Upload
bravemanvvn
View
16
Download
1
Embed Size (px)
DESCRIPTION
SAP Cloud Data Protection and Compliance - CRM Tutorial SAP
Citation preview
Cloud Data Protection and
Information Security at SAP
September 2014 Public
2014 SAP AG. All rights reserved. 2
Cloud Data Security and Compliance at SAP
Agenda
Introduction of relevant Standards and Certificates
Cloud Security and Compliance
Physical Security
Network Security
Backup and Recovery
Support of Compliance
Confidentiality & Integrity
Summary
(Helpful Links)
SAP Business Cloud
2014 SAP AG. All rights reserved. 3
SAP Cloud Security Standards and Certificates Overview
High Availability
International Accounting Regulations
Quality Management
Energy Efficiency
IT Operations
*formerly SAS 70 Type II
Physical Security Network Security Backup & Recovery Compliance Integrity & Confidentiality
ISAE3402 TESTIFIED*
SSAE16 TESTIFIED*
BS25999 / ISO 22301 CERTIFIED
GREEN IT CERTIFIED
ISO 27001 CERTIFIED
ISO 9001 CERTIFIED
Tax compliancy
PS 880 SOC-2
Cloud Operations
2014 SAP AG. All rights reserved. 4
SAP Cloud Security Standards and Certificates Details
Certified Energy efficient
SAP NEWSBYTE - April 12, 2010 -
Two SAP AG (NYSE: SAP) data
centers in Germany have been
certified as energy efficient by TV Rheinland, a German group that
documents the safety and quality of
business and technology systems to
establish sustainability in social and
industrial development. To date, only
10 data centers from various
companies have received this
certification. Out of those, the SAP
data center in St. Leon-Rot, Germany,
achieved the highest ratings
International Standard on
Assurance Engagements
(ISAE) No. 3402 Type B
It is globally recognized assurance
report on controls at a service
organization. It has been put forth by
the International Auditing and
Assurance Standards Board (IAASB).
The focus of this quality standard lies
on controls that have a potential
impact on financial reporting.
ISAE 3402 is an "assurance" standard.
It is the international successor
standard of SAS 70.
International Standard Organization
(ISO) 27001
Specifies how an information security
management system (ISMS) has to be
set up and operated. It defines an
overall management and control
framework for managing an
organization's information security
risks.
Statement on Standards for
Attestation Engagements (SSAE)
No. 16
This is the US equivalent to
international standard ISAE 3402.
SSAE16 is an "attestation" standard.
Physical Security Network Security Backup & Recovery Compliance Integrity & Confidentiality
British Standards Institution (BS)
25999 / ISO 22301
Is a standard in the field of business
continuity management (BCM) to
ensure continued operation in case of
critical situations. This standard sets
the requirements for how a data center
must be built and operated to
guarantee the highest availability.
International Organization for
Standardization (ISO) 9001
Specifies requirements for a quality
management (QM) system. Within the
definition of the QM system itself, it is
important to aim for continuous
improvement.
