#askSAP GRC Innovations Community Call: Cybersecurity Risk and Governance

June 15, 2016 #askSAP GRC Innovations Community Call: Cybersecurity Risk and Governance

Transcript of #askSAP GRC Innovations Community Call: Cybersecurity Risk and Governance

Page 1

June 15, 2016

#askSAP GRC Innovations Community Call: Cybersecurity Risk and Governance

Page 2

© 2016 SAP SE or an SAP affiliate company. All rights reserved.

Legal disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

Page 3

SAP GRC Innovations Community Call Series

• Webcast series for the GRC community hosted by SAP Analytics (view replays: http://bit.ly/askSAP_Playlist)

• An opportunity for you to direct the discussion, get your questions answered, and end the session with some useful advice

• Live and interactive 90 minutes

• Connect on topics before, during, and after the call via Twitter using #askSAP

Page 4

Speakers

Michael Golz, CIO Americas, SAP (@MikeGolz)

Kevin McCollom, Group Vice President, SAP Solutions for Governance, Risk and Compliance (@SAPTradeGeek)

Erin Hughes, Head of Marketing, Greenlight Technologies (@greenlight_corp)

Page 5

Agenda

Welcome

Gain an understanding of the state of cybersecurity threats and evolving security perspectives

Get a preview of SAP’s security strategy

Poll Question

Q&A

Get a closer look at SAP’s perspective on cyber risk and governance and business application security

Solutions Overview

Poll Question

Q&A

Demo

Customer case study

Final Q&A

Resources and Closing

Page 6

The state of cybersecurity

Page 7

Defining security risk

Companies can think of the security risks to their business as the product of four key components, all related to one of a company’s most important assets: its data.

• Dramatic increase in value of data: $2.8 trillion GDP increase from online data flows

• Exponential volume of data: 521,000 PB of data storage capacity to be shipped by 2020

• Increasing vulnerability of endpoints: 21 billion new devices connected by 2020

• Greater proliferation of attackers: 65 percent of companies surveyed experienced more Advanced Persistent Threats (APT) / targeted attacks

Page 8

Growth of data breaches

World’s biggest data breaches, 2004 to 2016 (chart): http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 9

The age of digital business

Diagram labels: Digital Core (SAP® S/4HANA); Customer Experience Omni-Channels; Workforce Engagement; Big Data & Internet of Things; Supplier Collaboration; Business Networks.

Cybersecurity is a critical element in the digital transformation journey:

1. Customers and employees are hyper-connected, always on, with seamless access anywhere and anytime

2. Cloud and hybrid cloud environments have become the norm, challenging traditional “protect the four walls” security approaches

3. Digitally connected supply chains are based on high trust and availability of all parties

4. The Internet of Things and Big Data bring unprecedented data streams and volumes

5. Confidentiality, integrity and availability of data and systems are the basis for secure operations and trusted relationships

Transactions and data must be secured throughout the entire end-to-end business process.

Page 10

Cybersecurity is a top-of-mind boardroom discussion

• Are external as well as internal threats being addressed?

• Are gaps identified and addressed?

• Do we have sufficient visibility into the real threat?

• How would a breach impact the ability of the business to perform?

• Do we have the right risk-based approach to management and oversight?

Page 11

Evolving security perspectives

Page 12

Evolving security perspectives

Historical IT security perspectives versus today’s leading cybersecurity insights:

Scope of the challenge
Historical: Limited to your “four walls” and extended to the enterprise
Today: Spans your interconnected global and business ecosystem

Ownership and accountability
Historical: IT led and operated
Today: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics
Historical: One-off and opportunistic; motivated by notoriety, technical challenge and individual gain
Today: Organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection
Historical: One-size-fits-all approach
Today: Prioritize and protect the “crown jewels”

Defense posture
Historical: Protect the perimeter; respond if attacked
Today: Protect the application and data; plan for a breach, monitor and rapidly respond

Security intelligence and information sharing
Historical: Keep to yourself
Today: Public/private partnerships; collaboration with industry working groups

Page 13

Shifts in approach to security and spending (chart)

*IDC Future of Security Survey – Preliminary Results, sponsored by SAP, May 2016

Page 14

Next-generation Security

Cybersecurity innovations:

• 360-degree correlation analytics across network, endpoints, applications, and data

• Real-time incident response and forensics to accelerate detection, limiting threat impact

• Next-generation context- and application-aware firewalls to enhance both protection and performance

• Deep learning powered cybersecurity analytics able to respond to threats in an adaptive manner

Page 15

Next-generation Security

Page 16

SAP security strategy

Page 17

SAP security vision

• Defendable Application: identify and prevent attacks from within the application

• Zero Knowledge: ability to store data in the cloud and protect it from outside control

• Zero Vulnerability: minimize vulnerability to ensure maximum protection

• Security by Default: building security into the product right from the start

• Transparency: full and pro-active transparency for the customer

“SAP is in the business of securing our customer’s business” – Justin Somaini, Chief Security Officer (CSO)

Page 18

SAP security strategy

Secure Products and Services

• Driving security into the core of the application and services to provide depth of visibility and control

Security Ecosystem Integration

• Enabling our customers to integrate SAP into their security ecosystem

SAP’s Security DNA

• Leveraging SAP’s long-standing expertise in Analytics and Business Process Management to help solve customers’ security challenges

“SAP is in the business of securing our customer’s business” – Justin Somaini, Chief Security Officer (CSO)

Page 19

SAP secure software development lifecycle

At the core of SAP’s development processes is a comprehensive security strategy based on three pillars: Prevent > Detect > React

The secure software development lifecycle (secure SDL) is a risk-based approach which uses threat modeling.

ISO 27034 compliance, ISO 9001 certifications

More information: http://go.sap.com/solution/platform-technology/security.html

Page 20

Security is a shared responsibility

• Monitor configuration changes

• Check custom code

• Consistently apply patches and updates

• Review RFC connections and interfaces

• Monitor logs for anomalies and attacks

• Review critical access and relevant transactions

• Govern access and manage identities

• Protect data inside / outside the application

• Ensure appropriate policies and training

Life cycle of the application:

1. Installation, configuration, customization

2. System access, remote and mobile

3. Patches and updates

4. Upgrades and interfaces

Page 21

POLL QUESTION #1

How is the security topic currently viewed within your organization?

a) Top of mind – sense of urgency

b) One of many strategic risks to manage

c) Some focus but not considered strategic

Page 22

Q&A

Page 23

Cyber risk and governance; business application security

Page 24

Consider what SAP can do to help you strengthen your:

• Cyber risk and governance

• Business application security

Help protect trade secrets, intellectual property, financials, and personal data

Page 25

Cyber risk and governance

• What should we be doing?

• What are the gaps compared to what we’re doing today?

• Are our cybersecurity practices effective?

• How do we communicate our vision and status with stakeholders?

• How do we benchmark against best practices, frameworks, and regulations?

• Are our security processes centralized and simplified?

• What emerging threats are we not considering today?

• Where should we be investing further in security?

• Are we able to detect breaches in a timely manner?

• Are our security policies effective?

• Is access secured?

• Is our custom code secure?

• Where are our critical business processes exposed?

• How protected are our high-value assets?

• Are we meeting our KPIs?

Page 26

Business application security

• How do we efficiently support user onboarding and offboarding?

• Do we enable our end users for self-service?

• How do we manage the identities for our customers and partners?

• How do we engage in new business models, yet protect our IP?

• How do we prevent loss and leakage of our critical data?

• Can we enforce our data and file sharing policies?

• How do we ensure that users have the appropriate system assignments?

• How do we apply business rules and processes?

• Do we have the appropriate auditing and reporting for our business applications?

• Can we detect anomalies and possible security issues?

• Can the security team respond quickly to stop the attack?

• Are we managing users across our processes?

• How do we share information and data securely?

• Are the right users involved in critical business processes?

• Can we detect security issues and anomalies in our system?

Page 27

Solutions overview

Page 28

Solutions for GRC and security from SAP: cybersecurity risk and governance

Cyber risk and governance: identify and manage risks, regulations and policies to minimize potential business impact

• SAP Regulation Management by Greenlight, cyber governance edition

• SAP Audit Management

• SAP Process Control

• SAP Risk Management

• Manage cyber-related regulatory requirements and align with internal controls

• Document and monitor security risks as part of the enterprise risk management program

• Continuously monitor critical security configuration

• Establish security policies

• Test adherence and understanding

• Document and test response and recovery plan

• Audit the security program to provide independent assurance

Page 29

Solutions for GRC and security from SAP: business application security

Business application security: protect data, manage access, and detect threats

• SAP Dynamic Authorization Management by NextLabs

• SAP Enterprise Threat Detection

• SAP Access Control

• SAP Single Sign-On

• SAP Identity Management

• Monitor business applications for anomalies and attacks

• Integrate with existing security infrastructure

• Protect data with fine-grained access and data protection

• Analyze access risk, define roles, support emergency access

• Manage identities and administer users, employees, and customers across business applications

Page 30

Solutions for GRC and security from SAP

• Leverage Standard Functionality: SAP secure functionality

• Manage Software Updates: security patches and updates

• Analyze Custom Code: focused on custom code; SAP Fortify by HPE; SAP NetWeaver Application Server, add-on for code vulnerability analysis

• SAP Services: security services by SAP; find and fix unknown vulnerabilities

Page 31

Secure Digital Business Transformation

Governance, Risk & Compliance portfolio: SAP Access Control, SAP Process Control, SAP Risk Management, SAP Audit Management, SAP Fraud Management, SAP Identity Analytics, SAP Business Partner Screening, SAP Global Trade Services, SAP Electronic Invoicing for Brazil

Security and Threat Intelligence: SAP Identity Management, SAP Cloud Identity service, SAP Single Sign-On, SAP Enterprise Threat Detection, SAP Code Vulnerability Analysis, SAP Fortify by HP

GRC Solution Extensions: SAP Access Violation Management by Greenlight, SAP Regulation Management by Greenlight (cyber governance solution), SAP Dynamic Authorization Management by NextLabs, SAP Technical Data Export Compliance application by NextLabs

Page 32

POLL QUESTION #2

Which of the following SAP offerings were you most familiar with prior to today’s conversation?

a) SAP’s solutions related to traditional access management

b) SAP’s solution extensions

c) SAP’s solutions related to Identity Management and Single Sign On

d) SAP standard functionality to support security

e) I wasn’t really familiar with any of these areas

Page 33

Q&A

Page 34

Demo

Pages 35 to 43: demo (slides contain no text)

Page 44

Case study

Page 45

Improving Security Governance with Regulation Management

Diagram labels: Regulatory Intelligence (applicable to orgs); Multiple regulations; Regulatory changes feeds & surveillance; New & Changing Regulations; Requirement Interpretation, Cataloguing; Prioritization, Impact Analysis; Internal Control Design, Financial or Operational Risk Mapping; Collect Evidence, Assess Financial Impact of Risk & Non-Compliance; Monitoring and Reporting; Governance Dashboards and reports; External Reporting and “In Control”; monitored sources: Database, Windows, LDAP.

Monitor Regulations

• Monitor GMP, Privacy, & Cybersecurity external requirements (300+)

Baseline Regulations

• Life Sciences & Pharma: FDA, ISO/IEC 27000, IEC/TR 62443 and 80001, NERC CIP, SEC, GSA, DHHS and OIG, USDA, EPA, ICH, Europa, FCC, COSO, FTC, Eudralex, EFPIA, PhRMA, EMEA, EFSA, ABPI, MHRA, Health Canada, DHAC of Australia, TGA

Catalog Requirements

• CGMP – Current Good Manufacturing Guidelines

• Cybersecurity – Cybersecurity Standards

Define & Reuse Controls mapped to Risks

• CSC4005 – Ensure all Windows registry entries are consistent across the domain. Identify and configure key registry entries and monitor for any changes to those registry entries

• CNC195 – Windows server vulnerabilities are checked on a regular basis. Exception reporting to alert administrators

• PM200 – Password policy across Oracle databases is consistent and enforced

Collect & Report

• Regulatory Intelligence on changes to regulatory requirements and surveillance

• Exception reporting on automated controls
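The case study above names three automated controls (CSC4005, CNC195, PM200) and exception reporting on them. The Python below is an added example, not Greenlight's or SAP's code, showing how such control checks and a per-control exception report can be expressed; the host names, registry paths, scan dates and policy values are constructed sample data.

```python
"""Automated checks with exception reporting for the three controls the case
study names: CSC4005 (registry entries consistent across the domain), CNC195
(server vulnerabilities checked regularly), PM200 (consistent Oracle password
policy). Added example, not Greenlight/SAP code; all sample data is constructed."""
from datetime import date, timedelta

# CSC4005 baseline: placeholder registry paths, not real hardening settings.
KEY_LOGLEVEL = r"HKLM\SOFTWARE\ExampleCorp\Audit\LogLevel"
KEY_FORWARD = r"HKLM\SOFTWARE\ExampleCorp\Audit\ForwardEvents"
REGISTRY_BASELINE = {KEY_LOGLEVEL: 2, KEY_FORWARD: 1}

# PM200 reference: Oracle profile parameters every database must match (illustrative values).
PASSWORD_POLICY_REFERENCE = {"PASSWORD_LIFE_TIME": 90, "FAILED_LOGIN_ATTEMPTS": 5}
CONTROLS = ("CSC4005", "CNC195", "PM200")

def check_registry(baseline, observed):
    """CSC4005: one exception per host and key that is missing or differs."""
    return [{"control": "CSC4005", "host": host, "key": key,
             "expected": expected, "actual": entries.get(key)}
            for host, entries in sorted(observed.items())
            for key, expected in baseline.items()
            if entries.get(key) != expected]

def check_scan_recency(last_scan, today, max_age_days=30):
    """CNC195: hosts never scanned, or scanned more than max_age_days ago."""
    return [{"control": "CNC195", "host": host, "last_scan": scanned}
            for host, scanned in sorted(last_scan.items())
            if scanned is None or today - scanned > timedelta(days=max_age_days)]

def check_password_policy(reference, observed):
    """PM200: profile parameters on any database that deviate from the reference."""
    return [{"control": "PM200", "db": db, "param": param,
             "expected": expected, "actual": profile.get(param)}
            for db, profile in sorted(observed.items())
            for param, expected in reference.items()
            if profile.get(param) != expected]

def exception_report(registry_obs, scan_obs, policy_obs, today):
    """Collect & Report: a control passes only when it raised zero exceptions."""
    findings = (check_registry(REGISTRY_BASELINE, registry_obs)
                + check_scan_recency(scan_obs, today)
                + check_password_policy(PASSWORD_POLICY_REFERENCE, policy_obs))
    report = {c: {"status": "PASS", "exceptions": []} for c in CONTROLS}
    for finding in findings:
        report[finding["control"]]["status"] = "FAIL"
        report[finding["control"]]["exceptions"].append(finding)
    return report

# Constructed observations, as a collector would return them per host/database.
SAMPLE_REGISTRY = {
    "srv01": {KEY_LOGLEVEL: 2, KEY_FORWARD: 1},  # compliant
    "srv02": {KEY_LOGLEVEL: 1, KEY_FORWARD: 1},  # drifted value
    "srv03": {KEY_LOGLEVEL: 2},                  # entry missing
}
SAMPLE_SCANS = {"srv01": date(2016, 6, 1), "srv02": date(2016, 3, 15), "srv03": None}
SAMPLE_POLICIES = {
    "orcl_prod": {"PASSWORD_LIFE_TIME": 90, "FAILED_LOGIN_ATTEMPTS": 5},
    "orcl_dev": {"PASSWORD_LIFE_TIME": 180, "FAILED_LOGIN_ATTEMPTS": 5},
}

def sample_report():
    """Run all three checks over the constructed data as of the call date."""
    return exception_report(SAMPLE_REGISTRY, SAMPLE_SCANS, SAMPLE_POLICIES,
                            date(2016, 6, 15))

if __name__ == "__main__":
    for control, result in sample_report().items():
        print(control, result["status"], len(result["exceptions"]), "exception(s)")
```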

Page 46

Final Q&A

Page 47

Resources

Page 48

Need more information on SAP HANA security?

Read the SAP HANA security whitepaper! Want to know more? Check out the SAP HANA security page: http://hana.sap.com/security

Page 49

Security patches

Keep up to date by installing the latest security patches and monitoring SAP security notes.

Security improvements and corrections ship with SAP HANA revisions:

• Current SAP HANA version: SAP HANA SPS11, revisions 11x

• Installed using SAP HANA’s lifecycle management tools

• See also SAP Note 2021789 – SAP HANA revision and maintenance strategy

SAP security notes contain further information:

• Affected SAP HANA application areas and specific measures that protect against the exploitation of potential weaknesses

• Released as part of the monthly SAP Security Patch Day

• See also http://support.sap.com/securitynotes and SAP Security Notes – Frequently asked questions

Operating system patches are provided by the respective vendors (SUSE, Red Hat).

Page 50

Security services by SAP

SAP offers a wide range of security tools and services to ensure the smooth operation of your SAP solution by taking action proactively, before security issues occur.

More information:

• SAP Support Portal - EarlyWatch Alert

• SAP Security Optimization Services

Page 51

Solutions for GRC and security from SAP

• SAP Access Control - Product page

• SAP Process Control - Product page

• SAP Risk Management - Product page

• SAP Audit Management - Product page

• SAP Identity Management - Product page

• SAP Single Sign-On - Product page

• SAP Enterprise Threat Detection - Product page

• SAP Regulation Management by Greenlight, cyber governance edition - Product page

• SAP Dynamic Authorization Management by NextLabs - Product page

Page 52

Thank you