PUBLIC
March 21, 2017
Lakshmi Hanspal, Chief Security Officer, SAP Ariba Trust Office
Joseph Gomez, Business Security Specialist, SAP Ariba Trust Office
Securing your Digital Transformation
Cybersecurity and You
© 2017 SAP SE or an SAP affiliate company. All rights reserved.
Simple Smart Secure
Cloud Security – Perception vs Reality
Decision makers today have two fundamental choices to address their business need

Business need: source globally, digitize collaboration, execute business transactions efficiently.

The choice:

Networked solution
• Deploy application in cloud
• Invite partners to collaborate throughout the process
• Exchange documents electronically through business network
• Leverage integrated channels and achieve transparency in invoicing and payments

Traditional application
• Deploy application on-premise or in-house
• Use phone/e-mail/letters/meetings to collaborate
• Send and receive documents via e-mail/fax/paper/EDI
• Leverage out-of-band channels for invoicing and payments
A network approach is attractive, but companies need to protect their data and their business relationships

Protect personal data
• Achieve legal compliance such as fulfilling data protection requirements
• Ensure information relating to individuals is protected in storage and processing

Protect trade secrets
• Store business data safely
• Transmit transactional data securely
• Prohibit unauthorized access to data
Trust Model for Cloud Providers

Cloud Providers should leverage a holistic, multi-dimensional approach to establish and maintain state-of-the-art Security and Privacy.

(Diagram: Security and Privacy at the centre, surrounded by the four dimensions Technology, Processes, People and Scoping.)

• Securing the software development lifecycle
• Guarding your data against internal and external risks
• Access through least privilege/“need-to-know basis”
• Environment segmentation and demarcation
• Resiliency as core competency
• High availability, monitoring and business continuity
Protecting Commerce in the Cloud – Build Secure, Run Secure, Be Secure

(Organisation chart of the Trust Office functions and their areas of responsibility.)

Privacy
─ Data Protection
─ Regulations
─ Incident Response

Governance
─ Policies and Standards
─ Compliance and Audit
─ Risk Management
─ Training and Awareness

Operations
─ Vulnerability Management
─ Incident Management and Response
─ Event Correlation
─ Emerging Threats

Business Enablement
─ Customer Collaterals
─ Contracts and RFPs
─ Trend Analysis

Ecosystem Security
─ Application
─ Data
─ Secure Development
─ Pen Testing
─ Solution Integration

Architecture & Engineering
─ Solution Architecture
─ Infrastructure and Network
─ Security Engineering
─ Tools Engineering
Build Secure Products - SAP Ariba Secure Development Lifecycle

Ariba’s Secure Software Development lifecycle is designed to holistically integrate secure development principles in accordance with ISO 27034-1.

(Diagram: a seven-step lifecycle; the labelled phases are Design, Code, Package, Integrate and Deploy.)
Build Secure Products - Security Training

• Information Security Fundamentals
• Payment Card Industry (PCI-DSS) Basics
• Secure Programming (OWASP Top 10)
• Data Protection and Privacy (coming in 2017)
• Security Expert Curriculum (coming in 2017)
Build Secure Products - Software Security Champion Program

Requirements
• Minimum 3 to 5 years of software development experience
• Passion for Security (“Thinks like a Hacker”)
• Willingness to take additional security training
• Rotation every 6 months between Primary and Backup
• Role activities should link to 10% – 15% of the person’s goals

Role
• Enforce the SAP Ariba SDL
• Become the Static and Dynamic Tools Expert on your team
• Be the advocate for security within your core development team
• Conduct Architecture security analysis and Threat modeling sessions

Responsibilities
• Attend monthly meetings with larger Sec Champion/Product Security Team
• Share gained Security knowledge with other Developers
• Act as the eyes and ears of the Product Security team
Run Secure - Security Risk Assessment

Activities
• 3rd Party Vendor review
• Data privacy impact assessment
• Product Security Early Engagement Questionnaire
• Privacy and Legal Review
• Threat Modeling Activities

Deliverables
• Product Risk Profile Report
• Completed Engagement Questionnaire
• Completed Privacy Impact Assessment
• Certification Requirements
• List of third-party Software
• List of Applicable Laws and Regulations
• Business Software Requirements
• Data Flow Diagrams
• Threat Modeling Reports
  – Risk Matrix for Threats
  – Risk Mitigation Plan
  – Threat Profile Report
Run Secure - Vendor / Sub-Processor Oversight

Identify
The SAP Ariba Cloud Unit identifies all Vendors or Sub-Processors with access to sensitive personal, business or confidential information via the production environment.