2014 SAP AG. All rights reserved. 5
SAP Cloud Security Physical Security Overview (2014)
World-class Tier-3 and 4 data centers
Customer data always stays in same national
jurisdiction
SAP managed data centers and selected
partners operating according to SAP standards
Physical Security Network Security Backup & Recovery Compliance Integrity & Confidentiality
Data Center
BS25999 CERTIFIED
ISO 27001 CERTIFIED
2014 SAP AG. All rights reserved. 6
SAP Cloud Security Physical Security Locations (2014)
Physical Security Network Security Backup & Recovery Compliance Integrity & Confidentiality
Location Country Operator Service St. Leon-Rot Deutschland SAP C4C, ByD based, Payroll, OnDemand Portal, Photon
(Lumira Cloud), JPaaS, S&OP, SAP HANA Cloud for
Automobiles/Utilities
Walldorf Deutschland SAP
Newtownsquare, PH USA SAP C4C, ByD based, S&OP
Newtownsquare, PH USA SAP
Chandler, AZ USA Digital Reality SFSF
Ashburn, VA USA Verizon JAM, NFL Fantasy Football, JPaaS
Amsterdam NL Telecity JAM
Amsterdam NL Telecity JAM
Sydney AUS Verizon SFSF
Sydney AUS MacQuire
Chicago, IL USA CSC Sourcing, Streamwork, BIoD
Chicago, IL USA Rackspace Jobs2Web
Sommerville, MA USA Internap Sourcing
Maidstone UK CSC Sourcing
2014 SAP AG. All rights reserved. 7
SAP Cloud Security Physical Security Details
BU
ILD
ING
P
OW
ER
F
IRE
+
FL
OO
D
CO
OL
ING
Reinforced concrete construction
Hundreds of surveillance cameras with digital recording
Fully monitored doors
Tens of thousands of environmental sensors
Security guards and facility support team onsite 24x7x365
Biometric sensors + card readers to access secured areas
Multiple redundant internet connections from multiple carriers
Redundant power sources
Hundreds of UPS units with additional capabilities of 20 min
Auxiliary, expandable diesel power supply, online within minutes
Diesel fuel storage sufficient for 48-hours of operations without refueling
Contracts with external diesel suppliers to guarantee continuous operation
Fire and flood protection
Redundant, environmentally friendly, Inergen fire extinguisher System
Thousands Fire and Flood Surveillance Sensors
100% redundant air conditioning
Auxiliary cooling capacity
Physical Security Network Security Backup & Recovery Compliance Confidentiality & Integrity
2014 SAP AG. All rights reserved. 8
SAP Cloud Security Network Security Overview
IDS
Physical Security Network Security Backup & Recovery Compliance
Rev.
Proxy F
IRE
WA
LL
S
Datacenter
Confidentiality & Integrity
Reverse Proxy Farms
Multiple redundant Internet Connections
Data Encryption
Intrusion Detection System (IDS)
Multiple Firewalls
Third Party Audits and Penetration Tests
2014 SAP AG. All rights reserved. 9
SAP Cloud Security Network Security Details
Physical Security Network Security Backup & Recovery Compliance Confidentiality & Integrity
* formerly known as Secure Sockets Layer
Reverse Proxy Farms Hide network topology
Multiple redundant Internet Connections Limit the effect of denial of service (DOS) attacks
Data Encryption Highest level of protection with up to 256-Bit Data encryption protocols using
Transport Layer Security*
Intrusion Detection System Monitor web traffic 24 x 7 x 365
Multiple Firewalls Shield internal network from hackers
Third Party Audits and Penetration Tests Early and independent detection of security issues (e.g. program backdoors, network
vulnerabilities,)
2014 SAP AG. All rights reserved. 10
SAP Cloud Security Backup and Recovery Overview
Primary Storage
production Data Center
Secondary Storage
in offsite backup Location
Most recent
snapshot on
primary storage
Multiple snapshots
on retention policy
Global Performance Monitoring of Backups
Physical Security Network Security Backup & Recovery Compliance Confidentiality & Integrity
ISO 27001 CERTIFIED
2014 SAP AG. All rights reserved. 11
SAP Cloud Security Backup and Recovery Details
Snapshots: Backups are created with snapshots from disk to disk. This ensures fast creation,
backups, and, if required, fast restoration.
Frequency: Daily full backup. Log files incrementally backed up every two hours: all changes in
database since the last full backup are saved.
Location: Database and log-file backups are stored in a geographically separated data center
but stay in the designated region.
Objective: Recovery up to the last transaction is supported within database recovery process.
Maximum lost time for customer is two hours - if the primary data center is
completely destroyed.
Retention times: Backups of the last 3 days are kept on primary and secondary storage.
Previous backups are kept up to 14 days in the geographically separated backup
data center.
