1. Moving to the Cloud: Adopting & Integrating the SAP Ariba Portfolio in your SAP Landscape
Lakshmi Hanspal, Chief Security Officer, SAP Ariba / October 26, 2016
2. © 2016 SAP SE or an SAP affiliate company. All rights reserved. Public
3. Forward looking statements
Important Notice
SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this
document or any related presentation, or to develop or release any functionality mentioned therein. This
document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be
changed by SAP SE or its affiliated companies at any time for any reason without notice.
The information in this document is not a commitment, promise, or legal obligation to deliver any material,
code, or functionality. All forward-looking statements are subject to various risks and uncertainties that
could cause actual results to differ materially from expectations.
Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not
be relied upon in making purchasing decisions.
4. Decision makers today have two fundamental choices to address their business need
Business need: source globally, streamline procurement, execute business transactions efficiently
Choice:
Networked solution
• Deploy application in cloud
• Invite suppliers to collaborate throughout the process
• Exchange documents electronically through business network
• Leverage integrated channels and achieve transparency in invoicing and payments
Traditional application
• Deploy application on premise or in house
• Use phone/e-mail/letters/meetings to collaborate with suppliers
• Send and receive documents through e-mail/fax/paper/EDI
• Leverage out-of-band channels for invoicing and payments
5. A network approach is attractive, but companies need to protect their data and their business relationships
Protect personal data
• Achieve legal compliance such as fulfilling data protection requirements
• Ensure information relating to individuals is protected in storage and processing
Protect trade secrets
• Store business data safely
• Transmit transactional data securely
• Prohibit unauthorized access to data
7. Protect personal data: top concerns of data protection officers and works councils to comply with data protection laws
Type of personal data
What type of personal data is collected when using SAP Ariba* solutions? Is there any sensitive personal data involved?
* SAP Ariba solutions use a new brand name that was launched in January 2016. Ariba continues to operate as a separate legal entity.
Where personal data is stored
What is the physical location of data and where is it processed?
Where personal data is transferred to
How do SAP and Ariba approach the legality of transferring personal data internationally?
Who has access to personal data
Which companies are involved with SAP or Ariba as subprocessors or integrated services providers and may have access to the personal data?
How personal data is protected
What technical and organizational measures are in place to protect personal data from unauthorized access, use, or disclosure?
8. Type of personal data
What type of personal data is collected when using SAP Ariba solutions? Is any sensitive personal data involved?
• SAP Ariba solutions contain simple business contact information about individuals as users or business contacts but should NOT contain any sensitive personal data (individual healthcare data, individual financial information, religious affiliation, and the like).
• The Ariba Privacy Statement prohibits use of the solutions for processing sensitive personal data.
Personal data potentially associated with users in SAP Ariba solutions is business contact information:
• E-mail address
• Employee number
• Employee name
• Business phone
• Business fax
• Alternate e-mail addresses
• Business postal address
9. Where personal data is stored/processed
What is the physical location of data, and where and by whom is it processed?
Illustrative example for a cloud application in a European data center, with network traffic orchestrated at a global hub in the United States:
• Customers (buyers) have the option to run solutions such as Ariba Procure-to-Pay in the European data center.
• Personal data of customer (buyer) users is administered in the selected application data center.
• Most SAP Ariba solutions exchange data with the Ariba Network (operated in the United States) to facilitate communication with suppliers.
• Such communications and exchange of documents can include personal data such as contact info on a purchase order.
• Data flow between regional data centers and the Ariba Network is carried over a secure encrypted connection.
• The supplier profiles are stored in the Ariba Network data center.
Buyers and suppliers want to trade globally to increase the selection of vendors and to reach more customers. This requires a global platform, enabled by the Ariba Network.
10. Where data is stored by data category

| Data category | Upstream (sourcing, contracts) | Downstream (procure to pay) | Ariba Network | Data in EU | Data in global DC (located in U.S.) | Notes |
|---|---|---|---|---|---|---|
| Employee data | Yes | Yes | Yes | Yes | Possible | If a user from the customer organization is logging into the Ariba Network, then some identifying fields might need to be stored in the U.S. data center (DC) |
| Contracts | Yes | No | No | Yes | No | |
| Supplier contracts | Yes | No | No | Yes | No | Contract remains in EU data center |
| Supplier contracts | Yes | No | Yes | Yes | Yes | If POs are generated based on contracts and routed through the Ariba Network, then the PO copy will be stored in the network in the U.S. DC. The PO copy may contain the contract ID. |
| Bill of material/item list | Yes | No | No | Yes | No | |
| Commercial data | Yes | No | No | Yes | No | All data in EU if all commercial data is to support setting up sourcing events only |
| Commercial data procurement | Yes | Yes | Yes | Yes | Yes | All documents which are exchanged with the supplier as part of P2P (such as goods receipt) will be routed through the Ariba Network, so U.S. |
| Drawings | Yes | No | No | Yes | No | RFx attachments, then EU only |
| Product, product information | Yes | Yes | Yes | Yes | Yes | Supplier imports catalogs into the Ariba Network, then catalogs will be stored in the network in the U.S. DC. But if the buyer creates the catalog it will remain in the EU. |
| Supplier data general | Yes | Yes | Yes | Yes | Yes | Portal for supplier data entry into SAP Ariba applications is through the Ariba Network, so supplier data will be stored in the network in the U.S. DC. Rest of communication will be stored in the EU DC |
| Supplier know-how | Yes | No | No | Yes | No | If part of a response to a sourcing event, data in EU |
| Supplier price information | Yes | No | No | Yes | No | Response to sourcing event ‒ data in EU |
| Master data in R/3 | Yes | No | No | Yes | No | No master data in Ariba Network, only transactional data |
Where personal data is transferred to
How do we approach the legality of transferring personal data internationally?
