TEC103 – Overview of Features, Functions

and Services in Security Products from SAP

Public
Speakers

Las Vegas, Sept 19 - 23 Bangalore, October 5 - 7 Barcelona, Nov 8 - 10

Gerlinde Zibulski Kristian Lehment Regine Schimmer

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 2

Disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of
SAP. Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or
any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this
presentation or any related document, or to develop or release any functionality mentioned therein.

This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms
directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice.
The information in this presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality.
This presentation is provided without a warranty of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement. This presentation is for informational
purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this
presentation, except if such damages were caused by SAP’s intentional or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially
from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only
as of their dates, and they should not be relied upon in making purchasing decisions.

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 3

Agenda

Introduction and the SAP security products portfolio

Platform security capabilities
SAP on-premise solutions for identity & access governance
 SAP Single Sign-on
 SAP Identity Management and SAP Access Control
SAP Cloud Identity Access Governance: services
Cyber security
 SAP Enterprise Threat Detection
Secure software development
 SAP NetWeaver Application Server, add-on for code vulnerability analysis
Protecting your SAP systems
 Cloud and infrastructure security
 Secure product development

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 4

SAP security and GRC access governance portfolio

SAP Cloud SAP Cloud Identity Access Governance services

Applications Manage access,
users and identity access
compliance in the identity provisioning
cloud authentication analysis
service
service service

SAP
S/4 HANA

Add-On for Code

SAP Single SAP Identity SAP Access SAP Enterprise
SAP Vulnerability
Sign-On Management Control Threat Detection
Business Analysis
Suite
Ensure corporate Find and correct
Make it simple for users to do Know your users and what Counter possible threats and
compliance to vulnerabilities in customer
what they are allowed to do they can do identify attacks
regulatory requirements code

3rd Party
Systems Make sure that SAP SAP HANA Cloud SAP NetWeaver
solutions run securely SAP HANA
Platform Security Platform Application Server

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 5

Platform security capabilities
Explore the built-in security features of our technology platforms

Public
SAP platforms: common security capabilities

S/4 SAP SAP

HANA Business Cloud
Security certifications Suite Applications Security Standards
Common Criteria (SAML, OAuth, X.509, SNC,
FIPS SSL, WS-Sec,…)
SAP HANA
SAP HANA Cloud Platform
SAP NetWeaver Application Server

Auditing Security Architecture

Logging Run Time Virus Scan API
Monitoring Design Time

0010100
1110011
0011001

Authorization Management Authentication and Encryption of data at rest

Identity Administration single sign-on and in transit

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 7

SAP HANA security
Meet compliance requirements, implement different security policies, and integrate SAP HANA into the
existing security infrastructures

Public
SAP HANA’s unified security architecture

SAP HANA Client Client Browser

Studio

Application
XS Advanced
Server

JDBC/ODBC HTTP(S)

Cockpit Application
Database XS Classic

Authentication/SSO Encryption

Authorization Users/Roles Audit Logging

Design Time Repository SAP HANA

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 9

SAP HANA Cloud Platform
Leverage the security features of SAP HANA Cloud Platform to ensure security in cloud and
Internet of Things (IoT) scenarios

Public
SAP HANA Cloud Platform security services

The SAP HANA Cloud Platform security services provide delegated authentication and
authorization services across applications
Key capabilities
Access protected resource
 Identity federation with SAML 2.0-based identity providers
 Flexible groups- and role-based authorization management
 Secure API protection with OAuth 2.0
Applications
 Protection against common web attacks (XSS and XSRF) on SAP HANA
User
 Secure end-to-end identity propagation to on-premise systems Cloud Platform
Authentication
 On-premise user directory integration via SCIM 1.1 (e.g. for user search) Delegate
Authentication
 Full automation and integration of the service via platform APIs
Identity provider
Benefits
(SAP HANA Cloud Platform services:
 Out-of-the-box identity federation without changing a single line of code identity provisioning service, identity
 Easy-to-use security mechanisms to protect and control application authentication service, single sign-on,
access in pure cloud and hybrid scenarios 3rd. party identity provider)

