Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
HEC IT Security & Compliance SAP IT Security & Risk Office
December, 2013 Public
© 2013 SAP AG. All rights reserved. 2 Public
Introduction
Dear Customer,
Information Security is not just a buzzword for the SAP IT Security & Risk Office – it‘s our daily work, our passion, and the principle that drives us. We strive to provide the
best data protection possible to SAP and our customers. Each customer is treated as if they were our only customer.
That‘s the kind of commitment and importance we work to achieve - every single day.
We have consistently certified to internationally recognized standards such as ISO 9001 for Quality Management or ISO 27001 for Information Security along with using
industry accepted best practices such as COBIT or the ISF Standard of Good Practice for Information Security to assure the best possible security and risk management
approach.
You can rest assured that your information is in good, experienced hands.
Additional information about HANA Enterprise Cloud can be found at http://www.sap.com/HEC
Regards,
Ralph Salomon,
Chief IT Security Officer
IT Security & Risk Office
HANA Enterprise Cloud
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
© 2013 SAP AG. All rights reserved. 3 Public
HANA Enterprise Cloud (HEC) – High Level Overview
Corporate
Ad
min
Fir
ew
all
Administrative
Jump Hosts
Shared
Administrative
Infrastructure
Management Networks
Customer #3
Customer #2
HANA ENTERPRISE
CLOUD
MPLS
MPLS
VPN
Public
Internet Access
#1
#2
#3
Customer #1
#<no>: Refers to one customer
MPLS: Multiprotocol Label Switching
VPN: Virtual Private Network
The fundamental security architecture of the HEC infrastructure is the principal of a private cloud. This means customer will receive an
isolated, logical grouping of several Virtual Machines and physical systems. All customer networks are completely isolated from each other.
HEC administrative tasks will be done using management networks
© 2013 SAP AG. All rights reserved. 4 Public
HANA Enterprise Cloud (HEC) – High Level Overview
Customer Isolation
Each HEC customer receives their own isolated landscape
HEC customer landscape is fully integrated into the
customer corporate network using WAN or VPN links
HEC administration
HEC administration is done using
shared administrative infrastructure
and management networks
Corporate
Ad
min
Fir
ew
all
Administrative
Jump Hosts
Shared
Administrative
Infrastructure
Management Networks
Customer #3
Customer #2
HANA ENTERPRISE
CLOUD
MPLS
MPLS
VPN
Public
Internet Access
#1
#2
#3
Customer #1
Integration HEC – SAP
HEC is isolated from the SAP Corporate
Network
Access to HEC is only possible with a 2-
factor authentication
#<no>: Refers to one customer
MPLS: Multiprotocol Label Switching
VPN: Virtual Private Network
WAN: Wide Area Network
© 2013 SAP AG. All rights reserved. 5 Public
Physical Security
– Video and Sensor
Surveillance
– Access Logging
– Security Guards
– Fire Detection and
Extinguishing System
– Uninterruptible Power
Supply
– Biometric Access Control in
certain Locations
Network Security
– Network Admission Control
– Intrusion Prevention Systems
– Network Filtering
– 2-factor Authentication
– Proxies
– Internet Content Filtering
Secure Operations
– Asset Management
– Change Management
– Incident Management
– Anti Virus & Malware Management
– Backup / Restore Management
– Identity & Access Management
Threat & Vulnerability Management
– Security Patch Management
– Penetration Testing
– Vulnerability Scanning
– 24 x 7 Security Monitoring Center
Advanced IT Security
Architecture
– Isolated, separated
Landscape per Customer
– Security hardened
Systems
Secure Product
Development
Lifecycle
Security measures are audited and confirmed
through various Certifications & Attestations
– ISO Certificates
o ISO9001 Quality Management System
o ISO27001 Information Security Management System
– SOC1 (ISAE3402/SSAE16) Type 1 & SOC 2 Type 1
– SOC1 (ISAE3402/SSAE16) Type 2*) & SOC 2 Type 2*)
– Industry specific Certificates (on demand with business
case foundation)
Customer data flow control
– Regional Data Storage
(e.g. EU-, US-Cloud)
Security Hana Enterprise Cloud
*) scheduled for May 2014
© 2013 SAP AG. All rights reserved. 6 Public
HANA Enterprise Cloud (HEC) – Details Details for Customer Landscapes
#1
Corporate
Ad
min
Fir
ew
all
Administrative
Jump Hosts
Shared
Administrative
Infrastructure
Management Networks
HANA ENTERPRISE
CLOUD
Sto
rag
e
SAP Cloud Frame
Manager Orchestration
HANA-Cell of physical
HANA Servers
Virtualization
Orchestration Virtualization
Server Nodes
1 2
n 3
Provisioning
Physical
Server
SAP Appl.