Evaluate
Vendors and Sub-Processors are assessed by the SAP Ariba Cloud Unit based on potential security threat, data breach or other identified risks to the Cloud Unit arising from their engagement.

Maintain
Update the list when new Vendors / Sub-Processors are contracted. Re-evaluate Vendors / Sub-Processors based upon their associated risk ratings or at the time of contract renewal.
Run Secure - Third Party Risk Assessments

Security Assessments
SA01 Has your site been audited by an outside agency (SysTrust, WebTrust, PCI-DSS, SAS-70 Type II, BS7799, ISO or other)?
  If so, how often do you get audited? Provide audit report(s).
SA02 Do you perform internal audits?
  If so, who conducts them and how often? Provide audit report(s).

Policy and Procedures
PP01 Does an Information Security Policy/Plan exist?
  If so, please provide a copy.
PP02 Who is responsible for maintaining and enforcing this policy/plan?
PP03 Does an information classification and protection policy exist?

Physical Security Controls
PS01 What is the location of the data center?
PS02 How is access to the building controlled?
PS03 Are any areas of the building open to the public?
PS04 Is there a 24x7 guard presence on site?
PS05 Do surveillance cameras monitor the building entrances and emergency exits?
PS06 Do surveillance cameras monitor other areas of the data center?
PS07 Describe the type of surveillance cameras used (CCTV, network cameras, etc.).
PS08 What type of authentication method is used for access to the building?
PS09 What type of authentication method is used for access to the data center?
PS10 Are staff required to wear photo identification badges at all times?
PS11 Are bags, boxes and other packages inspected prior to being permitted in the facility?
PS12 What work-around methods exist for access to the buildings in the event the above access methods fail?
PS13 Are guests/visitors permitted into the data center?
  If so, what is the procedure for identification and authorization?
PS14 Are guests/visitors allowed unescorted access to any portion of the building?
PS15 What other physical security controls are in place for entrance into the data center?
PS16 Are systems in the data center protected by a cage to prevent unauthorized tampering?
PS17 Is the building shared with other tenants?
PS18 What controls are in place for receiving deliveries destined for the data center?
PS19 What controls are in place for the removal of equipment from the data center?
PS20 How many personnel have physical access to the systems?
  Provide the role of these individuals.

Environmental Controls
EC01 What type of fire suppression is used within the data center?
EC02 What type of fire detection is used within the data center?
EC03 How are temperature and humidity monitored and controlled in the data center?
EC04 Are there redundant power supplies?
EC05 Are backup generators present to protect against long-term power failure?
  If so, how long can operations be sustained on backup generators before refueling?
  Do you have contracts for fuel supply in the event of an emergency?
EC06 Can building environmental systems be managed remotely?

Incident Response
IR01 Is there a Computer Security Incident Response Team (CSIRT) and plan in place?
IR02 Is the CSIRT plan tested on a regular basis?
  If so, give the last date the plan was tested.
IR03 Do you have a policy for customer notification of security incidents?
  If so, please provide a copy.
IR04 Describe the process for notifying customers in the event of a security incident.
IR05 What intrusion detection systems are currently in place?
IR06 How are alerts received and managed?
IR07 Have you had any successful attempts to compromise a system?
  Any failed attempts?
IR08 How do you currently protect against denial of service attacks?
IR09 Do you conduct penetration testing of your environment on a regular basis?
IR10 Are IDS and firewall logs monitored and reviewed?
  How often?
  How long are IDS and firewall logs maintained?
Run Secure - Third Party Risk Assessments (continued)

Disaster Recovery Controls
DR01 Is there a disaster recovery plan in place?
  If so, please provide a copy.
DR02 What are your procedures for updating the plan?
DR03 What is the schedule for testing and training on the plan?
DR04 When was the last drill performed?
DR05 What critical systems are covered by the plan?
DR06 What systems are not covered by the plan?
DR07 What are the procedures for activating the plan?
DR08 How are inventories of critical systems maintained?
DR09 Are there formal backup procedures documented?
DR10 Describe your backup policy.
DR11 Do you have an offsite storage agreement in place?
  If so, with whom?
DR12 Who has access to the backup tapes?
DR13 Is your site insured?
  If so, with whom, and describe the coverage.

