Secure HANA in the Cloud | Mitigating Internal & External Threats

Confidential
MAY 2017
Secure HANA in the Cloud |
Mitigating Internal & External Threats
Scott Goolik, VP of Compliance & Security | Symmetry
Tom Evgey, Director of Cloud | Onapsis

Confidential
Agenda
§ Introducing Symmetry & Onapsis
§ Evolution of SAP Security
§ Recent trends in SAP security & SAP Cybersecurity
§ Considerations for moving to the cloud
§ Mitigating risk with the Onapsis Security Platform
§ Questions
©2017 Symmetry

Confidential
24x7x365
Full-time
Employees
U.S. based
Global
Customers
Industry Roots
Symmetry was founded in 1996 and has
since grown to become one of the larger
privately held application management
and cloud hosting firms in the United
States.
Longtime Certified SAP Partner
Center of Excellence -
Milwaukee, Wis.
Enterprise Hosting
In 2005, Symmetry began providing
comprehensive hosting and managed
services to customers and is now a leader in
enterprise application hosting services.
Investing in next generation cloud platform
that also support HANA
Symmetry SAP HANA Cloud
Symmetry is a LEADER in SAP HANA
technologies, with dedicated hardware to host
true ‘Pay as you Grow’ cloud model.
Dedicated Support
Symmetry’s reputation for providing excellence in
customer service is proven by our NPS rating of 57
(2015 survey results), providing direct access to a
team familiar with your systems, backed by a
24x7x365 help desk.
GRC
Always Audit Ready
Founded in 2009, Symmetry’s GRC software is built
and supported by GRC and audit professionals.
Symmetry’s robust GRC in-house solution provides
complete compliance automation.
Who is Symmetry?
©2017 Symmetry

@2017 Onapsis, Inc. All Rights Reserved
ONAPSIS: COMPANY HIGHLIGHTS
Onapsis: Keeping Business-Critical Applications Secure & Compliant
Market Leaders
First-movers focused on Fortune
2000 and Federal organizations;
over 200 customers
Thought Leaders
Dedicated in-house Research Labs;
discovered over 500
vulnerabilities and attack vectors
Patented Technology
Awarded patent covering
underlying critical algorithms and
capabilities
Experienced Management
Successful executives from IBM,
RSA, EMC, Sophos, Amazon.com
Backed by Leading Investors
.406 Ventures, Schlumberger,
Evolution, Arsenal, Endeavor
Board of Directors & Advisors
Sr VP, Booz Allen CISO Schlumberger,
former AVG CEO, CTO Veracode
Sustained Hyper-Growth: 4th consecutive year of 100%+ YoY ARR & Bookings growth

The industry’s leading intelligence on security threats affecting
SAP and Oracle Business-Critical Applications
THE ONAPSIS RESEARCH LABS
Helped secure over
500 SAP and Oracle
flaws to date,
including 100+
affecting SAP HANA
Worked hand in hand
with the DHS on the
first-ever US-CERT
Alert for SAP
Business Applications
Regularly invited to
speak at leading
Security, SAP and
Oracle conferences
around the world
(BlackHat, RSA,
Defcon, SANS, etc)
Provide the Onapsis
Security Platform and
Onapsis Customers
with Advanced Threat
Intelligence and
market trends

Confidential
Business Critical Application Security
ERP Systems & Business-Critical Applications = The Crown Jewels
Intellectual Property
High value industry data
Sensitive Customer Information
High value customer data
Business Trade Secrets
Competitive Insights
Treasury and Cash
Corporate bank accounts
Financial Reporting Insights
Inside financial information
Sensitive Employee Information
High volume employee data
Network Front Door
Access point to the corporate network
Life Blood of the Business
Single point of operational failure
©2017 Symmetry

Confidential
Traditional SAP Security Challenges
©2017 Symmetry
§ What challenges faced when
managing…
§ SAP security workloads?
§ complex SAP security questions?
§ Audit and compliance requirements?
§ How does your organization
address…
§ Segregation of Duties?
§ User Provisioning?
§ Role Changes?
§ Emergency Access?

Confidential
Traditional SAP Security Challenges
Mitigating Risk with ControlPanelGRC
§ Managed SAP Security Services
§ Deep technical expertise with customer-first mindset
§ ControlPanelGRC
§ Symmetry’s proprietary compliance automation solution
for SAP environments
§ Automated compliance processes reduce risks
§ Compliant User Provisioning
§ Compliant Role Management
§ Emergency Access Management
§ Audit & Compliance Reporting
©2017 Symmetry
Managed SAP Security + ControlPanelGRC = Lower Cost + Greater Value

RECENT TRENDS IN SAP CYBERSECURITY

THE THREAT LANDSCAPE
The Escalation of SAP Security Attacks
Anonymous claimed breach to
Greek Ministry of Finance
using SAP zero-day exploit
2012
A malware targeting SAP
systems discovered in the wild
- A “Tsunami of SAP Attacks
Coming?”
2013
A Chinese hacker exploited a
vulnerability in a corporate
SAP NetWeaver Portal.
2014
2015
Report: Chinese Breach of
USIS targeted SAP. Went
unnoticed for over six months
and compromised over 48,000
employee records of DHS and
OPM.
First ever US-CERT Alert for
cybersecurity of SAP business
applications released
2016