Server
Virtual
Machines
HANA,
e.g. 3 TB
Provisioning
Customer Landscape Customer Landscape consists of physical servers
running the HANA database and virtual machines running
additional components (e.g. SAP Application Servers)
Only logical separation within a customer landscape
Security hardened system configurations
© 2013 SAP AG. All rights reserved. 7 Public
Network Integration Customer Landscapes can be connected
using IPSEC VPN and MPLS
Customers can have multiple customer
landscapes that are joined in one
customer routing domain (#1.1 and #1.2)
Network filtering can be requested
between Customer Landscape and
Customer Corporate Network
HANA Enterprise Cloud (HEC) – Details Details for Network Integration
Corporate
Ad
min
Fir
ew
all
Administrative
Jump Hosts
Shared
Administrative
Infrastructure
Management Networks
Customer #2
HANA ENTERPRISE
CLOUD
Customer #1
VPN
Router
VPN
for #2 #2
VLAN
for #2
#1.1
#1.2
MPLS
Router
VLAN
for #1
MPLS
for #1
#<no>: Refers to one customer
IPSEC: Internet Protocol Security
MPLS: Multiprotocol Label Switching
VLAN: Virtual Local Area Network
VPN: Virtual Private Network
Details • Security Architecture
• Compliance
• Data Governance
• Physical Security
• Human Resources Security
• Legal
• Information Security
• Operations
• Risk Management
• Release Management
• Resilience
• SAP Product Security
Thank you
Ralph Salomon
Chief IT Security Officer
IT Security & Risk Office
HANA Enterprise Cloud
© 2013 SAP AG. All rights reserved. 11 Public
Security Architecture
The fundamental security architecture of the HEC infrastructure
is the principal of a private cloud. This means customer will
receive an isolated, logical grouping of several VMs and
physical systems. All customer networks are completely isolated
from each other. Administrative tasks will be done using a
management network.
Access to the customer HEC infrastructure is done via the
customer network.
As part of the service delivery from SAP, we provide customers
with guidance on how to create a layered security architecture
equivalence using our cloud solution.
Within a private cloud only logical separation between tiers is
available. Stronger separation requirements (e.g. production
private cloud, non-production private cloud) have to be
discussed and agreed between SAP and the customer.
Data input and output integrity routines (i.e., reconciliation and
edit checks) are implemented for application interfaces and
databases to prevent manual or systematic processing errors or
corruption of data.
Full remote access to the SAP network and access to the HEC
administrative landscape from the SAP network is protected with
2-factor authentication.
Access to systems with network infrastructure is granted only to
certified and authorized subcontractors.
We use a synchronized time-service protocol to ensure all
systems have a common time reference.
Integrity checks and network intrusion detection tools are
implemented to help facilitate timely detection, investigation by
root cause analysis, and response to incidents
Our security architecture is defined using industry best-
practices and experiences of SAP from similar solutions.
Furthermore, we hold ourselves to the guidelines, standards and
certifications for SOC1/ISAE 3402/SSAE 16, SOC2 and
ISO9001, ISO27001.
Due diligence mapping of regulations and standards to our
controls/architecture/processes has been done in accordance
with the standards we certify to. The following mappings exist :
– ISO 27001 and 9001
– IT Control Objectives for SOX (SOC 1, ISAE3402, SSAE16)
– Trust Services Principles and Criteria, TSP 100 (SOC 2)
Physical and logical user access to audit logs is restricted only
to authorized personnel.
HEC offers different authentication possibilities depending on
the SAP product capabilities. Details for authentication and
integration have to be defined as part of the SAP / Customer
HEC project.
© 2013 SAP AG. All rights reserved. 12 Public
Compliance
IT SRO audits are always conducted following ISO Standard 19011.
We perform regular penetration testing (both network and infrastructure) of our HEC service infrastructure.
Regular internal and external audits are performed as part of our certification efforts.
Depending on their nature, external audit reports may be shared with customers or prospects upon request. Internal audit reports will not
be published.
Penetration test results are not shared but clients may request/execute their own penetration tests against their private cloud in
coordination with SAP.
SAP permits customers to perform independent vulnerability assessments so long as we are informed in advance so that we can ignore
security alerts during the test.
SAP maintains liaisons and points of contact with local authorities in accordance appropriate regulations.
A fundamental concept of HEC is the ability to logically segment customer data along with the ability to recover data for a specific
customer in the case of a failure or data loss.
