SAP Cloud Data Protection and Compliance

Cloud Data Protection and

Information Security at SAP

September 2014 Public

2014 SAP AG. All rights reserved. 2

Cloud Data Security and Compliance at SAP

Agenda

Introduction of relevant Standards and Certificates

Cloud Security and Compliance

Physical Security

Network Security

Backup and Recovery

Support of Compliance

Confidentiality & Integrity

Summary

(Helpful Links)

SAP Business Cloud


SAP Cloud Security Standards and Certificates Overview

High Availability

International Accounting Regulations

Quality Management

Energy Efficiency

IT Operations

*formerly SAS 70 Type II

Physical Security Network Security Backup & Recovery Compliance Integrity & Confidentiality

ISAE3402 TESTIFIED*

SSAE16 TESTIFIED*

BS25999 / ISO 22301 CERTIFIED

GREEN IT CERTIFIED

ISO 27001 CERTIFIED

ISO 9001 CERTIFIED

Tax compliancy

PS 880 SOC-2

Cloud Operations


SAP Cloud Security Standards and Certificates Details

Certified Energy efficient

SAP NEWSBYTE - April 12, 2010 -

Two SAP AG (NYSE: SAP) data

centers in Germany have been

certified as energy efficient by TV Rheinland, a German group that

documents the safety and quality of

business and technology systems to

establish sustainability in social and

industrial development. To date, only

10 data centers from various

companies have received this

certification. Out of those, the SAP

data center in St. Leon-Rot, Germany,

achieved the highest ratings

International Standard on

Assurance Engagements

(ISAE) No. 3402 Type B

It is globally recognized assurance

report on controls at a service

organization. It has been put forth by

the International Auditing and

Assurance Standards Board (IAASB).

The focus of this quality standard lies

on controls that have a potential

impact on financial reporting.

ISAE 3402 is an "assurance" standard.

It is the international successor

standard of SAS 70.

International Standard Organization

(ISO) 27001

Specifies how an information security

management system (ISMS) has to be

set up and operated. It defines an

overall management and control

framework for managing an

organization's information security

risks.

Statement on Standards for

Attestation Engagements (SSAE)

No. 16

This is the US equivalent to

international standard ISAE 3402.

SSAE16 is an "attestation" standard.


British Standards Institution (BS)

25999 / ISO 22301

Is a standard in the field of business

continuity management (BCM) to

ensure continued operation in case of

critical situations. This standard sets

the requirements for how a data center

must be built and operated to

guarantee the highest availability.

International Organization for

Standardization (ISO) 9001

Specifies requirements for a quality

management (QM) system. Within the

definition of the QM system itself, it is

important to aim for continuous

improvement.


SAP Cloud Security Physical Security Overview (2014)

World-class Tier-3 and 4 data centers

Customer data always stays in same national

jurisdiction

SAP managed data centers and selected

partners operating according to SAP standards


Data Center

BS25999 CERTIFIED

ISO 27001 CERTIFIED


SAP Cloud Security Physical Security Locations (2014)


Location Country Operator Service St. Leon-Rot Deutschland SAP C4C, ByD based, Payroll, OnDemand Portal, Photon

(Lumira Cloud), JPaaS, S&OP, SAP HANA Cloud for

Automobiles/Utilities

Walldorf Deutschland SAP

Newtownsquare, PH USA SAP C4C, ByD based, S&OP

Newtownsquare, PH USA SAP

Chandler, AZ USA Digital Reality SFSF

Ashburn, VA USA Verizon JAM, NFL Fantasy Football, JPaaS

Amsterdam NL Telecity JAM

Amsterdam NL Telecity JAM

Sydney AUS Verizon SFSF

Sydney AUS MacQuire

Chicago, IL USA CSC Sourcing, Streamwork, BIoD

Chicago, IL USA Rackspace Jobs2Web

Sommerville, MA USA Internap Sourcing

Maidstone UK CSC Sourcing


SAP Cloud Security Physical Security Details

BU

ILD

ING

P

OW

ER

F

IRE

+

FL

OO

D

CO

OL

ING

Reinforced concrete construction

Hundreds of surveillance cameras with digital recording

Fully monitored doors

Tens of thousands of environmental sensors

Security guards and facility support team onsite 24x7x365

Biometric sensors + card readers to access secured areas

Multiple redundant internet connections from multiple carriers

Redundant power sources

Hundreds of UPS units with additional capabilities of 20 min

Auxiliary, expandable diesel power supply, online within minutes

Diesel fuel storage sufficient for 48-hours of operations without refueling

Contracts with external diesel suppliers to guarantee continuous operation

Fire and flood protection

Redundant, environmentally friendly, Inergen fire extinguisher System

Thousands Fire and Flood Surveillance Sensors

100% redundant air conditioning

Auxiliary cooling capacity

Physical Security Network Security Backup & Recovery Compliance Confidentiality & Integrity


SAP Cloud Security Network Security Overview

IDS

Physical Security Network Security Backup & Recovery Compliance

Rev.

