HEC IT Security & Compliance

SAP IT Security & Risk Office, December 2013, Public


© 2013 SAP AG. All rights reserved.

Introduction

Dear Customer,

Information Security is not just a buzzword for the SAP IT Security & Risk Office – it's our daily work, our passion, and the principle that drives us. We strive to provide the best data protection possible to SAP and our customers. Each customer is treated as if they were our only customer.

That's the kind of commitment and importance we work to achieve - every single day.

We have consistently certified to internationally recognized standards such as ISO 9001 for Quality Management or ISO 27001 for Information Security along with using industry accepted best practices such as COBIT or the ISF Standard of Good Practice for Information Security to assure the best possible security and risk management approach.

You can rest assured that your information is in good, experienced hands.

Additional information about HANA Enterprise Cloud can be found at http://www.sap.com/HEC

Regards,

Ralph Salomon,

Chief IT Security Officer

IT Security & Risk Office

HANA Enterprise Cloud

SAP AG

Dietmar-Hopp-Allee 16

69190 Walldorf, Germany

HANA Enterprise Cloud (HEC) – High Level Overview

[Diagram: HEC high-level overview. Labels: Corporate; Admin Firewall; Administrative Jump Hosts; Shared Administrative Infrastructure; Management Networks; HANA Enterprise Cloud; Customer #1, Customer #2, Customer #3; MPLS, VPN and Public Internet Access links #1, #2, #3.]

#<no>: Refers to one customer

MPLS: Multiprotocol Label Switching

VPN: Virtual Private Network

The fundamental security architecture of the HEC infrastructure is the principle of a private cloud. This means the customer will receive an isolated, logical grouping of several Virtual Machines and physical systems. All customer networks are completely isolated from each other.

HEC administrative tasks will be done using management networks.

HANA Enterprise Cloud (HEC) – High Level Overview

Customer Isolation

Each HEC customer receives their own isolated landscape

HEC customer landscape is fully integrated into the customer corporate network using WAN or VPN links

HEC administration

HEC administration is done using shared administrative infrastructure and management networks

Integration HEC – SAP

HEC is isolated from the SAP Corporate Network

Access to HEC is only possible with a 2-factor authentication

#<no>: Refers to one customer

MPLS: Multiprotocol Label Switching

VPN: Virtual Private Network

WAN: Wide Area Network

Security HANA Enterprise Cloud

Physical Security

– Video and Sensor Surveillance

– Access Logging

– Security Guards

– Fire Detection and Extinguishing System

– Uninterruptible Power Supply

– Biometric Access Control in certain Locations

Network Security

– Network Admission Control

– Intrusion Prevention Systems

– Network Filtering

– 2-factor Authentication

– Proxies

– Internet Content Filtering

Secure Operations

– Asset Management

– Change Management

– Incident Management

– Anti Virus & Malware Management

– Backup / Restore Management

– Identity & Access Management

Threat & Vulnerability Management

– Security Patch Management

– Penetration Testing

– Vulnerability Scanning

– 24 x 7 Security Monitoring Center

Advanced IT Security Architecture

– Isolated, separated Landscape per Customer

– Security hardened Systems

Secure Product Development Lifecycle

Security measures are audited and confirmed through various Certifications & Attestations

– ISO Certificates

o ISO9001 Quality Management System

o ISO27001 Information Security Management System

– SOC1 (ISAE3402/SSAE16) Type 1 & SOC 2 Type 1

– SOC1 (ISAE3402/SSAE16) Type 2*) & SOC 2 Type 2*)

– Industry specific Certificates (on demand with business case foundation)

Customer data flow control

– Regional Data Storage (e.g. EU-, US-Cloud)

*) scheduled for May 2014

HANA Enterprise Cloud (HEC) – Details

Details for Customer Landscapes

[Diagram: customer landscape #1. Labels: Corporate; Admin Firewall; Administrative Jump Hosts; Shared Administrative Infrastructure; Management Networks; HANA Enterprise Cloud; Storage; SAP Cloud Frame Manager; Orchestration; HANA-Cell of physical HANA Servers; Virtualization; Server Nodes 1, 2, 3, n; Provisioning; Physical Server; SAP Appl. Server; Virtual Machines; HANA, e.g. 3 TB.]

