
Transcription
SAP Solutions for SAP Cyber Security and Data Protection
Arndt Lingscheid
04/2022
PUBLIC
Disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or any related document, or to develop or release any functionality mentioned therein. This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality. This presentation is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This presentation is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this presentation, except if such damages were caused by SAP's intentional or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

© 2022 SAP SE or an SAP affiliate company. All rights reserved. | PUBLIC
SAP Solutions for Cyber Security and Data Protection (agenda)
- What cyber attacks do we see?
- Protecting the Intelligent Enterprise
- Structured approach to SAP cyber security
- NIST Cybersecurity Framework
- Cyber security and compliance solutions from SAP mapped to NIST
Systems are under attack
SAP Secure Operations Map

Organization
- Awareness
- Security Governance
- Risk Management

Process
- Regulatory Process Compliance
- Data Privacy & Protection
- Audit & Fraud Management

Application
- User & Identity Management
- Authentication & Single Sign-On
- Roles & Authorizations
- Custom Code Security

System
- Security Hardening
- Secure SAP Code
- Security Monitoring & Forensics

Environment
- Network Security
- Operating System & Database Security
- Client Security
SAP Depth and Breadth, supporting the Intelligent Enterprise

Protecting the Intelligent Enterprise across people, processes and technology (SAP S/4HANA, SAP HANA, SAP NetWeaver & J2EE):

Enterprise risk and compliance
- Assess, Quantify Risk
- Awareness, Dashboarding
- Process Control
- Audit Management
- Three lines of defense
- Business Integrity

Identity and access governance
- Identity and Access Management
- User Lifecycle Management
- Single Sign-On
- Privileged Access Management
- Access Analysis

Cybersecurity
- Threat Management
- Secure Change Management
- Patch Management
- Security Configuration Management
- Code Security Management (ABAP, Fiori, UI5)
- Security Research
- Security Content

Data protection and privacy
- Big Data
- Data Masking
- Privacy Governance
- Data Control
- Regulations
- Data Privacy
- Key Management Service
Identity and access governance

SAP cloud solutions covered: SAP SuccessFactors, SAP Business Technology Platform, SAP Fieldglass, SAP Concur, SAP IBP, SAP Ariba, SAP Sustainability. On-premise: SAP S/4HANA, SAP S/4HANA PCE (Private Cloud Edition).

SAP Cloud Platform Identity Authentication Service
- Single sign-on for cloud and hybrid scenarios

SAP Cloud Platform Identity Provisioning Service
- Identity lifecycle management for SAP's cloud applications

SAP Single Sign-On
- Secure authentication and communication
- Simplification and productivity

SAP Cloud Identity Access Governance
- Segregation of duty
- Access request, design, analysis, certification
- Privileged access management

SAP Identity Management
- Business-driven, compliant entire identity life cycle
- Hiring, substitution, promotion, termination

SAP Access Control
- Segregation of duty
- Manage access
- Monitor, analyze, maintain, provide, certify
Cyber security and data protection

SAP cloud solutions covered: SAP SuccessFactors, SAP Business Technology Platform, SAP Fieldglass, SAP Concur, SAP IBP, SAP Ariba, SAP Sustainability (public cloud). On-premise: SAP S/4HANA, SAP S/4HANA PCE (Private Cloud Edition).

SAP Data Custodian
- Monitor and report on data access, storage, movement, processing, and location
- Create and enforce data access, location, movement, and processing policies
- Key management

SAP Enterprise Threat Detection Cloud Edition
- Public cloud SIEM solution tailored to the needs of SAP applications
- Effectively identify and analyze threats in SAP applications

SAP Focused Run (SAP S/4HANA, SAP HANA, SAP NetWeaver & J2EE)
- Security Configuration Management
- Patch Management

Identity Access Governance
- Secure & refine access

UI Masking and Logging
- Protect sensitive information in the user interface layer
- Block or log data access

SAP Code Vulnerability Analyzer (also Checkmarx, Fortify)
- Identify and remedy security vulnerabilities in ABAP custom code
Enterprise risk and compliance

SAP cloud solutions covered: SAP SuccessFactors, SAP Business Technology Platform, SAP Fieldglass, SAP Concur, SAP IBP, SAP Ariba, SAP Sustainability (public cloud). On-premise: SAP S/4HANA, SAP S/4HANA PCE (Private Cloud Edition).

SAP Financial Compliance Management
- Document and manage controls
- Demonstrate effective internal controls over financial reporting

SAP Business Integrity Screening
- Implement detection & screening strategies for transactions
- Design, analyze, detect, investigate, report

Three lines offering:

SAP Process Control
- Ensure effective controls and ongoing compliance
- Document, plan, perform, monitor, evaluate, report

SAP Risk Management
- Defined risks within the context of value to the organization
- Plan, identify, analyze, respond, monitor & report business risks

SAP Audit Management
- Managing audit activities
- Risk-based approach following IIA best practices
NIST (National Institute of Standards and Technology) Cybersecurity Framework

It "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes".
NIST Framework

Identify
- Asset Management
- Business Environment
- Governance
- Risk Assessment
- Risk Management Strategy
- Supply Chain Risk Management

Protect
- Access Control
- Awareness and Training
- Data Security
- Information Protection Processes and Procedures
- Maintenance
- Protective Technology

Detect
- Anomalies and Events
- Continuous Security Monitoring
- Detection Processes

Respond
- Response Planning
- Communications
- Mitigation
- Improvements

Recover
- Recovery Planning
Cybersecurity and Compliance Solutions from SAP based on NIST

NIST functions: Identify, Protect, Detect, Respond, Recover

Service & Support
- Architecture & Planning services
- Empowerment Services
- Execution & Implementation Services
- Continuous Improvement Services
- Security experts
- Managed Service via ETD

SAP standard tools, cybersecurity solutions and compliance solutions
- SAP EarlyWatch Alert
- SAP Enterprise Threat Detection and cloud edition
- UI data protection masking & logging
- SAP Configuration Validation / Security Optimization Service
- SAP Business Integrity Screening
- SAP System Recommendations
- SAP Focused Run
- ABAP test cockpit & SAP Code Vulnerability Analyzer
- SAP Fortify by Micro Focus
- Single Sign-On
- User & Identity Management
- Access Management
- SAP Data Custodian

Legend: SAP Standard Tool, Cybersecurity Solution, Compliance Solution, Service & Support

Cybersecurity and Compliance Solutions from SAP based on NIST (SAP application layer and SAP HANA database)

Same mapping as above, split into the SAP application layer (the tools listed above, plus Authorizations) and the SAP HANA database layer:
- Encryption
- HANA Data Masking
- HANA Data Privacy Option
- HANA Data Anonymization

Solutions for Control & Insight

Same mapping, extended with:
- Process Control
- Risk Management
- SAC Cybersecurity Dashboard
- SAP Privacy Governance
SAP EarlyWatch Alert Workspace

Centralized application management: gain an overview of your system landscape health.
- Cost free.
- Shows the most critical configuration vulnerabilities across the production landscape.
- Prioritized worklist: share and track progress.
- Assesses the most important systems on a weekly basis.
- The SAP Governance and Risk Management team uses the Security Card to see what is urgently required.
SAP EarlyWatch Alert Workspace
SAP Product Excellence Award 2018 – voted by SUGEN customers

EarlyWatch Alert workspace
- One data lake with 2 years history of system data
- Designed for predictive and preventive service
- Basis for Continuous Quality Checks
- Built for simplicity with Design Thinking
- Built on SAP Cloud Platform & SAP HANA
- Shows critical security issues across the production landscape (prerequisite: S-User authorization "Display Security Alerts in SAP EarlyWatch Alert Workspace")
- Prioritized worklist: share and track progress. Get clean!

Key figures
- 76,400 visits in August 2019
- 63,000 customer systems
- 17,000 systems based on SAP HANA
- 1 million SAP HANA objects analyzed every week to predict the 2 billion record limit
SAP EarlyWatch Alert: Display Security Alerts in SAP EarlyWatch Alert Workspace

How many systems are vulnerable ("YELLOW" or "RED")?
- Standard users including DDIC or SAP* have default passwords
- HANA user SYSTEM is active and valid (6 systems)
- RFC Gateway and Message Server security: doors wide open (3 systems)
- HANA internal or system replication communication is not secured
- Weak password policy (ABAP, HANA)
- HANA: SQL trace configured to display actual data
- Systems having an old SPS (no longer supported with new SAP Security Notes) (15 systems)
- Users having critical basis authorizations like SAP_ALL, debug, display/change all tables; HANA users having critical authorizations like the DATA ADMIN privilege
- Audit log is not active or is written to an unsecure audit trail target
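The alert categories on this slide are, in effect, a configuration baseline that every production system is rated against. The following added example (not part of the SAP deck, and not how EarlyWatch Alert is implemented) shows the shape of such a landscape check: a constructed inventory of systems is evaluated against one predicate per slide category and each system is rated GREEN, YELLOW or RED, with the per-check "N systems" count the slide reports. The inventory schema, the severity assigned to each check and the sample systems are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SystemRecord:
    """One system in the landscape. The fields are an assumed inventory schema
    chosen to cover the alert categories on the slide."""
    sid: str
    kind: str                                   # "ABAP" or "HANA"
    default_password_users: list = field(default_factory=list)   # standard users still on default password
    hana_system_user_active: bool = False       # HANA user SYSTEM active and valid
    gateway_open: bool = False                  # RFC gateway / message server without access control
    replication_unsecured: bool = False         # HANA internal / system replication traffic not secured
    weak_password_policy: bool = False
    sql_trace_shows_data: bool = False          # HANA SQL trace configured to display actual data
    sps_out_of_support: bool = False            # old SPS no longer covered by SAP Security Notes
    critical_auth_users: list = field(default_factory=list)      # SAP_ALL, debug, all tables, DATA ADMIN
    audit_log_active: bool = True
    audit_trail_secure: bool = True             # audit trail written to a protected target


# (assumed severity, description, predicate) per alert category on the slide
CHECKS = [
    ("RED", "standard users with default passwords",
     lambda s: bool(s.default_password_users)),
    ("RED", "HANA user SYSTEM active and valid",
     lambda s: s.kind == "HANA" and s.hana_system_user_active),
    ("RED", "RFC gateway / message server doors wide open",
     lambda s: s.kind == "ABAP" and s.gateway_open),
    ("YELLOW", "HANA internal/replication communication not secured",
     lambda s: s.kind == "HANA" and s.replication_unsecured),
    ("YELLOW", "weak password policy",
     lambda s: s.weak_password_policy),
    ("YELLOW", "SQL trace configured to display actual data",
     lambda s: s.kind == "HANA" and s.sql_trace_shows_data),
    ("YELLOW", "old SPS no longer supported by SAP Security Notes",
     lambda s: s.sps_out_of_support),
    ("RED", "users with critical authorizations",
     lambda s: bool(s.critical_auth_users)),
    ("RED", "audit log inactive or written to unsecure target",
     lambda s: not s.audit_log_active or not s.audit_trail_secure),
]


def evaluate(system):
    """Return (rating, findings) for one system; findings are (severity, description).
    Any RED finding makes the system RED, any other finding makes it YELLOW."""
    findings = [(sev, desc) for sev, desc, pred in CHECKS if pred(system)]
    if any(sev == "RED" for sev, _ in findings):
        rating = "RED"
    elif findings:
        rating = "YELLOW"
    else:
        rating = "GREEN"
    return rating, findings


def landscape_summary(systems):
    """Systems per rating, plus the number of systems hit by each check
    (the '(N systems)' figure shown on the slide)."""
    ratings = {}
    per_check = {desc: 0 for _, desc, _ in CHECKS}
    for system in systems:
        rating, findings = evaluate(system)
        ratings[rating] = ratings.get(rating, 0) + 1
        for _, desc in findings:
            per_check[desc] += 1
    return ratings, per_check


# Constructed sample landscape (SIDs and states are made up)
SAMPLE = [
    SystemRecord("PRD", "ABAP", gateway_open=True, sps_out_of_support=True),
    SystemRecord("HDB", "HANA", hana_system_user_active=True, sql_trace_shows_data=True),
    SystemRecord("QAS", "ABAP", default_password_users=["SAP*"],
                 critical_auth_users=["ZADMIN"], audit_log_active=False),
    SystemRecord("DEV", "ABAP", weak_password_policy=True),
    SystemRecord("HDQ", "HANA"),
]

if __name__ == "__main__":
    for system in SAMPLE:
        rating, findings = evaluate(system)
        print(system.sid, rating, [d for _, d in findings])
    print(landscape_summary(SAMPLE))
```

The rating rule mirrors the slide's YELLOW/RED traffic light; the severity per check is an assumption and would in practice be taken from the tool's own classification.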
SAP Focused Run
The ultimate solution for operations

Addresses advanced customer needs in scalability, data volumes, security, automation, openness, dashboarding & artificial intelligence.
- Manage landscapes with thousands of systems with minimal operations costs
- Monitor real as well as synthetic user requests across systems and technology
- Manage complex landscapes with millions of interface calls and/or message flows
- Efficiently operate thousands of system, user, and integration alerts, including integrated IT infrastructure events
- Enable central governance of software levels and configuration settings
- Deep, detailed root cause analysis capabilities tailored to your needs
- Use SAP's out-of-the-box Analytics & Intelligence capabilities
Focused Run – Security and Compliance Key Features

Use cases: Advanced Event & Alert Management, Advanced Root Cause Analysis (ARA), Advanced Analytics & Intelligence (AAI)
- Predefined & policy-based security & compliance validation of configurations
- Monitoring of server-side certificates
- Security note deployment validation / transparency about gaps vs. achievement
- Integration into operational processes
- Insights into actual usage / system communication & document flow & user behaviour
- Graphical charts and built-in dashboarding incl. management overview

Technology foundation: SAP HANA / SAP NetWeaver ABAP / SAPUI5
SAP NetWeaver Application Server, add-on for code vulnerability analysis
Develop highly secure SAP ABAP applications
- Identify and remedy security vulnerabilities in ABAP custom code
- Tighten application security by scanning custom ABAP code
- Protect against malicious code attacks and data breaches
- Rely on a solution that has been rigorously tested on a massive scale
UI Data Security: two-step approach to protect data from insiders

UI Masking: "Lock it"
- Conceal specific data unless required for tasks
- Make sensitive data unavailable for data abuse

UI Logging: "or log it!"
- Keep data accessible and create a broad, deep log of data access
- Induce compliant behavior
- Identify & prove irregular data usage
- Baseline for decisions on actions
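The two steps above are complementary: fields a role does not need are masked at the UI layer, and every disclosure of a field that is shown is recorded so that irregular usage can later be identified and proven. The following added example (not part of the SAP deck, and not how SAP UI Masking or UI Logging is implemented) shows that pattern on a constructed employee record: a role-based field policy, a display-level masking rule, an access log written for every sensitive field whether masked or disclosed, and a simple query over that log that flags users who displayed sensitive data on an unusually broad set of records. The field names, roles, masking rule and threshold are assumptions.

```python
from datetime import datetime, timezone

# Assumed policy: sensitive field -> roles that need it unmasked for their task
SENSITIVE_FIELDS = {
    "iban": {"treasury"},
    "salary": {"hr_payroll"},
    "birth_date": {"hr_payroll", "hr_admin"},
}


def mask(value):
    """Display-level masking rule (assumed): keep the last four characters of long
    values, hide short values completely so that e.g. a salary is not leaked."""
    text = str(value)
    if len(text) <= 8:
        return "*" * len(text)
    return "*" * (len(text) - 4) + text[-4:]


def render_record(record, user, roles, log, now=None):
    """Step 1 ('lock it'): mask sensitive fields the user's roles do not require.
    Step 2 ('log it'): append one log entry per sensitive field, recording whether
    it was displayed or masked, so irregular access can be reconstructed later."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    shown = {}
    for name, value in record.items():
        allowed_roles = SENSITIVE_FIELDS.get(name)
        if allowed_roles is None:            # not sensitive: show as-is, no log entry
            shown[name] = value
            continue
        disclosed = bool(set(roles) & allowed_roles)
        shown[name] = value if disclosed else mask(value)
        log.append({
            "ts": stamp,
            "user": user,
            "record": record["employee_id"],
            "field": name,
            "action": "DISPLAY" if disclosed else "MASKED",
        })
    return shown


def users_with_broad_access(log, threshold=3):
    """Constructed heuristic over the access log: users who displayed sensitive
    fields on more than `threshold` distinct records. A real review would combine
    this with task context; here it only shows the log being queried."""
    records_per_user = {}
    for entry in log:
        if entry["action"] == "DISPLAY":
            records_per_user.setdefault(entry["user"], set()).add(entry["record"])
    return sorted(u for u, recs in records_per_user.items() if len(recs) > threshold)


# Constructed sample record (all values made up)
SAMPLE_RECORD = {
    "employee_id": "E100",
    "name": "Constructed Person",
    "iban": "DE00123456789012345678",
    "salary": 5000,
    "birth_date": "1980-01-01",
}

if __name__ == "__main__":
    access_log = []
    print(render_record(SAMPLE_RECORD, "u_admin", {"hr_admin"}, access_log))
    for entry in access_log:
        print(entry)
```

Note that the log records masked fields too: a user who repeatedly opens records whose sensitive fields are all masked is still a signal worth reviewing, which is why the logging step is described as "broad" on the slide.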
Challenges in the Multi-Cloud Era

Data is everywhere
- IaaS, PaaS, SaaS
- Multi-cloud: public cloud deployments are on the rise

New governance standards
- Compliance, security, localization, audits
- Regulatory compliance driving data protection

New demands
- Access control, geo-location, encryption
- Shared responsibility
SAP Data Custodian
Multi-Cloud Data Insight and Protection

The SAP Data Custodian solution is a multi-cloud SaaS application designed to achieve the following business objectives:
- Multi-cloud and multi-application data insight and protection (Azure, AWS, GCP, AliCloud, S/4H, ECC)
- Data governance, compliance and audit reporting
- Rapid identification and notification of data protection breaches
SAP Enterprise Threat Detection & Cloud Edition
Stop security breaches in today's SAP S/4HANA business applications.

Enterprise Threat Detection gives transparency into suspicious (user) behavior and anomalies in SAP business applications to identify and stop security breaches in real time. It uses highly efficient and automated processes based on HANA technology and machine learning to track hacker activity using SAP's predefined and easily customizable attack paths.

Challenge
- Increasing number of hacker attacks
- Regulatory requirements for security and compliance controls
- Roles and authorizations alone will not protect an SAP S/4HANA environment
- Perimeter and IT infrastructure security is not sufficient to protect the SAP S/4HANA business core
- Analyzing the huge amount of events coming from the SAP S/4HANA business applications

Solution
- Stop security breaches in today's SAP S/4HANA business applications
- SAP system transparency with respect to security and compliance events
- Correlate the complete picture of a hacker attack, not only a few small puzzle pieces
- Perform forensic investigations, search for threats and detect anomalies in SAP S/4HANA applications
- All audit logs available in a central instance (manipulation-safe, unfiltered, normalized, readable)

Benefits
- Detect threats in your SAP S/4HANA applications to avoid financial loss and legal and reputational damage
- Safeguard the operation of your SAP S/4HANA
- Reduce effort for conducting audits
- Gain transparency and simplify the analysis of suspicious activities
- Identify security gaps and understand the impact on your business
- Analyze huge amounts of information quickly and take the right decision in time
SAP Cyber Security MaxAttention Services
Key takeaways
1. SAP systems or applications can be affected by hacker attacks
2. SAP provides a structured approach to customers and partners covering the SAP-related disciplines
3. SAP provides solutions and services to support organizations in protecting their SAP environment
4. Useful tfolio.html
Thank you.

Contact information:
Arndt Lingscheid
Solution owner GRC & Cyber Security
E-Mail: [email protected]
Phone: 49 160 90 84 11 88
SAP SE, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
Follow us: www.sap.com/contactsap

© 2022 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platforms, directions, and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/copyright for additional trademark information and notices.