Cloud Data Protection and

Information Security at SAP

September 2014

Public

Cloud Data Security and Compliance at SAP

Agenda
Introduction of relevant Standards and Certificates
Cloud Security and Compliance

Physical Security
Network Security
Backup and Recovery
Support of Compliance
Confidentiality & Integrity

SAP Business Cloud

Summary

(Helpful Links)

2014 SAP AG. All rights reserved.

SAP Cloud Security Standards and Certificates

Overview
Physical Security

Network Security

Backup & Recovery

Compliance

Integrity & Confidentiality

Energy Efficiency

High Availability
BS25999 / ISO 22301

GREEN IT

CERTIFIED

CERTIFIED

Quality Management

IT Operations

ISO 9001

ISO 27001

CERTIFIED

CERTIFIED

Cloud Operations
SOC-2

International Accounting
Regulations
ISAE3402

SSAE16

TESTIFIED*

TESTIFIED*

Tax compliancy
PS 880

*formerly SAS 70 Type II

2014 SAP AG. All rights reserved.

SAP Cloud Security Standards and Certificates

Details
Physical Security

Network Security

Backup & Recovery

International Standard Organization

(ISO) 27001

International Organization for

Standardization (ISO) 9001

Specifies how an information security

management system (ISMS) has to be
set up and operated. It defines an
overall management and control
framework
for
managing
an
organization's information security
risks.
British Standards Institution (BS)
25999 / ISO 22301

Specifies requirements for a quality

management (QM) system. Within the
definition of the QM system itself, it is
important to aim for continuous
improvement.

Is a standard in the field of business

continuity management (BCM) to
ensure continued operation in case of
critical situations. This standard sets
the requirements for how a data center
must be built and operated to
guarantee the highest availability.

2014 SAP AG. All rights reserved.

Certified Energy efficient

SAP NEWSBYTE - April 12, 2010 Two SAP AG (NYSE: SAP) data
centers in Germany have been
certified as energy efficient by TV
Rheinland, a German group that
documents the safety and quality of
business and technology systems to
establish sustainability in social and
industrial development. To date, only
10 data centers from various
companies
have
received
this
certification. Out of those, the SAP
data center in St. Leon-Rot, Germany,
achieved the highest ratings

Compliance

Integrity & Confidentiality

International Standard on
Assurance Engagements
(ISAE) No. 3402 Type B
It is globally recognized assurance
report on controls at a service
organization. It has been put forth by
the
International
Auditing
and
Assurance Standards Board (IAASB).
The focus of this quality standard lies
on controls that have a potential
impact on financial reporting.
ISAE 3402 is an "assurance" standard.
It is the international successor
standard of SAS 70.
Statement on Standards for
Attestation Engagements (SSAE)
No. 16
This is the US equivalent
international standard ISAE 3402.

to

SSAE16 is an "attestation" standard.

SAP Cloud Security Physical Security

Overview (2014)
Physical Security

Network Security

Backup & Recovery

Compliance

Integrity & Confidentiality

Data Center

World-class Tier-3 and 4 data centers

Customer data always stays in same national
jurisdiction

SAP managed data centers and selected

partners operating according to SAP standards
2014 SAP AG. All rights reserved.

BS25999
CERTIFIED

ISO 27001
CERTIFIED
5

SAP Cloud Security Physical Security

Locations (2014)
Physical Security

Network Security

Backup & Recovery

Location

Country

St. Leon-Rot

Deutschland SAP

Walldorf

Deutschland SAP

Newtownsquare, PH

USA

SAP

Newtownsquare, PH

USA

SAP

Chandler, AZ

USA

Digital Reality SFSF

Ashburn, VA

USA

Verizon

JAM, NFL Fantasy Football, JPaaS

Amsterdam

NL

Telecity

JAM

Amsterdam

NL

Telecity

JAM

Sydney

AUS

Verizon

SFSF

Sydney

AUS

MacQuire

Chicago, IL

USA

CSC

Sourcing, Streamwork, BIoD

Chicago, IL

USA

Rackspace

Jobs2Web

Sommerville, MA

USA

Internap

Sourcing

Maidstone

UK

CSC

Sourcing

2014 SAP AG. All rights reserved.

Operator

Compliance

Integrity & Confidentiality

Service
C4C, ByD based, Payroll, OnDemand Portal, Photon
(Lumira Cloud), JPaaS, S&OP, SAP HANA Cloud for
Automobiles/Utilities
C4C, ByD based, S&OP