Transfer to Ariba: the Ariba contract contains Ariba’s obligations regarding personal data processing, customer consent to transfer personal data, and agreement to obtain consent for the processing of such data.
Transfer by Ariba: Ariba maintains data transfer agreements with SAP and Ariba affiliates and subprocessors that comply with the EU requirements for personal data transfer.
EU data center customers:
Data, including user administration data, entered by the buyer into upstream (Ariba Sourcing, Ariba Contract Management) and downstream (Ariba Procure-to-Pay) solutions is stored in the EU data center.*
Once a purchase order (PO) is sent by the buyer, it is routed to the Ariba Network (U.S. server) for access by your supplier or further routing to the supplier (similar to sending a PO by e-mail on the Internet).
Suppliers route invoices through the Ariba Network (U.S. server) to the buyer.
Suppliers self-maintain their data (invoices, master data, and catalogs) globally through the Ariba Network (U.S. server).
Certain transaction history is available to buyers through direct access to the Ariba Network.
User credentials allowing buyer-side users to access the Ariba Network are stored on the Ariba Network (U.S. server).
* Using the data enrichment service involves sending procurement data into the U.S. network data center for data enrichment (transfer does not involve personal data) to allow for spend visibility.
11. SAP’s contractual approach to data protection
SAP has unified the approach for all its cloud solutions with the data processing agreement (DPA).
The DPA goes beyond standard contractual clauses in providing privacy assurances.
The DPA incorporates an unmodified version of the standard contractual clauses, which control in case of conflict with the rest of the DPA.
The DPA defines terms – such as SAP as “processor” and “importer,” customer as “controller” and “exporter.”
Customer HQ can sign the amendment on behalf of its EU affiliates; affiliates may sign an accession document with HQ and be considered parties to the clauses.
SAP has intercompany agreements with SAP affiliates and data processing agreements with partners (subprocessors).
The DPA lists data protection policies, procedures, standards, and certifications.
It includes rights and obligations with respect to technical and organizational measures (such as monitoring, incidents, notifications).
Data privacy measures for SAP Ariba solutions are aligned with the SAP Data Privacy Office, and we have our own data privacy officer.
12. Who has access to personal data
Which companies are involved with SAP or Ariba as subprocessors or integrated services providers and may have access to the personal data?
Customer acts as the data controller concerning personal data.
SAP acts as data processor and processes personal data in accordance with customer instructions.
For processing personal data, SAP and its subprocessors will use only personnel who are reliable and subject to a binding obligation to observe data secrecy or secrecy of telecommunications, to the extent applicable, pursuant to the applicable data protection law.
Technical and organizational measures are in place to secure and protect personal data.
SAP may engage subcontractors for processing of personal data; however, SAP stays fully responsible. Customers can review the list of subprocessors.
Subcontractors are carefully selected, with an objection right for the customer, and subcontractors not operating in the EU sign the standard contractual clauses.
Customer has defined monitoring rights.
SAP will cooperate with customer to address any personal data deletion or modification requests.
Definitions:
“Data controller” as defined in the applicable data protection law
“Data processor” as defined in the applicable data protection law
“Data exporter” is the customer as listed in an order form or its data controller(s)
“Standard contractual clauses” as per Directive 95/46/EC
“Subprocessor” – SAP affiliates and third-party subprocessors engaged by SAP or SAP’s affiliates
13. How personal data is protected
What technical and organizational measures are in place to protect the personal data from unauthorized access, use, or disclosure?