Proxy F

IRE

WA

LL

S

Datacenter


Reverse Proxy Farms

Multiple redundant Internet Connections

Data Encryption

Intrusion Detection System (IDS)

Multiple Firewalls

Third Party Audits and Penetration Tests


SAP Cloud Security Network Security Details


* formerly known as Secure Sockets Layer

Reverse Proxy Farms Hide network topology

Multiple redundant Internet Connections Limit the effect of denial of service (DOS) attacks

Data Encryption Highest level of protection with up to 256-Bit Data encryption protocols using

Transport Layer Security*

Intrusion Detection System Monitor web traffic 24 x 7 x 365

Multiple Firewalls Shield internal network from hackers

Third Party Audits and Penetration Tests Early and independent detection of security issues (e.g. program backdoors, network

vulnerabilities,)


SAP Cloud Security Backup and Recovery Overview

Primary Storage

production Data Center

Secondary Storage

in offsite backup Location

Most recent

snapshot on

primary storage

Multiple snapshots

on retention policy

Global Performance Monitoring of Backups


ISO 27001 CERTIFIED


SAP Cloud Security Backup and Recovery Details

Snapshots: Backups are created with snapshots from disk to disk. This ensures fast creation,

backups, and, if required, fast restoration.

Frequency: Daily full backup. Log files incrementally backed up every two hours: all changes in

database since the last full backup are saved.

Location: Database and log-file backups are stored in a geographically separated data center

but stay in the designated region.

Objective: Recovery up to the last transaction is supported within database recovery process.

Maximum lost time for customer is two hours - if the primary data center is

completely destroyed.

Retention times: Backups of the last 3 days are kept on primary and secondary storage.

Previous backups are kept up to 14 days in the geographically separated backup

data center.


Information Security Management System


ISO 27001 CERTIFIED


SAP Cloud Security Compliance Overview



Compliance features

Journal entries that allow tracing of business transactions

to source documents

Number ranges that distinguish journal entries

Accounting-relevant data cannot be deleted from audit

trails

Supports IFRS accounting regulations

Solution documentation included

Segregation of duties supported

ISAE3402 TESTIFIED*

SSAE16 TESTIFIED*


SAP Cloud Security Compliance Details

Features that support customers in achieving compliance include:

Journal entries carry the complete information Ability to identify business transactions and trace them through to underlying source documents

Number ranges support the ability to distinguish entries Availability of transparency to customers for precise retrieval

Inability to delete accounting-relevant data, and all changes made to financially relevant data are recorded in a change-history log

Help for customers to perform audits

Supports IFRS accounting regulations Help for customers to adhere to regulations of multiple markets (International Financial Reporting Standards)

Solution documentation included Provision of necessary procedure and task descriptions for end users and detailed technical descriptions explaining data processing and storage



SAP Cloud Security Confidentiality & Integrity Customer View


Role Based

Access

Activity

Logging

Data

Ownership

On-demand solutions support role based access

with user profiles to allow segregation of duties

On-demand solutions log all user activities

Support for contract termination

Customer Data extraction

Customer Data handover in file format

Extended read-only system access after

contract termination

Data deletion only after customer approval



SAP Cloud Security Integrity & Confidentiality Concept of Support User Access Control

Application and Customer Support* Platform and System Support*

Data integrity and availability is ensured by

proactive automated system monitoring


*Variances may exist depending on cloud offering

Customer reports incident:

Ticket

One-time user with short-

term password (1 hour)

Personalized log-traces

System reports incident:

Ticket

One-time user with short-

term password (4 hours)

Personalized log-traces


SAP Cloud Security Summary

Certified operations

World-class data centers

Advanced network security

Reliable data backup

Built-in compliance, integrity, and

confidentiality


Helpful Links:

SAP Contract

Details

http://www.sap.com/corporate-en/our-company/agreements/index.epx

Search e.g. ByD Terms and Conditions US

Security FAQs www.sme.sap.com Sell Security Topics FAQs

Standards and

Audits

www.sme.sap.com Sell Security and Standard Accreditations

Certificates www.service.sap.com/certificates

http://www.sap.com/press.epx?pressid=13030 SAP DC Energy

Efficiency

Data Center

Security Video

http://youtu.be/oK5OIaUPEZ4 (German)

http://youtu.be/wxOs1AdJXLs (English)