Physical Security Network Security Backup & Recovery Compliance
Information Security Management System
Confidentiality & Integrity
ISO 27001 CERTIFIED
2014 SAP AG. All rights reserved. 12
SAP Cloud Security Compliance Overview
Physical Security Network Security Backup & Recovery Compliance Integrity & Confidentiality
*formerly SAS 70 Type II
Compliance features
Journal entries that allow tracing of business transactions
to source documents
Number ranges that distinguish journal entries
Accounting-relevant data cannot be deleted from audit
trails
Supports IFRS accounting regulations
Solution documentation included
Segregation of duties supported
ISAE3402 TESTIFIED*
SSAE16 TESTIFIED*
2014 SAP AG. All rights reserved. 13
SAP Cloud Security Compliance Details
Features that support customers in achieving compliance include:
Journal entries carry the complete information Ability to identify business transactions and trace them through to underlying source documents
Number ranges support the ability to distinguish entries Availability of transparency to customers for precise retrieval
Inability to delete accounting-relevant data, and all changes made to financially relevant data are recorded in a change-history log
Help for customers to perform audits
Supports IFRS accounting regulations Help for customers to adhere to regulations of multiple markets (International Financial Reporting Standards)
Solution documentation included Provision of necessary procedure and task descriptions for end users and detailed technical descriptions explaining data processing and storage
Physical Security Network Security Backup & Recovery Compliance Confidentiality & Integrity
2014 SAP AG. All rights reserved. 14
SAP Cloud Security Confidentiality & Integrity Customer View
Physical Security Network Security Backup & Recovery Compliance
Role Based
Access
Activity
Logging
Data
Ownership
On-demand solutions support role based access
with user profiles to allow segregation of duties
On-demand solutions log all user activities
Support for contract termination
Customer Data extraction
Customer Data handover in file format
Extended read-only system access after
contract termination
Data deletion only after customer approval
Confidentiality & Integrity
2014 SAP AG. All rights reserved. 15
SAP Cloud Security Integrity & Confidentiality Concept of Support User Access Control
Application and Customer Support* Platform and System Support*
Data integrity and availability is ensured by
proactive automated system monitoring
Physical Security Network Security Backup & Recovery Compliance Confidentiality & Integrity
*Variances may exist depending on cloud offering
Customer reports incident:
Ticket
One-time user with short-
term password (1 hour)
Personalized log-traces
System reports incident:
Ticket
One-time user with short-
term password (4 hours)
Personalized log-traces
2014 SAP AG. All rights reserved. 16
SAP Cloud Security Summary
Certified operations
World-class data centers
Advanced network security
Reliable data backup
Built-in compliance, integrity, and
confidentiality
2014 SAP AG. All rights reserved. 17
Helpful Links:
SAP Contract
Details
http://www.sap.com/corporate-en/our-company/agreements/index.epx
Search e.g. ByD Terms and Conditions US
Security FAQs www.sme.sap.com Sell Security Topics FAQs
Standards and
Audits
www.sme.sap.com Sell Security and Standard Accreditations
Certificates www.service.sap.com/certificates
http://www.sap.com/press.epx?pressid=13030 SAP DC Energy
Efficiency
Data Center
Security Video
http://youtu.be/oK5OIaUPEZ4 (German)
http://youtu.be/wxOs1AdJXLs (English)
Cloud Operations
Video
http://youtu.be/3EZy1jq_vjE (German)
http://youtu.be/zGvKZkQixCg (English)
Virtual Data Center-
Walkthrough www.sapdatacenter.com (English)
Appendix
2014 SAP AG. All rights reserved. 20
SAP Cloud Security Standards and Certificates Details
Certified Energy efficient
SAP NEWSBYTE - April 12, 2010 -
Two SAP AG (NYSE: SAP) data
centers in Germany have been
certified as energy efficient by TV Rheinland, a German group that
documents the safety and quality of
business and technology systems to
establish sustainability in social and
industrial development. To date, only
10 data centers from various
companies have received this
certification. Out of those, the SAP
data center in St. Leon-Rot, Germany,
achieved the highest ratings
International Standard on
Assurance Engagements
(ISAE) No. 3402 Type B
It is globally recognized assurance
report on controls at a service
organization. It has been put forth by
the International Auditing and
Assurance Standards Board (IAASB).
The focus of this quality standard lies
on controls that have a potential
impact on financial reporting.
ISAE 3402 is an "assurance" standard.
It is the international successor
standard of SAS 70.
International Standard Organization
(ISO) 27001
Specifies how an Information Security
Management System has to be set up
and operated. It defines an overall
management and control framework
for managing an organization's
information security risks.
Statement on Standards for
Attestation Engagements (SSAE)
No. 16
This is the US equivalent to
international standard ISAE 3402.