SAP Cloud Security Physical Security

Details
Backup & Recovery

Compliance

Confidentiality & Integrity

Reinforced concrete construction

Hundreds of surveillance cameras with digital recording

Fully monitored doors

Tens of thousands of environmental sensors

Security guards and facility support team onsite 24x7x365

Biometric sensors + card readers to access secured areas

Multiple redundant internet connections from multiple carriers

Redundant power sources

Hundreds of UPS units with additional capabilities of 20 min

Auxiliary, expandable diesel power supply, online within minutes

Diesel fuel storage sufficient for 48-hours of operations without refueling

Contracts with external diesel suppliers to guarantee continuous operation

Fire and flood protection

Redundant, environmentally friendly, Inergen fire extinguisher System

Thousands Fire and Flood Surveillance Sensors

100% redundant air conditioning

Auxiliary cooling capacity

POWER

BUILDING

FIRE +
FLOOD

Network Security

COOL
ING

Physical Security

2014 SAP AG. All rights reserved.

SAP Cloud Security Network Security

Overview
Physical Security

Network Security

Backup & Recovery

Compliance

Confidentiality & Integrity

IDS
Rev.
Proxy

2014 SAP AG. All rights reserved.

FIREWALLS

Datacenter

Reverse Proxy Farms

Multiple redundant Internet Connections

Data Encryption
Intrusion Detection System (IDS)
Multiple Firewalls
Third Party Audits and Penetration Tests
8

SAP Cloud Security Network Security

Details
Physical Security

Network Security

Backup & Recovery

Compliance

Confidentiality & Integrity

Reverse Proxy Farms

Hide network topology

Multiple redundant Internet Connections

Limit the effect of denial of service (DOS) attacks

Data Encryption
Highest level of protection with up to 256-Bit Data encryption protocols using
Transport Layer Security*

Intrusion Detection System

Monitor web traffic 24 x 7 x 365

Multiple Firewalls
Shield internal network from hackers

Third Party Audits and Penetration Tests

Early and independent detection of security issues (e.g. program backdoors, network
vulnerabilities,)
* formerly known as Secure Sockets Layer
2014 SAP AG. All rights reserved.

SAP Cloud Security Backup and Recovery

Overview
Physical Security

Network Security

Primary Storage
production Data Center

Backup & Recovery

Compliance

Confidentiality & Integrity

Secondary Storage
in offsite backup Location

Most recent
snapshot on
primary storage

Multiple snapshots
on retention policy

Global Performance Monitoring of Backups

ISO 27001
CERTIFIED

2014 SAP AG. All rights reserved.

10

SAP Cloud Security Backup and Recovery

Details
Physical Security

Network Security

Backup & Recovery

Compliance

Confidentiality & Integrity

Snapshots:
Backups are created with snapshots from disk to disk. This ensures fast creation,
backups, and, if required, fast restoration.

Frequency:
Daily full backup. Log files incrementally backed up every two hours: all changes in
database since the last full backup are saved.

Location:
Database and log-file backups are stored in a geographically separated data center
but stay in the designated region.

Objective:
Recovery up to the last transaction is supported within database recovery process.
Maximum lost time for customer is two hours - if the primary data center is
completely destroyed.

Retention times:
Backups of the last 3 days are kept on primary and secondary storage.
Previous backups are kept up to 14 days in the geographically separated backup
data center.

ISO 27001
CERTIFIED

Information Security Management System

2014 SAP AG. All rights reserved.

11

SAP Cloud Security Compliance

Overview
Physical Security

Network Security

Backup & Recovery

Compliance

Integrity & Confidentiality

Compliance features
Journal entries that allow tracing of business transactions
to source documents

Number ranges that distinguish journal entries

Accounting-relevant data cannot be deleted from audit
trails
Supports IFRS accounting regulations
Solution documentation included
Segregation of duties supported