Cloud Operations

Video

http://youtu.be/3EZy1jq_vjE (German)

http://youtu.be/zGvKZkQixCg (English)

Virtual Data Center-

Walkthrough www.sapdatacenter.com (English)

Appendix


SAP Cloud Security Standards and Certificates Details

Certified Energy efficient

SAP NEWSBYTE - April 12, 2010 -

Two SAP AG (NYSE: SAP) data

centers in Germany have been

certified as energy efficient by TV Rheinland, a German group that

documents the safety and quality of

business and technology systems to

establish sustainability in social and

industrial development. To date, only

10 data centers from various

companies have received this

certification. Out of those, the SAP

data center in St. Leon-Rot, Germany,

achieved the highest ratings

International Standard on

Assurance Engagements

(ISAE) No. 3402 Type B

It is globally recognized assurance

report on controls at a service

organization. It has been put forth by

the International Auditing and

Assurance Standards Board (IAASB).

The focus of this quality standard lies

on controls that have a potential

impact on financial reporting.

ISAE 3402 is an "assurance" standard.

It is the international successor

standard of SAS 70.

International Standard Organization

(ISO) 27001

Specifies how an Information Security

Management System has to be set up

and operated. It defines an overall

management and control framework

for managing an organization's

information security risks.

Statement on Standards for

Attestation Engagements (SSAE)

No. 16

This is the US equivalent to

international standard ISAE 3402.

SSAE16 is an "attestation" standard.


British Standards Institution (BS)

25999

Is a standard in the field of business

continuity management (BCM) to

ensure continued operation in case of

critical situations. This standard sets

the requirements for how a data center

must be built and operated to

guarantee the highest availability.

International Organization for

Standardization (ISO) 9001

Specifies requirements for a quality

management (QM) system. Within the

definition of the QM system itself, it is

important to aim for continuous

improvement.

German Audience

(PS880 included)

PS 880 Certificate for ByDesign.

Prfung rechnungslegungsrelevanter Softwareprodukte

Ensures the product is in line with

German GoB Grundstzen ordnungsgemer Buchfhrung. Renewed for each software release.


SAP Cloud Security Compliance Overview



Compliance features

Journal entries that allow tracing of business transactions

to source documents

Number ranges that distinguish journal entries

Accounting-relevant data cannot be deleted from audit

trails

Supports IFRS accounting regulations

Supports German accounting regulations

Solution documentation included

Segregation of duties supported

ISAE3402 TESTIFIED*

SSAE16 TESTIFIED*

PS 880 CERTIFIED

German Audience

(PS880 included)


SAP Cloud Security Compliance Details

Features that support customers in achieving compliance include:

Journal entries carry the complete information Ability to identify business transactions and trace them through to underlying source documents

Number ranges support the ability to distinguish entries Availability of transparency to customers for precise retrieval

Inability to delete accounting-relevant data, and all changes made to financially relevant data are recorded in a change-history log

Help for customers to perform audits

Supports IFRS accounting regulations Help for customers to adhere to regulations of multiple markets (International Financial Reporting Standards)

Supports German accounting regulations Help for customers to adhere to German accounting regulations. (Certified for each new ByDesing solution release)

Solution documentation included Provision of necessary procedure and task descriptions for end users and detailed technical descriptions explaining data processing and storage


German Audience

(PS880 included)


SAP Cloud Security Physical Security Overview (2013)


Data Center

Planning Status

April 2012

World-class Tier-3/4 data centers

Customer data always stays in same national

jurisdiction

SAP managed data centers and select

partners operating according to SAP standards

BS25999 CERTIFIED

ISO 27001 CERTIFIED


2012 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose

without the express permission of SAP AG. The information contained herein may be

changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary

software components of other software vendors.

Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are

registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,

System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power

Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA,

pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP,

RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli,

Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the United States and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered

trademarks of Adobe Systems Incorporated in the United States and other countries.

Oracle and Java are registered trademarks of Oracle and its affiliates.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin

are trademarks or registered trademarks of Citrix Systems Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C,

World Wide Web Consortium, Massachusetts Institute of Technology.

Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C,

Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.

IOS is a registered trademark of Cisco Systems Inc.

RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry

Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App

World are trademarks or registered trademarks of Research in Motion Limited.

Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps,

Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync,

Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are

trademarks or registered trademarks of Google Inc.

INTERMEC is a registered trademark of Intermec Technologies Corporation.

Wi-Fi is a registered trademark of Wi-Fi Alliance.

Bluetooth is a registered trademark of Bluetooth SIG Inc.