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 11

SAP NetWeaver platform
Security engineered from the ground up: benefit from the comprehensive security infrastructure and
innovative features of the SAP NetWeaver technology platform

Public
Spotlight on: Unified Connectivity (UCON)

Reduce the overall attack surface of your remote-enabled function modules (RFMs). Enhance
RFC security by blocking the access to a large number of RFMs

 Most SAP ERP customers run just a

limited number of the business (and
technical) scenarios for which they need
to expose some RFMs
 A lot of RFMs are only used to parallelize
within a system
 Find out which RFMs need to be
exposed for specific customer scenarios
 Block access to all other RFMs

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 13

Spotlight on: Read Access Logging

Log all access to classified or sensitive data and support the evaluation of these events

Read access logging allows you to track

• Who accessed the data
Entry points Read access log framework
• Which data was accessed
• When was the data accessed
• How was the data accessed, UI channel
Configurations Log data in
(which transaction or user interface was Log writer
database
used)
Remote
Amount of detail to be logged is customizable API
Log conditions
 User interfaces used to access the data channel Log monitor
 Operations executed on remote APIs
 Users using remote APIs / user interfaces
 Entities and their content

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 14

SAP on-premise solutions for
identity and access governance

Public
SAP Single Sign-On

SAP Single Sign-On provides simple, secure access to IT applications for business users. It offers
advanced security capabilities to protect your company data and business applications

Simple and secure access

• Single sign-on for native SAP clients and web applications
• Single sign-on for mobile devices
Cloud and
• Support for cloud and on-premise landscapes
cross-company
Secure data communication
• Encryption of data communication for SAP GUI SAP and non-SAP
• Digital signatures
applications
• FIPS 140-2 certification of cryptographic functions
Advanced security capabilities
SAP
• Two-factor and risk-based authentication Business Suite
• Authentication with smart cards or RFID tokens
• Hardware security module support
• Simplified management of backend security capabilities

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 16

SAP Identity Management

Grant and manage user access to applications securely and efficiently while meeting audit and
compliance requirements
Full identity lifecycle support
● Integration with SAP ERP HCM and SuccessFactors
● Central workflows for permission requests SAP cloud SAP Business Suite
identity provisioning
● Context/rule based permissions and roles
service
● Integration with SAP Access Control for compliance checks
● Identity analytics
User interfaces
SAP SAP Identity Management
● Flexible identity schema via configuration only Access Control
● RESTful interfaces for SAP UI5 on different devices
● Eclipse-based development environment
Connectors
● Connectors and connector framework
● Support of new cloud-based applications
● Simple Cloud Identity Management Schema (SCIM) support
Virtualization and Federation
● Virtual directory server
● Identity federation

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 17

SAP Access Control
Manage access risk and prevent fraud

Monitor emergency X
SAP_ALL
Find and remediate
access and transaction SoD and critical
usage access violations

Automate access
Certify access
assignments are still assignments across
warranted SAP and non-SAP
Legacy
systems

Define and maintain roles in

business terms

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 18

SAP Cloud Identity Access
Governance: services

Public
SAP Cloud Identity Access Governance
SAP HANA Cloud Platform, identity authentication service

 Secure access via the internet

 Web & mobile single sign-on
 Identity Federation and
Authentication
 Social and strong authentication
 Central User Store
 Branding and policies
 User self-services
 On-premise integration
Identity
Authentication
 SAP Jam integration
Service

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 20

SAP Cloud Identity Access Governance
SAP HCP, identity authentication service: Business-to-Consumer scenario

 Secure access and single sign-on across sites, based on SAML

 User self-services
 Configurable user registration form
 Account activation with email verification
 Password reset
 User profile page
******
Logon
 Social logon – account linking/unlinking
 Unified user experience optimized for all devices
 Flexibility out-of-the-box
 Configurations per web application
 Branding (logo and colors)
 Own privacy policy and terms of use
 Password policy
 Central user management
 Import existing users