ISAE3402

SSAE16

TESTIFIED*

TESTIFIED*

2014 SAP AG. All rights reserved.

*formerly SAS 70 Type II

12

SAP Cloud Security Compliance

Details
Physical Security

Network Security

Backup & Recovery

Compliance

Confidentiality & Integrity

Features that support customers in achieving compliance include:

Journal entries carry the complete information
Ability to identify business transactions and trace them through to underlying source documents

Number ranges support the ability to distinguish entries

Availability of transparency to customers for precise retrieval

Inability to delete accounting-relevant data, and all changes made to financially relevant
data are recorded in a change-history log
Help for customers to perform audits

Supports IFRS accounting regulations

Help for customers to adhere to regulations of multiple markets
(International Financial Reporting Standards)

Solution documentation included

Provision of necessary procedure and task descriptions for end users and detailed technical
descriptions explaining data processing and storage

2014 SAP AG. All rights reserved.

13

SAP Cloud Security Confidentiality & Integrity

Customer View
Physical Security

Role Based
Access
Activity
Logging

Network Security

Backup & Recovery

Compliance

Confidentiality & Integrity

On-demand solutions support role based access

with user profiles to allow segregation of duties

On-demand solutions log all user activities

Support for contract termination

Data
Ownership

2014 SAP AG. All rights reserved.

Customer Data extraction

Customer Data handover in file format

Extended read-only system access after

contract termination

Data deletion only after customer approval

14

SAP Cloud Security Integrity & Confidentiality

Concept of Support User Access Control
Physical Security

Network Security

Backup & Recovery

Application and Customer Support*

Compliance

Confidentiality & Integrity

Platform and System Support*

Customer reports incident:

Ticket

System reports incident:

Ticket

One-time user with shortterm password (1 hour)

One-time user with shortterm password (4 hours)

Personalized log-traces

Personalized log-traces

Data integrity and availability is ensured by

proactive automated system monitoring
*Variances may exist depending on cloud offering
2014 SAP AG. All rights reserved.

15

SAP Cloud Security Summary

Certified operations
World-class data centers
Advanced network
security

Reliable data backup

Built-in compliance,
integrity, and
confidentiality

2014 SAP AG. All rights reserved.

16

Helpful Links:
SAP Contract
Details
Security FAQs
Standards and
Audits
Certificates
SAP DC Energy
Efficiency

http://www.sap.com/corporate-en/our-company/agreements/index.epx
Search e.g. ByD Terms and Conditions US
www.sme.sap.com Sell Security Topics FAQs
www.sme.sap.com Sell Security and Standard Accreditations

www.service.sap.com/certificates

http://www.sap.com/press.epx?pressid=13030

Data Center
Security Video

http://youtu.be/oK5OIaUPEZ4
http://youtu.be/wxOs1AdJXLs

(German)
(English)

Cloud Operations
Video

http://youtu.be/3EZy1jq_vjE
http://youtu.be/zGvKZkQixCg

(German)
(English)

Virtual Data CenterWalkthrough

www.sapdatacenter.com

(English)

2014 SAP AG. All rights reserved.

17

Appendix

SAP Cloud Security Standards and Certificates

Details
Physical Security

Network Security

Backup & Recovery

International Standard Organization

(ISO) 27001

International Organization for

Standardization (ISO) 9001

Specifies how an Information Security

Management System has to be set up
and operated. It defines an overall
management and control framework
for managing an organization's
information security risks.

Specifies requirements for a quality

management (QM) system. Within the
definition of the QM system itself, it is
important to aim for continuous
improvement.
Certified Energy efficient

British Standards Institution (BS)

25999
Is a standard in the field of business
continuity management (BCM) to
ensure continued operation in case of
critical situations. This standard sets
the requirements for how a data center
must be built and operated to
guarantee the highest availability.
Statement on Standards for
Attestation Engagements (SSAE)
No. 16
This is the US equivalent
international standard ISAE 3402.

to

SAP NEWSBYTE - April 12, 2010 Two SAP AG (NYSE: SAP) data
centers in Germany have been
certified as energy efficient by TV
Rheinland, a German group that
documents the safety and quality of
business and technology systems to
establish sustainability in social and
industrial development. To date, only
10 data centers from various
companies
have
received
this
certification. Out of those, the SAP
data center in St. Leon-Rot, Germany,
achieved the highest ratings

Compliance

German Audience
(PS880 included)

