
Customer Security KPI Dashboards at SAP How we Upgraded...

Date post: 19-Mar-2020

Thorsten Herre, SAP Chief Security Architect

April, 2016

Security KPI Dashboards at SAP

How we Upgraded our Reporting

Customer

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Internal

About SAP

More than 77,000 international employees

Worldwide locations in more than 130 countries

More than 300,000 customers in 190 countries

74% of the world’s transaction revenue touches an SAP system.

At SAP, we did not invent the digital economy, but we unquestionably understand where it’s going... It is time to simplify, time to innovate and time to leverage digital connectivity.

Bill McDermott, SAP CEO

Motivation & Challenges

Disruptive Technologies

Today more smartphones are sold than babies born in the world.

Today 50% of the world’s adult population has a smartphone.

Disruptive IT Technologies:

• Cloud,
• Internet of Things,
• Big Data and
• Mobile

will cause massive security disruption as well!

Are we prepared?

Customer view: OnPremise Security vs. Cloud Security

OnPremise Security Cloud Security

Mindset change on customer side required: Replace some security controls with trust in cloud provider

Customer has full control but also full responsibility

Internet of Things

Big Data Explosion through Sensors

Combinatorial EXPLOSION of sensor data:

Amount of data each sensor generates increases exponentially

Amount of sensors within a device increases exponentially

Amount of used devices increases exponentially

𝐼𝑛𝑡𝑒𝑟𝑛𝑒𝑡 𝑜𝑓 𝑇ℎ𝑖𝑛𝑔𝑠 = 𝑢𝑠𝑒𝑟𝑑𝑒𝑣𝑖𝑐𝑒𝑠𝑠𝑒𝑛𝑠𝑜𝑟𝑠𝑑𝑎𝑡𝑎

Today: Exabyte

2025: Brontobyte

SAP’s Security Reporting Strategy

Compliance at SAP Cloud

SAP’s Compliance Portfolio for the productive Cloud Landscapes

Common answer & approach: Certify against industry standards and regulatory requirements like:

• Financial Reporting: SOC 1 / ISAE 3402 / SSAE16 (former SAS 70)
• Baseline: ISO 27001 / ISO 9001 / ISO 22301
• Trust Service Principles: SOC 2
• PCI / DSS (for some Cloud Offerings)
• ISO27018 (New Cloud Std. under evaluation)
• Aligned to Best Practice: BSI Grundschutz, CSA Cloud Control Matrix

SAP Enterprise Clouds

SAP Security Compliance Strategy

Cloud Security Strategy:

• Secure by Default: Cloud Services and Systems are delivered "secure by default", meaning compliant with the SAP Security requirements

• End-To-End Security: Security Compliance is achieved over the whole stack:

– Network Security
– Virtualization Security
– Operating System Security
– Database Security
– SAP Application Security

• Certifications & Standards: Cloud Certifications (like SOC1/2 Type II, ISO27001) and International Security Standards are our baseline

• Transparency & Reporting: SAP provides the Customer via the Customer Portal near real-time Security KPIs of his Cloud Systems (Transparency). SAP provides the Internal Security KPI Reporting to the Managers and selected employees by using an automated solution to ensure a unique understanding and transparency of the current security situation

Qualities of an automated Internal Security KPI Reporting

Foundational themes for being efficient

• Consistent Entry Points
• Highly Personal
• Guide Me in a Proactive / “Smart” way
• Engaging & Participatory
• High-Quality Services & Content
• Fluid across Devices & Locations
• Truly useful for Business to reach users effectively
• Seamlessly Integrated
• An easy and highly productive workplace
• Self Explaining

SAP collects more than 20,000,000,000 log events per month, which contain roughly 4,500 security events, which lead to more than 150 security incidents to follow up, and performs more than 9,700,000 automated security checks per month.

SAP Internal Security KPI Dashboard

Demo

Conclusion & Project Benefits

• Central transparency and oversight in all security areas
• Increased security awareness and compliance in Cloud and IT operations
• Additional Cloud business advantage and Customer trust in Cloud
• Better reaction times to security gaps or incidents

Thank you

Contact information:

Thorsten Herre

Chief Security Architect

Global Security Team

SAP SE