Operational Support
OS01 Do you have 24/7 support? Please describe the escalation path. Is a live person available at all hours?
OS02 How do you monitor your environment?
OS03 Describe your policy for delivering post mortem details after an outage.
OS04 Do you have multiple internet providers?
OS05 What are the terms of your SLA?
  How do you measure your performance against it?
OS06 What are your maintenance windows?
OS07 Describe your procedures for notifying customers of downtime, both planned and unplanned.
OS08 Do you support an encrypted interface with your systems, such as SSL?
OS09 Do you provide an online management tool for our account?
OS10 Please describe the technical capabilities of the on-call staff.

Logical Access Controls
LA01 Please describe your administrative/super user login procedures.
LA02 How is password security managed?
LA03 Please describe your password policy.
  What is the minimum number of characters?
  What level of complexity is required (letters, numbers, symbols, etc.)?
  What is the password history?
  How often must passwords be changed?
LA04 How are passwords stored and transmitted?
LA05 How are passwords communicated to users?
LA06 Do your systems support a lockout mechanism for failed login attempts?
  If so, please describe.
LA07 Do you use a 2-factor authentication mechanism?
  If so, please describe.
LA08 Is user access controlled by groups or roles?
  If so, please describe.
LA09 Do procedures exist to disable access for terminated users?
LA10 Is there a procedure to periodically audit user accounts?
LA11 Are changes in user account privileges logged?
LA12 Do you have separation of duties when it comes to administrative access to your systems?

Risk Management Controls
RM01 Is there a documented risk management plan with written procedures?
RM02 How often are risk assessments performed?
RM03 Please describe your risk assessment process.
Run Secure - Advanced Secure Protocol and Ciphers
Run Secure - EU General Data Protection Regulation (GDPR)

Replaces EU Data Protection Directive (1995) and harmonizes data privacy laws across Europe.

(Timeline, Jul 2016 to Q1/Q2 2018: Prep → Analysis & Design → Legal requirements: GDPR implementation → GDPR compliance checks; GDPR effective May 25, 2018.)

Requirement
• Record of processing activities (Article 30)
• Data Protection by design and default (Article 25)
• Special categories - enhancement (Article 9)
• Automated decision taking and profiling (Article 22)
• Data subject rights (Articles 15, 17, 20)
• Data breaches & notification (Articles 33, 34)
• Using service providers (Article 28)
• Information notices (Articles 12, 13, 14)
• Consent (Articles 4, 6, 7, 8, 9)

Implementation
• Transparency & Accountability (Articles 5, 24, 30)
• Privacy Impact Assessment (Article 35)
• Data Inventory (Classification) and Documentation (Data Flow; Encryption, Anonymization, Access control, Edit/Read Log etc.) for products and services processing customer data
• Gap Analysis, Mitigation and Non-compliance Risk
• Privacy by Design/Impact Assessment
• Data Portability (30 days)/Deletion/Retention
• Data Breach (72 hr) involvement from DPA/EDPB/Individual
• Sub-processor Process and Inventory (Classification)
• Privacy Statement and Website (Consent for collecting PII e.g. geo/IP address, non-interactively, Cookie Inventory, Method of Tracking and Messaging)
• Training and Communications
• Certification - SSAE 16 SOC 2 Privacy, ISO 27018 (needs 27001)
Be Secure - Protecting commerce in the cloud

(Roadmap chart, 2016–2018 by quarter, with customer adoption phases following delivery.)
• Upstream Data Encryption – Q2 2016
• Downstream Data Encryption – Q4 2016, followed by Customer Adoption
• Advanced Front Door – Q4 2016, followed by Customer Adoption
• Upgrade Legacy to SHA-2 compliance – Q1 2017
• Ariba Network Encryption – Q2 2017
• Key Management – Software Vault – Q3 2017
• Key Management – Hardware Vault (HSM) – Q4 2017
Be Secure - Effective Risk Management
• Corporate decisions on how risk must be managed (strategy, principles, policies, standards etc.);
• Knowing how much risk the organization is willing to accept (risk tolerance/appetite);
• An understanding of who accepts risk on behalf of the organization (understanding and adherence);
• A method or process to understand the risk and how to deal with it (risk assessments, risk treatment);
• Knowing what needs to be protected (inventory, information classification);
• A method to effectively communicate responsibilities and obligations (escalate risks and decisions);
• A comprehensive and balanced set of requirements;
• A method and process for managing everyone’s expectations (sign off); and
• A common framework to put it all together.
Information security needs to be a continuously operating management system
Be Secure – Risk Categories and Controls