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 21

SAP Cloud Identity Access Governance
SAP HCP, identity authentication service: Business-to-Employee scenario
 Secure access and single sign-on across cloud or on-premise web
applications, based on SAML
 Central user management
 Rich choice of authentication methods:
 Two-factor authentication and mobile SSO
 Authentication against
- Corporate user store (LDAP, NetWeaver)
******
Logon
- Other identity provider
 SPNEGO authentication – no login required after authentication in the corporate
domain
 User self-services
Corporate Network  Account activation via email
 User profile page and password reset
 Unified user experience optimized for all devices
 Flexibility of configurations per application
 Branding and policies
 Risk-Based authentication
© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 22
SAP Cloud Identity Access Governance
SAP HANA Cloud Platform, identity provisioning service
The SAP HANA Cloud Platform, identity provisioning service offers a centralized and automated setup of user
accounts and authorizations across business applications, ensuring an up-to-date identity lifecycle management

Solution overview
Automatic setup and management for user accounts and
authorizations
Optimized for SAP cloud applications
Integrated with single sign-on and governance micro-services
Jointly working with the SAP Identity Management product

Key value proposition

From day one: fast and simple availability of the applications
to end users
Centralized end-to-end lifecycle management of corporate
identities in the cloud
Automated provisioning of existing on-premise identities to
cloud applications

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 23

SAP Cloud Identity Access Governance
SAP HANA Cloud Platform, identity provisioning service

Simple and reliable solution for your identity lifecycle management processes

Identity lifecycle management delivered as a

service on the SAP HANA Cloud Platform
 Automatically set up user accounts and authorizations
 Dynamically update authorizations based on business
needs and segregation of duty analysis
 Instantly revoke privileges that are no longer required

Simple, seamless, adaptive

 Easy consumption, fast time-to-value, low TCO
 Minimize costly delays in avoidable administrative
tasks and lost productivity
 Reduce security risk via transparent and compliant
identity management processes

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 24

SAP Cloud Identity Access Governance, access analysis service
Simple, seamless, adaptive

Pre-configured audit Configurable and pre-defined

reporting access policies and rules

HCP

Integrated control
monitoring and testing Analyze SoD and critical
access for on-premise and
cloud solutions

Optimize user access for

security and compliance

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 25

What can the access analysis service do for you?

SIMPLE SEAMLESS ADAPTIVE

 Simplify and reduce the complexity of access governance  Seamless user experience with dashboard-driven UI,  Adapt and scale to grow with the business cost-
and compliance for administrators, auditors and visual prompts and analytic intelligence for timely focus efficiently, easily extending control to enterprise apps
business users on business-critical issues and users on any device, anywhere
 Achieve greater business agility with ability to  Guided remediation and dynamic access changes make it  Gain better visibility of risk remediation and mitigation
dynamically update user access for changing business easier to resolve access risks, while reducing ongoing monitoring process
needs admin and audit costs
 Manage and reduce enterprise access risks with
 Obtain instant value with minimal upfront investment as  Optimize security through greater accuracy in access immediate insights to control performance at low TCO
well as lower ongoing costs assignments

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 26

Cyber Security
Leverage SAP Enterprise Threat Detection to counter cyber attacks

Public
SAP Enterprise Threat Detection

Provide insight into suspicious security events throughout the system landscape
Detection
 Readily and efficiently identify security lapses in the
landscape
 Use the power of a real-time data platform to detect
threats
 Optimally protect your key business data
Insight
 Gain insight into what is happening in
your IT landscape
 Integrate with SAP and non-SAP data
 Make use of attack detection patterns
 Enable custom integration and configuration
 Find SAP software-specific threats related to know attacks
Analysis & prevention
 Perform forensic investigations and discover new patterns
 Efficiently analyze and correlate logs