Customer Landscape

Customer Landscape consists of physical servers running the HANA database and virtual machines running additional components (e.g. SAP Application Servers)

Only logical separation within a customer landscape

Security hardened system configurations

HANA Enterprise Cloud (HEC) – Details

Details for Network Integration

Network Integration

Customer Landscapes can be connected using IPSEC VPN and MPLS

Customers can have multiple customer landscapes that are joined in one customer routing domain (#1.1 and #1.2)

Network filtering can be requested between Customer Landscape and Customer Corporate Network

[Diagram: network integration. Labels: Corporate; Admin Firewall; Administrative Jump Hosts; Shared Administrative Infrastructure; Management Networks; HANA Enterprise Cloud; Customer #1; Customer #2; VPN Router; VPN for #2; #2; VLAN for #2; #1.1; #1.2; MPLS Router; VLAN for #1; MPLS for #1.]

#<no>: Refers to one customer

IPSEC: Internet Protocol Security

MPLS: Multiprotocol Label Switching

VLAN: Virtual Local Area Network

VPN: Virtual Private Network

Details

• Security Architecture

• Compliance

• Data Governance

• Physical Security

• Human Resources Security

• Legal

• Information Security

• Operations

• Risk Management

• Release Management

• Resilience

• SAP Product Security

Thank you

Ralph Salomon

Chief IT Security Officer

IT Security & Risk Office

HANA Enterprise Cloud

Security Architecture

The fundamental security architecture of the HEC infrastructure is the principle of a private cloud. This means the customer will receive an isolated, logical grouping of several VMs and physical systems. All customer networks are completely isolated from each other. Administrative tasks will be done using a management network.

Access to the customer HEC infrastructure is done via the customer network.

As part of the service delivery from SAP, we provide customers with guidance on how to create a layered security architecture equivalence using our cloud solution.

Within a private cloud only logical separation between tiers is available. Stronger separation requirements (e.g. production private cloud, non-production private cloud) have to be discussed and agreed between SAP and the customer.

Data input and output integrity routines (i.e., reconciliation and edit checks) are implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data.

Full remote access to the SAP network and access to the HEC administrative landscape from the SAP network is protected with 2-factor authentication.

Access to systems with network infrastructure is granted only to certified and authorized subcontractors.

We use a synchronized time-service protocol to ensure all systems have a common time reference.

Integrity checks and network intrusion detection tools are implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents.

Our security architecture is defined using industry best practices and experiences of SAP from similar solutions. Furthermore, we hold ourselves to the guidelines, standards and certifications for SOC1/ISAE 3402/SSAE 16, SOC2 and ISO9001, ISO27001.

Due diligence mapping of regulations and standards to our controls/architecture/processes has been done in accordance with the standards we certify to. The following mappings exist:

– ISO 27001 and 9001

– IT Control Objectives for SOX (SOC 1, ISAE3402, SSAE16)

– Trust Services Principles and Criteria, TSP 100 (SOC 2)

Physical and logical user access to audit logs is restricted only to authorized personnel.

HEC offers different authentication possibilities depending on the SAP product capabilities. Details for authentication and integration have to be defined as part of the SAP / Customer HEC project.

Compliance

IT SRO audits are always conducted following ISO Standard 19011.

We perform regular penetration testing (both network and infrastructure) of our HEC service infrastructure.

Regular internal and external audits are performed as part of our certification efforts.

Depending on their nature, external audit reports may be shared with customers or prospects upon request. Internal audit reports will not be published.

Penetration test results are not shared but clients may request/execute their own penetration tests against their private cloud in coordination with SAP.

SAP permits customers to perform independent vulnerability assessments so long as we are informed in advance so that we can ignore security alerts during the test.

SAP maintains liaisons and points of contact with local authorities in accordance with appropriate regulations.

