18. How do you ensure that no unauthorized access to customer data is possible for the cloud admins?
- By default, access to the customer's business client (customer-managed) is not permitted for SAP cloud admins unless explicitly authorized and granted by the customer. The customer owns the customer data. Cloud admins only have access to Client 000. In order for an SAP cloud admin to access Client 000, the following controls must be in place:
  - HTTPS and VPN connections are encrypted
  - Strong authentication is enforced
  - Terminal servers are utilized
  - Jump hosts are used
  - Session recording
  - SAP SIEM monitors all sessions
  - DLP (Data Loss Prevention) technology is in place.
- In SAP S/4HANA, both read access logs and change audit logs play an essential role in maintaining transparency and ensuring data security. These logs allow customers to track and monitor user activities within the system, helping to identify any unauthorized access or potential security risks.
19. How do you protect against lateral movement?
- By default, all administrative ports are blocked between the systems. The only way an administrator can open a new session is from the jump host area (admin plane). In addition, our Endpoint Detection & Response (EDR) tool runs specific detections according to our playbooks, which are tightly integrated into our SIEM/SOAR tools.

20. How do you protect against malware?
- SAP cloud operations employs several security measures to protect against malware, which include, among others:
  - Endpoint & Server Protection - Endpoint Security, Detection & Response (EDR), Malware Protection, Secure Boot
  - Backup and Restore - Regular Automated Backups and Encryption of Backups
  - Periodic patching of all infrastructure, applications, and databases
  - Security Awareness Training on Phishing, Awareness, Simulated Testing
  - Network Segregation to reduce the attack surface
  - Network security controls such as Dedicated Network Connection, WAF, Security Groups, Load Balancers
  - Threat Intelligence and Continuous Security Monitoring
  - Internet Proxy and DNS Security
  - Periodic Testing

21. How do you protect against ransomware?
- The threat of ransomware continues to grow for larger organizations all over the world. To mitigate this threat, SAP Enterprise Cloud Services helps ensure that key actions, best practices, and controls are in place in your private cloud. These controls are split into three main categories: preventive, detective, and reactive. For further details, please refer to the “Mitigate the Threat of Ransomware to Business-Critical SAP Applications” whitepaper.

22. If data is corrupted, or in any other such scenario, how is the system SLA offered?
- To ensure the highest level of system availability and data protection, SAP offers a comprehensive Service Level Agreement (SLA) that covers the end-to-end stack, including the infrastructure, operating system, database, and application layers. The standard System Availability SLA is 99.7%.
- While SAP is responsible for maintaining system availability and protecting the data at the infrastructure, operating system, and database levels, it is important to note that the logical integrity of the data falls under the responsibility of the customer. SAP's availability SLA provides customers with a reliable, secure, and consistent environment for their data and applications, while the customer ensures the logical integrity of the data as it is processed within the applications.

23. What are the shared services involved in managing RISE, and what are the common elements with respect to security and data privacy?
- S/4HANA Cloud, private edition is a private cloud solution in which all application and database instances, as well as the underlying infrastructure components, are exclusively dedicated to a specific customer. For each customer, SAP utilizes a dedicated Virtual Private Cloud (VPC) within a Hyperscaler.
- The management plane, however, is shared among all customers and connected via SAP Admin VPCs.

24. Where can I find the roles and responsibilities pertaining to SAP S/4HANA Cloud, private edition?
- The RISE roles and responsibilities document, which is part of the contract, describes the regular operational tasks in cloud delivery; the security aspect is mostly implicit in all of the tasks that SAP performs under its responsibility. Major security operational topics are implemented and managed globally across all cloud solutions offered by SAP. Hence such tasks are not explicitly called out in product-specific roles & responsibilities documents.