Infrastructure Breach
• Physical Security
• Access Management
• Configuration Management
• Patching
• Asset Management

App Compromise
• SDLC
• Penetration Testing
• Encryption Between Tiers

Policy & Compliance
• Audit Findings
• Policy/Procedure Adherence/Gaps
• Policy Exceptions
• Training and Awareness

Third Party
• Sub-Proc. Data Center Audit Findings
• Third Party MDPA/DPQ Outliers
• Third Party Information System Security Review Outliers

Data Breach
• Encryption (Disk, Application)
• Access Control
• Data Leakage Protection (DLP)
• Deletion

Cyber Attacks
• SIEM/Event Detection
• Vulnerability Assessment/Scans
• Threat Intel
• Containment Capability
• Event Response
Be Secure – Building assurance via attestation

Foundation
• Code of Practice: ISO 27002

Privacy
• Data Protection: Safe Harbor, BS 10012
• Data Privacy: BDSG, EU Directive 95/46/EC, GDPR

Security Best Practice
• Service Delivery: ISO 20000
• Business Continuity: ISO 22300
• Application Security: ISO 27034, OWASP
• Hardening Guidelines: CIS, RAPID7, SANS, ISO, CERT, NIST
• Quality Management: ISO 9000, ISO 25010
• Destruction of Media: ISO 27040
• Incident Management: ISO 27035

Certification
• ISO 22301, ISO 9001, ISO 27001, ISO 27018

Transparency
• Operations and Compliance (including IP): SOC 2, SOC 3 (AT 101 / ISAE 3000), IRAP
• Financial Controls: SOX, SOC 1 (SSAE16 / ISAE 3402), PCI
Be Secure - Protecting Customer Personal and Business Data

Management Commitment
• Management accountable for committing (time, effort, funding, resources, etc.) to data protection
• Management is accountable to select controls based on risk acceptance and enforce those controls within the organisation

Compliance and Legal Requirements
• Demonstrate pro-active compliance with regulators
• Common framework for other standards, regulatory requirements
• Reduced liability risk

Building and Maintaining Trust
• Validate security and privacy practices and provide confidence in the use of third parties
• Approach is consistent with other cloud companies

Continual Improvement
• Increase awareness of Data Protection within the organisation
• Appropriate protection of cloud assets
• Efficiencies gained through repeatable processes for compliance monitoring; effectiveness of controls measured and reported
Protecting Customer Data - How can you help?
In case:
• You accidentally send your data to the wrong recipient
• Your coworker notifies you of emailing sensitive data to the wrong recipient
• You notice a security issue in an application that may expose your data to others
• You are not sure if there is a security issue, but believe there could be one
Then:
• Contact ARIBA.SECOPS@SAP.COM with the relevant information IMMEDIATELY. We may be contractually
bound to report incidents to appropriate parties and timing is critical.
Securing your Digital Transformation – SAP Cloud Secure
Build Secure, Run Secure, Be Secure

Comprehensive Contracts
• Privacy, Security Framework
• Applicable local regulations

Cyber Defense
• Multi Layers of defense
• Holistic: Prevent, Detect, Remediate

Independent Audits
• Service Organization Report
• Certifications

Secure Cloud Model
• Holistic Approach
• Secure Architecture
Thank you.
Contact information:
Lakshmi Hanspal, Chief Security Officer, SAP Ariba Trust Office – lakshmi.hanspal@sap.com, @lakshmihanspal
Joseph Gomez, Business Security Specialist, SAP Ariba Trust Office – joseph.gomez@sap.com
Probability Distribution, binomial distribution, poisson distribution
Deliverable file - Regulatory guideline analysis.pdf
Reconciliation AND MEMORANDUM RECONCILATION
Training And Development of Employee .pdf
How to Get Funding for Your Trucking Business
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
Data mining for business intelligence ch04 sharda
Amazon (Business Studies) management studies
5 Stages of group development guide.pptx
WRN_Investor_Presentation_August 2025.pdf