May ‘16: DHS Released Critical Alert on SAP Cyberattacks
THE THREAT LANDSCAPE
Onapsis Research Labs discovered 36 organizations worldwide
being exploited through a 5-year-old SAP vulnerability
Onapsis worked very closely and confidentially with US
Department of Homeland Security resulting in the US DHS CERT-
Alert TA16--132A
Onapsis released a detailed Threat Report to help customers:
• Explain the nature of the US-CERT Alert
• Determine if they are susceptible to the vulnerability
• Mitigate this vulnerability in their SAP Implementation

PONEMAN RESEARCH REPORT
Key Findings
92%
92% indicated an SAP breach
would be serious, very
serious or catastrophic
65%
65% said their SAP System
was breached at least once
in the past 24 months
$4.5M
Average cost to take
SAP oﬄine was $4.5M
per incident
47%
47% indicated they were “not
confident” or had “no confidence”
that they could detect an SAP
breach within a year

CONSIDERATIONS FOR MOVING TO THE CLOUD

• Many leading Organizations are already running in the cloud
• WHY ORGANIZATIONS MOVE TO THE CLOUD
• Saves on space and money required to buy and host hardware
• Makes it possible for users to access data, applications and services over the internet
• Gives users and employees the ability to work anywhere
• Employee collaboration capabilities
• Quicker and more cost effective scaling of environments
• Free or cost effective IT management and updates
• Perceived security of cloud environments

• Hosting deployments for SAP, SAP HANA & Traditional Workloads
• Managed Private Cloud
o A secure cloud based environment managed directly by Symmetry
• available as Dedicated Private Cloud or Virtual Private Cloud
o Engineered to deliver performance and security for complex enterprises with a compliant-ready
foundation for a variety of security control points
• Hybrid Cloud
o A combination of Private and Public cloud environments designed specifically for your needs

• CLOUD SECURITY ISSUES
• Complex migration process
• Data Breaches
• Data Loss
• Insecure APIs and Connections
• Malicious Insiders
• Insufficient Due Diligence
• Shared Technology
• Agreeing to someone else's security standards

MITIGATING RISKS WITH
THE ONAPSIS SECURITY PLATFORM

@2017 Onapsis, Inc. All Rights Reserved@2017 Onapsis, Inc. All Rights Reserved
The first cybersecurity solution that automates vulnerability
management, insider and outsider threat detection and
response, and audit and compliance monitoring for SAP systems
By partnering with Onapsis, your enterprise can unlock new
security and compliance capabilities in three key areas:
AUTOMATE
Continuous vulnerability scanning and alerts
proactively identify and bring attention to
misconfigurations, insider and outsider threats.
Improve work flows to reduce resources
committed to audit and compliance data tasks.
Compensating controls help satisfy regulators and
maintain compliance between audits.
INTEGRATE ANTICIPATE
Implementation and customer success services
accelerate the maturity of an enterprise’s
cybersecurity organization.
Custom data links feed your existing SIEM tools,
such as Splunk and QRadar, to provide a unified
view of risk.
SAP-certified add-on assures BASIS teams of
system compatibility.
Onapsis Research Labs provides industry-defining
threat intelligence to prepare our customers for
what’s next.
Research feeds development of new features to
address emerging needs.
More than 350 SAP and Oracle vulnerabilities
reported to date.
THE ONAPSIS SECURITY PLATFORM

Confidential
Conclusion
§ Symmetry mitigates risks for internal threats
§ Managed SAP Security Services
§ ControlPanelGRC – a proprietary compliance automation platform
§ Onapsis identifies risks from external threats
§ Identification of critical SAP security notes
§ Continuous vulnerability and configuration scanning
§ Symmetry Managed SAP Basis Services mitigates identified risks
©2017 Symmetry

Confidential
Symmetry + Onapsis
©2017 Symmetry
Segregation of
Duties
Emergency Access
Management
Identity
Management
User Provisioning
Continuous
Monitoring
User Activity
Monitoring
Compliance
Monitoring
SAP Platform
Security
Configurations
Security Patches
Interfaces
Real-time Detection
of Cyber-Attacks
Virtual Patching
Research & Advance
Threat Intelligence
Integration with
Customer Ecosystem
Custom Code Static
Analysis
ControlPanelGRC
Onapsis Security Platform
Managed SAP Security Services
Managed SAP Basis Services
Managed Cloud Platform
COMPLETE security coverage

Secure HANA in the Cloud | Mitigating Internal & External Threats

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Secure HANA in the Cloud | Mitigating Internal & External Threats

Similar to Secure HANA in the Cloud | Mitigating Internal & External Threats (20)

More from Symmetry™

More from Symmetry™ (17)

Recently uploaded

Recently uploaded (20)

Secure HANA in the Cloud | Mitigating Internal & External Threats