25. What security certifications, audited by external third-party auditors, are maintained for SAP S/4HANA Cloud, private edition?
- SAP S/4HANA Cloud, private edition maintains the following certifications:
  - ISO 27001, ISO 27017, ISO 27018
  - ISO 9001 Quality Management Systems
  - BS 10012 Personal Information Management
  - ISO 22301 Certification for Business Continuity Management Systems
  - SOC 1 Type 2
  - SOC 2 Type 2

26. What are the broad security responsibilities for customers in SAP S/4HANA Cloud, private edition?
- The customer is responsible for managing configuration, implementation, integration, monitoring, and application support, among other tasks, at the application level:
  - Dedicated private connectivity to the Hyperscale provider
  - Application user identity management
  - Management of authentication and authorization for application users
  - Definition of user roles, groups, and access control
  - Customer data ownership
  - Compliance with government and industry regulations
  - Application security audit logging
  - Integration and extension support, including custom application development
  - Configuration of customer business processes
  - Application change management

27. What are the broad security responsibilities of SAP as a cloud service provider?
- Managing detective, protective, and remediation controls on cloud accounts
- Resilient platform architecture (HA and DR)
- Single-tenanted landscape
- Managed backup and restore
- Building secure virtual machines, operating systems, networking, and HANA database
- HANA DB management
- Technical Managed Services (R&R Link)
- Operational security and managing security incidents
- 24x7 security monitoring
- Personal data breach notification
- SLA and support services
- Threat management & patch management

28. How do I raise a support or security incident ticket with SAP?

29. How does SAP provide security assurance?
- The SAP Data Processing Agreement is designed to comply with local data privacy regulations worldwide, incorporating technical and organizational measures to safeguard personal data.
- SOC reports and ISO certifications offer independent proof of security, availability, confidentiality, and privacy. SAP products are evaluated against globally recognized standards, and platform hardening is implemented.
- An integrated management system ensures information security, data protection, and service delivery. A comprehensive security architecture covers applications and processing systems.

30. Can customers perform vulnerability and penetration testing?
- Yes. Customers can request to perform VAPT at the application layer only, and this can be performed only with due approval and authorization by SAP. For details, please refer to the corresponding SAP Note.

31. Security Patch Management
- SAP ECS performs OS/DB security patching regularly. For Technical Basis Security Patch Management, SAP examines the available patches and creates deployment bundles, which are subjected to testing before their release. As stipulated in the contract, customers must initiate requests for security patches and permit downtimes during the Maintenance Period. The Service Request for patch requests should be submitted via the Customer Dashboard.

32. What other contractual assurances related to cloud services may be applicable?
- Service Level Agreement: Defines the cloud service specific system availability, uptime, update windows, credits, and others
- SAP Data Processing Agreement: The obligations and restrictions of SAP and its sub-processors when processing Personal Data in the provision of the Cloud Service, including:
  - Description of Processing
  - Technical and Organisational Measures (TOMs)
- General Terms and Conditions: The essential legal terms that apply to the Cloud Service
- Cloud Support Policy: The service specific scope of support and success offerings
- Cloud Service Supplemental Terms and Conditions: The service specific legal terms that apply to the Cloud Service

33. Do you maintain a Cyber SOC operating 24x7?
- Yes, the SAP Security Operations Centre (SOC) operates 24x7 following one global process.
- SAP maintains playbooks for common security incidents, for example phishing, malware/virus outbreak, privilege escalation, improper usage, unauthorised access, unauthorised disclosure, data deletion, and data theft.
- SAP Security Operations maintains these playbooks and ensures all operations staff are trained in the execution of incident response procedures.
- Incident response teams follow standard incident response procedures, including detection, analysis, containment, eradication, recovery, and post-incident analysis.

34. What logs are made available to customers?
- SAP provides Application Security Audit Logs, which customers can fully access.
- SAP collects and centrally manages infrastructure logs for shared infrastructure layers such as firewalls, load balancers, proxies, application servers, and databases.
- SAP performs event correlation across all log events to detect and remediate security incidents, working in tandem with customers.
- SAP can provide near-real-time, customer-specific OS/DB logs to the customer's log server or SIEM via the “LogServ” additional service.

35. How is customer data returned to the customer upon contract expiry or termination?
- Customers have the option to obtain a system export or a copy of the native database backup, which can be restored on their own Hyperscale platforms. Additionally, customers can export SAP data from the SAP application using tools provided by SAP or our partners. Please refer to the relevant SAP contractual assurance for details.