Cybersecurity Assessment for SAP HANA on cloud
Stay ahead of new age cyber risks
Protect your business SAP digital core on cloud
The SAP suite of products continues to grow, both within its core applications and through new cloud solutions for a changing business world. As these products evolve, new threats have emerged around mobility, cloud, SAP S/4HANA and other new cloud solutions, which can be hosted on leading cloud platforms.
Our SAP Cyber practice is focused on providing holistic, risk-based assessment services for SAP solutions deployed on leading cloud platforms. This helps organisations promptly identify potential external and internal threats to SAP systems running in a cloud environment.
Our approach aims to identify vulnerabilities in SAP as well as the cloud instance it is deployed on to provide you with full diagnosis and recommendations.
[Figure: SAP Cybersecurity on Cloud. Cybersecurity assessment services for SAP on Cloud, 4 - 6 weeks: Discovery workshop; Assess (SAP Cybersecurity Assessment); Assess (SAP Cyber Risk); Report (Hot Fix, Diagnosis & Recommendation).]
Deloitte Cybersecurity assessment services provide clients with an objective, on-demand cybersecurity assessment of their existing SAP cybersecurity management framework, their SAP S/4HANA or ECC core applications and their cloud security setup. Our aim is to help you measure, test and rank your cybersecurity maturity levels across multiple domains and quickly determine whether your critical systems, processes and data are at risk from cyber threats.
Three Dimensions, Full Coverage
Overall Management

Governance
• Strategy and operating model
• Policies, standards, and guidelines
• Cyber risk management, metrics, reporting

Operational
• Operating model
• Day-to-day operating
• Re-engineering and optimisation

SAP security

Application Security
• Security role design
• Effective data security restrictions
• Efficient security governance processes
• Compliant user access provisioning

Identity and Access Management
• Identity lifecycle
• Multi-factor authentication (MFA)
• Federated single sign-on (SSO)
• Privileged access management (PAM)

Data Privacy and Protection
• Data privacy policies and controls
• Privacy impact assessments (PIAs)
• Data classification and discovery
• Sensitive data protection

HANA on Cloud
• SAP HANA role designs
• Encryption strategy
• Data protection controls

Monitoring and Response
• Proactive monitoring of security events, critical configuration and table changes
• Cyber incident response and recovery
• Integration with security information and event monitoring system (SIEM)

Controls and Compliance
• SAP Information Technology controls
• Continuous controls failure monitoring
• Preventative Segregation of Duties (SOD) and Sensitive Access (SA) monitoring

Infrastructure Security
• Risk management with on-prem and cloud infrastructure
• Secure system and device configuration
• Patch and vulnerability management
• Secured integration between hybrid environments

Cloud Platform Security

Identity & access management
• Review access to services and resources in the cloud
• Secure identity management for apps
• Central governance and management across cloud platform accounts

Compliance
• Visibility into cloud service provider compliance reports
• Continuously audit cloud usage to simplify risk and compliance

Infrastructure protection
• Network security
• DDoS protection
• Filter malicious web traffic
• Central management of firewall rules

Data protection
• Discover and protect sensitive data at scale
• Key storage and management
• Hardware-based key storage for regulatory compliance
• Provision, manage, and deploy public and private SSL/TLS certificates
• Rotate, manage, and retrieve secrets

Detection & Incident response
• Unified security and compliance center
• Managed threat detection
• Analyse application security
• Record and evaluate configurations of cloud platform resources
• Track user activity and API usage
• Investigate potential security issues
• Review disaster recovery configurations
Timeline
• 1 week: Discovery workshop
• 2 weeks: Security assessment, SAP application layer
• 2 weeks: Security assessment, cloud console layer
Deloitte cybersecurity assessments of SAP and the cloud platform are conducted by our team of SAP and cloud security experts. Our approach starts with scoping and planning together with your team, based on your unique system landscape and business model. The assessment and testing of SAP and the cloud platform are based on pre-defined rules derived from the Deloitte Cybersecurity Management Framework, SAP Security Best Practices and Cloud Security Best Practices.
Five Steps, Best Practices
1. Planning & Scoping
2. Discovery Workshops
3. Assess and test SAP Applications
4. Assess and test HANA DB, OS and Cloud Platform
5. Generate Report
   • Quick wins: Hot fixes
   • Recommendations: Long-term actions
Report in management summary with actionable technical detail
[Figure: Executive Management Summary Dashboard Overview (sample). Control Status of Key Assets: 20 main controls monitored, 155 sub-controls monitored; failed sub-controls: 2 high risk, 3 medium risk, 1 low risk. Top 20 Critical Security Controls, grouped as System (1-10), Network (11-15) and Application (16-20), with status shown for Overall, SAP and CSP.]
Custom package options to suit your business

Gold Package (6-8 weeks)
Comprehensive assessment with threat modelling, detailed configuration review and in-depth application cyber-security assessment.

Overall Management
• Business Profile
• Threat Assessment
• Current State Assessment
• Target State and Recommendations
• Project Roadmap and Reporting
• Policies and Procedures
• Governance Model & Strategy
• Monitoring and Response Model

SAP Security
• Detailed SAP Security baseline assessment
• Detailed assessment of identity and access control framework and governance processes
• Review controls and compliance against recommended cyber-security baseline
• Assess data privacy and data protection model and overall compliance
• SAP OS, DB & Infra setup gap assessment

Cloud Service Provider Security
• Threat Modelling & Architecture Review
• Cloud Security Posture Assessment
• Vulnerability Assessment & Penetration Testing: Web, API, Network (Optional)
• Docker & Container Security
• IaC code review

Silver Package (3-4 weeks)
Focus on essentials: obtain a cost-effective quick diagnostic health check report of your landscape, reviewed against best practices and industry standards.

Overall Management
• Current State Assessment of overall management of security
• Baseline check of all key foundation requirements against industry leading practices
• Target State and Recommendations
• Overall Reporting

SAP Security
• Evaluate key cyber-security foundation controls
• Assess SOD & overall access security framework against SAP best practices
• Data privacy impact assessment
• Overall security governance and support model

Cloud Service Provider Security
• Cloud Security & Compliance Posture Assessment: gap assessment against CIS benchmarks
• Security review against cloud platform best practice
• Overview configuration assessment for key services & domains
Contact us
Indonesia: Richard [email protected]
Malaysia: Kenneth [email protected]; Sharul Rosli, Senior [email protected]
Singapore: Philip [email protected]; Tank Tang [email protected]; Vishal [email protected]
Philippines: Jesus Ma. Lava [email protected]
Thailand: Weerapong [email protected]
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
Deloitte Asia Pacific Limited is a company limited by guarantee and a member firm of DTTL. Members of Deloitte Asia Pacific Limited and their related entities, each of which are separate and independent legal entities, provide services from more than 100 cities across the region, including Auckland, Bangkok, Beijing, Hanoi, Hong Kong, Jakarta, Kuala Lumpur, Manila, Melbourne, Osaka, Seoul, Shanghai, Singapore, Sydney, Taipei and Tokyo.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms or their related entities (collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.
No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.
© 2021 Deloitte Southeast Asia Ltd. For information, contact Deloitte SEA. CoRe Creative Services. RITM0677440