Thorsten Herre, SAP Chief Security Architect
April, 2016
Security KPI Dashboards at SAP
How we Upgraded our Reporting
Customer
© 2016 SAP SE or an SAP affiliate company. All rights reserved. Internal
About SAP
More than 77,000 international employees
Worldwide locations in more than 130 countries
More than 300,000 customers in 190 countries
74% of the world’s transaction revenue touches an SAP system.
"At SAP, we did not invent the digital economy, but we unquestionably understand where it’s going... It is time to simplify, time to innovate and time to leverage digital connectivity."
Bill McDermott, SAP CEO
Disruptive Technologies
Today more smartphones are sold than babies born in the world.
Today 50% of the world’s adult population has a smartphone.
Disruptive IT Technologies:
• Cloud,
• Internet of Things,
• Big Data and
• Mobile
will cause massive security disruption as well!
Customer view: OnPremise Security vs. Cloud Security
• OnPremise Security: Customer has full control but also full responsibility
• Cloud Security: Mindset change on customer side required: Replace some security controls with trust in cloud provider
Internet of Things
Big Data Explosion through Sensors
Combinatorial EXPLOSION of sensor data:
• Amount of data each sensor generates increases exponentially
• Number of sensors within a device increases exponentially
• Number of devices in use increases exponentially
Internet of Things = user devices sensors data
Today: Exabyte
2025: Brontobyte
Compliance at SAP Cloud
SAP’s Compliance Portfolio for the productive Cloud Landscapes
Common answer & approach: Certify against industry standards and regulatory requirements like:
• Financial Reporting: SOC 1 / ISAE 3402 / SSAE16 (former SAS 70)
• Baseline: ISO 27001 / ISO 9001 / ISO 22301
• Trust Service Principles: SOC 2
• PCI DSS (For some Cloud Offerings)
• ISO27018 (New Cloud Std. under evaluation)
• Aligned to Best Practice: BSI Grundschutz, CSA Cloud Control Matrix
SAP Enterprise Clouds
SAP Security Compliance Strategy
Cloud Security Strategy
• Secure by Default: Cloud Services and Systems are delivered "secure by default", meaning compliant with the SAP Security requirements
• End-To-End Security: Security Compliance is achieved over the whole stack:
– Network Security
– Virtualization Security
– Operating System Security
– Database Security
– SAP Application Security
• Certifications & Standards: Cloud Certifications (like SOC1/2 Type II, ISO27001) and International Security Standards are our baseline
• Transparency & Reporting: SAP provides the Customer, via the Customer Portal, with near real-time Security KPIs of their Cloud Systems (Transparency). SAP provides the Internal Security KPI Reporting to the Managers and selected employees by using an automated solution to ensure a uniform understanding and transparency of the current security situation
Qualities of an automated Internal Security KPI Reporting
Foundational themes for being efficient
• Consistent Entry Points
• Highly Personal
• Guide Me in a Proactive / “Smart” way
• Engaging & Participatory
• High-Quality Services & Content
• Fluid across Devices & Locations
• Truly useful for Business to reach users effectively
• Seamlessly Integrated
• An easy and highly productive workplace
• Self Explaining
SAP collects more than 20,000,000,000 log events per month that contain roughly 4,500 security events, which lead to more than 150 security incidents to follow up, and performs more than 9,700,000 automated security checks per month.
SAP Internal Security KPI Dashboard
Demo
Conclusion & Project Benefits
• Central transparency and oversight in all security areas
• Increased security awareness and compliance in Cloud and IT operations
• Additional Cloud business advantage and Customer trust in Cloud
• Better reaction times to security gaps or incidents