Motorola is a registered trademark of Motorola Trademark Holdings LLC.

Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,

StreamWork, SAP HANA, and other SAP products and services mentioned herein as well

as their respective logos are trademarks or registered trademarks of SAP AG in Germany

and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal

Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services

mentioned herein as well as their respective logos are trademarks or registered trademarks

of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase

products and services mentioned herein as well as their respective logos are trademarks or

registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective

companies. Data contained in this document serves informational purposes only. National

product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be

reproduced, copied, or transmitted in any form or for any purpose without the express prior

written permission of SAP AG.


2012 SAP AG. Alle Rechte vorbehalten.

Weitergabe und Vervielfltigung dieser Publikation oder von Teilen daraus sind, zu

welchem Zweck und in welcher Form auch immer, ohne die ausdrckliche schriftliche

Genehmigung durch SAP AG nicht gestattet. In dieser Publikation enthaltene Informationen

knnen ohne vorherige Ankndigung gendert werden.

Die von SAP AG oder deren Vertriebsfirmen angebotenen Softwareprodukte knnen

Softwarekomponenten auch anderer Softwarehersteller enthalten.

Microsoft, Windows, Excel, Outlook, und PowerPoint sind eingetragene Marken der

Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,

System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power

Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA,

pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP,

RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli,

Informix und Smarter Planet sind Marken oder eingetragene Marken der IBM Corporation.

Linux ist eine eingetragene Marke von Linus Torvalds in den USA und anderen Lndern.

Adobe, das Adobe-Logo, Acrobat, PostScript und Reader sind Marken oder eingetragene

Marken von Adobe Systems Incorporated in den USA und/oder anderen Lndern.

Oracle und Java sind eingetragene Marken von Oracle und/oder ihrer

Tochtergesellschaften.

UNIX, X/Open, OSF/1 und Motif sind eingetragene Marken der Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame und MultiWin

sind Marken oder eingetragene Marken von Citrix Systems, Inc.

HTML, XML, XHTML und W3C sind Marken oder eingetragene Marken des W3C,

World Wide Web Consortium, Massachusetts Institute of Technology.

Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C,

Retina, Safari, Siri und Xcode sind Marken oder eingetragene Marken der Apple Inc.

IOS ist eine eingetragene Marke von Cisco Systems Inc.

RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry

Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook und BlackBerry App

World sind Marken oder eingetragene Marken von Research in Motion Limited.

Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps,

Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync,

Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik und Android sind

Marken oder eingetragene Marken von Google Inc.

INTERMEC ist eine eingetragene Marke der Intermec Technologies Corporation.

Wi-Fi ist eine eingetragene Marke der Wi-Fi Alliance.

Bluetooth ist eine eingetragene Marke von Bluetooth SIG Inc.

Motorola ist eine eingetragene Marke von Motorola Trademark Holdings, LLC.

Computop ist eine eingetragene Marke der Computop Wirtschaftsinformatik GmbH.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,

StreamWork, SAP HANA und weitere im Text erwhnte SAP-Produkte und -

Dienstleistungen sowie die entsprechenden Logos sind Marken oder eingetragene Marken

der SAP AG in Deutschland und anderen Lndern.

Business Objects und das Business-Objects-Logo, BusinessObjects, Crystal Reports,

Crystal Decisions, Web Intelligence, Xcelsius und andere im Text erwhnte Business-

Objects-Produkte und Dienstleistungen sowie die entsprechenden Logos sind Marken

oder eingetragene Marken der Business Objects Software Ltd. Business Objects ist ein

Unternehmen der SAP AG.

Sybase und Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere und weitere im Text

erwhnte Sybase-Produkte und -Dienstleistungen sowie die entsprechenden Logos sind

Marken oder eingetragene Marken der Sybase Inc. Sybase ist ein Unternehmen der

SAP AG.

Crossgate, m@gic EDDY, B2B 360, B2B 360Services sind eingetragene Marken der Crossgate AG in Deutschland und anderen Lndern. Crossgate ist ein Unternehmen der

SAP AG.

Alle anderen Namen von Produkten und Dienstleistungen sind Marken der jeweiligen

Firmen. Die Angaben im Text sind unverbindlich und dienen lediglich zu Informations-

zwecken. Produkte knnen lnderspezifische Unterschiede aufweisen.

Die in dieser Publikation enthaltene Information ist Eigentum der SAP. Weitergabe und

Vervielfltigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und

in welcher Form auch immer, nur mit ausdrcklicher schriftlicher Genehmigung durch

SAP AG gestattet.

Documents

SAP Cloud Data Protection and Compliance