Securing Your Digital Transformation: Cybersecurity and You

  • 1. PUBLIC March 21, 2017 Lakshmi Hanspal, Chief Security Officer, SAP Ariba Trust Office Joseph Gomez, Business Security Specialist, SAP Ariba Trust Office Securing your Digital Transformation Cybersecurity and You
  • 2. © 2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ Public
    Cloud Security – Perception vs Reality
    Simple Smart Secure
  • 3. Decision makers today have two fundamental choices to address their business need
    Business need: Source globally, digitize collaboration, execute business transactions efficiently
    Choice:
    Networked solution
    • Deploy application in cloud
    • Invite partners to collaborate throughout the process
    • Exchange documents electronically through business network
    • Leverage integrated channels and achieve transparency in invoicing and payments
    Traditional application
    • Deploy application on-premise or in-house
    • Use phone/e-mail/letters/meetings to collaborate
    • Send and receive documents via e-mail/fax/paper/EDI
    • Leverage out-of-band channels for invoicing and payments
  • 4. A network approach is attractive, but companies need to protect their data and their business relationships
    Protect personal data
    • Achieve legal compliance such as fulfilling data protection requirements
    • Ensure information relating to individuals is protected in storage and processing
    Protect trade secrets
    • Store business data safely
    • Transmit transactional data securely
    • Prohibit unauthorized access to data
  • 5. Trust Model for Cloud Providers
    Cloud Providers should leverage a holistic, multi-dimensional approach to establish and maintain state-of-the-art Security and Privacy.
    Dimensions: Technology, Processes, People, Scoping (around Security and Privacy)
    • Securing the software development lifecycle
    • Guarding your data against internal and external risks
    • Access through least privilege/“need-to-know basis”
    • Environment segmentation and demarcation
    • Resiliency as core competency
    • High availability, monitoring and business continuity
  • 6. Protecting Commerce in the Cloud – Build Secure, Run Secure, Be Secure
    Functions: Business Enablement, Ecosystem Security, Operations, Governance, Privacy, Architecture & Engineering
    ─ Data Protection ─ Regulations ─ Incident Response
    ─ Policies and Standards ─ Compliance and Audit ─ Risk Management ─ Training and Awareness
    ─ Vulnerability Management ─ Incident Management and Response ─ Event Correlation ─ Emerging Threats
    ─ Customer Collaterals ─ Contracts and RFPs ─ Trend Analysis
    ─ Application ─ Data ─ Secure Development ─ Pen Testing ─ Solution Integration
    Architecture & Engineering: ─ Solution Architecture ─ Infrastructure and Network ─ Security Engineering ─ Tools Engineering
  • 7. Build Secure Products - SAP Ariba Secure Development Lifecycle
    Ariba’s Secure Software Development holistically integrates secure development principles in accordance with ISO 27034-1.
    Phases 1–7: Design, Code, Package, Integrate, Deploy
  • 8. Build Secure Products - Security Training
    • Information Security Fundamentals
    • Payment Card Industry (PCI-DSS) Basics
    • Secure Programming (OWASP Top 10)
    • Data Protection and Privacy (coming in 2017)
    • Security Expert Curriculum (coming in 2017)
  • 9. Build Secure Products - Software Security Champion Program
    Requirements
    • Minimum 3 to 5 years of software development experience
    • Passion for Security: “Thinks like a Hacker”
    • Willingness to take additional security training
    • Rotation every 6 months between Primary and Backup
    • Role activities should link to 10%–15% of the person’s goals
    Role
    • Enforce the SAP Ariba SDL
    • Become the Static and Dynamic Tools Expert on your team
    • Be the advocate for security within your core development team
    • Conduct Architecture security analysis and Threat modeling sessions
    Responsibilities
    • Attend monthly meetings with larger Sec Champion/Product Security Team
    • Share gained Security knowledge with other Developers
    • Act as the eyes and ears of the Product Security team
  • 10. Run Secure - Security Risk Assessment
    • 3rd Party Vendor review
    • Data privacy impact assessment
    • Product Security Early Engagement Questionnaire
    • Privacy and Legal Review
    • Threat Modeling Activities
    • Product Risk Profile Report
    Deliverables
    • Completed Engagement Questionnaire
    • Completed Privacy Impact Assessment
    • Certification Requirements
    • List of third-party Software
    • List of Applicable Laws and Regulations
    • Business Software Requirements
    • Data Flow Diagrams
    • Threat Modeling Reports
    • Risk Matrix for Threats