© 2013 SAP AG. All rights reserved. 13 Public
Data Governance
Our data classification policy is available upon request, however
customer data and customer data classification is the
responsibility of the customer per standards and laws that apply
to their business.
Regarding labeling, handling and security of data, data containers and data aggregators - SAP takes a risk-based approach which includes five classifications - strictly confidential, confidential, internal, customer only, public. Per our security standard, each of these categories denotes separate handling and labeling procedures.
It is possible to provide the geographical location of storage of a customer’s data upon request and we permit customers to define acceptable geographical locations for data transport and data storage & processing.
There are controls in place that enforce customer data retention policies as it pertains to SAP managed data services (e.g. backup). Customers have the responsibility to address data retention requirements within their applications.
There is a documented and published procedure for the secure disposal of customer data (e.g. degaussing, multi-pass overwrite), as determined by the customer.
Customer data migration will use industry standard strong encryption and trusted carriers (tracking). SAP data sanitization will use secure deletion technology in accordance with the aforementioned procedure regarding exiting the HEC service.
We have controls that support the capability to identify virtual machines and restrict operations on them using policies.
SAP has procedures that ensure production data shall not be replicated to non-production environments for the scope of testing of our software. Customers are responsible for managing their own business data and we often support the cloning of systems or data at the customers request and execute masking or data manipulation depending on their own policies and procedures.
By design, HEC ensures complete isolation of data between clients both at the network and hypervisor level. Our perimeter controls dramatically reduce the risk of data leakage on our side of our network. We do not currently deploy data leakage controls for existing customers. We view this as a customer responsibility - however if required we can support customer requirements at their discretion.
We only allow access to our APIs to customers using a secure private network connection. We do not publish our API's directly to the Internet. As previously stated, we see this as a customer responsibility to define where data leakage or extrusion would be required.
We can, upon request, provide security control health data to allow customer monitoring of your controls status. It is planned to provide real-time security operations dashboards in the near future.
Requests for tenant data from governments or third parties will be reviewed by SAP Legal, SAP Data Protection Office, SAP HEC Management and SAP Security. Our response will also depend on the regulations and locations (EU, US) in scope and our customer agreement.
© 2013 SAP AG. All rights reserved. 14 Public
Physical Security
We have physical security perimeters implemented at our service facilities, using a combination of entry badges, biometrics, 24x7 staffing
with dedicated lines to local police and fire departments, and video (CCTV) to enforce security at the perimeter.
The personnel entry and exit points in our facilities are monitored, controlled and isolated from data storage and process.
We allow customers to specify which of our geographic locations their data is allowed to traverse into/out of (to address legal
jurisdictional considerations based on where data is stored vs. accessed).
Customers can choose which region they want to use - data is stored regionally for EU- and US-Cloud.
When customer data needs to be moved from one site to another, SAP uses data replication between data centers in a region (e.g.
replication between data centers in Europe). The HANA Enterprise Cloud system itself will remain in its primary location in the region.
Documentation describing our asset management/equipment repurposing policies and procedures if requested.
An inventory of our assets and critical suppliers is regularly maintained.
We can provide evidence, upon request, that policies and procedures have been established for maintaining a safe and secure working
environment in offices, rooms, facilities and secure areas.
© 2013 SAP AG. All rights reserved. 15 Public
Human Resources Security
All our employment candidates, contractors and third parties subject to background verification by the HEC service provider.
We regularly train and re-train our employees regarding their roles and responsibilities (and the customer's roles) in providing information
security controls.
Employee acknowledgment of training they have completed is documented.
Our employment termination and departmental change procedures are documented, including the assignment of roles and
responsibilities for following procedures.
© 2013 SAP AG. All rights reserved. 16 Public
Legal Requirements
NDA and confidentiality requirements are documented and regularly reviewed.
We select / monitor outsourced providers in compliance with laws in the country where the data is processed, stored and transmitted.
SAP‘s legal counsel reviews all third party agreements.
SAP requires that outsourced providers / partners comply to the EU data protection laws and to the SAP Security Policy and SAP
Security Standards. Safe Harbor is also implemented if applicable.
SAP will not use or process customer data without explicit approval.
© 2013 SAP AG. All rights reserved. 17 Public
Information Security (1/3)
We provide customers with documentation describing our
Information Security Management System (ISMS) upon request.
Management (executive and line) is involved in security policy
and security standard definition, changes, employee awareness
training as well and setting priorities and funding security and
compliance related efforts.