A fundamental concept of HEC is the ability to logically segment customer data along with the ability to recover data for a specific customer in the case of a failure or data loss.

Data Governance

Our data classification policy is available upon request; however, customer data and customer data classification is the responsibility of the customer per standards and laws that apply to their business.

Regarding labeling, handling and security of data, data containers and data aggregators - SAP takes a risk-based approach which includes five classifications - strictly confidential, confidential, internal, customer only, public. Per our security standard, each of these categories denotes separate handling and labeling procedures.

It is possible to provide the geographical location of storage of a customer’s data upon request and we permit customers to define acceptable geographical locations for data transport and data storage & processing.

There are controls in place that enforce customer data retention policies as it pertains to SAP managed data services (e.g. backup). Customers have the responsibility to address data retention requirements within their applications.

There is a documented and published procedure for the secure disposal of customer data (e.g. degaussing, multi-pass overwrite), as determined by the customer.

Customer data migration will use industry standard strong encryption and trusted carriers (tracking). SAP data sanitization will use secure deletion technology in accordance with the aforementioned procedure regarding exiting the HEC service.

We have controls that support the capability to identify virtual machines and restrict operations on them using policies.

SAP has procedures that ensure production data shall not be replicated to non-production environments for the scope of testing of our software. Customers are responsible for managing their own business data and we often support the cloning of systems or data at the customer's request and execute masking or data manipulation depending on their own policies and procedures.

By design, HEC ensures complete isolation of data between clients both at the network and hypervisor level. Our perimeter controls dramatically reduce the risk of data leakage on our side of our network. We do not currently deploy data leakage controls for existing customers. We view this as a customer responsibility - however if required we can support customer requirements at their discretion.

We only allow access to our APIs to customers using a secure private network connection. We do not publish our APIs directly to the Internet. As previously stated, we see this as a customer responsibility to define where data leakage or extrusion would be required.

We can, upon request, provide security control health data to allow customer monitoring of your controls status. It is planned to provide real-time security operations dashboards in the near future.

Requests for tenant data from governments or third parties will be reviewed by SAP Legal, SAP Data Protection Office, SAP HEC Management and SAP Security. Our response will also depend on the regulations and locations (EU, US) in scope and our customer agreement.

Physical Security

We have physical security perimeters implemented at our service facilities, using a combination of entry badges, biometrics, 24x7 staffing with dedicated lines to local police and fire departments, and video (CCTV) to enforce security at the perimeter.

The personnel entry and exit points in our facilities are monitored, controlled and isolated from data storage and process.

We allow customers to specify which of our geographic locations their data is allowed to traverse into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed).

Customers can choose which region they want to use - data is stored regionally for EU- and US-Cloud.

When customer data needs to be moved from one site to another, SAP uses data replication between data centers in a region (e.g. replication between data centers in Europe). The HANA Enterprise Cloud system itself will remain in its primary location in the region.

Documentation describing our asset management/equipment repurposing policies and procedures is available if requested.

An inventory of our assets and critical suppliers is regularly maintained.

We can provide evidence, upon request, that policies and procedures have been established for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas.

Human Resources Security

All our employment candidates, contractors and third parties are subject to background verification by the HEC service provider.

We regularly train and re-train our employees regarding their roles and responsibilities (and the customer's roles) in providing information security controls.

Employee acknowledgment of training they have completed is documented.

Our employment termination and departmental change procedures are documented, including the assignment of roles and responsibilities for following procedures.

Legal Requirements

NDA and confidentiality requirements are documented and regularly reviewed.

We select / monitor outsourced providers in compliance with laws in the country where the data is processed, stored and transmitted.

SAP's legal counsel reviews all third party agreements.

SAP requires that outsourced providers / partners comply with the EU data protection laws and with the SAP Security Policy and SAP Security Standards. Safe Harbor is also implemented if applicable.

SAP will not use or process customer data without explicit approval.

Information Security (1/3)

We provide customers with documentation describing our Information Security Management System (ISMS) upon request.

Management (executive and line) is involved in security policy and security standard definition, changes, employee awareness training as well as setting priorities and funding security and compliance related efforts.

