June 15, 2016
#askSAP GRC Innovations Community Call: Cybersecurity Risk and Governance
© 2016 SAP SE or an SAP affiliate company. All rights reserved. 2Customer
Legal disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP's strategy and possible future developments, products and/or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
SAP GRC Innovations Community Call Series
• Webcast series for the GRC community hosted by SAP Analytics (view replays: http://bit.ly/askSAP_Playlist)
• An opportunity for you to direct the discussion, get your questions answered, and end the session with some useful advice
• Live and interactive 90 minutes
• Connect on topics before, during, and after the call via Twitter using #askSAP
Speakers
Michael Golz, CIO Americas, SAP (@MikeGolz)
Kevin McCollom, Group Vice President, SAP Solutions for Governance, Risk and Compliance (@SAPTradeGeek)
Erin Hughes, Head of Marketing, Greenlight Technologies (@greenlight_corp)
Agenda
Welcome
Gain an understanding of the state of cybersecurity threats and evolving security perspectives
Get a preview of SAP’s security strategy
Poll Question
Q&A
Get a closer look at SAP’s perspective on cyber risk and governance and business application security
Solutions Overview
Poll Question
Q&A
Demo
Customer case study
Final Q&A
Resources and Closing
The state of cybersecurity
Defining security risk
Companies can think of the security risks to their business as the product of four key components, all related to one of a company's most important assets, its data:
• Dramatic increase in the value of data: $2.8 trillion GDP increase from online data flows
• Exponential volume of data: 521,000 PB of data storage capacity to be shipped by 2020
• Increasing vulnerability of endpoints: 21 billion new devices connected by 2020
• Greater proliferation of attackers: 65 percent of companies surveyed experienced more advanced persistent threat (APT)/targeted attacks
Growth of data breaches
Chart: the world's biggest data breaches, 2004 to 2016 (source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/)
The age of digital business
Diagram: the digital core (SAP S/4HANA) connected to customer experience omni-channels, workforce engagement, Big Data and the Internet of Things, and supplier collaboration and business networks.
Cybersecurity is a critical element in the digital transformation journey:
1. Customers and employees are hyper-connected, always on, with seamless access anywhere and anytime
2. Cloud and hybrid cloud environments have become the norm, challenging traditional "protect the four walls" security approaches
3. Digitally connected supply chains are based on high trust and availability of all parties
4. The Internet of Things and Big Data bring unprecedented data streams and volumes
5. Confidentiality, integrity and availability of data and systems are the basis for secure operations and trusted relationships
Transactions and data must be secured throughout the entire end-to-end business process.
Cybersecurity is a top-of-mind boardroom discussion
Are external as well as internal threats being addressed?
Are gaps identified and addressed?
Do we have sufficient visibility into the real threat?
How would a breach impact the ability of the business to perform?
Do we have the right risk-based approach to management and oversight?
Evolving security perspectives
Evolving security perspectives
Historical IT security perspective → today's leading cybersecurity insight:
Scope of the challenge: limited to your "four walls" and extended to the enterprise → spans your interconnected global and business ecosystem
Ownership and accountability: IT led and operated → business-aligned and owned; CEO and board accountable
Adversaries' characteristics: one-off and opportunistic, motivated by notoriety, technical challenge and individual gain → organized, funded and targeted, motivated by economic, monetary and political gain
Information asset protection: one-size-fits-all approach → prioritize and protect the "crown jewels"
Defense posture: protect the perimeter, respond if attacked → protect the application and data; plan for a breach, monitor and rapidly respond
Security intelligence and information sharing: keep to yourself → public/private partnerships, collaboration with industry working groups
Shifts in approach to security and spending
*IDC Future of Security Survey – Preliminary Results, sponsored by SAP, May 2016
Next-generation security: cybersecurity innovations
• 360-degree correlation analytics across network, endpoints, applications, and data
• Real-time incident response and forensics to accelerate detection, limiting threat impact
• Next-generation context- and application-aware firewalls to enhance both protection and performance
• Deep-learning-powered cybersecurity analytics able to respond to threats in an adaptive manner
SAP security strategy
SAP security vision
• Defendable application: identify and prevent attacks from within the application
• Zero knowledge: ability to store data in the cloud and protect it from outside control
• Zero vulnerability: minimize vulnerability to ensure maximum protection
• Security by default: building security into the product right from the start
• Transparency: full and proactive transparency for the customer
"SAP is in the business of securing our customer's business." Justin Somaini, Chief Security Officer (CSO)
SAP security strategy
• Secure products and services: driving security into the core of the application and services to provide depth of visibility and control
• Security ecosystem integration: enabling our customers to integrate SAP into their security ecosystem
• SAP's security DNA: leveraging SAP's long-standing expertise in analytics and business process management to help solve customers' security challenges
SAP secure software development lifecycle
At the core of SAP's development processes is a comprehensive security strategy based on three pillars: Prevent > Detect > React.
The secure software development lifecycle (secure SDL):
• Is a risk-based approach, which uses threat modeling
• ISO 27034 compliance, ISO 9001 certifications
More information: http://go.sap.com/solution/platform-technology/security.html
Security is a shared responsibility
Tasks across the life cycle of the application:
• Monitor configuration changes
• Check custom code
• Consistently apply patches and updates
• Review RFC connections and interfaces
• Monitor logs for anomalies and attacks
• Review critical access and relevant transactions
• Govern access and manage identities
• Protect data inside/outside the application
• Ensure appropriate policies and training
Life cycle of the application: (1) installation, configuration, customization; (2) system access, remote and mobile; (3) patches and updates; (4) upgrades and interfaces
Poll question #1
How is the security topic currently viewed within your organization?
a) Top of mind, sense of urgency
b) One of many strategic risks to manage
c) Some focus but not considered strategic
Q&A
Cyber risk and governance; business application security
Consider what SAP can do to help you strengthen your cyber risk and governance and your business application security, and help protect trade secrets, intellectual property, financials, and personal data.
Cyber risk and governance
What should we be doing?
What are the gaps compared to what we’re doing today?
Are our cybersecurity practices effective?
How do we communicate our vision and status with stakeholders?
How do we benchmark against best practices, frameworks, and regulations?
Are our security processes centralized and simplified?
What emerging threats are we not considering today?
Where should we be investing further in security?
Are we able to detect breaches in a timely manner?
Are our security policies effective?
Is access secured?
Is our custom code secure?
Where are our critical business processes exposed?
How protected are our high-value assets?
Are we meeting our KPIs?
Business application security
How do we efficiently support user on boarding and off boarding?
Do we enable our end users for self service?
How do we manage the identities for our customers and partners?
How do we engage in new business models, yet protect our IP?
How do we prevent loss and leakage of our critical data?
Can we enforce our data and file sharing policies?
How do we ensure that users have the appropriate system assignments?
How do we apply business rules and processes?
Do we have the appropriate auditing and reporting for our business applications?
Can we detect anomalies and possible security issues?
Can the security team respond quickly to stop the attack?
Are we managing users across our processes?
How do we share information and data securely?
Are the right users involved in critical business processes?
Can we detect security issues and anomalies in our systems?
Solutions overview
Solutions for GRC and security from SAP: cyber risk and governance
Identify and manage risks, regulations and policies to minimize potential business impact.
Products: SAP Regulation Management by Greenlight, cyber governance edition; SAP Audit Management; SAP Process Control; SAP Risk Management
• Manage cyber-related regulatory requirements and align with internal controls
• Document and monitor security risks as part of the enterprise risk management program
• Continuously monitor critical security configuration
• Establish security policies
• Test adherence and understanding
• Document and test the response and recovery plan
• Audit the security program to provide independent assurance
Solutions for GRC and security from SAP: business application security
Protect data, manage access, and detect threats.
Products: SAP Dynamic Authorization Management by NextLabs; SAP Enterprise Threat Detection; SAP Access Control; SAP Single Sign-On; SAP Identity Management
• Monitor business applications for anomalies and attacks
• Integrate with existing security infrastructure
• Protect data with fine-grained access and data protection
• Analyze access risk, define roles, support emergency access
• Manage identities and administer users, employees, and customers across business applications
Solutions for GRC and security from SAP: standard functionality and services
• Leverage standard functionality: SAP secure functionality
• Manage software updates: security patches and updates
• Analyze custom code: SAP NetWeaver Application Server, add-on for code vulnerability analysis (focused on custom code); SAP Fortify by HPE (find and fix unknown vulnerabilities)
• SAP Services: security services by SAP
Secure digital business transformation: the SAP portfolio
Governance, Risk & Compliance portfolio: SAP Access Control; SAP Process Control; SAP Risk Management; SAP Audit Management; SAP Fraud Management; SAP Identity Analytics; SAP Business Partner Screening; SAP Global Trade Services; SAP Electronic Invoicing for Brazil
Security and Threat Intelligence: SAP Identity Management; SAP Cloud Identity service; SAP Single Sign-On; SAP Enterprise Threat Detection; SAP Code Vulnerability Analysis; SAP Fortify by HP
GRC Solution Extensions: SAP Access Violation Management by Greenlight; SAP Regulation Management by Greenlight (cyber governance solution); SAP Dynamic Authorization Management by NextLabs; SAP Technical Data Export Compliance application by NextLabs
Poll question #2
Which of the following SAP offerings were you most familiar with prior to today's conversation?
a) SAP's solutions related to traditional access management
b) SAP's solution extensions
c) SAP's solutions related to identity management and single sign-on
d) SAP standard functionality to support security
e) I wasn't really familiar with any of these areas
Q&A
Case study
Improving Security Governance with Regulation Management
Diagram: regulatory intelligence (multiple regulations; regulatory change feeds and surveillance; new and changing regulations) feeds prioritization, impact analysis, requirement interpretation and cataloguing; internal control design and financial or operational risk mapping; evidence collection and assessment of the financial impact of risk and non-compliance; and governance dashboards and reports, monitoring and reporting, and external reporting and "in control" statements.
Monitor regulations
• Monitor GMP, privacy, and cybersecurity external requirements (300+)
Baseline regulations
• Life Sciences & Pharma: FDA, ISO/IEC 27000, IEC/TR 62443 and 80001, NERC CIP, SEC, GSA, DHHS and OIG, USDA, EPA, ICH, Europa, FCC, COSO, FTC, Eudralex, EFPIA, PhRMA, EMEA, EFSA, ABPI, MHRA, Health Canada, DHAC of Australia, TGA
Catalog requirements
• CGMP: Current Good Manufacturing Practice regulations
• Cybersecurity: cybersecurity standards
Define and reuse controls mapped to risks
• CSC4005: Ensure all Windows registry entries are consistent across the domain. Identify and configure key registry entries and monitor for any changes to those registry entries.
• CNC195: Windows server vulnerabilities are checked on a regular basis. Exception reporting to alert administrators.
• PM200: Password policy across Oracle databases is consistent and enforced.
Collect and report
• Regulatory intelligence on changes to regulatory requirements and surveillance
• Exception reporting on automated controls
Monitored sources: database, Windows, LDAP
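The registry-consistency control CSC4005 above, together with the "monitor configuration changes" task on the shared-responsibility slide, is the kind of automated control whose exceptions feed the reporting described in this case study. The following Python script is an added example, not code from the SAP or Greenlight presentation: it evaluates per-host snapshots of security-relevant Windows registry values against an approved baseline, emits one exception record per deviation, reports what changed between two collections of a host, and marks hosts that delivered no evidence as UNKNOWN so that missing data is never counted as a pass. The registry paths are real hardening settings chosen for illustration; the host snapshots and host names are constructed inline (in practice the values would be exported from each host, for example with `reg export` or PowerShell's Get-ItemProperty, and collected centrally before this check runs).

```python
"""Automated test of a registry-consistency control (CSC4005 style).

Added example, not part of the SAP/Greenlight presentation. Compares each
host's snapshot of security-relevant registry values with an approved
baseline and produces exception records for administrators. Snapshot data
is constructed inline; in practice it is exported from each host and
collected centrally before this check runs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, str]  # registry value path -> data, normalized to a string

LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
SMB = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
WINRM = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service"

# Approved baseline. These are real hardening settings, chosen for
# illustration; a real control carries the organization's own list.
BASELINE: Snapshot = {
    LSA + r"\LmCompatibilityLevel": "5",      # send NTLMv2 only, refuse LM and NTLM
    LSA + r"\RestrictAnonymous": "1",         # restrict anonymous SAM/share enumeration
    SMB + r"\RequireSecuritySignature": "1",  # require SMB signing on the server side
    WINRM + r"\AllowBasic": "0",              # no Basic authentication to WinRM
}

# Constructed per-host snapshots: one compliant host, one weakened setting,
# one host with a wrong value plus a value that was never configured.
SRV03: Snapshot = dict(BASELINE)
del SRV03[WINRM + r"\AllowBasic"]
SRV03[SMB + r"\RequireSecuritySignature"] = "0"
SNAPSHOTS: Dict[str, Snapshot] = {
    "SRV01": dict(BASELINE),
    "SRV02": {**BASELINE, LSA + r"\LmCompatibilityLevel": "1"},
    "SRV03": SRV03,
}


@dataclass(frozen=True)
class ControlException:
    """One deviation from the baseline, the unit of exception reporting."""
    control_id: str
    host: str
    key: str
    expected: str
    actual: Optional[str]  # None when the value is absent on the host

    @property
    def kind(self) -> str:
        return "missing" if self.actual is None else "drift"


def evaluate_control(control_id: str, baseline: Snapshot,
                     snapshots: Dict[str, Snapshot]) -> List[ControlException]:
    """Return one exception per (host, baseline value) that is absent or differs."""
    findings: List[ControlException] = []
    for host in sorted(snapshots):
        current = snapshots[host]
        for key, expected in baseline.items():
            actual = current.get(key)
            if actual != expected:  # covers both a missing value and wrong data
                findings.append(ControlException(control_id, host, key, expected, actual))
    return findings


def control_status(findings: List[ControlException], snapshots: Dict[str, Snapshot],
                   in_scope: List[str]) -> Dict[str, str]:
    """Per-host verdict. A host that delivered no snapshot is UNKNOWN, never PASS:
    absence of evidence must not read as compliance."""
    failed = {f.host for f in findings}
    status: Dict[str, str] = {}
    for host in in_scope:
        if host not in snapshots:
            status[host] = "UNKNOWN"
        elif host in failed:
            status[host] = "FAIL"
        else:
            status[host] = "PASS"
    return status


def changed_since(previous: Snapshot,
                  current: Snapshot) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Values added, removed or modified between two collections of the same
    host, whether or not the baseline covers them (the 'monitor for any
    changes' half of the control)."""
    keys = set(previous) | set(current)
    return {k: (previous.get(k), current.get(k))
            for k in sorted(keys) if previous.get(k) != current.get(k)}


def format_report(findings: List[ControlException]) -> List[str]:
    """Exception lines in the form an administrator alert or GRC import expects."""
    return [f"{f.control_id} {f.kind:<7} {f.host} {f.key} "
            f"expected={f.expected!r} actual={f.actual!r}" for f in findings]


if __name__ == "__main__":
    found = evaluate_control("CSC4005", BASELINE, SNAPSHOTS)
    print("\n".join(format_report(found)))
    # SRV04 is in scope but sent nothing, so it is reported as UNKNOWN.
    print(control_status(found, SNAPSHOTS, ["SRV01", "SRV02", "SRV03", "SRV04"]))
    # Change detection between two collections of one host (simulated here
    # with the SRV01 and SRV03 snapshots standing in for "before" and "after").
    print(changed_since(SNAPSHOTS["SRV01"], SNAPSHOTS["SRV03"]))
```

Two design points matter in practice: a value that is absent is reported separately from a value that is wrong, because "never configured" and "changed after configuration" point to different root causes, and a host that did not report is surfaced as UNKNOWN rather than silently dropped, since a control test that only scores the evidence it received will overstate compliance.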
Final Q&A
Resources
Need more information on SAP HANA security?
Read the SAP HANA security whitepaper! Want to know more? Check out the SAP HANA security page: http://hana.sap.com/security
Security patches
• Keep up to date by installing the latest security patches and monitoring SAP Security Notes
• Security improvements and corrections ship with SAP HANA revisions. Current SAP HANA version at the time of the call: SAP HANA SPS11, revisions 11x. Installed using SAP HANA's lifecycle management tools. See also SAP Note 2021789, SAP HANA revision and maintenance strategy
• SAP Security Notes contain further information: the affected SAP HANA application areas and the specific measures that protect against exploitation of potential weaknesses. Released as part of the monthly SAP Security Patch Day (the second Tuesday of each month). See also http://support.sap.com/securitynotes and SAP Security Notes – Frequently asked questions
• Operating system patches are provided by the respective vendors, SUSE and Red Hat
Security services by SAP
SAP offers a wide range of security tools and services to ensure the smooth operation of your SAP solution by taking action proactively, before security issues occur
More information:
SAP Support Portal - EarlyWatch Alert
SAP Security Optimization Services
Solutions for GRC and security from SAP
• SAP Access Control - Product page
• SAP Process Control - Product page
• SAP Risk Management - Product Page
• SAP Audit Management - Product page
• SAP Identity Management - Product Page
• SAP Single Sign-On - Product Page
• SAP Enterprise Threat Detection - Product Page
• SAP Regulation Management by Greenlight, cyber governance edition - Product Page
• SAP Dynamic Authorization Management by NextLabs - Product Page
Thank you