SAP HANA Cloud Security

SAP CLOUD SECURITY By Gaurav Ahluwalia

Upload: gaurav-ahluwalia

Post on 15-Apr-2017


INTRODUCTION

Information Security is not just a buzzword for the SAP Security, Risk & Compliance Office – it’s our daily work, our passion, and the principle that drives us. We strive to provide the best security and data protection possible to SAP and our customers. Each customer is treated as if they were our only customer. That’s the kind of commitment and importance we work to achieve - every single day. We have consistently certified to internationally recognized standards such as ISO 9001 for Quality Management or ISO 27001 for Information Security, provide SOC1 and SOC2 reports twice a year, and use industry-accepted best practices such as COBIT or the ISF Standard of Good Practice for Information Security to assure the best possible security and risk management approach. You can rest assured that your information is in good, experienced hands.

Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).

Sometimes referred to as computer security, information technology security is information security applied to technology (most often some form of computer system). It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory. Such devices can range from non-networked standalone devices as simple as calculators, to networked mobile computing devices such as smartphones and tablet computers. IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within larger businesses. They are responsible for keeping all of the technology within the company secure from malicious cyber-attacks that often attempt to breach critical private information or gain control of the internal systems.


Figure: Information security attributes or qualities, i.e., Confidentiality, Integrity and Availability (CIA).


HANA ENTERPRISE CLOUD (HEC) - HIGH LEVEL OVERVIEW

Legend: # refers to one customer; MPLS: Multiprotocol Label Switching; VPN: Virtual Private Network

The fundamental security architecture of the HEC infrastructure is the principle of a private cloud. This means each customer receives an isolated, logical grouping of several virtual machines and physical systems. All customer networks are completely isolated from each other. HEC administrative tasks are done using management networks.


Clouds #1, #2 and #3 are the customer clouds. A shared administrative infrastructure is available, for example the tape drives or hardware modules used to take backups, as well as networking resources. An admin firewall bridges to the SAP corporate networks (the real SAP guys), who log on to the HEC and check its health.

Customer-specific clouds are alien to each other and do not interact unless a specific interface exists for business needs. In short, every instance is virtualized and downtimes on the virtual clouds are minimal. The whole architecture is very robust, corresponding to the tier quality of the data center, which in turn affects costs and the customer's pocket.

Cloud hosting of business applications is not new. For pricing, consider Google's cloud: below is a sample pricing sheet for App Engine.

| Resource | Unit | Unit cost (in US $) |
|---|---|---|
| Standard Runtime Instances* | Instance hours | $0.05 |
| Outgoing Network Traffic | Gigabytes | $0.12 |
| Incoming Network Traffic | Gigabytes | Free |
| Datastore Storage | Gigabytes per month | $0.18 |
| Blobstore, Logs, and Task Queue Stored Data | Gigabytes per month | $0.03 |
| Dedicated Memcache | Gigabytes per hour | $0.06 |
| Logs API | Gigabytes | $0.12 |
| SSL Virtual IPs** (VIPs) | Virtual IP per month | $39.00 |
| Sending Email, Shared Memcache, Cron, APIs (URLFetch, Task Queues, Image, Sockets, Files, Users, and Channel) | | No Additional Charge |

A close look at the sheet shows low costs for running your IT solution at high availability, which can further reduce the total cost of ownership (TCO) of the IT solution. Cloud computing for SAP would cut the large maintenance costs paid to different outsourcing partners for hardware, software AMC and other consulting charges, which the client bears for running healthy SAP systems.

The client might pay the HEC service provider (PaaS) a lump sum to run the SAP system as a whole. HEC might bring an app-based approach for SAP into action.

Figure: Your deployed application in HANA cloud platform.

