Built-In Protection with SAP Cloud Platform
by Annette Fuchs, SAP
Businesses face data security threats every day, and stories about data breaches, service disruptions, and theft of personal data such as Social Security numbers, birthdates, addresses, and credit card information appear constantly in the news. A recent study by the Ponemon Institute surveyed 419 companies in more than 13 countries and found that almost half of these incidents are caused by malicious or criminal attacks, with the rest distributed between system glitches and human errors. The study also shows that some companies are better prepared to deal with such incidents than others.
So why are some companies better prepared? Do they have more accomplished programmers? Are their security measures better? Are they less often subject to attacks? In many cases, the answer is that better-prepared companies use a balanced combination of regulatory compliance and security technology. This article explains how SAP Cloud Platform provides this balanced combination to SAP customers.
However, before diving into the details of how SAP Cloud Platform ensures the protection of sensitive data, it’s important to understand the meaning of the terms “compliance” and “security” and how they work together to provide comprehensive data security.
Understanding Compliance Versus Security
Security and compliance are frequent topics of conversation, particularly in organizations with a digital business model, and the two terms are often used synonymously. However, while they are closely intertwined — and while requirements for both can be formally tested and certified against international and national standards — they do differ. Let’s take a closer look.
What Is Compliance?
In general, “compliance” refers to conformity with legal and regulatory requirements, industry standards, and best practices. Its aim is to comply with existing laws and guidelines, adhere to voluntarily established codes of conduct, introduce measures to observe specific rules, and by this, avoid rule violations and any accompanying penalties or prosecution.
The overall goals of being compliant can be placed in six categories:
- Protection means guarding a company’s reputation, tangible and intangible assets, and people (employees and customers).
- Counseling refers to best practices about what to do and how to do it.
- Information refers to a transparent reporting system that provides insight into how well the recommended actions have been implemented.
- Quality assurance and innovation deal with proper quality assurance to deliver products that meet their functional requirements. Adhering to regulations and standards ensures your innovations are resilient and reliable.
- Monitoring and surveillance are used to ensure that employees have the right to take an action and that they are performing that action properly according to regulations, laws, and standards. It is almost more important to have monitoring in place that can detect abnormal behavior, or any unexpected or unknown patterns.
- Marketing refers to the perception of your organization in the marketplace. Being compliant is a source of transparency and proof for customers, employees, and the general public that your company is working in a way that adheres to existing laws and best practices.
What Is Security?
In the context of securing information, “security” refers to sound security systems that help protect information from threats by controlling how the information is used, consumed, and provided.
The overall goals of information security can be placed in seven categories:
- Confidentiality is keeping secrets secret. This is achieved by encryption for data at rest and in transit, and physical and technical access control.
- Integrity refers to the accuracy and reliability of information and systems. Hardware, software, and communication mechanisms must work together to maintain and process data correctly, and to move data to intended destinations without unexpected alteration.
- Availability ensures reliable and timely access to data and resources to authorized individuals. Hardware and applications should recover from disruptions in a secure and quick manner so that productivity is not negatively affected.
- Authenticity is to reliably verify the genuineness of a message, a recipient, or a sender.
- Imputability is the ability to reliably assign interactions to specific instances or individuals.
- Non-reputability refers to associating actions or changes to a unique individual in a way that the individual is not able to deny the action.
- Reliability is the ability of an entity to perform a necessary function for a specified period under defined conditions.
Some might say that only the first three categories — confidentiality, integrity, and availability — are crucial to information security. While these are certainly core attributes when it comes to information security, authenticity, imputability, non-reputability, and reliability are arguably just as important — particularly when you are running systems or storing data on hosted systems or in the cloud.
The Connection Between Compliance and Security
So how do compliance and security interconnect? Comprehensive data security requires both: One without the other is insufficient. A company that is compliant but does not have a sound security framework or system cannot defend against security attacks or disruptive incidents. And a company with a sound security system but no compliance controls will miss some security considerations — but this scenario at least provides some amount of protection. For this reason, it’s best to start by designing and implementing a security system that fits your company’s needs, which includes identifying what needs to be protected so that you have some protections in place while you then implement controls to verify that system against compliance criteria.
Figure 1 shows an example of resources that typically need protection within an organization. Every enterprise is different, with unique needs and individual goals. A thorough analysis of protection requirements is necessary to design a security system that takes into account the goals and critical information that must be protected within an enterprise.
Once the protection requirements have been identified, the next step is to carry out a risk analysis. The risk analysis can be considered a connecting element between the security system and compliance controls. Based on the risk analysis, the scope for the compliance goals can be set. It is a good practice to start with a small scope to see if the security system has been designed and implemented properly, and then enlarge it within a continuous improvement approach.
In summary, you need a security system to protect your information, and compliance controls to check whether your security system is properly implemented and working. Compliance can be seen as a snapshot of how your security system meets your security requirements — which are derived from the risk analysis — at a given moment in time. Being compliant helps to minimize your company’s risks and increases the effectiveness and efficiency of your overall security framework, as your security system and compliance controls are continuously aligned and revised to match company goals.
Secure Data Protection with SAP Cloud Platform
Now that you have a foundational understanding of the distinctions and interconnectivity between security and compliance, let’s see how these two concepts come together in SAP Cloud Platform to provide comprehensive data protection.
