerability management, insider and outsider threat detection and response, and audit and compliance monitoring for SAP systems
By partnering with Onapsis, your enterprise can unlock new security and compliance capabilities in three key areas:
AUTOMATE
• Continuous vulnerability scanning and alerts proactively identify and bring attention to misconfigurations, insider and outsider threats.
• Improve work flows to reduce resources committed to audit and compliance data tasks.
• Compensating controls help satisfy regulators and maintain compliance between audits.
INTEGRATE
• Implementation and customer success services accelerate the maturity of an enterprise’s cybersecurity organization.
• Custom data links feed your existing SIEM tools, such as Splunk and QRadar, to provide a unified view of risk.
• SAP-certified add-on assures BASIS teams of system compatibility.
ANTICIPATE
• Onapsis Research Labs provides industry-defining threat intelligence to prepare our customers for what’s next.
• Research feeds development of new features to address emerging needs.
• More than 350 SAP and Oracle vulnerabilities reported to date.