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 28

Secure software development
SAP NetWeaver Application Server, add-on for code vulnerability analysis

Public
SAP NetWeaver Application Server,
add-on for code vulnerability analysis
Find vulnerabilities in customer code to prevent cyber attacks against SAP systems

Code scanning Static Application Security Testing

 Checks custom coding for security vulnerabilities (SAST)
 Includes Open Web Application Security Project Extensive
Exemption workflows to documentation to
(OWASP) top 10, like SQL injection, directory traversal, ease handling of false support developers in
backdoor & authorizations, web exploits, code injection positives fixing the detected
issues
and call injections
Supports
Integration Reduced false-
automation
positive rate
 Fully integrated into ABAP development environment as through data flow requirements by
analysis quality assurance
part of the automated test cockpit (ATC) teams
Support
 Supports developer in fixing the vulnerability, Priority of each
Integrated into
and delivers extensive documentation standard ABAP check can be
development adjusted to match
infrastructure requirements

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 30

Protecting your SAP systems
Cloud and infrastructure security
Secure product development
Security services, support, and consulting

Public
Protecting your SAP systems

Secure software operations in

SAP the SAP Cloud
Business Suite Cloud Security

Certified security for your

SAP Cloud Applications protection
Infrastructure Security

Systematic engineering for security

SAP Mobile Applications Secure Software and privacy in a networked
economy
Development

3rd Party Systems Secure implementation and operation

Security Services & of SAP system landscapes
Support

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 32

Cloud and infrastructure
security

Public
SAP HANA Cloud Platform infrastructure security
Benefits at a glance

• Certified operations

• World-class data centers

• Advanced network security

• Reliable data backup

• Built-in compliance, integrity,

and confidentiality

• State-of-the-art security
platform services

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 34

SAP HANA Cloud Platform security
Physical security
Physical Security Network Security Backup & Recovery Compliance Confidentiality & Integrity

High Availability
• Role-based access: On-
BS25999 demand solutions support role-
CERTIFIED based access with user
profiles to allow segregation of
Quality Management duties
ISO 9001 • Audit logging:
CERTIFIED On-demand solutions log all
• Planned coverage for SAP • Reverse proxy farms user activities
Cloud data centers: Two • Multiple redundant International Accounting
• Data encryption: Encryption
data centers per major internet connections Regulations of confidential data at rest
region • Data encryption ISAE3402 • Operations:
• SAP HANA Cloud currently • Intrusion Detection TESTIFIED* Two-factor authentication
hosted in data centers in System (IDS) • Authorization on need-to-
SSAE16
Germany, Netherlands, • Multiple firewalls TESTIFIED* know basis
Australia, and the USA • Minimal privileges and
• Sandboxed application Energy Efficiency
• Roadmap for global segregation of duties
environment
coverage available from GREEN IT • Personalized log traces
• Regular third party
SAP upon request CERTIFIED • Controlling system and regular
audits and penetration reviews
• Location is subject of tests IT Operations
choice by customers
ISO 27001
CERTIFIED
BS25999
CERTIFIED
ISO 27001 ISO 27001 ISO 27001
CERTIFIED CERTIFIED CERTIFIED
© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 35
Secure software development

Public
Secure software development

Making security a priority

 3rd largest software company in the world
 SAP systems handle 74% of the world‘s financial transaction
 Our customers include a majority of Fortune 500 companies
 1.8 billion text messages pass through SAP Mobile Platform
 SAP Ariba connects more than 1 million companies in 190 countries
 SAP partner ecosystem and open source components extend software
security issue exposures
 Most of our competitors have experienced major vulnerability reports
 Internet of Things applications enhance attack surface for SAP software

protect&&develop
© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 37
Prevent, detect, react