    • Risk Mitigation Plan
    • Threat Profile Report
  • 11. Run Secure - Vendor / Sub-Processor Oversight
    Identify: The SAP Ariba Cloud Unit identifies all Vendors or Sub-Processors with access to sensitive personal, business or confidential information via the production environment.
    Evaluate: Vendors and Sub-Processors are assessed by the SAP Ariba Cloud Unit based on potential security threat, data breach or other identified risks to the Cloud Unit arising from their engagement.
    Maintain: Update the list when new Vendors / Sub-Processors are contracted.
    Re-evaluate: Vendors / Sub-Processors are re-evaluated based upon associated risk ratings or at the time of contract renewal.
  • 12. Run Secure - Third Party Risk Assessments
    Security Assessments
    SA01 Has your site been audited by an outside agency (SysTrust, WebTrust, PCI-DSS, SAS-70 Type II, BS7799, ISO or other)? If so, how often do you get audited? Provide audit report(s).
    SA02 Do you perform internal audits? If so, who conducts them and how often? Provide audit report(s).
    Policy and Procedures
    PP01 Does an Information Security Policy/Plan exist? If so, please provide a copy.
    PP02 Who is responsible for maintaining and enforcing this policy/plan?
    PP03 Does an information classification and protection policy exist?
    Physical Security Controls
    PS01 What is the location of the data center?
    PS02 How is access to the building controlled?
    PS03 Are any areas of the building open to the public?
    PS04 Is there a 24x7 guard presence on site?
    PS05 Do surveillance cameras monitor the building entrances and emergency exits?
    PS06 Do surveillance cameras monitor other areas of the data center?
    PS07 Describe the type of surveillance cameras used (CCTV, network cameras, etc.).
    PS08 What type of authentication method is used for access to the building?
    PS09 What type of authentication method is used for access to the data center?
    PS10 Are staff required to wear photo identification badges at all times?
    PS11 Are bags, boxes and other packages inspected prior to being permitted in the facility?
    PS12 What work-around methods exist for access to the buildings in the event the above access methods fail?
    PS13 Are guests/visitors permitted into the data center? If so, what is the procedure for identification and authorization?
    PS14 Are guests/visitors allowed unescorted access to any portion of the building?
    PS15 What other physical security controls are in place for entrance into the data center?
    PS16 Are systems in the data center protected by a cage to prevent unauthorized tampering?
    PS17 Is the building shared with other tenants?
    PS18 What controls are in place for receiving deliveries destined for the data center?
    PS19 What controls are in place for the removal of equipment from the data center?
    PS20 How many personnel have physical access to the systems? Provide role of these individuals.
    Environmental Controls
    EC01 What type of fire suppression is used within the data center?
    EC02 What type of fire detection is used within the data center?
    EC03 How is temperature and humidity monitored and controlled in the data center?
    EC04 Are there redundant power supplies?
    EC05 Are backup generators present to protect against long-term power failure? If so, how long can operations be sustained on backup generators before refueling? Do you have contracts for fuel supply in the event of an emergency?
    EC06 Can building environmental systems be managed remotely?
    Incident Response
    IR01 Is there a Computer Security Incident Response Team (CSIRT) and plan in place?
    IR02 Is the CSIRT plan tested on a regular basis? If so, give the last date the plan was tested.
    IR03 Do you have a policy for customer notification of security incidents? If so, please provide a copy.
    IR04 Describe the process for notifying customers in the event of a security incident.
    IR05 What intrusion detection systems are currently in place?
    IR06 How are alerts received and managed?
    IR07 Have you had any successful attempts to compromise a system? Any failed attempts?
    IR08 How do you currently protect against denial of service attacks?
    IR09 Do you conduct penetration testing of your environment on a regular basis?
    IR10 Are IDS and firewall logs monitored and reviewed? How often? How long are IDS and firewall logs maintained?
  • 13. Run Secure - Third Party Risk Assessments
    Disaster Recovery Controls
    DR01 Is there a disaster recovery plan in place? If so, please provide a copy.
    DR02 What are your procedures for updating the plan?
    DR03 What is the schedule for testing and training on the plan?
    DR04 When was the last drill performed?