SSAE16 is an "attestation" standard.
Physical Security Network Security Backup & Recovery Compliance Integrity & Confidentiality
British Standards Institution (BS)
25999
Is a standard in the field of business
continuity management (BCM) to
ensure continued operation in case of
critical situations. This standard sets
the requirements for how a data center
must be built and operated to
guarantee the highest availability.
International Organization for
Standardization (ISO) 9001
Specifies requirements for a quality
management (QM) system. Within the
definition of the QM system itself, it is
important to aim for continuous
improvement.
German Audience
(PS880 included)
PS 880 Certificate for ByDesign.
Prfung rechnungslegungsrelevanter Softwareprodukte
Ensures the product is in line with
German GoB Grundstzen ordnungsgemer Buchfhrung. Renewed for each software release.
2014 SAP AG. All rights reserved. 21
SAP Cloud Security Compliance Overview
Physical Security Network Security Backup & Recovery Compliance Integrity & Confidentiality
*formerly SAS 70 Type II
Compliance features
Journal entries that allow tracing of business transactions
to source documents
Number ranges that distinguish journal entries
Accounting-relevant data cannot be deleted from audit
trails
Supports IFRS accounting regulations
Supports German accounting regulations
Solution documentation included
Segregation of duties supported
ISAE3402 TESTIFIED*
SSAE16 TESTIFIED*
PS 880 CERTIFIED
German Audience
(PS880 included)
2014 SAP AG. All rights reserved. 22
SAP Cloud Security Compliance Details
Features that support customers in achieving compliance include:
Journal entries carry the complete information Ability to identify business transactions and trace them through to underlying source documents
Number ranges support the ability to distinguish entries Availability of transparency to customers for precise retrieval
Inability to delete accounting-relevant data, and all changes made to financially relevant data are recorded in a change-history log
Help for customers to perform audits
Supports IFRS accounting regulations Help for customers to adhere to regulations of multiple markets (International Financial Reporting Standards)
Supports German accounting regulations Help for customers to adhere to German accounting regulations. (Certified for each new ByDesing solution release)
Solution documentation included Provision of necessary procedure and task descriptions for end users and detailed technical descriptions explaining data processing and storage
Physical Security Network Security Backup & Recovery Compliance Confidentiality & Integrity
German Audience
(PS880 included)
2014 SAP AG. All rights reserved. 23
SAP Cloud Security Physical Security Overview (2013)
Physical Security Network Security Backup & Recovery Compliance Integrity & Confidentiality
Data Center
Planning Status
April 2012
World-class Tier-3/4 data centers
Customer data always stays in same national
jurisdiction
SAP managed data centers and select
partners operating according to SAP standards
BS25999 CERTIFIED
ISO 27001 CERTIFIED
2014 SAP AG. All rights reserved. 24
2012 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP AG. The information contained herein may be
changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary
software components of other software vendors.
Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are
registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,
System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power
Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA,
pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP,
RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli,
Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the United States and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered
trademarks of Adobe Systems Incorporated in the United States and other countries.
Oracle and Java are registered trademarks of Oracle and its affiliates.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin
are trademarks or registered trademarks of Citrix Systems Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C,
World Wide Web Consortium, Massachusetts Institute of Technology.
Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C,
Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.
IOS is a registered trademark of Cisco Systems Inc.
RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry
Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App
World are trademarks or registered trademarks of Research in Motion Limited.
Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps,
Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync,
Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are
trademarks or registered trademarks of Google Inc.
INTERMEC is a registered trademark of Intermec Technologies Corporation.
Wi-Fi is a registered trademark of Wi-Fi Alliance.
Bluetooth is a registered trademark of Bluetooth SIG Inc.
Motorola is a registered trademark of Motorola Trademark Holdings LLC.
Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
StreamWork, SAP HANA, and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of SAP AG in Germany
and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal
Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services
mentioned herein as well as their respective logos are trademarks or registered trademarks
of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase
products and services mentioned herein as well as their respective logos are trademarks or
registered trademarks of Sybase Inc. Sybase is an SAP company.
Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.