PRODUCT SECURITY

SAP Secure Software Development Lifecycle Surveillance of Threat Landscape Incident Handling
S2DL  Security response
 SAP Product Security Social Media
• People, tools, and processes for building secure Analytics  SAP Security Patch Day
products
 Security conferences  Optimizing patch
• Our guidance: ISO 27034
Customer-Specific Services management
Enhanced Security Features
• SAP Single Sign-On (Cloud / On-Premise)  SAP Enterprise Threat Detection solution Emergency Handling
• Common Crypto Lib (FIPS 140-2)  SAP NetWeaver Code Vulnerability Security Service Offerings
Security Research Analyzer available for customers
 Active Global Support
• Encryption in the cloud  Automated detection of misconfigurations in
customer systems  Consulting
• JavaScript security
• Big Data for security: Content creation for SAP
Enterprise Threat Detection

Prevent Detect React

• SAFECode • ISO 27034 Compliance

• German “Alliance for Cyber Security” COOPERATION AND CERTIFICATIONS • Common Criteria Certification
• SAP Security Advisory Board • ISO 9001 Certifications

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 38

SAP Secure Software Development Lifecycle (S2DL)

SAP’s standard software development holistically integrates secure development principles in

accordance with ISO 27034-1
Start of standard Release
development decision

Preparation Development Transition Utilization

Risk Plan Security Secure Security Security Security

Training
Identification Measures development testing Validation Response

Security awareness SECURIM Plan product standard Secure programming Dynamic testing Independent security Execute the security
Secure programming (Security Risk Identification compliance Static code scan Manual testing assessment response plan
and Management) Plan security features Code review External security
Threat modelling
Data Privacy Impact Plan security tests assessment
Security static analysis Assessment Plan security response
Data protection and privacy Threat Modeling
SAP Secure Software Development Lifecycle S2DL
Security expert curriculum

Common denominator: Product standard security as knowledge base across all phases

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 39

Security services and support

Public
SAP security services offerings

SAP Active Global Support best practices are

translated into security tools and services:
SAP Solution Manager System Recommendations
SAP EarlyWatch Alert (EWA) with security section
SAP Solution Manager Configuration Validation
SAP Security Optimization Service (SOS)
MaxAttention Next Generation with key security
elements
secure&&support
 Remote and on-site delivery remote via Global SAP Security Patch Day
Security Hub  SAP security notes second Tuesday every month
Security Back Office
 Security Back Office provides security expert SAP Security Consulting services
knowledge and back office support to customers  Professional consulting services for SAP security
and SAP employees. products and service offerings

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 41

SAP security training and documentation

SAP Security Training

 Secure operation trainings by SAP
 Secure development trainings by partners

SAP Security Documentation

 Security notes published on Support Portal
 SAP security guides for every product
 SAP security recommendations on some patch
days
 Secure programming guides
 RunSAP end-to-end solution operations
 Books published by SAP Press

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 42

Summary

Public
SAP security strategy – solutions, services, infrastructure

Significant investments into security for networked solutions, identity and access
governance, and integrated security management allow customers to implement
secure business processes on premise and in the cloud

Integration is key to simplify security in today’s hybrid IT landscapes.

Comprehensive security offerings help SAP customers thrive in the

networked economy

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 44

SAP TechEd Online

Continue your SAP TechEd

education after the event!
Access replays of
 Keynotes
 Demo Jam
 SAP TechEd live interviews
 Select lecture sessions
 Hands-on sessions
 …

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 45

Further information

Related SAP TechEd sessions:

All sessions in the SEC-track !

SAP Public Web

www.sap.com/security
http://scn.sap.com/community/security
http://scn.sap.com/community/sso
http://scn.sap.com/community/idm
https://scn.sap.com/community/hana-in-memory

SAP Education and Certification Opportunities

www.sap.com/education

Watch SAP TechEd Online

www.sapteched.com/online

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 46

Feedback
Please complete your
session evaluation for
TEC103

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 47

© 2016 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate
company) in Germany and other countries. Please see http://www.sap.com/corporate-en/about/legal/copyright/index.html for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and
services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as
constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop
or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time
for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-
looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 48