Our information security and privacy policies align with the
following industry standards and best practices:
– Quality: ISO 9001
– Security: BS7799 / ISO27001
– IT SCM: ISO22301
– Service Management: ITIL / ISO 20000
– Overall Framework: COBIT, ISACA
We have agreements with our providers to ensure their
adherence to our information security and privacy policies.
We can provide, upon request, evidence of due diligence
mapping of our controls, architecture, and processes to
regulations and standards.
Security procedures are available that define the security
baselines for the different HEC layers (e.g. operating system,
HANA database, application layer).
We have the capability to continuously monitor and report
compliance against security baselines. Report compliance can
be delivered upon request. We are planning to provide real-time
security operations dashboards in the near future.
We allow customers to provide their own VM image(s) that
conform to their own internal standards as long as it can be run
with the SAP virtualization technology and supported
infrastructure. VM images will be vetted by SAP for their security
compliance to avoid any impact to SAP's cloud services (no
hacker / malicious / illegal software). SAP's approval is
mandatory.
Formal disciplinary procedures are established for employees
who have violated security or privacy policies however exact
measures are decided on case by case decisions depending on
the incident.
User Management for HEC is controlled using the SAP Cloud
Access Manager (CAM). SAP CAM is integrated with the central
SAP HR system which maintains the user record and
information regarding employee will be automatically replicated
to the SAP CAM. This system will revoke user access.
Additionally, the SAP CAM revokes users automatically when
they are expired. There are no permanent user permissions. In
general users need to re-request access profiles to HEC every
year. HEC managers can revoke user rights any time as
necessary.
The performance of the user access removal controls is
regularly tracked.
© 2013 SAP AG. All rights reserved. 18 Public
Information Security (2/3)
Procedures granting administrative access to HEC are covered
by SAP's access control procedures. Access to customer data in
the cloud is determined by the customer’s access control
policies.
Tamper detection from the Internet will be monitored. Our
infrastructure includes tamper detection of administrators which
is monitored for selected scenarios. Security compliance checks
will be run on operating system level to detect unauthorized
changes. Additional layers (e.g. database) are currently under
investigation.
We encrypt customer data in transit across sites, networks
and/or hypervisor instances.
We have the capability for unique encryption keys per customer
or customer managed encryption keys along with documented
encryption key management procedures.
We regularly conduct network-layer, application-layer, and local
operating system-layer vulnerability scans.
We have documented vulnerability and patch management
procedures that address risks to the cloud service in a timely
fashion.
We can provide our risk mitigation and patching targets versus
actual performance to customers on request.
We provide anomaly detection controls installed on the relevant
systems in your cloud service offerings using an industry best
practice IDS/IPS infrastructure.
State-of-the-art Malware/Anti-Virus scanners are installed on
HEC systems.
The security threat detection systems (including signatures, lists,
and behavioral patterns) are regularly updated in a timely
fashion.
We have a documented security incident response plan which
includes customer and provider roles and responsibilities during
security incidents.
There are procedures in place to monitor for privacy breaches
and notify customers if a such a breach occurs.
Our security information and event management (SIEM) system
merge data sources (application logs, network activity, IDS
alerts) for Analysis and Reporting and Alerting.
Our SIEM system allows for the isolation of an incident to
specific customer(s).
Our incident response capability include the use of legally
admissible forensic data collection and analysis techniques,
however to maintain independency forensic analysis is
conducted by specialized 3rd Parties.
© 2013 SAP AG. All rights reserved. 19 Public
Information Security (3/3)
We are capable of supporting litigation holds (freeze of data
from a specific point in time) for a specific customer without
freezing other customer data upon request.
We monitor and quantify the types, volumes, and impacts of all
information security incidents.
We have documented procedures for collecting metadata about
customer service usage.
SAP provides encryption facilities for customer data that
traverses public networks, including Internet, dedicated VPN,
and MPLS lines.
SAP uses encryption facilities when cloud service components
communicate over public networks.
We restrict, log, and monitor access to our information security
management systems.
We use dedicated secure networks to provide management
access to your cloud service with the management layer on it's
own logical network with isolated controls.
We collect capacity data for all components of your cloud
service.
Our policies, procedures, and controls are established to limit
access to sensitive data or infrastructure from portable and
mobile devices.
SAP will inform customers about material changes to our
information security and/or privacy policies if such changes
would affect the security/privacy aspects of HEC.
SAP has policies, procedures, and controls in place to prevent
unauthorized access to our (cloud service) application, program
or object source code. Core HANA software source code is only
kept in a source and version control repository and is only
accessible to authorized SAP development personnel.
SAP also has policies, procedures, and controls in place to
prevent unauthorized access to customer applications,
programs or object source code.