Integrity & Confidentiality

International Standard on
Assurance Engagements
(ISAE) No. 3402 Type B
It is globally recognized assurance
report on controls at a service
organization. It has been put forth by
the
International
Auditing
and
Assurance Standards Board (IAASB).
The focus of this quality standard lies
on controls that have a potential
impact on financial reporting.
ISAE 3402 is an "assurance" standard.
It is the international successor
standard of SAS 70.
PS 880 Certificate for ByDesign.
Prfung rechnungslegungsrelevanter
Softwareprodukte
Ensures the product is in line with
German GoB Grundstzen
ordnungsgemer Buchfhrung.
Renewed for each software release.

SSAE16 is an "attestation" standard.

2014 SAP AG. All rights reserved.

20

German Audience
(PS880 included)

SAP Cloud Security Compliance

Overview
Physical Security

Network Security

Backup & Recovery

Compliance

Integrity & Confidentiality

Compliance features
Journal entries that allow tracing of business transactions
to source documents
Number ranges that distinguish journal entries
Accounting-relevant data cannot be deleted from audit
trails

Supports IFRS accounting regulations

Supports German accounting regulations
Solution documentation included
Segregation of duties supported
ISAE3402

SSAE16

PS 880

TESTIFIED*

TESTIFIED*

CERTIFIED

2014 SAP AG. All rights reserved.

*formerly SAS 70 Type II

21

German Audience
(PS880 included)

SAP Cloud Security Compliance

Details
Physical Security

Network Security

Backup & Recovery

Compliance

Confidentiality & Integrity

Features that support customers in achieving compliance include:

Journal entries carry the complete information
Ability to identify business transactions and trace them through to underlying source documents

Number ranges support the ability to distinguish entries

Availability of transparency to customers for precise retrieval

Inability to delete accounting-relevant data, and all changes made to financially relevant
data are recorded in a change-history log
Help for customers to perform audits

Supports IFRS accounting regulations

Help for customers to adhere to regulations of multiple markets
(International Financial Reporting Standards)

Supports German accounting regulations

Help for customers to adhere to German accounting regulations.
(Certified for each new ByDesing solution release)

Solution documentation included

Provision of necessary procedure and task descriptions for end users and detailed technical
descriptions explaining data processing and storage
2014 SAP AG. All rights reserved.

22

Planning Status
April 2012

SAP Cloud Security Physical Security

Overview (2013)
Physical Security

Network Security

Backup & Recovery

Compliance

Integrity & Confidentiality

Data Center

World-class Tier-3/4 data centers

Customer data always stays in same national
jurisdiction

SAP managed data centers and select

partners operating according to SAP standards
2014 SAP AG. All rights reserved.

BS25999
CERTIFIED

ISO 27001
CERTIFIED
23

 2012 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP AG. The information contained herein may be
changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary
software components of other software vendors.
Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are
registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,
System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power
Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA,
pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP,
RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli,
Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the United States and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered
trademarks of Adobe Systems Incorporated in the United States and other countries.
Oracle and Java are registered trademarks of Oracle and its affiliates.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps,
Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync,
Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are
trademarks or registered trademarks of Google Inc.
INTERMEC is a registered trademark of Intermec Technologies Corporation.
Wi-Fi is a registered trademark of Wi-Fi Alliance.
Bluetooth is a registered trademark of Bluetooth SIG Inc.

Motorola is a registered trademark of Motorola Trademark Holdings LLC.

Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
StreamWork, SAP HANA, and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of SAP AG in Germany
and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal
Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services
mentioned herein as well as their respective logos are trademarks or registered trademarks
of Business Objects Software Ltd. Business Objects is an SAP company.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin

are trademarks or registered trademarks of Citrix Systems Inc.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase
products and services mentioned herein as well as their respective logos are trademarks or
registered trademarks of Sybase Inc. Sybase is an SAP company.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C,
World Wide Web Consortium, Massachusetts Institute of Technology.

Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are registered trademarks
of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C,
Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.

All other product and service names mentioned are the trademarks of their respective
companies. Data contained in this document serves informational purposes only. National
product specifications may vary.

IOS is a registered trademark of Cisco Systems Inc.

RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry
Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App
World are trademarks or registered trademarks of Research in Motion Limited.

