Vraag het aan SAP
Hoe kijkt SAP tegen security aan? Wat wordt er gedaan om SAP-gebruikers te helpen hun systemen secure te houden? Wij hebben een aantal vragen opgesteld die deels zijn gebaseerd op de input vanuit onze focusgroep Security & Access Management en deels op de reacties op de recentelijk gehouden VNSG IT Trends-enquête, waarin ook vragen over security waren opgenomen. Die vragen zijn voorgelegd aan Ralph Salomon, Vice President Secure Operations van SAP.
1. How does SAP help companies ensure Business Continuity?

SAP has implemented business continuity management aligned to ISO22301 as part of SAP’s management framework for business continuity and operational resilience, of which corporate continuity, IT service continuity management and cloud continuity are parts.

This business continuity management ensures that SAP’s business can respond and adapt rapidly to threats posed against SAP’s workforce, business, and reputation. It is a holistic management system that identifies potential threats to our organization and their impact on business operations. It provides a framework for building operational resilience with the ability to respond effectively, in case potential threats are realized and validated. This helps safeguard the interests of SAP’s key stakeholders and its reputation, brand, and value creating activities.

The governing principles for corporate continuity and IT service continuity management as well as interfaces to cloud continuity are centrally managed. This continued central governance ensures and documents common principles and requirements providing guidance on implementation of respective procedures. Implementing procedures per central governance is done by all units at SAP as necessary and upon existence of critical products and services. Some cloud services might have different service level offerings for business continuity, so our customers can pick and choose per their required Service Level. In addition, multiple components in SAP’s secure development lifecycle ensuring extensive testing of features and functionality, regarding integration, usability and availability. This is true for both, cloud services as well as on-premise software.

For SAP’s on-premise delivery we have further services like ability to down-port certain patches to enable business continuity at our customer’s side. Furthermore, various solution-specific operational recommendations, cookbooks and implementation guidelines help customers and partners to setup SAP systems properly right from the beginning as well as recommending appropriate business continuity measures for on-premise systems, operated by customers or respective partners.

2. What do you consider key areas in present-day world of security?

According to a global survey performed end of 2016 by our partner EY, the following topics are top-3 rated vulnerabilities: Careless or unaware employees, unauthorized access, outdated information security controls or architecture. Looking at the most common entry points for hacker there are malicious emails and drive-by infections on websites.

Careless or unaware employees
Planning and executing our operational security measures and user awareness activities are on top of our list. A few months ago, during a security event within SAP, I asked the participants if they belief that cybercrime is an issue for the economy in general. 98% of participants raised their arms. Then I asked the group if they belief cybercrime was an issue for SAP as a company. Only 60% raised their arms. This triggered a massive change in our security awareness activities. We have updated training sessions by adding concrete attack examples that happened at SAP, e.g. employees receiving malicious emails, including stats about what happened with it, or what should be done in case someone wants to enter our environment without a company pass. Opinion and behavior do not change from one day to another, so we need to constantly interact with our workforce, and be as specific and concrete as possible on the overall situation. All consumable and without losing their attention. Gamification is one great method to get our employees attention, move them out from possible ‘movie consumption mode’, and bring them to actionable security awareness.

Unauthorized Access
Protection of information and data is key for each company, so access to it should principally and consequently be restricted to a ‘need to know principle’. In addition, several Information Security measures are relevant. Amongst these are strict information classification, and proper protection measures according to confidentiality and criticality level, etc. SAP offers several solutions here, in the Identity and Access Management space, helping its customers to adequately prevent unauthorized access. Internally, we have implemented SAP’s identity management solutions to manage user identities and appropriate authorizations to different central systems and services. SAP’s single sign-on solutions for Cloud and on-premise deployments increase usability for end users in parallel to improved security, by reducing the secure authentication process to the minimum.

Outdated information security controls or architecture
Security is a journey without an end. With our Integrated Security Management System, we ensure continuous improvement of our control system on a risk based approach. In addition, we have defined company-wide Security Reference Architectures, outlining the major use cases of services and necessary security requirements that are mapped to the security measures and tools in place. Measures and tools are continuously monitored for effectiveness, ensuring our security architecture is up to date and enhanced when needed.

In our Security Strategy 2020, on the secure operations side, we are driving the following 4 key areas:
Intelligent Infrastructure Protection to effectively safeguard the Infrastructure from the advanced threat landscape of today
Perceptive Data Shield for data defense and assurance in a mobile workforce world
Secure Augmented Network to ensure business protection on internal and 3rd party networks
Security Shielded Ecosystem, advancing security into the entire business ecosystem
3. What does SAP do to help its customers to protect their systems, applications and code?

SAP knows security is in the vital interest of anyone who is using SAP products to run critical business processes and to store and process sensitive data. So secure products are a prerequisite. Besides the secure development life-cycle, SAP has installed, accompanied by excessive testing and security validation processes, SAP executes on the following 4 strategic key pillars for secure products:
Zero Vulnerabilities to minimize vulnerabilities to ensure maximum protection
Security by Default to enforce secure configuration from the start during implementation and operations
Defendable Applications to automate identification and prevention of attacks from within the application
Zero Knowledge for the ability that everyone in the system can transmit, store, and process data while ensuring complete confidentiality

Security is based on cooperation, and besides to SAP security consulting and security support arms, SAP’s security guidelines can help its customers forming a structured security approach (e.g. SAP’s security recommendations, or the Secure Operations Map).