So if you want to do a small rollout, you can precisely give out AMCs based on the number of HTML5 apps you would be developing on HCP as an SAP partner, and package your code in a BSP application. This code might talk to your native SAP, SuccessFactors, Hybris or whatever underlying mother system exists for HANA. Security concerns around these small extension apps would be an issue to research. Right now SAP supports all the new authentication technologies such as OAuth, SAML2 single sign-on, Kerberos tokens and X.509 client certificates. Following is an overview of SAP HANA Cloud Platform.

Figure: Features of HANA Cloud Platform. We can create extension apps on every engine in the platform.

HANA ENTERPRISE CLOUD (HEC) - HIGH LEVEL OVERVIEW CONTD..

The following figure shows the HANA cloud in more detail, with descriptions.


HANA ENTERPRISE CLOUD (HEC) - DETAILS

Details for Customer Landscapes


HANA VIRTUALIZATION TECHNOLOGY AND SECURITY

Virtualization technologies like VMware vSphere,

• High Availability reduces unplanned downtime and provides higher service levels for applications. In the event of an unplanned hardware failure, affected virtual machines automatically restart on another host in the vSphere cluster.

• Automation. VMware’s automated load balancing takes advantage of vMotion and Storage vMotion to migrate virtual machines among a set of VMware ESXi™ hosts. VMware vSphere Storage DRS and DRS allow automatic resource relocation and optimization for virtual machines and related storage.

• Provisioning. VMware virtualization encapsulates an application into an image that can be duplicated or moved, which greatly reduces the cost of application provisioning and deployment.

Figure: VMware vSphere virtual infrastructure


INSTRUCTION ISOLATION

Figure: Instruction Isolation


MEMORY ISOLATION

Figure: Memory Isolation

Figure: Transparent Page Sharing – Page-Content Hashing


I/O REMAPPING

Figure: I/O Remapping -- Data Paths via the Hypervisor and DirectPath I/O


Resource Provisioning, Shares, and Limits. In a virtualized environment, resources are shared among all virtual machines. But because system resources can be managed, usage limits can be set on virtual machines.

NETWORK ISOLATION

Figure: Increasing Sensitivity of Networks in Virtual Infrastructures

Figure: Network Isolation

Through the use of a virtualized network controller (vNIC)–level firewall, a virtual machine can be isolated from other virtual machines, even on the same switch (layer 2 isolation).


STORAGE ISOLATION

Figure: Virtual Firewall at the vNIC Level

Figure: NFS and Block Storage I/O


HANA ENTERPRISE CLOUD (HEC) – DETAILS CONTD..

Details for Network Integration


HANA ENTERPRISE CLOUD (HEC) - DETAILS

Details for Public Internet Access


BITS AND PIECES OF REVERSE PROXY FARMS

This diagram shows part of the network for the reverse proxy farms set up inside HEC for the different client clouds, given that every client's domain name is different.


FEATURES OF HANA ENTERPRISE CLOUD SECURITY

Advanced IT Security Architecture,

o Isolated, separated Landscape per Customer

o Security hardened Systems

Secure Operations –

o Asset Management

o Change Management

o Incident Management

o Anti-Virus & Malware Management

o Backup / Restore Management

o Identity & Access Management

o Security Awareness Trainings

Security measures are audited and confirmed through various Certifications & Attestations –

o ISO Certificates

    o ISO9001 Quality Management System

    o ISO27001 Information Security Management System

o SOC1 (ISAE3402/SSAE16) Type I & Type II

o SOC2 Type I & Type II

o Industry specific Certificates (on demand with business case foundation)