    DR05 What critical systems are covered by the plan?
    DR06 What systems are not covered by the plan?
    DR07 What are the procedures for activating the plan?
    DR08 How are inventories of critical systems maintained?
    DR09 Are there formal backup procedures documented?
    DR10 Describe your backup policy.
    DR11 Do you have an offsite storage agreement in place? If so, with whom?
    DR12 Who has access to the backup tapes?
    DR13 Is your site insured? If so, with whom, and describe the coverage.
    Operational Support
    OS01 Do you have 24/7 support? Please describe the escalation path. Is a live person available at all hours?
    OS02 How do you monitor your environment?
    OS03 Describe your policy for delivering post mortem details after an outage.
    OS04 Do you have multiple internet providers?
    OS05 What are the terms of your SLA? How do you measure your performance against it?
    OS06 What are your maintenance windows?
    OS07 Describe your procedures for notifying customers of downtime, both planned and unplanned.
    OS08 Do you support an encrypted interface with your systems like SSL?
    OS09 Do you provide an online management tool for our account?
    OS10 Please describe the technical capabilities of the on call staff.
    Logical Access Controls
    LA01 Please describe your administrative/super user login procedures.
    LA02 How is password security managed?
    LA03 Please describe your password policy. What is the minimum number of characters? What level of complexity is required (letters, numbers, symbols, etc.)? What is the password history? How often must passwords be changed?
    LA04 How are passwords stored and transmitted?
    LA05 How are passwords communicated to users?
    LA06 Do your systems support a lockout mechanism for failed login attempts? If so, please describe.
    LA07 Do you use a 2-factor authentication mechanism? If so, please describe.
    LA08 Is user access controlled by groups or roles? If so, please describe.
    LA09 Do procedures exist to disable access for terminated users?
    LA10 Is there a procedure to periodically audit user accounts?
    LA11 Are changes in user account privileges logged?
    LA12 Do you have separation of duties when it comes to administrative access to your systems?
    Risk Management Controls
    RM01 Is there a documented risk management plan with written procedures?
    RM02 How often are risk assessments performed?
    RM03 Please describe your risk assessment process.
  • 14. Run Secure - Advanced Secure Protocol and Ciphers
  • 15. Run Secure - EU General Data Protection Regulation (GDPR)
    Replaces EU Data Protection Directive (1995) and harmonizes data privacy laws across Europe
    Timeline (2016, 2017, 2018; Jul, Aug, Sep, Oct, Nov, Dec, Q1/Q2): Prep; Analysis & Design; Legal requirements: GDPR implementation; GDPR compliance checks; May 25: GDPR effective
    Implementation
    • Transparency & Accountability (Articles 5, 24, 30)
    • Privacy Impact Assessment (Article 35)
    • Data Inventory (Classification) and Documentation (Data Flow; Encryption, Anonymization, Access control, Edit/Read Log etc.) for products and services processing customer data
    • Gap Analysis, Mitigation and Non-compliance Risk
    • Privacy by Design/Impact Assessment
    • Data Portability (30 days)/Deletion/Retention
    • Data Breach (72 hr) involvement from DPA/EDPB/Individual
    • Sub-processor Process and Inventory (Classification)
    • Privacy Statement and Website (Consent for collecting PII e.g. geo/IP address, non-interactively, Cookie Inventory, Method of Tracking and Messaging)
    • Training and Communications
    • Certification - SSAE 16 SOC 2 Privacy, ISO 27018 (needs 27001)
    Requirement
    • Record of processing activities (Article 30)
    • Data Protection by design and default (Article 25)
    • Special categories - enhancement (Article 9)
    • Automated decision taking and profiling (Article 22)
    • Data subject rights (Articles 15, 17, 20)
    • Data breaches & notification (Articles 33, 34)
    • Using service providers (Article 28)
    • Information notices (Articles 12, 13, 14)
    • Consent (Articles 4, 6, 7, 8, 9)
  • 16. Be Secure - Protecting commerce in the cloud
    Roadmap by quarter, 2016 Q1 through 2018 Q4:
    • Upgrade Legacy to SHA-2 compliance – Q1 2017
    • Advanced Front Door – Customer Adoption
    • Ariba Network Encryption – Q2 2017
    • Key Management – Software Vault – Q3 2017
    • Q2 2016 / Q4 2016: Upstream Data Encryption, Downstream Data Encryption, Customer Adoption (Q4 2016)
    • Customer Adoption
    • Key Management – Hardware Vault (HSM) – Q4 2017
  • 17. Be Secure - Effective Risk Management
    Information security needs to be a continuously operating management system:
    • Corporate decisions on how risk must be managed (strategy, principles, policies, standards etc.);