4. What is the status of cloud security?

Cloud Security is following an end to end security framework based on international standards and best practices.

The Security Framework governs all security controls and measures, provided for the production environments of SAP Cloud solutions and respective modules of SAP. To fulfil SAP’s high security and compliance standards, information and data is handled and protected in a way that is designed to:
• Maintain confidentiality – only authorized persons receive access.
• Safeguard integrity - only authorized persons can change information.
• Maintain availability - information is available when it is needed and within the defined boundaries.

Via external audits SAP provides transparency in the effectiveness of the cloud control system. SOC reports provide detailed description of the relevant controls as well as the effectiveness of the control.

To provide respective insights into the status and the strategy on cloud security we have recently published the SAP Cloud Security Trust Center. It provides a transparent view of how SAP delivers security, cyber security and data center security for cloud services, including clear explanations on how SAP handles data privacy and how the company protects the rights of individuals. In addition, it proves SAP is compliant with international standards, including ISO and British standards, industry-specific and regional certificates; explanations of different service organization control reports and how they can be requested from SAP. Also, SAP Cloud Trust Center offers easy-to-understand agreements that can serve as building blocks for subscribing to the SAP Cloud portfolio; examples and relevant quick facts that make it easy for a current or prospective customer to understand the process. Last, but not least, it gives answers to common questions on trust-related cloud topics, such as security, data protection and privacy, and on compliance for the SAP Integrated Business Planning solution, the SAP Cloud Platform Integration service and SAP S/4HANA® Cloud software.

5. What is SAP doing to help companies adhere to data protection and privacy guidelines and become GDPR compliant?

The European Union released the GDPR coming into fact May 2018 and replacing the local Data Protection regulations across Europe. The GDPR reflects the increased importance of data in the Digital economy by increased obligations to entities processing Personal Data combined with
powerful enforcements.

SAP transparently shares all relevant detail of the Product capabilities and Cloud processing environments. SAP provides secure operation guidance for SAP products and high Security standards with SAP Cloud environments. SAP joins forces with governments and other global players to be able to exchange information on attacks promptly.

This helps our customers to focus on their Business Processes while relying on SAP expertise for Security and Data Protection as a EU based company. Regular validation, certifications and audits assure compliant service delivery. Proven enterprise scale processes assuring high standards and timely communication.

6. How can companies differentiate themselves in the area of security?

Drive security holistically managed by an integrated security management system following a risk based approach, supported by a capable risk management implemented across the board in the company. Focus on the internal key risk area and establish an individual security approach tailored for the business of the company.
7. Secure or not secure… When and how is my landscape completely secure? Please advise.

Security is not a status that an organization can achieve one time and hold it forever. Instead, it is a constant collaboration process between people and technology throughout the whole digital economy. In addition, it is a delicate split between complete transparency on one hand - and the wish for confidentiality and control on the other, on budget and on time. And to add some more complexity, we need to comply with governmental regulations as well.

Digital transformation is security transformation. The only viable option we have is following a structured approach, include security into the business strategy, and make risk calculable. Some areas were discussed already. To bring it to the point, you could structure your approach in three areas: first is to prevent from attacks – form a security framework with state of the art protection (including anti-virus, firewalls, etc.), people enablement, and threat & risk monitoring. But what are you are doing when your systems get hacked nevertheless? You need to secondly detect potential hacks utilizing security deviation management processes, and threat & vulnerability detection, and establish a security monitoring center for alerts. And you thirdly need to react before this attack can harm your business with security response, vulnerability management and business continuity processes. And to follow the SAP security recommendations is a great starting point for SAP landscapes.

8. A recent survey within our user group showed that 74% of the respondents considers the mitigation of threats from within the organization to be an important issue within the security strategy. What is your opinion on this?

I agree that this is an important focus for security. We always have to implement security measures holistically. One of our key initiative within the security strategy 2020 is the implementation of an end-to-end security monitoring and incident management process as well as a capable tool to cover our corporate infrastructure as well as the cloud solutions. We have performed a RFP recently and looked into several solutions. Key requirements are monitoring is required from bottom infrastructure layer up to top application layer.

Analytics are required in real time on the streamed data from different log sources in a volume of 500,000 logs per second. This enable earliest possible detection of potential attacks from internally or externally. The only solution that could fulfill those requirements sufficiently was SAP Enterprise Threat Detection. This is currently implemented and is planned to be life to cover corporate as well as our cloud environment by end of the year.

At SAP, not only do we deliver software and services that help our customers compete in the digital economy, but we compete in the same digital economy ourselves. We run in the cloud – on an in-memory platform. We analyze Big Data to understand our customers better. We use the IoT to improve the customer experience. And we also have competitors attempting to use digital economy technologies to cut away at our market share.

This is why we take a comprehensive, holistic approach to security – one that extends to products, operations, and the company culture of SAP itself. We invite you, our customers and partners, to engage directly with SAP on the theme of security. Our goal is to share best practices with you to ensure the highest levels of security possible – and to incorporate feedback from you. This is all part and parcel of a holistic approach to security where the emphasis is continuous learning and improvement. To engage directly with SAP, please visit us at www.sap.com/security.