3. What does SAP do to help its customers to protect their systems, applications and code?
SAP knows security is in the vital interest of anyone who uses SAP products to run critical business processes and to store and process sensitive data, so secure products are a prerequisite. Besides the secure development life-cycle SAP has established, accompanied by extensive testing and security validation processes, SAP executes on the following 4 strategic key pillars for secure products:
• Zero Vulnerabilities to minimize vulnerabilities and ensure maximum protection
• Security by Default to enforce secure configuration from the start, during implementation and operations
• Defendable Applications to automate the identification and prevention of attacks from within the application
• Zero Knowledge so that everyone in the system can transmit, store, and process data while complete confidentiality is ensured
Security is based on cooperation, and besides SAP's security consulting and security support arms, SAP's security guidelines can help its customers form a structured security approach (e.g. SAP's security recommendations, or the Secure Operations Map).
4. What is the status of cloud security?
Cloud Security follows an end-to-end security framework based on international standards and best practices.
The Security Framework governs all security controls and measures provided for the production environments of SAP Cloud solutions and the respective SAP modules. To fulfil SAP's high security and compliance standards, information and data are handled and protected in a way that is designed to:
• Maintain confidentiality – only authorized persons receive access.
• Safeguard integrity – only authorized persons can change information.
• Maintain availability – information is available when it is needed and within the defined boundaries.
Via external audits SAP provides transparency into the effectiveness of the cloud control system. SOC reports provide a detailed description of the relevant controls as well as of their effectiveness.
To provide insights into the status of and the strategy on cloud security, we have recently published the SAP Cloud Security Trust Center. It provides a transparent view of how SAP delivers security, cyber security and data center security for cloud services, including clear explanations of how SAP handles data privacy and how the company protects the rights of individuals. In addition, it proves SAP is compliant with international standards, including ISO and British standards as well as industry-specific and regional certificates, and it explains the different service organization control reports and how they can be requested from SAP. Also, the SAP Cloud Trust Center offers easy-to-understand agreements that can serve as building blocks for subscribing to the SAP Cloud portfolio, along with examples and relevant quick facts that make it easy for a current or prospective customer to understand the process. Last, but not least, it gives answers to common questions on trust-related cloud topics, such as security, data protection and privacy, and on compliance for the SAP Integrated Business Planning solution, the SAP Cloud Platform Integration service and SAP S/4HANA® Cloud software.
5. What is SAP doing to help companies adhere to data protection and privacy guidelines and become GDPR compliant?
The European Union released the GDPR, coming into effect in May 2018 and replacing the local data protection regulations across Europe. The GDPR reflects the increased importance of data in the digital economy through increased obligations on entities processing personal data, combined with powerful enforcement.
SAP transparently shares all relevant details of its product capabilities and cloud processing environments. SAP provides secure operation guidance for SAP products and high security standards for SAP Cloud environments. SAP joins forces with governments and other global players to be able to exchange information on attacks promptly.
This helps our customers to focus on their business processes while relying on SAP's expertise for security and data protection as an EU-based company. Regular validation, certifications and audits assure compliant service delivery. Proven enterprise-scale processes assure high standards and timely communication.
6. How can companies differentiate themselves in the area of security?
Drive security holistically, managed by an integrated security management system that follows a risk-based approach and is supported by capable risk management implemented across the board in the company. Focus on the internal key risk areas and establish an individual security approach tailored to the business of the company.