    • Knowing how much risk the organization is willing to accept (risk tolerance/appetite);
    • An understanding of who accepts risk on behalf of the organization (understanding and adherence);
    • A method or process to understand the risk and how to deal with it (risk assessments, risk treatment);
    • Knowing what needs to be protected (inventory, information classification);
    • A method to effectively communicate responsibilities and obligations (escalate risks and decisions);
    • A comprehensive and balanced set of requirements;
    • A method and process for managing everyone’s expectations (sign off); and
    • A common framework to put it all together.
  • 18. Be Secure – Risk Categories and Controls
    Risk categories: Data Breach; Policy & Compliance; Third Party; App Compromise; Cyber Attacks; Infrastructure Breach
    Controls by category:
    • Infrastructure Breach: Physical Security; Access Management; Configuration Management; Patching; Asset Management
    • App Compromise: SDLC; Penetration Testing; Encryption Between Tiers
    • Policy & Compliance: Audit Findings; Policy/Procedure Adherence/Gaps; Policy Exceptions; Training and Awareness
    • Third Party: Sub-Proc. Data Center Audit Findings; Third Party MDPA/DPQ Outliers; Third Party Information System Security Review Outliers
    • Data Breach: Encryption (Disk, Application); Access Control; Data Leakage Protection (DLP); Deletion
    • Cyber Attacks: SIEM/Event Detection; Vulnerability Assessment/Scans; Threat Intel; Containment Capability; Event Response
  • 19. Be Secure – Building assurance via attestation
    Foundation – Code of Practice: ISO 27002
    Privacy – Data Protection: Safe Harbor, BS 10012; Data Privacy: BDSG, EU Directive 95/46/EC, GDPR
    Security Best Practice:
    • Service Delivery: ISO 20000
    • Business Continuity: ISO 22300
    • Application Security: ISO 27034, OWASP
    • Hardening Guidelines: CIS, RAPID7, SANS, ISO, CERT, NIST
    • Quality Management: ISO 9000, ISO 25010
    • Destruction of Media: ISO 27040
    • Incident Management: ISO 27035
    Certification: ISO 22301, ISO 9001, ISO 27001, ISO 27018
    Operations and Compliance (including IP): SOC 2, SOC 3 (AT 101 / ISAE 3000), IRAP
    Financial Controls: SOX, SOC 1 (SSAE16 / ISAE 3402), PCI
    Transparency
  • 20. Be Secure - Protecting Customer Personal and Business Data
    Management Commitment
    • Management accountable for committing (time, effort, funding, resources, etc.) to data protection
    • Management is accountable to select controls based on risk acceptance and enforce those controls within the organisation
    Compliance and Legal Requirements
    • Demonstrate pro-active compliance with regulators
    • Common framework for other standards, regulatory requirements
    • Reduced liability risk
    Building and Maintaining Trust
    • Validate security and privacy practices and provide confidence in the use of third parties
    • Approach is consistent with other cloud companies
    • Increase awareness of Data Protection within the organisation
    • Appropriate protection of cloud assets
    • Efficiencies gained through repeatable processes for compliance monitoring; effectiveness of controls measured and reported; continual improvement
  • 21. Protecting Customer Data - How can you help?
    In case:
    • You accidentally send your data to the wrong recipient
    • Your coworker notifies you of emailing sensitive data to the wrong recipient
    • You notice a security issue in an application that may expose your data to others
    • You are not sure if there is a security issue, but believe there could be one
    Then:
    • Contact ARIBA.SECOPS@SAP.COM with the relevant information IMMEDIATELY. We may be contractually bound to report incidents to appropriate parties and timing is critical.
  • 22. Securing your Digital Transformation
    SAP Cloud Secure: Build Secure, Run Secure, Be Secure
    Comprehensive Contracts: Privacy, Security Framework; Applicable local regulations
    Cyber Defense: Multi Layers of defense; Holistic: Prevent, Detect, Remediate
    Independent Audits: Service Organization Report; Certifications
    Secure Cloud Model: Holistic Approach; Secure Architecture
  • 23. Please complete session survey: Locate Session; Click Surveys Button; Select Breakout Survey; Rate Session
  • 24. Thank you.
    Contact information:
    Lakshmi Hanspal, Chief Security Officer, SAP Ariba Trust Office – lakshmi.hanspal@sap.com, @lakshmihanspal
    Joseph Gomez, Business Security Specialist, SAP Ariba Trust Office – joseph.gomez@sap.com
  • 25. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions. 
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. © 2017 SAP SE or an SAP affiliate company. All rights reserved.