Sven Denecken, VP Strategy, SAP AG @SDenecken September 2013 Update on Cloud Security

SAP Cloud Security - Extract from Presentation (update September 2013) #SAPCloud


Extract from a presentation (update September 2013) about security in the cloud. Also see blog here: http://scn.sap.com/community/cloud/blog/2013/08/07/the-1-2-3-of-cloud-security-at-sap


© 2013 SAP AG. All rights reserved. Public

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.


Requires the right mix

Adopting cloud Solutions to solve real business problems


…and security.


Cloud Security


Along the IT service isobars

Security remains an important topic

Data center - data security

Where is my data

Portability of data

Business Continuity


SAP Cloud Security – Standards and Certificates

Overview

Physical Security | Network Security | Backup & Recovery | Compliance | Confidentiality & Integrity

High Availability

International Accounting Regulations

Quality Management

Energy Efficiency

IT Operations

ISAE3402 TESTIFIED*

SSAE16 TESTIFIED*

BS25999 CERTIFIED

GREEN IT CERTIFIED

ISO 27001 CERTIFIED

ISO 9001 CERTIFIED

*formerly SAS 70 Type II


SAP Cloud Security – Network Security

Details

Reverse Proxy Farms: Hide network topology

Multiple redundant Internet Connections: Limit the effect of denial of service (DoS) attacks

Data Encryption: Highest level of protection with up to 256-bit data encryption protocols using Transport Layer Security*

Intrusion Detection System: Monitor web traffic 24 x 7 x 365

Multiple Firewalls: Shield internal network from hackers

Third Party Audits/Penetration Tests: Early and independent detection of security issues (e.g. program backdoors, network vulnerabilities,…)

* formerly known as Secure Sockets Layer


SAP Cloud Security – Backup and Recovery

Details

Snapshots: Backups are created with snapshots from disk to disk. This ensures fast creation, backups, and, if required, fast restoration.

Frequency: Daily full backup. Log files incrementally backed up every two hours: all changes in database since the last full backup are saved.

Location: Database and log-file backups are stored in a geographically separated data center but stay in the designated region.

Objective: Recovery up to the last transaction is supported within database recovery process. Maximum lost time for customer is two hours - if the primary data center is completely destroyed.

Retention times: Backups of the last 3 days are kept on primary and secondary storage. Previous backups are kept up to 14 days in the geographically separated backup data center.

Information Security Management System: ISO 27001 CERTIFIED


SAP Cloud Security – Compliance

Overview

Compliance features

Journal entries that allow tracing of business transactions to source documents

Number ranges that distinguish journal entries

Accounting-relevant data cannot be deleted from audit trails

Supports IFRS accounting regulations

Solution documentation included

Segregation of duties supported

ISAE3402 TESTIFIED*

SSAE16 TESTIFIED*

*formerly SAS 70 Type II


SAP Cloud Security – Confidentiality & Integrity

Customer View

Role Based Access: On-demand solutions support role based access with user profiles to allow segregation of duties

Activity Logging: On-demand solutions log all user activities

Data Ownership: Support for contract termination; Customer Data extraction; Customer Data handover in file format; Extended read-only system access after contract termination; Data deletion only after customer approval

Customer and System Support: One-time user with short-term password (1-4 hours); Personalized log-traces


Summary


Along the IT service isobars

Security remains an important topic

Data center - data security

Where is my data

Portability of data

Business Continuity

SOC2 Privacy Trust Criteria

BS10012 Privacy Standard used internationally


© 2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.

The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.