SAP Cloud Security Framework Theory And Practice

Transcription

SAP Cloud Security Framework: Theory and Practice
Michal Marko, SAP CZ
Presales Senior Specialist for Cloud Platform & Technology
PUBLIC

Agenda
What is SAP Cloud
§ Delivery and deployment models
§ Portfolio
SAP Cloud Secure
§ Trust Center
§ Certification & standards
§ Contractual framework
§ Data centers & infrastructure
Story & experience
Summary & links
© 2017 SAP SE or an SAP affiliate company. All rights reserved. | PUBLIC

What is SAP Cloud?
Delivery, deployment models & portfolio

Definition* of cloud deployment model
Private cloud
§ The service is assigned to one dedicated customer (single-tenant)
§ Access via a protected network channel (Virtual Private Network)
§ Operated by the customer or under a "Managed-Service" agreement
§ May be hosted on-premise or with a service provider
Public cloud
§ Systems are shared between multiple customers (multi-tenant)
§ Service usage by self-service access and tools
§ Operated by the service provider
Hybrid cloud
§ Mix of multiple deployment models
§ Integration through standardized or specific interfaces ensuring access and data transfer
A mix of on-premise and at least one cloud model is named a "mixed environment".
* Analogous to the definition of cloud computing by the National Institute of Standards and Technology (NIST)

SAP Cloud deployment model
SAP Cloud Secure
§ SAP data center
§ SAP managed operations
§ SAP support
A mix of on-premise and at least one cloud model is named a "mixed environment".

SAP Cloud Solution portfolio
§ HANA Enterprise Cloud: private cloud & managed services
§ SAP Cloud Applications
§ SAP Cloud Platform: build new cloud apps, extend on-premise apps, integrate everything
One cloud infrastructure

SAP Cloud Secure
High-level overview


Layers of assurance
Contract
§ Data processing agreement to meet applicable local data privacy regulations globally
Audit and certification
§ Service Organization Control (SOC) reports and certifications provide independent evidence for security, availability, confidentiality, data protection, and quality
Policies, directives, and standards
§ Integrated management system for information security, data protection, and service delivery
§ Comprehensive security architecture covering applications, processing systems, and data centers

Management system of standards and best practices*
Transparency / certification
§ Financial controls: SOC 1 (SSAE 18 / ISAE 3402)
§ Operations and compliance: SOC 2, SOC 3 (AT 101 / ISAE 3000)
§ ISO 27001**, ISO 22301**, ISO 9001**, BS 10012
Best practice (extract)
§ Quality management: ISO 9000, ISO 25010
§ Data protection / data privacy: BS 10012, ISO 27018, EU General Data Protection Regulation
§ Security: ISO 20000, ISO 27034, OWASP, SANS, ISO, CERT, NIST
§ Destruction of media: ISO 27040
§ Incident management: ISO 27035
§ Code of practice: ISO 27002
* The management systems are used across all SAP Cloud Secure services; execution of independent certification and audit depends on the service and organizational unit respectively. Details available at: quality/excellence.html
** Component of the Integrated Information Security Management System (IISMS): oud-certification-compliance.html


SAP Data Protection Management System (DPMS)
Inputs to the DPMS:
§ Legal data protection and privacy requirements
§ Management standards: ISO 27001 (optional), BS 10012:2009
§ SAP policies & standards: SAP DP Policy, SAP Security Policy & Standards
§ Organizational specifics: data-protection-relevant processes, technical & organizational measures (TOM), data protection governance, major locations of the LoB
SAP's Data Protection Management System combines the various requirements relevant for data protection and privacy in two documents:
§ General book: general rules and descriptions valid for the entire organization
§ LoB appendix: definition of scope and work instructions valid for employees in this line of business (LoB)


SAP Cloud Secure – Contractual framework
§ Globally applicable Data Processing Agreement (DPA) based on the European General Data Protection Regulation, one of the most comprehensive privacy regulations
§ Uniform application and control of this comprehensive data privacy regulation is consistent throughout the sub-processor chain
§ SAP observes changes of local data privacy regulation globally and invests in keeping the service in a state in which customers can continue to use it in compliance
§ Additional cloud service offerings cover stricter data privacy requirements and special customer demands, such as storage and transfer of data in/from EU locations only, a US Federal Government environment, or Australian or Russian data residency
loud-service-level-agreements.html


What is the Cloud Security Framework?
"This Cloud Security Framework, which is part of SAP's Documentation as defined in the SAP General Terms and Conditions for Cloud Services [8] and may be updated from time to time, governs the security controls and measures provided for the production (PRD) environments of SAP Cloud solutions and respective modules provided by SAP as listed in Section 2.3."
It is a document which applies to all SAP Cloud solutions.

Technical & organizational measures (TOM) at a glance

TOM                         Measures (samples)
Access Control (physical)   Video and sensor surveillance, access logging, intruder alarm systems
System Access Control       Password policy, strong authentication, access management tool
Data Access Control         Authorization concepts, SAP security policies and standards, security checks and penetration tests
Data Transmission Control   SAP security policy (confidentiality), network security, encryption
Data Input Control          Security incident management, 24x7 Security Monitoring Center, SIEM
Job Control                 Segregation of duties, subcontractor compliance / certification
Availability Control        Business continuity management, disaster recovery plans / testing
Data Separation Control     Multi-tenancy, separate system landscapes, access restrictions
Data Integrity Control      Security patch management, malware management process

SAP Cloud Secure
Data centers

SAP Cloud Secure data centers
§ Data centers on level III or IV
§ SAP data centers around the world*: 14 countries, 30 locations, 40 DCs
§ Benefit from local regulations (e.g. strong German & EU regulations)
§ Low latency speeds up access
§ Customers can choose
  – the region of data storage
  – EU-only operations (available)
  – their preferred data center partner
Premium Partner Model for HANA Enterprise Cloud: 10 premium partners, 33 data centers in 16 … (map of operational and planned sites, including Singapore, Brazil and Australia)
* Not all cloud solutions are available in all data centers; for the availability of cloud solutions please consult the official availability matrix.

Data center – SAP Data Center level (availability) definition
§ SAP Cloud solutions and customer data need to be operated in an SAP Data Center level III, III+ or IV classified data center
§ SAP checks on site the compliance with the SAP Data Center minimum physical security standard, which covers topics like:
  – Perimeter & location security
  – Building entry point security
  – Building security
  – Access controls & monitoring (general access, and access to dedicated SAP areas)
  – Fire protection
  – Electrical power supply
  – Certifications of the data center provider

Minimum availability requirements per SAP Data Center level

Requirement                                          level I   level II  level III  level III+  level IV
Stand-alone data center building necessary           no        no        no         yes         yes
Number of external electrical power suppliers        1         1         1          1           2
Number of transformers to power the data center      n         n         n+1        n+1         2n
UPS battery system necessary                         no        yes       yes        yes         yes
Minutes the UPS must provide power                   0         5         10         10          10
Number of UPS systems necessary                      n         n         n+1        n+1         2n
(Diesel) generators needed                           no        no        yes        yes         yes
Number of cooling systems needed                     n         n         n+1        n+1         2n
Server cooling is independent from the office AC     no        no        yes        yes         yes
Fire detection system needs to be installed          yes       yes       yes        yes         yes
Fire extinguishing system must be installed          no        yes       yes        yes         yes
On-site response time of data center personnel       48 h      8 h       1 h        1 h         1 h
Available WAN network connection lines               1         n+1       n+1        n+1         2n
Available LAN network connection lines               n         n+1       n+1        2n          2n

Legend: n = all components are used for operation, no spare component, no backup or redundancy; n+1 = exactly one additional component is available to replace a failed component; 2n = every component has a backup/spare component, full redundancy. UPS = uninterruptible power supply; AC = air conditioning.
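The level matrix above is the check a practitioner actually needs when assessing a candidate facility: which level does it reach, and which rows block the next one? The following is an added example, not SAP's own tooling, that scores a site against the matrix exactly as transcribed on the slide. The attribute names, the two constructed sample sites and the ordering "1" = "n" < "n+1" < "2n" are this example's assumptions; the single WAN line the slide writes as "1" at level I is treated as no redundancy.

```python
from __future__ import annotations

from typing import Dict, List, Optional, Union

# Added example: score a data center against the SAP Data Center level matrix
# as transcribed on the slide. Not SAP tooling; attribute names, sample sites
# and the ranking of "1"/"n" are this example's own assumptions.

LEVELS = ["I", "II", "III", "III+", "IV"]

# Redundancy schemes from the slide legend, weakest to strongest. "1" is how
# the slide writes the single WAN line at level I; treated as no redundancy.
REDUNDANCY_RANK = {"1": 0, "n": 0, "n+1": 1, "2n": 2}

Value = Union[bool, int, str]

# Rows of the matrix: site attribute -> required value per level (LEVELS order).
REQUIREMENTS: Dict[str, List[Value]] = {
    "standalone_building":              [False, False, False, True,  True],
    "external_power_suppliers":         [1,     1,     1,     1,     2],
    "transformers":                     ["n",   "n",   "n+1", "n+1", "2n"],
    "has_ups":                          [False, True,  True,  True,  True],
    "ups_minutes":                      [0,     5,     10,    10,    10],
    "ups_systems":                      ["n",   "n",   "n+1", "n+1", "2n"],
    "has_generators":                   [False, False, True,  True,  True],
    "cooling_systems":                  ["n",   "n",   "n+1", "n+1", "2n"],
    "cooling_independent_of_office_ac": [False, False, True,  True,  True],
    "fire_detection":                   [True,  True,  True,  True,  True],
    "fire_extinguishing":               [False, True,  True,  True,  True],
    "response_time_hours":              [48,    8,     1,     1,     1],
    "wan_lines":                        ["1",   "n+1", "n+1", "n+1", "2n"],
    "lan_lines":                        ["n",   "n+1", "n+1", "2n",  "2n"],
}


def meets(attr: str, offered: Value, required: Value) -> bool:
    """True if what the site offers satisfies one cell of the matrix."""
    if isinstance(required, bool):          # checked before int: bool is an int subclass
        return bool(offered) or not required  # "no" in the matrix means not required
    if attr == "response_time_hours":
        return int(offered) <= int(required)  # faster response satisfies a slower bound
    if isinstance(required, int):
        return int(offered) >= int(required)
    return REDUNDANCY_RANK[str(offered)] >= REDUNDANCY_RANK[str(required)]


def gaps(site: Dict[str, Value], level: str) -> List[str]:
    """Attributes of `site` that fall short of `level`, in matrix row order."""
    col = LEVELS.index(level)
    return [attr for attr, reqs in REQUIREMENTS.items()
            if not meets(attr, site[attr], reqs[col])]


def classify(site: Dict[str, Value]) -> Optional[str]:
    """Highest level whose every requirement the site meets, or None if not even level I."""
    best: Optional[str] = None
    for level in LEVELS:
        if not gaps(site, level):
            best = level
    return best


# Constructed sample sites (not real SAP facilities).
REDUNDANT_SITE: Dict[str, Value] = {
    "standalone_building": False,            # shares a building with offices
    "external_power_suppliers": 1,
    "transformers": "n+1",
    "has_ups": True,
    "ups_minutes": 15,
    "ups_systems": "n+1",
    "has_generators": True,
    "cooling_systems": "n+1",
    "cooling_independent_of_office_ac": True,
    "fire_detection": True,
    "fire_extinguishing": True,
    "response_time_hours": 1,
    "wan_lines": "n+1",
    "lan_lines": "2n",
}

BASIC_SITE: Dict[str, Value] = {
    "standalone_building": False,
    "external_power_suppliers": 1,
    "transformers": "n",
    "has_ups": False,
    "ups_minutes": 0,
    "ups_systems": "n",
    "has_generators": False,
    "cooling_systems": "n",
    "cooling_independent_of_office_ac": False,
    "fire_detection": True,
    "fire_extinguishing": False,
    "response_time_hours": 24,
    "wan_lines": "1",
    "lan_lines": "n",
}

if __name__ == "__main__":
    for name, site in (("redundant", REDUNDANT_SITE), ("basic", BASIC_SITE)):
        print(name, "->", classify(site), "| missing for III+:", gaps(site, "III+"))
```

Running it reports the redundant site as level III, blocked from III+ only by the shared building, and the basic site as level I; `gaps(site, "II")` on the basic site lists the UPS, fire extinguishing, response time and line redundancy rows, which is the remediation list an assessor would hand to the provider.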

SAP Cloud Secure
A bit of experience

Bigger picture: a customer engagement from March 2017 to September 2017, seven milestones
Milestones: kick-off; SAP Cloud portfolio workshop; portal options workshop; proof of technology (1 MD); HANA Cloud Platform workshop 1 (integration, users, custom Fiori, mobile); SAP Cloud Platform workshop 2; sold
Landscapes involved: NetWeaver & BW on-premise; NetWeaver & BW on-premise with HCP; HCP & ERP
Proofs of concept: PoC 1 on Neo with custom Java; PoC 2 on Cloud Foundry with custom Java
Recurring questions: Users? Authorization? Authentication? LDAPs / IDPs / SAML 2.0 / OAuth

SAP Cloud Secure
Summary

Confidence in the SAP Cloud Secure service through transparency
§ Comprehensive contracts: privacy, security framework, and applicable local regulations
§ Independent audits: Service Organization Control reports, certifications
§ Cyber defense: multiple layers of defense; holistic: prevent, detect, and react
§ Secure cloud model: holistic approach, secure architecture

Thank you
Need more information? SAP Cloud Trust Center
Michal Marko, michal.marko@sap.com