Our information security and privacy policies align with the following industry standards and best practices:

– Quality: ISO 9001

– Security: BS7799 / ISO27001

– IT SCM: ISO22301

– Service Management: ITIL / ISO 20000

– Overall Framework: COBIT, ISACA

We have agreements with our providers to ensure their adherence to our information security and privacy policies.

We can provide, upon request, evidence of due diligence mapping of our controls, architecture, and processes to regulations and standards.

Security procedures are available that define the security baselines for the different HEC layers (e.g. operating system, HANA database, application layer).

We have the capability to continuously monitor and report compliance against security baselines. Compliance reports can be delivered upon request. We are planning to provide real-time security operations dashboards in the near future.

We allow customers to provide their own VM image(s) that conform to their own internal standards as long as they can be run with the SAP virtualization technology and supported infrastructure. VM images will be vetted by SAP for their security compliance to avoid any impact to SAP's cloud services (no hacker / malicious / illegal software). SAP's approval is mandatory.

Formal disciplinary procedures are established for employees who have violated security or privacy policies; however, exact measures are decided on a case-by-case basis depending on the incident.

User Management for HEC is controlled using the SAP Cloud Access Manager (CAM). SAP CAM is integrated with the central SAP HR system, which maintains the user record, and information regarding employees will be automatically replicated to the SAP CAM. This system will revoke user access. Additionally, the SAP CAM revokes users automatically when they are expired. There are no permanent user permissions. In general users need to re-request access profiles to HEC every year. HEC managers can revoke user rights any time as necessary.

The performance of the user access removal controls is regularly tracked.

Information Security (2/3)

Procedures granting administrative access to HEC are covered by SAP's access control procedures. Access to customer data in the cloud is determined by the customer's access control policies.

Tamper detection from the Internet will be monitored. Our infrastructure includes tamper detection of administrators which is monitored for selected scenarios. Security compliance checks will be run on operating system level to detect unauthorized changes. Additional layers (e.g. database) are currently under investigation.

We encrypt customer data in transit across sites, networks and/or hypervisor instances.

We have the capability for unique encryption keys per customer or customer managed encryption keys along with documented encryption key management procedures.

We regularly conduct network-layer, application-layer, and local operating system-layer vulnerability scans.

We have documented vulnerability and patch management procedures that address risks to the cloud service in a timely fashion.

We can provide our risk mitigation and patching targets versus actual performance to customers on request.

We provide anomaly detection controls installed on the relevant systems in your cloud service offerings using an industry best practice IDS/IPS infrastructure.

State-of-the-art Malware/Anti-Virus scanners are installed on HEC systems.

The security threat detection systems (including signatures, lists, and behavioral patterns) are regularly updated in a timely fashion.

We have a documented security incident response plan which includes customer and provider roles and responsibilities during security incidents.

There are procedures in place to monitor for privacy breaches and notify customers if such a breach occurs.

Our security information and event management (SIEM) system merges data sources (application logs, network activity, IDS alerts) for analysis, reporting and alerting.

Our SIEM system allows for the isolation of an incident to specific customer(s).

Our incident response capability includes the use of legally admissible forensic data collection and analysis techniques; however, to maintain independence, forensic analysis is conducted by specialized 3rd parties.

Information Security (3/3)

We are capable of supporting litigation holds (freeze of data from a specific point in time) for a specific customer without freezing other customer data upon request.

We monitor and quantify the types, volumes, and impacts of all information security incidents.

We have documented procedures for collecting metadata about customer service usage.

SAP provides encryption facilities for customer data that traverses public networks, including Internet, dedicated VPN, and MPLS lines.

SAP uses encryption facilities when cloud service components communicate over public networks.

We restrict, log, and monitor access to our information security management systems.

We use dedicated secure networks to provide management access to your cloud service with the management layer on its own logical network with isolated controls.

We collect capacity data for all components of your cloud service.

Our policies, procedures, and controls are established to limit access to sensitive data or infrastructure from portable and mobile devices.