Network Security

o Network Filtering

o Intrusion Prevention Systems


o Web Application Firewall

o 2-factor Authentication

o Network Admission Control – Proxies with Content Filtering

o Advanced threat management

Physical Security

o Video and Sensor Surveillance

o Access Logging

o Security Guards

o Fire Detection and Extinguishing System

o Uninterruptible Power Supply

o Biometric Access Control in certain Locations

Threat & Vulnerability Management

o Security Patch Management

o Penetration Testing

o Vulnerability Scanning

o 24 x 7 Security Monitoring Center

Customer data flow control

o Regional Data Storage (e.g. EU-, US-Cloud)

o European data protection and privacy policy


DATA CENTER – SECURITY REQUIREMENTS

SAP Cloud Solutions and Customer Data need to be operated in a data center classified as SAP Tier Level III, III+ or IV. SAP checks on site for compliance with the SAP Data Center minimum physical security standard, which covers topics like:

o Perimeter & Location security

o Building entry point security

o Building Security

o Access Controls & Monitoring

o General access and

o Access to dedicated SAP areas

o Fire Protection

o Electrical Power supply

o Certifications of the DC Provider


| Minimum availability requirements | Tier I | Tier II | Tier III | Tier III+ | Tier IV |
|---|---|---|---|---|---|
| Stand-alone Data Center building necessary | no | no | no | yes | yes |
| Amount of external electrical power suppliers | 1 | 1 | 1 | 1 | 2 |
| Amount of transformers to power the Data Center | n | n | n + 1 | n + 1 | 2n |
| UPS Battery System necessary | no | yes | yes | yes | yes |
| Minutes UPS must provide power | 0 | 5 | >10 | >10 | >10 |
| Amount of UPS Systems necessary | n | n | n + 1 | n + 1 | 2n |
| (Diesel-) Generators needed | no | no | yes | yes | yes |
| Amount of cooling systems needed | n | n | n + 1 | n + 1 | 2n |
| Server cooling is independent from an office AC | no | no | yes | yes | yes |
| Fire detection system needs to be installed | yes | yes | yes | yes | yes |
| Fire extinguishing system must be installed | no | yes | yes | yes | yes |
| On-site response time of Data Center personnel | <48h | <8h | <1h | <1h | <1h |
| Available WAN network connection lines | 1 | n + 1 | n + 1 | n + 1 | 2n |
| Available LAN network connection lines | n | n + 1 | n + 1 | 2n | 2n |

Data center security requirements for SAP.


HEC DATACENTERS

Current Status Tier Level & Certifications


WHY HANA ENTERPRISE CLOUD (HEC) IS BETTER

SAP has a long-standing tradition in security of its solutions and takes demands from customers on cloud security very seriously.

a) Strong collaboration between Security, Operations and Product Development team.

o Strong collaboration of the Product Security team and the Operations Security team ensures that proper security and compliance are implemented in HEC products.

o Identified issues are directly communicated to the Product Development team to ensure immediate fixes.

o Strong collaboration of the Security team and the Operations team ensures proper definition of security requirements individually per Cloud product within HEC.

o The Security team consults the Operations team in defining and implementing the security measures per asset individually.

o Regular monitoring ensures timely identification of issues.

b) Multiple layers of defense to protect our customers’ data.

c) Holistic Security & Compliance approach: integrated, monitored and validated by external audits.

o HEC leverages a multi-dimensional security and compliance approach to establish and maintain state-of-the-art Security & Compliance.

o The following two slides describe the key aspects of the holistic Security & Compliance Approach.

o Protection Goal

i. Security (CIA): HEC focuses on confidentiality and integrity of data as well as availability of customer systems and central infrastructure.

ii. Data Protection: HEC is fully committed to data protection and privacy. SAP is a global company with its headquarters in Germany, which is a member of the European Union (EU). Therefore our Policy is based on definitions of European Data Protection legislation and defines the basic principles applicable for every SAP entity *). HEC respects data protection and privacy rights and safeguards any Personal Data of our customers.

o IP Protection: HEC in addition focuses on the protection of your intellectual property. Access to data is strictly limited according to the need-to-know principle. Strict separation of customer systems is understood!

o Demands & Enforcement –

i. Requirements / Measures --- SAP has a strict policy framework which is broken down into detailed technical procedures for operations.

ii. Monitoring --- Regular monitoring ensures timely identification of deviations and initiates fixes quickly.

