Cyber Security: Aligning best practices and solutions to protect across the
core, cloud, and connected “things”
Anne Marie Colombo | CISSP | Cybersecurity Solution Advisor | NA CIO Office
Growth of Data Breaches
[Chart: world's biggest data breaches, 2004 to 2016]
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Oil & Gas Security – Saudi Aramco
Dark Reading: Inside the Aftermath of the Saudi Aramco Breach, 8/8/2015, by Fahmida Y. Rashid
• 35,000 Computers
• Free Gas
• Typewriters and Faxes
• Physically Unplugged Computers
• Worldwide Hard Drive Market Impact
• 5 Months to Recover
• Built Security Operations Center from Scratch
http://www.darkreading.com/attacks-breaches/inside-the-aftermath-of-the-saudi-aramco-breach/d/d-id/1321676
Oil & Gas Security – Energy Global
Cybersecurity risks in US oil and gas industry. Published by Callum O'Reilly, Editor, Energy Global, Friday, 17 February 2017 14:23
https://www.energyglobal.com/downstream/gas-processing/17022017/cybersecurity-risks-in-us-oil-and-gas-industry/
• 59% believe there is a greater risk in the OT environment than the IT environment.
• 1% said their organization has difficulty mitigating cyber risks across the oil and gas value chain.
• 41% of respondents said they continually monitor OT infrastructure to prioritize threats and attacks.
• 65% of respondents say the top cybersecurity threat is the negligent or careless insider.
• 15% of respondents say it is the malicious or criminal insider.
• 61% say their organization’s industrial control systems protection and security is inadequate.
“This underscores the need for advanced monitoring solutions and critical safety zones to identify atypical behavior among personnel.”
Utility Security – Utility Dive
Credit: State of Electric Utility
“Why utilities say grid security is the most pressing sector issue of 2017: The successful hack of Ukraine's electric grid in late 2015 got the sector's attention, Utility Dive's recent survey shows”
AUTHOR: Herman K. Trabish. PUBLISHED: April 10, 2017
• Intrusion Months Earlier
• Coordinated Attack
• Any Malware - Approach
• Complexity & Attack Surface
• Grid Interconnectedness
1. Detect & Defend
2. Opportunity to Disrupt
3. Strategies
4. Multiple Programs
5. Info Sharing
http://www.utilitydive.com/news/why-utilities-say-grid-security-is-the-most-pressing-sector-issue-of-2017/440056/
Cornerstones of Security at SAP
• Security incorporated into applications, delivering ultimate protection for content and transactions
• End-to-end secure cloud operations, defense of customer data and business operations
• Secure SAP: Security-aware staff, end-to-end physical security of SAP’s assets, and a comprehensive business continuity framework
Building blocks: Defendable Application; Zero Knowledge; Zero Vulnerability; Security by Default; Intelligent Infrastructure Prevention; Perceptive Data Shield; Secure Augmented Network; Security Shielded Ecosystem; Security Culture; Secure Environments; Business Continuity; Transparency
Why do companies fear cyber attacks?
• Loss of reputation
• Loss of intellectual property
• Disruption to operations
• Legal Issues
• Expensive
[Graphic: Alarm System, Anti-virus, Monitoring System]
The threat environment is changing and more dangerous
– Traditional defenses no longer provide sufficient protection for business-critical software
– More exposure to risk:
  • Interconnected systems, mobile applications, …
  • Increased interest in SAP software by cybercriminals
  • Threats from inside nullify technical precautions
– Attackers will penetrate to your critical systems
  • Will you notice?
  • What will you do then?
Digital Business Transformation
[Diagram: DIGITAL CORE surrounded by Customer Experience Omni-Channels, Workforce Engagement, Big Data & Internet of Things, Supplier Collaboration Business Networks]
1. Customers and employees are hyper-connected with seamless access anytime, anywhere
2. Cloud and hybrid cloud environments challenge the traditional “protect the 4 walls” security approach
3. Digitally connected supply chains are based on high trust and availability of all parties
4. Internet of Things and Big Data bring unprecedented data streams and volumes
5. Confidentiality, integrity and availability of data and systems is the basis for secure operations and trusted relationships
Transactions and data must be secured throughout the entire end-to-end business process
Questions to ask
1. Do you have a formal Risk Management or Cybersecurity program in place?
2. How long could your business run if your SAP system was down? What would be the financial impact?
3. What regulations and compliance requirements exist in your business? Is the General Data Protection Regulation (GDPR) a concern?
4. Do you know where your critical assets and sensitive data are located within your systems?
5. What is the strategy to handle security for your SAP systems? Is there a patch management process in place?
6. How do you manage access to the SAP system? Are you able to grant and remove access quickly when someone leaves the company?
7. How do you currently monitor your SAP system? How do you know who is in your SAP system and that they are who you think they are? Is user behavior being monitored? Is access to data being monitored in real time? How would you know your SAP system has been breached?
8. Are you managing custom code in your SAP system? Are you testing custom code for vulnerabilities on both the ABAP and non-ABAP applications?
9. How are you protecting your data in your SAP system? Do you know what data is leaving your SAP system?
10. Digital Transformation: What’s your cloud strategy? Are you planning an S/4HANA migration? Do you have an IoT or Blockchain initiative?
Security Services - Finding Vulnerabilities
• SAP ERP Systems
• Security Patches
• RFC Gateways
• User Authorizations
• Missing Emergency Concept
• Users w/ Admin Privileges
• Incident Monitoring
• Data Storage
• Data Export
Security Services – The Basics
Secure Operations Map: http://support.sap.com/sos
• Security Compliance: Security Governance, Audit, Cloud Security, Emergency Concept
• Secure Operation: Users and Authorizations, Authentication and Single Sign-On, Support Security, Security Review and Monitoring
• Secure Setup: Secure Configuration, Communication Security, Data Security
• Secure Code: Security Maintenance of SAP Code, Custom Code Security
• Infrastructure Security: Network Security, Operating System and Database Security, Frontend Security
Security Recommendations: 10 Focus Areas for Customers
Network Security
• Define a network concept with clearly structured different zones
• Separate high-security areas
• Ensure encryption and authentication of communication
• Determine concepts for dedicated servers and administrative roles
OS and Database Security
• Implement dedicated security requirements for Windows and UNIX or LINUX operating systems (OS), including corresponding OS services and handling of default users
• Implement restrictive database access mechanisms
Front-End Security
• Deploy security configuration for both clients and mobile endpoints
• Frequently update the SAP GUI on all clients
• Distribute and activate administrator rules
• Activate access control lists (ACLs)
Secure Maintenance of SAP Code
• Regularly update all SAP software (at least every 12 months)
• Implement SAP Notes on security – released on the security patch day
Custom Code Security
• Establish a custom code lifecycle management process
• Use security source code scan tools to identify vulnerabilities in your custom coding
We have captured our best-practice approach to share with our customers.
Secure Configuration
• Set dedicated ABAP profile parameters for: password security, authentication, encryption
Communication Security
• Ensure encryption of passwords and of all information classified as confidential
• Use encrypted communication such as the most current Secure Sockets Layer (SSL), transport layer security (TLS), or secure network communications (SNC)
• Follow a clearly defined security concept for all required remote function call (RFC) connections
Security Audit Log
• Activate the security audit log (SAL)
• Activate filters for critical users such as SAP support staff and emergency users
Emergency Concept
• Define emergency, backup, and recovery concepts to ensure seamless business and services continuity in your organization
• Consider preparation of complete fallback systems for business-critical processes and applications
Users and Authorizations
• Ensure dedicated handling and administration of certain ABAP default users and critical basis authorizations
• Do not assign the SAP_ALL authorization profile to any user except for emergency accounts
SAP Secure Operations Map: Business Applications and Security Infrastructure Available
Security Compliance (Security Governance, Audit, Cloud Security, Emergency Concept) – Applications / Services:
• SAP Risk Management
• SAP Regulation Management, Cyber Edition by Greenlight
• SAP Cloud Identity Access Governance, Access Analysis Service
• SAP Audit Management
• SAP Fraud Management
• SAP HANA Cloud Platform, Identity Provisioning
• SAP HANA Cloud Platform, Identity Authentication
• Business Continuity Partner
Secure Operations (Users and Authorizations, Authentication and Single Sign-On, Support Security, Security Review and Monitoring) – Applications / Services:
• SAP Identity Management
• SAP Access Controls
• SAP Access Violation Management by Greenlight
• SAP Dynamic Authorization Management by Nextlabs
• SAP Single Sign-On
• MAX Attention
• SAP Enterprise Threat Detection
• SAP Solution Manager
• SAP Early Watch Alert Security Chapter
• SAP Monitoring and Alerting Infrastructure
• SAP Security Optimization Services
Secure Setup (Secure Configuration, Communication Security, Data Security) – Applications / Services:
• SAP Process Controls
• SAP Solution Manager
• SAP Configuration Validation
• SAP Unified Connectivity
• SAP Mobile Secure
• IoT Security
• SAP Digital Rights Management by Nextlabs
• SAP UI Field Masking
• SAP UI Logging
Secure Code (Security Maintenance of SAP Code, Custom Code Security) – Applications / Services:
• SAP System Recommendations Service
• SAP NetWeaver AS, add-on for code vulnerability analysis
• SAP Fortify by HPE
Infrastructure Security (Network Security, Operating System and Database Security, Front End Security):
• Applications Configuration for SAP HANA, FIORI
SAP Cloud Secure: Confidence in SAP Cloud Secure service with transparency
• Comprehensive Contracts: Privacy, security framework, and applicable local regulations
• Cyber Defense: Multiple layers of defense; holistic: prevent, detect, and react
• Independent Audits: Service Organization Control reports, certifications
• Secure Cloud Model: Holistic approach, secure architecture, management system of standards and best practices*
Foundation
• Code of Practice: ISO 27002
Privacy
• Data Protection: BS 10012, ISO 27018
• Data Privacy: BDSG, EU Directive 95/46/EC
Security Best Practice (extract)
• Service Delivery: ISO 20000
• Business Continuity: ISO 22300
• Application Security: ISO 27034, OWASP
• Hardening Guidelines: SANS, ISO, CERT, NIST
• Quality Management: ISO 9000, ISO 25010
• Destruction of Media: ISO 27040
• Incident Management: ISO 27035
Transparency
• Certification: ISO 27001**, ISO 22301**, ISO 9001**, BS 10012
• Operations and Compliance: SOC 2, SOC 3 (AT 101 / ISAE 3000)
• Financial Controls: SOC 1 (SSAE16 / ISAE 3402)
*) The management systems are used across all SAP Cloud Secure services; execution of independent certification and audit depends on the service and organizational unit respectively. Details available at: http://go.sap.com/corporate/de/company/innovation-quality/excellence.html
**) Component of the Integrated Information Security Management System (IISMS) of SAP
Solutions for GRC and Security from SAP: Application Security
Risk and governance
• Identify and manage risks, regulations, and policies to minimize potential business impact
• Access governance, three lines of defense
Business application security
• Protect data, control access, and detect threats
• SAP Enterprise Digital Rights Management by NextLabs: Data-centric security for the extended enterprise; secure any file type
• SAP Enterprise Threat Detection: Detect, investigate, and respond to incidents
• UI Field Masking, UI Logging: Conceal data in fields and columns as required; log and analyze access
• Code Vulnerability Analysis, Fortify by SAP: Dynamic and static testing
SAP S/4HANA Supports Live Business: Considerations for Governance, Risk, Compliance and Security topics
• Three Lines of Defense
• Access governance
• Application security
• International trade
• Fraud management and screening
[Diagram: Digital Core (SAP Cloud Platform, SAP HANA) surrounded by Business Transactions, Intelligent Insights, Workforce Engagement, Spend Management, IoT & Supply Chain, Customer Experience; cross-cutting topics: Industry, Machine Learning, Blockchain, Security, APIs]
IOT - Technical and Physical Security both play a role in IIoT
• IoT devices and protocols security lacking
• Consider the physical security and ability to access the infrastructure
• Ideally we have both rich security features and restricted physical access, but that is rarely the case in IIoT
• Many IIoT scenarios depend on insecure hardware in rather public places
[Chart: Security Features (rich to poor) against Physical Access (restricted to public). Scenarios plotted: Nuclear power plant, Smart City, Smart Vehicles, Smart Lighting, Lights-out Manufacturing, IoT’ed-legacy Manufacturing, Oil & Gas (generation), Smart Office, ATM, Oil & Gas (refinery), Oil & Gas (pipeline), Video camera in prison]
Impact of various IIoT scenarios very different, however
• Impact of various use cases differs widely
• Hacking smart lighting is annoying but is unlikely to lead to loss of life or injury (mostly)
• Compromise of an oil refinery or nuclear power plant could lead to catastrophic disasters
• Use of insecure devices might therefore be acceptable in trivial scenarios
• In IIoT scenarios in critical infrastructure, energy, transportation, manufacturing, etc. it most certainly would not be, and security for IIoT should be carefully designed in, including device choice, encrypted communication channels, security and monitoring tools, etc.
[Chart: Impact (low to high) against Ease of Attack (low to high). Scenarios plotted: Nuclear power plant, Smart City, Smart Vehicles, Smart Lighting, Lights-out Manufacturing, IoT’ed-legacy Manufacturing, Oil & Gas (generation), Smart Office, ATM, Oil & Gas (refinery), Oil & Gas (pipeline), Video camera in prison]
Security must be stronger where impact is higher
[Both charts repeated side by side: Security Features (rich to poor) against Physical Access (restricted to public), and Impact (low to high) against Ease of Attack (low to high), with the same scenarios: Nuclear power plant, Smart City, Smart Vehicles, Smart Lighting, Lights-out Manufacturing, IoT’ed-legacy Manufacturing, Oil & Gas (generation), Smart Office, ATM, Oil & Gas (refinery), Oil & Gas (pipeline), Video camera in prison]
The Criticality of End-to-End encryption
• Many IoT devices (especially consumer) use an IoT gateway model, using IoT-specific protocols like Zigbee, Z-wave, BLE, Modbus, etc.
• Strong encryption usually only from the IoT gateway
• Security of these protocols often proven to be poor and can be subject to manipulation
• End-to-End encryption is the only way to guarantee that data from the device is received without eavesdropping, tampering or spoofing, and that it comes from the device we believe it comes from
• On-device data encryption, where the device design (and manufacturer) allows it
• Registration and Onboarding still a bit of an issue
See also: [SAP Community] The importance of client certificates in IoT
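An added example, not from the slides, of what the end-to-end property buys: a backend that verifies per-device authentication tags rejects readings a gateway has tampered with, forged, or replayed, even though the gateway terminates the transport hop. A symmetric per-device key stands in for the per-device client certificate the slide points to; the example shows integrity and authenticity only (confidentiality would need an encryption layer on top), and every device id, key and reading is constructed.

```python
"""Added demo (not from the slides): end-to-end authenticated readings let the
backend catch an untrusted gateway tampering, spoofing or replaying messages.
Device ids, keys and readings below are constructed for the example."""
import hashlib
import hmac
import json

# Per-device secrets provisioned at onboarding; a stand-in for the per-device
# client certificates the slide refers to. Never handed to the gateway.
DEVICE_KEYS = {
    "sensor-0001": b"constructed-key-for-sensor-0001-32b",
    "sensor-0002": b"constructed-key-for-sensor-0002-32b",
}

def _canonical(fields):
    # Stable serialization so device and backend tag identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def device_emit(device_id, counter, reading, key):
    """Device tags its own reading; the monotonic counter defeats replay."""
    body = _canonical({"id": device_id, "ctr": counter, "val": reading})
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}

class Backend:
    """Verifies end-to-end: nothing in the middle (the gateway) is trusted."""
    def __init__(self, keys):
        self.keys = keys
        self.last_ctr = {}

    def accept(self, msg):
        try:
            body, tag = msg["body"], msg["tag"]
            fields = json.loads(body)
            device_id, counter = fields["id"], int(fields["ctr"])
        except (KeyError, TypeError, ValueError):
            return (False, "malformed")
        key = self.keys.get(device_id)
        if key is None:
            return (False, "unknown device")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return (False, "bad tag")  # altered in transit, or not from this device
        if counter <= self.last_ctr.get(device_id, -1):
            return (False, "replay")
        self.last_ctr[device_id] = counter
        return (True, fields["val"])

def gateway_tamper(msg, new_val):
    """A gateway that terminates the transport hop can rewrite the payload..."""
    fields = json.loads(msg["body"])
    fields["val"] = new_val
    return {"body": _canonical(fields).decode(), "tag": msg["tag"]}

def gateway_spoof(device_id, counter, reading):
    """...or fabricate a message, but without the device's key the tag is wrong."""
    return device_emit(device_id, counter, reading, b"gateway-has-no-device-key")

def demo():
    backend = Backend(DEVICE_KEYS)
    k1 = DEVICE_KEYS["sensor-0001"]
    honest = device_emit("sensor-0001", 1, 21.5, k1)
    return {
        "honest": backend.accept(honest),
        "replay": backend.accept(honest),
        "tampered": backend.accept(gateway_tamper(device_emit("sensor-0001", 2, 21.7, k1), 99.0)),
        "spoofed": backend.accept(gateway_spoof("sensor-0002", 1, 0.0)),
    }

if __name__ == "__main__":
    for case, (ok, detail) in demo().items():
        print(f"{case:9s} accepted={ok} {detail}")
```

With gateway-terminated encryption alone, the "tampered" and "spoofed" cases would be indistinguishable from honest traffic at the backend; the per-device tag is what makes them detectable.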
Gartner 5 High Priorities for GDPR
1. Determine your role under the GDPR
2. Appoint DPA
3. Demonstrate accountability in processing activities
4. Check your cross-border data flows
5. Prepare for data subjects exercising their rights
• Cooperation with security experts
• Integration awareness campaign
• Architecture decisions
• Determine whether your organization is affected by GDPR
• Identify and appoint process owners for personal data processing
• Internal framework for accountability from start of processing to deletion of data
• Codes of conduct
• Certification
• Consent
• Breach Notification
• Data Portability
• Right to be forgotten
• Encryption and Anonymization
• Privacy by Design
GDPR Scope
• Personal data: Any information relating to an identified or identifiable natural person
• Data subject: Can be identified, directly or indirectly (name, an identification number, location data, physiological, genetic, mental, economic...)
Art. 4 Sec. 1 GDPR
Individual Rights
The right to
• Information
• Subject access
• Rectification
• Erasure (the 'right to be forgotten')
• Time limits
• Restrict processing
• Data portability
• Object
• Not be evaluated on the basis of automated processing
• The obligation to notify relevant third parties
Source: https://www.scl.org/articles/3575-rights-of-data-subjects-under-the-gdpr
GDPR Process Owners
Chief Compliance Officer | Chief Information Security Officer | Data Protection Officer | CEO and Board of Directors
• Overall GDPR compliance
• GDPR governance
• GDPR testing
• Overall GDPR compliance and reporting
• Data protection strategy and implementation
• Manage data protection risk
• Overall GDPR compliance
• Infrastructure strategy and deployment
Top Ten Items to Address Security
1. Security Awareness
2. Patch Management
3. Monitoring through Reports, Software
4. Data Protection
5. Review Access – Privileged Access
6. Custom Code
7. Think Like an Attacker – Threat Modeling
8. Build IoT Plan w/ Security
9. S/4 Implementation Review Opportunity
10. Continue Education
Next Steps
Leverage what you have
• Security Optimization Service
• Early Watch Report
• GRC Access Control
Explore additional options
• SAP Single Sign-on
• SAP UI Masking & Logging
• SAP Code Vulnerability Analysis
• Enterprise Threat Detection
Action Items
• Patch Management Process
• Solution Manager Expertise
• EWA, SOS, Config Validation, System Recommendations
• Develop Security Roadmap
• IT/OT Planning
Learning more
• Tech Ed 2017
• SAP Cybersecurity Summits
• SAP GRC and GDPR Webinars
• ASUG Cybersecurity Webinars
© 2015 SAP SE or an SAP affiliate company. All rights reserved.
Thank you
Anne Marie [email protected]
Security@SAP
SAP security, data protection, and privacy: http://go.sap.com/solution/security.html
This SAP Security Point of View briefing outlines key security trends, shares how your peers are thinking about security, and provides an overview of SAP's security strategy and portfolio. Download the Document
Getting an overview on the Secure Operations Map
Security Value Map and Optimization
Value Map for Security – Private JAM site (Invite only)
• Ask questions
• Quick Wins and Deep Dives
• Cloud security
• Security Maintenance
• Users security authorizations
• Security in Solution Manager
• Secure set up
Security Value Map:
Get empowered to:
• Discover operational SAP Security and find your quick wins
• Discover Cloud Security and corresponding Support offerings
• Establish secure HANA configuration
• Establish a secure environment for your mobile scenarios
• Establish an SAP Security Patch Management process and discover quick wins
• Take a “Deep Dive” into the security chapter of your SAP Early Watch Alert
• Manage Security in your SAP Solution Manager and available Security Dashboards
• Set up your SAP Security compliance
• SAP Authorization Settings, SAP Identity Management and SAP NetWeaver Secure Configuration for Business Objects
Please refer to this link for further details: https://support.sap.com/support-programs-services/programs/enterprise-support/academy/valuemaps.html
You can register at the following link: https://surveys.sap.com/SE/?SID=SV_6RPo2nYfcyJHzcF
https://jam4.sapjam.com/groups/about_page/6oHBM5rL47sHDjWG9e63XF
Security Optimization Continuous Quality Check
The continuous quality check for SAP Security Optimization is designed to check the security of your SAP system. This service comprises a system analysis and the resulting recommendations for system settings. For more information, please see the following information sheet: https://support.sap.com/content/dam/library/SAP%20Support%20Portal/support-programs-services/support-programs/enterprise-support/academy/delivery-format/cqcis/cqcso.pdf
Security services by SAP (included as part of Enterprise Maintenance)
• SAP offers a wide range of security tools and services to ensure the smooth operation of your SAP solution by taking action proactively, before security issues occur
• More information:
• SAP Support Portal - EarlyWatch Alert
• SAP Security Optimization Services
• Security White Papers
• Security News Letter for Customers - Here
Solutions for GRC and security from SAP
• SAP Access Control - Product page
• SAP Process Control - Product page
• SAP Risk Management - Product Page
• SAP Audit Management - Product page
• SAP Identity Management - Product Page
• SAP Single Sign-On - Product Page
• SAP Enterprise Threat Detection - Product Page
• SAP Regulation Management by Greenlight, cyber governance edition - Product Page
• SAP Dynamic Authorization Management by NextLabs - Product Page
• SAP Enterprise Digital Rights Management by NextLabs - Product Page
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release
any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products,
and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The
information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various
risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements,
and they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company)
in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
© 2017 SAP SE or an SAP affiliate company. All rights reserved.