2014 SAP AG. All rights reserved.

The information in this document is proprietary to SAP. No part of this document may be
reproduced, copied, or transmitted in any form or for any purpose without the express prior
written permission of SAP AG.

24

 2012 SAP AG. Alle Rechte vorbehalten.

Weitergabe und Vervielfltigung dieser Publikation oder von Teilen daraus sind, zu
welchem Zweck und in welcher Form auch immer, ohne die ausdrckliche schriftliche
Genehmigung durch SAP AG nicht gestattet. In dieser Publikation enthaltene Informationen
knnen ohne vorherige Ankndigung gendert werden.

Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps,
Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync,
Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik und Android sind
Marken oder eingetragene Marken von Google Inc.

Die von SAP AG oder deren Vertriebsfirmen angebotenen Softwareprodukte knnen

Softwarekomponenten auch anderer Softwarehersteller enthalten.

INTERMEC ist eine eingetragene Marke der Intermec Technologies Corporation.

Microsoft, Windows, Excel, Outlook, und PowerPoint sind eingetragene Marken der
Microsoft Corporation.

Bluetooth ist eine eingetragene Marke von Bluetooth SIG Inc.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,
System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power
Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA,
pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP,
RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli,
Informix und Smarter Planet sind Marken oder eingetragene Marken der IBM Corporation.
Linux ist eine eingetragene Marke von Linus Torvalds in den USA und anderen Lndern.
Adobe, das Adobe-Logo, Acrobat, PostScript und Reader sind Marken oder eingetragene
Marken von Adobe Systems Incorporated in den USA und/oder anderen Lndern.
Oracle und Java sind eingetragene Marken von Oracle und/oder ihrer
Tochtergesellschaften.
UNIX, X/Open, OSF/1 und Motif sind eingetragene Marken der Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame und MultiWin
sind Marken oder eingetragene Marken von Citrix Systems, Inc.
HTML, XML, XHTML und W3C sind Marken oder eingetragene Marken des W3C,
World Wide Web Consortium, Massachusetts Institute of Technology.
Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C,
Retina, Safari, Siri und Xcode sind Marken oder eingetragene Marken der Apple Inc.
IOS ist eine eingetragene Marke von Cisco Systems Inc.
RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry
Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook und BlackBerry App
World sind Marken oder eingetragene Marken von Research in Motion Limited.

2014 SAP AG. All rights reserved.

Wi-Fi ist eine eingetragene Marke der Wi-Fi Alliance.

Motorola ist eine eingetragene Marke von Motorola Trademark Holdings, LLC.
Computop ist eine eingetragene Marke der Computop Wirtschaftsinformatik GmbH.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
StreamWork, SAP HANA und weitere im Text erwhnte SAP-Produkte und Dienstleistungen sowie die entsprechenden Logos sind Marken oder eingetragene Marken
der SAP AG in Deutschland und anderen Lndern.
Business Objects und das Business-Objects-Logo, BusinessObjects, Crystal Reports,
Crystal Decisions, Web Intelligence, Xcelsius und andere im Text erwhnte BusinessObjects-Produkte und Dienstleistungen sowie die entsprechenden Logos sind Marken
oder eingetragene Marken der Business Objects Software Ltd. Business Objects ist ein
Unternehmen der SAP AG.
Sybase und Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere und weitere im Text
erwhnte Sybase-Produkte und -Dienstleistungen sowie die entsprechenden Logos sind
Marken oder eingetragene Marken der Sybase Inc. Sybase ist ein Unternehmen der
SAP AG.
Crossgate, m@gic EDDY, B2B 360, B2B 360Services sind eingetragene Marken der
Crossgate AG in Deutschland und anderen Lndern. Crossgate ist ein Unternehmen der
SAP AG.
Alle anderen Namen von Produkten und Dienstleistungen sind Marken der jeweiligen
Firmen. Die Angaben im Text sind unverbindlich und dienen lediglich zu Informationszwecken. Produkte knnen lnderspezifische Unterschiede aufweisen.
Die in dieser Publikation enthaltene Information ist Eigentum der SAP. Weitergabe und
Vervielfltigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und
in welcher Form auch immer, nur mit ausdrcklicher schriftlicher Genehmigung durch
SAP AG gestattet.

25