Utilities that can significantly manage virtualized partitions (e.g.
shutdown, clone, etc.) are appropriately restricted and monitored
and have the capability to detect and mitigate attacks that target
virtual infrastructure directly.
© 2013 SAP AG. All rights reserved. 20 Public
Operational Security
Our policies and procedures have been established and made available for all personnel to adequately support services operations roles.
Furthermore, information system documentation (e.g., administrator and user guides, architecture diagrams, etc.) are made available to
authorized personnel to ensure the correct configuring, installation, and operation of the information system.
Our cloud solution includes hardware independent restore and recovery capabilities along with providing customers with a capability to
restore a virtual machine to a previous state in time ("snapshot").
SAP allows virtual machine images to be downloaded by the customer and our cloud solution includes provider independent restore and
recovery capabilities.
© 2013 SAP AG. All rights reserved. 21 Public
Risk Management
The SAP organization insured by a third party for losses and the service level agreements provide customers with remuneration for
losses they may incur due to outages and other incidents.
Formal risk assessments are performed at planned intervals, to determine the likelihood and impact of identified risks and the likelihood
and impact associated with inherent and residual risk determined independently, considering all risk categories (e.g. audit results, threat
and vulnerability analysis, and regulatory compliance).
We assure that risks are mitigated to acceptable levels based on criteria and within reasonable time frames.
Risk assessment results include updates to security policies, procedures, and controls to ensure they remain relevant and effective.
We have implemented disaster recovery capabilities that cope with multiple simultaneous failures where redundancies are implemented
from the hardware layer, network level, application level, and physical data center locations.
SAP monitors service continuity with upstream providers and have more than one provider for each upstream service we depend on.
We provide customers with access to operational redundancy / continuity for upstream services by providing customers the ability to use
redundant upstream services.
SAP‘s customers, together with SAP, can escalate based on SAP's incident and emergency management. A customer triggered failover
option is also provided.
© 2013 SAP AG. All rights reserved. 22 Public
Release Management
SAP has policies and procedures established for management authorization for development or acquisition of new applications, systems,
databases, infrastructure, services, operations, and facilities depending on the level of service requested by the customer and generally
provided on a case-by-case basis.
As part of our certifications, SAP provides customers with documentation that describes roles, responsibilities and rights of provider and
customer for production change management procedures and documents describing the quality assurance process.
SAP has controls in place to ensure that standards of quality are being met for all systems & software development and to detect source
code security defects for any outsourced software development activities by utilizing Secure Software Development.
More details can be found in the SAP Support Portal:
https://service.sap.com/~sapdownload/011000358700000186512013E/sec-sw-dev.pdf
© 2013 SAP AG. All rights reserved. 23 Public
Resilience
SAP has implemented business continuity/disaster recovery policies and procedures to minimize the impact of an event.
Customers are provided with visibility of our operational Service Level Agreement (SLA) performance, upon request.
We provide customers with geographically resilient hosting options (Regional only. Cross region hosting is not possible due to legal and
technical constraints.)
SAP‘s business continuity plans are tested at planned intervals and upon significant change. This is a requirement of our BCM
certification.
Physical protection against damage from natural disasters and deliberate attacks is implemented.
Our datacenters are strategically located in places which have a low probability of high-impact environmental risks (i.e. flooding,
earthquake) and
controls are implemented to protect equipment from utility service outages such as power failures, network failure, and staff
unavailability.
As part of the on-boarding and off-boarding procedure, we provide customers with documentation showing the (physical and logical)
transport route of their data between cloud service systems.
Customers are also given the right to specify the legal jurisdiction their data is transmitted through.
© 2013 SAP AG. All rights reserved. 24 Public
SAP Product Security
SAP utilizes Secure Software Development to build security into our System / Software Development Lifecycle.
Our software suppliers adhere to industry standards for secure Systems/Software Development Lifecycle.
SAP performs peer code reviews on source code to detect security defects and use code analysis tools to detect code security defects
prior to production.
More details can be found in the SAP Support Portal:
https://service.sap.com/~sapdownload/011000358700000186512013E/sec-sw-dev.pdf
© 2013 SAP AG. All rights reserved.
© 2013 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the United States and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries.
Oracle and Java are registered trademarks of Oracle and its affiliates.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.
IOS is a registered trademark of Cisco Systems Inc.
RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited.
Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc.
INTERMEC is a registered trademark of Intermec Technologies Corporation.
Wi-Fi is a registered trademark of Wi-Fi Alliance.
Bluetooth is a registered trademark of Bluetooth SIG Inc.
Motorola is a registered trademark of Motorola Trademark Holdings LLC.
Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.
Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.