iii. Audits

i. During the Compliance & Certification Audits we ask external experts to verify our security effectiveness.

ii. Through regular supplier audits, we ensure the security effectiveness of suppliers and sub-contractors.

o Scoping –

i. Technology-

a. Secure operability of HEC products is monitored. Issues are directly addressed to Product Development team.

b. Our security scope covers all infrastructure components and tools required to operate and manage HEC.

ii. Processes-

All relevant processes for cloud product development and cloud operations are within the security scope.

iii. People-

Regular training and evaluation is key to ensure proper operations of HEC.

d) Customer can select the region of data storage.

a. The physical storage of customer data is crucial to numerous enterprises. Therefore, our HEC customers can choose if their data is stored in cloud data centers located in the USA or in Europe.

b. The general rule is: We have clear and company-wide guidelines in place that define how we respond to requests for customer data coming from law enforcement authorities and regarding national security concerns. We take our commitment to our customers and legal compliance very seriously. Customer data is only shared if the request is legally valid. Our legal department evaluates every inquiry in detail. In addition, we will question a request if there are grounds for assuming that it is not in conformity with the law.

CLOUD SECURITY GOVERNANCE / BUILD ONE DELIVERY – INTERNAL CONTROLS

Compliance & Processes


Integrated Information Security Management System (acc. ISO27001)

Controls embedded into operational processes and procedures

Process Managers located within the delivery unit

Training is provided on a regular basis to ensure proper implementation

Control effectiveness is regularly tested

Compliance audits performed twice per year

ISO audits performed on annual basis

Certification Overview & Roadmap

Certifications/ Attestations

Roadmap

Certifications and Attestations

| SAP Cloud Offering | SOC1/ISAE3402 Type I | SOC1/ISAE3402 Type II | SOC 2 Type I | SOC 2 Type II | ISO27001 | Others |
|---|---|---|---|---|---|---|
| SAP Business ByDesign | | | | | | |
| SAP Cloud for Customer | | | | | | |
| SAP Cloud for Financials | | | | | | |
| SAP Cloud for Sales | | | | | | |
| SAP Cloud for Service | | | | | | |
| SAP Cloud for Social Engagement | | | | | | |
| SAP Cloud for Travel & Expense | | | | | | |
| HANA Enterprise Cloud | | | | | | ISO9001; planned for Q4/2014: ISO22301 |
| Ariba cloud solutions from SAP | | | | | | PCI-DSS, Webtrust, SafeHarbor |
| Ariba - Quadrem cloud solutions from SAP | | | | | | WebTrust |
| SuccessFactors cloud solutions from SAP | | | | | | SafeHarbor |
| SAP People Cloud Solutions - Employee Central | | | | | | SafeHarbor |
| SAP People Cloud Solutions - Employee Central Payroll | | | | | | SafeHarbor |
| SAP HANA Cloud Platform & Portal | | | | | | |
| SAP HANA Cloud Portal | | | | | | |

Legend Colors

Certification available

Certification planned for 2014:

Certification planned for 2016:

Certification not applicable:

May be added in future:


| Certifications / Attestations | Purpose |
|---|---|
| SOC1 / ISAE 3402 / SSAE16 | Report on a service organization’s internal controls that are likely to be relevant to an audit of a customer’s financial statements (formerly SAS 70). |
| SOC 2 | Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. Can be handed out to customers and prospects; use/distribution may be restricted. |
| SOC 3 | Trust Services Report for Service Organizations. Used for marketing purposes, unrestricted use/distribution. |
| ISO 27001 | Certification of an Information Security Management System. Used for marketing purposes, certification can be officially published. |
| ISO 9001 | Certification of a Quality Management System. Used for marketing purposes, certification can be officially published. |
| PCI-DSS | Required for customers who handle cardholder information for debit, credit, prepaid, e-purse, ATM, and POS cards. |