
TEC102 Security Strategy Overview

Speakers: Michael Friedrich, Regine Schimmer

SAP TechEd 2015: Las Vegas, Oct 19 - 23; Barcelona, Nov 10 - 12

2015 SAP SE or an SAP affiliate company. All rights reserved. Public 2


Disclaimer

This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.



Agenda

SAP Security Products Portfolio
Platform Security Capabilities
SAP Solutions for Identity & Access Governance
  SAP Single Sign-On
  SAP Identity Management and SAP Access Control
  SAP Cloud Identity service
Cyber Security
  SAP Enterprise Threat Detection
Secure Software Development
  SAP NetWeaver Application Server, add-on for code vulnerability analysis
Protecting your SAP Systems
  Cloud and infrastructure security
  Secure product development
  Security services, support, and consulting
SAP Security Products Portfolio
Strategic security solutions for your organization

SAP Security Products Portfolio

Platforms covered: SAP Business Suite, SAP Cloud Applications, SAP Mobile Applications, 3rd Party Systems

SAP Single Sign-On: Make it simple for users to do what they are allowed to do.
SAP Identity Management: Know your users and what they can do.
SAP Access Control: Ensure corporate compliance to regulatory requirements.
SAP Cloud Identity service: Manage the identity life-cycle in the cloud.
SAP Enterprise Threat Detection: Counter possible threats and identify attacks.
Add-On for Code Vulnerability Analysis: Find and correct vulnerabilities in customer code.

Platform Security (SAP HANA Platform, SAP NetWeaver Application Server): Make sure that SAP solutions run securely.


Platform Security Capabilities
Explore the built-in security features of our technology platforms

SAP Platforms: Common Security Capabilities

Platforms: SAP HANA, SAP HANA Cloud Platform, SAP NetWeaver Application Server
Applications built on them: S/4HANA, SAP Business Suite, SAP Cloud Applications

Security certifications: Common Criteria, FIPS
Security standards: SAML, OAuth, X.509, SNC, SSL, WS-Security
Auditing: Logging, Monitoring
Security Architecture: Run Time, Design Time
Virus Scan API
Authorization Management
Identity Administration
Authentication and Single Sign-On
Encryption of data at rest and in transit


SAP HANA Security
Meet compliance requirements, implement different security policies, and integrate SAP HANA into existing
security infrastructures.

Unified Security Architecture

Clients and access paths shown in the diagram:
  SAP HANA Tools (Admin/Dev client) connect via JDBC/ODBC
  Application Server (application) connects via ODBC or JDBC
  Browser connects via HTTP(S) to SAP HANA XS

Inside SAP HANA: Database, XS (Admin/Dev and application access), Design Time Repository
Security services shared by all access paths: Authentication/SSO, Authorization, Identity Store, Encryption, Audit Logging


Authentication and Single Sign-On

JDBC/ODBC access:
  User name and password (incl. password policy)
  Kerberos
  SAML (bearer token)
  SAP logon and assertion tickets

HTTP access (SAP HANA XS):
  User name and password (basic authentication, form-based login; incl. password policy)
  SPNEGO
  SAML
  SAP logon and assertion tickets

X.509


User and Role Management

For logon, users must exist in the identity store of the SAP HANA database
Roles (and privileges) can be assigned to users
Roles are used to bundle privileges; create roles for specific groups of users
Role transport can be integrated into the development/production system landscape
Catalog and repository roles


Authorization

Database access privileges (see next slide)
Application privileges
Repository privileges


Encryption

Communication encryption: SSL (can be enforced for client connections)
Data encryption: Data volumes on disk
Backup encryption:
  Recommended to use a suitable 3rd party backup tool
  Currently certified: Symantec NetBackup, IBM Tivoli Storage Manager, Commvault Simpana, HP Data Protector, EMC Data Domain Boost, EMC Networker, SEP Sesam. See Application Partner Directory (search for HANA-BRINT 1.1)


Audit Logging

Logging of critical events for security and compliance, e.g.
  User, role and privilege changes, configuration changes
  Data access logging
    Read and write access (tables, views), execution of procedures
  Firefighter logging, e.g. for support cases
Audit trail written to Linux syslog or to database table within SAP HANA


Network Security

Network communication documented in the SAP HANA Security Guide and Master Guide
Recommendations for use of network zones
Separation of external and internal communication
Certified SAP HANA hosts use a separate network adapter with a separate IP address for each of the different networks
SSL support
  Between SAP HANA and clients
  Between nodes in a scale-out SAP HANA system
  Between data centers in system replication scenarios


SAP HANA Cloud Platform
Leverage the security features of SAP HANA Cloud Platform to ensure security in cloud and Internet of
Things (IoT) scenarios.

Federated Authentication and SSO in SAP HANA Cloud Platform

Flow shown in the diagram: a user's web browser accesses protected web resources of application(s) (XS) on SAP HANA Cloud Platform. The platform delegates authentication to an Identity Provider (IdP) via SAML 2.0, which provides single sign-on and identity management.


Identity Provider Options on SAP HANA Cloud Platform

SAP Cloud Identity
  Cloud solution for identity lifecycle management
  Pay-per-request
  Isolated user base per tenant
  User import and export
  Rich customization and branding features
  Main scenarios: B2C and B2B

SAP ID Service
  SAP's public Identity Provider (IdP) on the Internet
  Free service, similar to social IdPs
  Shared user base with SCN, SAP Service Marketplace and others (~8 million identities)
  Authentication only - no user lifecycle management

Bring Your Own Identity Provider (corporate network)
  Prerequisite: SAML 2.0 compliance
  Main scenario: B2E


Outlook: SAP HANA Internet of Things (IoT) Edition

Layers shown in the diagram:
  IoT Applications (SAP, Partner and Custom apps)
  Machine Cloud (SAP) on HANA Cloud Platform: HANA Cloud IoT Services (IoT Connector), HANA Cloud Integration (Machine Integration), and Business Process Integration towards the business owner's systems (ERP, CRM)
  HANA Big Data Platform: Data Processing (In-Memory, dynamic tiering, smart data streaming, remote data sync), Storage Engines, Hadoop


SAP HANA IoT Edition: Security Infrastructure

Components shown in the diagram:
  Firewall
  Authentication via SAP Cloud Identity Service
  Authorization Management
  Denial of service attack detection
  SAP HANA Cloud Platform IoT Services: Device Adapter, Data Processor, Network Module, IoT Connector


SAP NetWeaver Platform
Security engineered from the ground up: Benefit from the comprehensive security infrastructure and
innovative features of the SAP NetWeaver technology platform

Spotlight on: Unified Connectivity (UCON)
Reduce the overall attack surface of your remote-enabled function modules (RFMs). Enhance RFC security by blocking the access to a large number of RFMs.

Most SAP ERP customers run just a limited number of the business (and technical) scenarios for which they need to expose some RFMs
A lot of RFMs are only used to parallelize within a system
Find out which RFMs need to be exposed for specific customer scenarios
Block access to all other RFMs


Spotlight on: Read Access Logging
Log all access to classified or sensitive data and support the evaluation of these events.

Read access logging allows you to track
  Who accessed the data
  Which data was accessed
  When was the data accessed
  How was the data accessed (which transaction or user interface was used)

Amount of detail to be logged is customizable
  User interfaces used to access the data
  Operations executed on remote APIs
  Users using remote APIs / user interfaces
  Entities and their content

Read access log framework (diagram): entry points (UI channel, remote API channel) feed the log writer according to the configurations (log conditions); log data is stored in the database and evaluated with the log monitor.


SAP Solutions for Identity and Access Governance
SAP Single Sign-On
Provide simple and secure access to IT applications for business users, encrypt company data and protect business-critical applications.

Simple and secure access
  Single sign-on for native SAP clients and web applications
  Single sign-on for mobile devices
  Support for cloud and on-premise landscapes
  Open Standards: SAML, Kerberos, X.509 Certificates
Secure data communication
  Encryption of data communication for SAP GUI
  Digital signatures
  FIPS 140-2 certification of security functions
Advanced security capabilities
  Two-factor authentication
  Risk-based authentication using access policies
  RFID-based authentication
  Hardware security module support

Scope shown in the diagram: SAP Business Suite, SAP and non-SAP applications, cloud and cross-company scenarios.


SAP Identity Management and SAP Access Control
Grant and manage user access to applications securely and efficiently while meeting audit and compliance requirements.

Full identity lifecycle support
  Integration with SAP ERP HCM and SuccessFactors
  Central workflows for permission requests
  Context/rule based permissions and roles
  Integration with SAP Access Control for compliance checks
  Identity analytics
User interfaces
  Flexible identity schema via configuration only
  RESTful interfaces for SAP UI5 on different devices
  Eclipse-based development environment
Connectors
  Connectors and connector framework
  Support of new cloud-based applications
  Simple Cloud Identity Management Schema (SCIM) support
Virtualization and Federation
  Virtual directory server
  Identity federation

Landscape shown in the diagram: SAP Identity Management and SAP Access Control connected to SAP Business Suite and SAP Cloud Identity service.


SAP Cloud Identity service
Provide simple and secure access to IT applications as a service (SaaS).

Simple and secure access
  Web single sign-on for cloud and on-premise applications based on SAML
  Support of SAP and 3rd party applications
  Secure on-premise integration to reuse an existing authentication system
  Optional two-factor authentication
User management
  Self-services for password management and invitation
  Central user administration
Enterprise features
  Branding of user interfaces for seamless integration in customer developments
  Password policies


Cyber Security
Leverage SAP Enterprise Threat Detection to counter cyber attacks

SAP Enterprise Threat Detection
Provide insight into suspicious security events throughout the system landscape

Detection
  Readily and efficiently identify security lapses in the landscape
  Use the power of a real-time data platform to detect threats
  Optimally protect your key business data
Insight
  Gain insight into what is happening in your IT landscape
  Integrate with SAP and non-SAP data
  Make use of attack detection patterns
  Enable custom integration and configuration
  Find SAP software-specific threats related to known attacks
Analysis & Prevention
  Perform forensic investigations and discover new patterns
  Efficiently analyze and correlate logs


Demo

Secure Software Development
SAP NetWeaver Application Server, add-on for code vulnerability analysis
Find vulnerabilities in customer code to prevent cyber attacks against SAP systems.

Code scanning
  Static Application Security Testing (SAST)
  Checks custom coding for security vulnerabilities
  Includes Open Web Application Security Project (OWASP) top 10, like SQL injection, directory traversal, backdoor & authorizations, web exploits, code injection and call injections
Integration
  Fully integrated into the ABAP development environment as part of the ABAP Test Cockpit (ATC)
Support
  Supports the developer in fixing the vulnerability, and delivers extensive documentation

Further characteristics:
  Extensive documentation to support developers in fixing the detected issues
  Exemption workflows to ease handling of false positives
  Reduced false-positive rate through data flow analysis
  Supports automation requirements by quality assurance teams
  Integrated into standard ABAP development infrastructure
  Priority of each check can be adjusted to match requirements


Can You Hack this Code?

Input for street:
xyz' salary = '1500

set_expr:
STREET = 'xyz' salary = '1500'

...
SET STREET = 'xyz' salary = '1500'
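The slide's injection reproduced as an added example (not SAP's code, and not ABAP): the same dynamic set_expr pattern against an in-memory SQLite table, beside the two usual fixes, a quoting helper in the spirit of ABAP's cl_abap_dyn_prg=>quote and a bound parameter. Because standard SQL separates SET assignments with a comma (the slide's Open SQL uses spaces), the constructed input carries a comma; table, rows and function names are constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for the table the slide updates.
SAMPLE_ROWS = [(1, "Main St", 1000), (2, "High St", 2000)]


def make_db():
    """In-memory SQLite table with a street and a salary column (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, street TEXT, salary INTEGER)"
    )
    con.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def read_employee(con, emp_id):
    """Return (street, salary) for one row."""
    return con.execute(
        "SELECT street, salary FROM employees WHERE id = ?", (emp_id,)
    ).fetchone()


def update_street_vulnerable(con, emp_id, street):
    """The slide's pattern: the SET clause is assembled from raw input.
    Anything after a closing quote in `street` is executed as SQL."""
    set_expr = "street = '" + street + "'"
    con.execute("UPDATE employees SET " + set_expr + " WHERE id = ?", (emp_id,))
    con.commit()
    return set_expr


def quote(value):
    """Turn a value into a SQL string literal, doubling embedded quotes
    (same idea as ABAP's cl_abap_dyn_prg=>quote). Only for clauses that
    genuinely have to be built dynamically."""
    return "'" + value.replace("'", "''") + "'"


def update_street_quoted(con, emp_id, street):
    """Dynamic SET clause, but every value goes through quote() first."""
    set_expr = "street = " + quote(street)
    con.execute("UPDATE employees SET " + set_expr + " WHERE id = ?", (emp_id,))
    con.commit()
    return set_expr


def update_street_bound(con, emp_id, street):
    """Preferred fix: no dynamic clause at all, the value is a bound parameter."""
    con.execute("UPDATE employees SET street = ? WHERE id = ?", (street, emp_id))
    con.commit()


if __name__ == "__main__":
    payload = "xyz', salary = '1500"   # comma-separated form of the slide's input
    con = make_db()
    update_street_vulnerable(con, 1, payload)
    print("vulnerable:", read_employee(con, 1))   # ('xyz', 1500): salary was rewritten
    con = make_db()
    update_street_quoted(con, 1, payload)
    print("quoted:    ", read_employee(con, 1))   # whole payload stored as street, salary 1000
    con = make_db()
    update_street_bound(con, 1, payload)
    print("bound:     ", read_employee(con, 1))   # same as quoted
```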

Protecting your SAP Systems
Cloud and infrastructure security
Secure product development
Security services, support, and consulting
Protecting your SAP Systems

Cloud Security: Secure software operations in the SAP Cloud
Infrastructure Security: Certified security for your protection
Secure Software Development: Systematic engineering for security and privacy in a networked economy
Security Services & Support: Secure implementation and operation of SAP system landscapes

Scope shown in the diagram: SAP Business Suite, SAP Cloud Applications, SAP Mobile Applications, 3rd Party Systems


Cloud and Infrastructure Security
SAP HANA Cloud Platform Infrastructure Security
Benefits at a glance

Certified operations
World-class data centers
Advanced network security
Reliable data backup
Built-in compliance, integrity, and confidentiality
State-of-the-art security platform services


SAP HANA Cloud Platform Security

Physical Security
  High Availability
  Planned coverage for SAP Cloud data centers: two data centers per major region
  SAP HANA Cloud currently hosted in data centers in Germany, Netherlands, Australia, and the USA
  Roadmap for global coverage available from SAP upon request
  Location is subject of choice by customers
  Certified: BS25999, ISO 27001

Network Security
  Reverse proxy farms
  Multiple redundant internet connections
  Data encryption
  Intrusion Detection System (IDS)
  Multiple firewalls
  Sandboxed application environment
  Regular third party audits and penetration tests
  Certified: ISO 27001

Backup & Recovery
  Certified: ISO 27001

Compliance
  Quality Management: ISO 9001 certified
  International Accounting Regulations: ISAE3402 testified*, SSAE16 testified*
  Energy Efficiency: Green IT certified
  IT Operations: ISO 27001 certified, BS25999 certified

Confidentiality & Integrity
  Role-based access: On-demand solutions support role-based access with user profiles to allow segregation of duties
  Audit logging: On-demand solutions log all user activities
  Data encryption: Encryption of confidential data at rest
  Operations: Two-factor authentication; Authorization on need-to-know basis; Minimal privileges and segregation of duties; Personalized log traces; Controlling system and regular reviews
SAP Cloud Security
Attestations and certifications for the SAP Cloud

HANA Enterprise Cloud
  Attestations available: April 2015 (2x SOC 1, 2x SOC 2, 1x SOC 3); next cycle: next SOC 1, 2, 3 attestations required
  Certifications available: ISO 9001:2008, ISO 27001:2013, ISO 22301:2012; next cycle: 2016 & 2017 surveillance audits, 2018 re-certification
SuccessFactors
  Attestations available: April 2015 (1x SOC 1, 2x SOC 2); next cycle: next SOC 1, 2 attestations required
  Certifications: n/a; next cycle: n/a
SF EC Payroll
  Attestations available: April 2015 (2x SOC 1); next cycle: next SOC 1, 2 attestations required
  Certifications available: ISO 27001:2013; next cycle: 2016 & 2017 surveillance audits, 2018 re-certification
Ariba
  Attestations available: March 2015 (1x SOC 1, 1x SOC 2, 1x SOC 3); next cycle: next SOC 1, 2, 3 attestations required
  Certifications available: PCI-DSS; next cycle: May 2015 re-certification
Business by Design
  Attestations available: April 2015 (2x SOC 1, 2x SOC 2); next cycle: next SOC 1, 2 attestations required
  Certifications available: ISO 27001:2013; next cycle: 2016 & 2017 surveillance audits, 2018 re-certification
s-Innovation (S/4HANA)
  Attestations: validation started; next cycle: n/a
  Certifications: validation started; next cycle: n/a
HANA Cloud Platform
  Attestations: validation started; next cycle: n/a
  Certifications available: ISO 27001:2013; next cycle: 2016 & 2017 surveillance audits, 2018 re-certification
HANA Cloud Integration / Financial Services Network
  Attestations: validation started; next cycle: n/a
  Certifications available: ISO 27001:2013; next cycle: 2016 & 2017 surveillance audits, 2018 re-certification

Status per April 20th, 2015
Reports on attestations or certifications are typically available within 2 months after the review.


Secure Software Development
Making Security a Priority

3rd largest software company in the world
SAP systems handle 74% of the world's financial transactions
Our customers include a majority of Fortune 500 companies
1.8 billion text messages pass through SAP Mobile Platform
SAP Ariba connects more than 1 million companies in 190 countries
SAP partner ecosystem and open source components extend software security issue exposures
Most of our competitors have experienced major vulnerability reports
Internet of Things applications enhance the attack surface for SAP software

protect&&develop
Prevent, detect, react

PRODUCT SECURITY

Prevent: SAP Secure Software Development Lifecycle (S2DL)
  SAP Product Security: people, tools, and processes for building secure products
  Our guidance: ISO 27034
  Enhanced Security Features: SAP Single Sign-On (Cloud / On-Premise); Common Crypto Lib (FIPS 140-2)
  Security Research: Encryption in the cloud; JavaScript security

Detect: Surveillance of Threat Landscape
  Social Media Analytics
  Security conferences
  Customer-Specific Services: SAP Enterprise Threat Detection solution; SAP NetWeaver Code Vulnerability Analyzer available for customers; Automated detection of misconfigurations in customer systems; Big Data for security: content creation for SAP Enterprise Threat Detection

React: Incident Handling
  Security response
  SAP Security Patch Day
  Optimizing patch management
  Emergency Handling
  Security Service Offerings: Active Global Support; Consulting

COOPERATION AND CERTIFICATIONS
  SAFECode; German Alliance for Cyber Security; SAP Security Advisory Board
  ISO 27034 Compliance; Common Criteria Certification; ISO 9001 Certifications


SAP Secure Software Development Lifecycle S2DL

SAP's standard software development holistically integrates secure development principles in accordance with ISO 27034-1

Phases (from start of standard development to release decision):

Preparation
  Training: Security awareness; Secure programming; Threat modelling; Security static analysis; Data protection and privacy; Security expert curriculum
Development
  Risk Identification: SECURIM (Security Risk Identification and Management); Data Privacy Impact Assessment; Threat Modeling
  Plan Security Measures: Plan product standard compliance; Plan security features; Plan security tests; Plan security response
  Secure development: Secure programming; Static code scan; Code review
  Security testing: Dynamic testing; Manual testing; External security assessment
Transition
  Security Validation: Independent security assessment
Utilization
  Security Response: Execute the security response plan

Common denominator: Product standard security as knowledge base across all phases


Security Services and Support

SAP Security Services Offerings

SAP Active Global Support best practices are translated into security tools and services:
  SAP Solution Manager System Recommendations
  SAP EarlyWatch Alert (EWA) with security section
  SAP Solution Manager Configuration Validation
  SAP Security Optimization Service (SOS)
  MaxAttention Next Generation with key security elements
Remote and on-site delivery, remote via Global Security Hub

Security Back Office
  Security Back Office provides security expert knowledge and back office support to customers and SAP employees.

SAP Security Patch Day
  SAP security notes second Tuesday every month

SAP Security Consulting services
  Professional consulting services for SAP security products and service offerings

secure&&support


SAP Security Training and Documentation

SAP Security Training
  Secure operation trainings by SAP
  Secure development trainings by partners

SAP Security Documentation
  Security notes published on Support Portal
  SAP security guides for every product
  SAP security recommendations on some patch days
  Secure programming guides
  RunSAP end-to-end solution operations
  Books published by SAP Press


Summary

SAP Security Strategy: Solutions, Services, Infrastructure

Significant investments into security for networked solutions, identity and access governance, and integrated security management allow customers to implement secure business processes on premise and in the cloud.

Integration is key to simplify security in today's hybrid IT landscapes.

Comprehensive security offerings help SAP customers thrive in the networked economy.


SAP TechEd Online
Continue your SAP TechEd education after the event!

Access replays of keynotes, Demo Jam, SAP TechEd live interviews, select lecture sessions, and more!
Hands-on replays

http://sapteched.com/online



Further Information: Related TechEd Sessions

Related SAP TechEd sessions:

All sessions in the Security track plus sessions with security focus in other tracks; recommended lectures include:
  SEC201 What's new with SAP Identity Management 8.0
  SEC102 Find the hackers in your landscape with SAP Enterprise Threat Detection
  SEC106 The cloud solution for authentication, single sign-on and user management
  SEC101 Best practices for IAM across cloud and on-premise
  SEC103 SAP HANA Cloud Platform: A security overview
  SEC105 SAP runs certified best-in-class cloud security
  SEC100 Authentication and encryption news with SAP Single Sign-On
  SEC202 Cross-system validation using SAP Solution Manager
  SEC200 Security in different SAP HANA scenarios
  SEC104 SAP NetWeaver security
  SEC203 Hacking RFC communication: protecting RFC communication
  SEC204 Implementing SAP Security Notes: Tools and best practices


Further Information: Communities and Online Resources

SAP Public Web


http://scn.sap.com/community/security
http://scn.sap.com/community/sso
http://scn.sap.com/community/idm
https://scn.sap.com/community/hana-in-memory
www.sap.com/security
Watch SAP TechEd Online
www.sapteched.com/online



2015 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.