SAP will inform customers about material changes to our information security and/or privacy policies if such changes would affect the security/privacy aspects of HEC.

SAP has policies, procedures, and controls in place to prevent unauthorized access to our (cloud service) application, program or object source code. Core HANA software source code is only kept in a source and version control repository and is only accessible to authorized SAP development personnel.

SAP also has policies, procedures, and controls in place to prevent unauthorized access to customer applications, programs or object source code.

Utilities that can significantly manage virtualized partitions (e.g. shutdown, clone, etc.) are appropriately restricted and monitored and have the capability to detect and mitigate attacks that target virtual infrastructure directly.

Operational Security

Our policies and procedures have been established and made available for all personnel to adequately support services operations roles. Furthermore, information system documentation (e.g., administrator and user guides, architecture diagrams, etc.) is made available to authorized personnel to ensure the correct configuring, installation, and operation of the information system.

Our cloud solution includes hardware independent restore and recovery capabilities along with providing customers with a capability to restore a virtual machine to a previous state in time ("snapshot").

SAP allows virtual machine images to be downloaded by the customer and our cloud solution includes provider independent restore and recovery capabilities.

Risk Management

The SAP organization is insured by a third party for losses and the service level agreements provide customers with remuneration for losses they may incur due to outages and other incidents.

Formal risk assessments are performed at planned intervals, to determine the likelihood and impact of identified risks and the likelihood and impact associated with inherent and residual risk determined independently, considering all risk categories (e.g. audit results, threat and vulnerability analysis, and regulatory compliance).

We assure that risks are mitigated to acceptable levels based on criteria and within reasonable time frames.

Risk assessment results include updates to security policies, procedures, and controls to ensure they remain relevant and effective.

We have implemented disaster recovery capabilities that cope with multiple simultaneous failures where redundancies are implemented from the hardware layer, network level, application level, and physical data center locations.

SAP monitors service continuity with upstream providers and has more than one provider for each upstream service we depend on.

We provide customers with access to operational redundancy / continuity for upstream services by providing customers the ability to use redundant upstream services.

SAP's customers, together with SAP, can escalate based on SAP's incident and emergency management. A customer triggered failover option is also provided.

Release Management

SAP has policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations, and facilities depending on the level of service requested by the customer and generally provided on a case-by-case basis.

As part of our certifications, SAP provides customers with documentation that describes roles, responsibilities and rights of provider and customer for production change management procedures and documents describing the quality assurance process.

SAP has controls in place to ensure that standards of quality are being met for all systems & software development and to detect source code security defects for any outsourced software development activities by utilizing Secure Software Development.

More details can be found in the SAP Support Portal:

https://service.sap.com/~sapdownload/011000358700000186512013E/sec-sw-dev.pdf

Resilience

SAP has implemented business continuity/disaster recovery policies and procedures to minimize the impact of an event.

Customers are provided with visibility of our operational Service Level Agreement (SLA) performance, upon request.

We provide customers with geographically resilient hosting options (Regional only. Cross region hosting is not possible due to legal and technical constraints.)

SAP's business continuity plans are tested at planned intervals and upon significant change. This is a requirement of our BCM certification.

Physical protection against damage from natural disasters and deliberate attacks is implemented.

Our datacenters are strategically located in places which have a low probability of high-impact environmental risks (i.e. flooding, earthquake) and controls are implemented to protect equipment from utility service outages such as power failures, network failure, and staff unavailability.

As part of the on-boarding and off-boarding procedure, we provide customers with documentation showing the (physical and logical) transport route of their data between cloud service systems.

Customers are also given the right to specify the legal jurisdiction their data is transmitted through.

SAP Product Security

SAP utilizes Secure Software Development to build security into our System / Software Development Lifecycle.

Our software suppliers adhere to industry standards for secure Systems/Software Development Lifecycle.

SAP performs peer code reviews on source code to detect security defects and uses code analysis tools to detect code security defects prior to production.

More details can be found in the SAP Support Portal:

https://service.sap.com/~sapdownload/011000358700000186512013E/sec-sw-dev.pdf

© 2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.