SAP Cloud Platform is SAP’s platform-as-a-service (PaaS) offering for creating new applications or extending existing applications in a secure cloud computing environment (see Figure 2). Comprehensive application development services and capabilities allow businesses to collect, manage, analyze, and leverage information of all types; to extend and connect to business systems; and to innovate new edge scenarios that enable businesses to continuously adapt and advance. From a security governance perspective, SAP Cloud Platform is embedded within the corporate SAP security framework, which consists of a comprehensive set of security policies, standards, guidelines, and controls to which all SAP products are obliged to adhere.1
SAP Cloud Platform offers a variety of security functionality and products, many of which have been covered in previous SAPinsider articles. In addition, to ensure that SAP Cloud Platform meets customer security needs and that security is properly implemented on all levels, SAP Cloud Platform includes a specific Information Security Management System (ISMS), undergoes thorough risk analysis, and follows a regular compliance cycle. During this cycle, adherence to the standards against which SAP Cloud Platform is certified is examined and tested.
Let’s look at some of the key international and national certifications with which SAP Cloud Platform complies or is working to comply, including International Organization for Standardization (ISO) certifications for systems management, Service Organization Controls (SOC) for US-based auditing, International Standard on Assurance Engagements (ISAE) regulations for European auditing, and Information Security Registered Assessors Program (IRAP) certifications for Australian government data (see the sidebar “Securing Information Through Standardization” for more on some of the different types of standards relevant to information security).
International Certifications: ISO
As a basis for all its certifications, SAP Cloud Platform implemented an ISMS according to ISO 27001. The ISO 27001 standard specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of an organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The ISMS for SAP Cloud Platform extends and complements SAP’s corporate ISMS to cover SAP Cloud Platform-specific protection needs, such as service level agreements, or confidentiality and integrity of customer data. The ISMS for SAP Cloud Platform defines the scope, objectives, and targeted entities at which the system is aimed.
ISO 22301 is the standard for setting up and managing an effective Business Continuity Management System (BCMS). It specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise, such as earthquakes, floods, pandemics, and terrorist attacks. The goal of these requirements is to be able to return to normal operations in a planned and controlled way within a tolerable period of time after a disruptive incident. This means that you must know your critical processes and what is needed to operate them, and you must know how fast you need to be back up and running before your business will suffer a severe loss.
SAP holds a corporate ISO 22301 certificate that covers corporate resilience and continuity requirements. In comparison, the BCMS for SAP Cloud Platform more specifically covers resilience and continuity requirements for customer systems and data running or being operated on SAP Cloud Platform.
National Certifications: SOC, IRAP, and ISAE
In addition to ISO certifications, SAP Cloud Platform also complies with various national standards, including the US-based SOC regulations, the European ISAE regulations, and the Australian IRAP certification.
Where the ISO standards are more generic, the SOC standards, which are reporting standards maintained by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), focus on cloud environments. These standards take the form of audits that are performed against an AICPA regulation called Statement on Standards for Attestation Engagements (SSAE) No. 16, resulting in SOC reports.
An SOC 1 report is related to the protection of financial statements, and is relevant for financial reporting services. There is also a European equivalent, named ISAE 3402, which is maintained by the International Federation of Accountants (IFAC) and applies only to Europe. When a company holds both attestations, as SAP does, the certification is usually referred to as SOC1 SSAE16/3402.
An SOC 2 report is related to specific assurance principles addressing non-financial areas. SOC 2 audits are performed against the Trust Services Criteria, which are a set of principles — security, availability, processing integrity, confidentiality, and privacy — to which a company must adhere. These principles are organized into seven categories: organization and management, communication, risk management and design and implementation of controls, monitoring of controls, logical and physical access controls, systems operations, and change management. A company does not need to fulfill all criteria right away — depending on the business, it can define an appropriate scope to be tested against to prove adherence.
SOC 1 and SOC 2 reports can be either Type 1 or Type 2. Type 1 assesses how the security controls are designed. It does not include an assessment of how effectively the controls are operating. Type 2 includes an assessment of the design and operating effectiveness of the security controls. SAP Cloud Platform holds attestations for both types.
SOC 3 reports contain essentially the same content as SOC 2 reports, only the SOC 2 reports are very detailed and may contain critical information. For this reason, they often can be obtained only upon request and are addressed at interested professional audiences. SOC 3 reports are much shorter and can be publicly available as they contain less critical information and are less detailed.
Another standard is IRAP, which is a security assessment required and designed by the Australian government for government information and communication technology systems. The goal of this assessment is to ensure that systems operated within government agencies where sensitive data is accessed and processed comply with best-practice security standards. The assessment is carried out in two stages. In the Stage 1 audit, the assessor identifies security deficiencies that the system owner rectifies or mitigates. In the Stage 2 audit, the assessor assesses the residual compliance. SAP Cloud Platform has undergone both stages and is currently waiting for the certificate.
Details on all certificates and attestations for SAP Cloud Platform can be viewed in the SAP Trust Center.
As persisting news on security breaches shows, there is no absolute security. Or as Eugene H. Spafford put it: “The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards — and even then I have my doubts.”2 However, with a commitment to transparent and recurring reviews and audits by internal and external certification bodies, SAP Cloud Platform helps organizations achieve the highest levels of security by meeting the latest compliance and security standards, and by providing a certification program that is continuously extended and advanced to adapt to new requirements to ensure the security of your business into the future.
1 For an introductory look at how SAP’s overarching security strategy is realized with SAP Cloud Platform, see the article “Securing the Cloud with SAP Cloud Platform” in the October-December 2017 issue of SAPinsider (SAPinsiderOnline.com). [back]