All other product and service names mentioned are the trademarks of their respective
companies. Data contained in this document serves informational purposes only. National
product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be
reproduced, copied, or transmitted in any form or for any purpose without the express prior
written permission of SAP AG.
2014 SAP AG. All rights reserved. 25
2012 SAP AG. Alle Rechte vorbehalten.
Weitergabe und Vervielfltigung dieser Publikation oder von Teilen daraus sind, zu
welchem Zweck und in welcher Form auch immer, ohne die ausdrckliche schriftliche
Genehmigung durch SAP AG nicht gestattet. In dieser Publikation enthaltene Informationen
knnen ohne vorherige Ankndigung gendert werden.
Die von SAP AG oder deren Vertriebsfirmen angebotenen Softwareprodukte knnen
Softwarekomponenten auch anderer Softwarehersteller enthalten.
Microsoft, Windows, Excel, Outlook, und PowerPoint sind eingetragene Marken der
Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,
System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power
Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA,
pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP,
RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli,
Informix und Smarter Planet sind Marken oder eingetragene Marken der IBM Corporation.
Linux ist eine eingetragene Marke von Linus Torvalds in den USA und anderen Lndern.
Adobe, das Adobe-Logo, Acrobat, PostScript und Reader sind Marken oder eingetragene
Marken von Adobe Systems Incorporated in den USA und/oder anderen Lndern.
Oracle und Java sind eingetragene Marken von Oracle und/oder ihrer
Tochtergesellschaften.
UNIX, X/Open, OSF/1 und Motif sind eingetragene Marken der Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame und MultiWin
sind Marken oder eingetragene Marken von Citrix Systems, Inc.
HTML, XML, XHTML und W3C sind Marken oder eingetragene Marken des W3C,
World Wide Web Consortium, Massachusetts Institute of Technology.
Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C,
Retina, Safari, Siri und Xcode sind Marken oder eingetragene Marken der Apple Inc.
IOS ist eine eingetragene Marke von Cisco Systems Inc.
RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry
Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook und BlackBerry App
World sind Marken oder eingetragene Marken von Research in Motion Limited.
Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps,
Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync,
Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik und Android sind
Marken oder eingetragene Marken von Google Inc.
INTERMEC ist eine eingetragene Marke der Intermec Technologies Corporation.
Wi-Fi ist eine eingetragene Marke der Wi-Fi Alliance.
Bluetooth ist eine eingetragene Marke von Bluetooth SIG Inc.
Motorola ist eine eingetragene Marke von Motorola Trademark Holdings, LLC.
Computop ist eine eingetragene Marke der Computop Wirtschaftsinformatik GmbH.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
StreamWork, SAP HANA und weitere im Text erwhnte SAP-Produkte und -
Dienstleistungen sowie die entsprechenden Logos sind Marken oder eingetragene Marken
der SAP AG in Deutschland und anderen Lndern.
Business Objects und das Business-Objects-Logo, BusinessObjects, Crystal Reports,
Crystal Decisions, Web Intelligence, Xcelsius und andere im Text erwhnte Business-
Objects-Produkte und Dienstleistungen sowie die entsprechenden Logos sind Marken
oder eingetragene Marken der Business Objects Software Ltd. Business Objects ist ein
Unternehmen der SAP AG.
Sybase und Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere und weitere im Text
erwhnte Sybase-Produkte und -Dienstleistungen sowie die entsprechenden Logos sind
Marken oder eingetragene Marken der Sybase Inc. Sybase ist ein Unternehmen der
SAP AG.
Crossgate, m@gic EDDY, B2B 360, B2B 360Services sind eingetragene Marken der Crossgate AG in Deutschland und anderen Lndern. Crossgate ist ein Unternehmen der
SAP AG.
Alle anderen Namen von Produkten und Dienstleistungen sind Marken der jeweiligen
Firmen. Die Angaben im Text sind unverbindlich und dienen lediglich zu Informations-
zwecken. Produkte knnen lnderspezifische Unterschiede aufweisen.
Die in dieser Publikation enthaltene Information ist Eigentum der SAP. Weitergabe und
Vervielfltigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und
in welcher Form auch immer, nur mit ausdrcklicher schriftlicher Genehmigung durch
SAP AG gestattet.