ORGANIZATIONAL AND TECHNICAL MEASURES IN PLACE
Data control
• Data protection controls (at rest)
• Electronic transfer controls (in transit)
• Data protection agreement
Access control
• General measures and policies on access control
• Layered protection such as multifactor authentication
• Special areas (for example, data center, file storage rooms)
• Training and awareness for employees
• Authorization using roles and privileges
• Access protection, logging
Threat control
• Logging and monitoring
• Analysis of event correlation
Vendor control
• Due diligence on selection of contractors and contracts
• Periodic reassessment of vendor compliance
Availability control
• Guaranteeing routine operation
• Emergency measures
• Database backup
• Database restoration
Network control
• Separation of production and development environments
INDEPENDENT AUDITS CERTIFY SECURITY CONTROLS
• Periodic audits performed by reputable independent third-party organizations
• Ariba data centers are certified for the payment card industry data security standard (PCI DSS): designed for computer networks that handle credit card transactions, covering people, processes, technologies, locations
• Ariba data centers are certified for AICPA (American Institute of Certified Public Accountants) SOC 1 and SOC 2: Service Organization Control reports to assess and address risk with outsourced services around security, availability, integrity and confidentiality
• Ariba data centers are certified for AICPA (American Institute of Certified Public Accountants) and CICA (Canadian Institute of Chartered Accountants) SOC 3 WebTrust: a seal awarded to businesses that consistently adhere to defined security and privacy standards
16. Trust model for SAP Ariba solutions
SAP leverages a holistic, multidimensional approach to establish and maintain state-of-the-art security and privacy. Security and privacy are addressed across four dimensions: technology, processes, people, and scoping.
• Securing the software development lifecycle
• Guarding your data against internal and external risks
• Access through least privilege/“need-to-know basis”
• Environment segmentation and demarcation
• Resiliency as core competency
• High availability, monitoring, and business continuity
17. Data protection and privacy ‒ layers of assurance
Goal: protection of individuals’ rights
Legal and contract
• Data processing agreement that meets applicable local data privacy regulations globally, provides transparency, and limits liability
• Technical and organizational measures (TOM) ‒ for example, incident management
Audit and certification
• Certifications providing independent evidence for security, confidentiality, availability, data protection and quality
Policies and procedures
• Integrated management system for information security, data protection, and service delivery
• Comprehensive security architecture covering application, processing systems, and network
18. Protecting commerce in the cloud – current and future
Current
Secure software development
Patching, vulnerability, and incident response
Physical security, segregation, and intrusion prevention
Application, platform, and network security, data
segregation, and intrusion prevention
Encryption, certificates, and key management
Availability and data management
Risk management and audit
Internal security policies and procedures
Future (2016)
Connectivity and customer adoption
Certificates
Transport protocols
Cipher suites
HTTP Strict Transport Security Header (HSTS)
Data encryption
ActiveX replacement
Future (beyond 2016)
Advanced support access controls
Authentication enhancements
Enhanced data deletion
20. You and SAP – partners in protecting your digital commerce
What are best practices you can establish as part of leveraging SAP Ariba solutions?
Single sign-on (SSO): Leverage SSO authentication to streamline identity and access management
Access reviews: Perform periodic access reviews of your users’ access to SAP Ariba solutions
Segregation of duties: Ensure that users are in defined business roles and that conflict of interest in conducting business is prevented by segregating roles and requiring an access approval workflow
Supplier linkages: Ensure that linkages can be initiated only by suppliers; review the accuracy and relevance of your current linkages
Works council: Follow best practices to engage early and leverage expertise
Compliance: As the data controller, the customer has primary responsibility for compliance; for ensuring that legally adequate data processing methods are in place; for obtaining end user consent for use of personal data (some countries require this); and for ensuring that sensitive personal information such as SSN is not in the solution.
21. Protecting customers’ personal and business data
Management commitment
• Management is accountable for committing time, effort, funding, and resources to data protection.
• Management is accountable for selecting controls based on risk acceptance and for enforcing those controls within the organization.
Compliance and legal requirements
• Demonstrate proactive compliance with regulators
• Use a common framework for other standards and regulatory requirements
• Reduce liability risk
Building and maintaining trust
• Validate security and privacy practices and provide confidence in the use of third parties
• Use an approach that is consistent with other cloud companies
Continual improvement
• Increase awareness of data protection within the organization
• Provide appropriate protection of cloud assets
• Gain efficiencies through repeatable processes for compliance monitoring; ensure that controls are effectively measured and reported
22. Confidence in the cloud with SAP Cloud Secure
SAP Cloud Secure:
• Comprehensive contracts: privacy, security framework, applicable local regulations
• Cyber defense: multiple layers of defense, holistic: prevent, detect, remediate
• Independent audits: service organization report certifications
• Secure cloud model: holistic approach, secure architecture
23. Thank You and Q&A
Lakshmi Hanspal, Chief Security Officer
Lakshmi.Hanspal@sap.com
24. Legal notice
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
© 2016 SAP SE or an SAP affiliate company. All rights reserved.