
#askSAP GRC Innovations Community Call: Cybersecurity Risk and Governance

1,350 views


How is your organization tackling ever increasing cybersecurity threats? Do you have the proper structure and methods in place to effectively mitigate this constantly evolving risk?

Get a sneak preview on how SAP is helping companies embrace the age of digital transformation while rethinking their security strategy, especially as it relates to protecting business applications and improving overarching risk and governance programs.

Published in: Technology


  1. #askSAP GRC Innovations Community Call: Cybersecurity Risk and Governance (June 15, 2016)
  2. Legal disclaimer (© 2016 SAP SE or an SAP affiliate company. All rights reserved. Customer). The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
  3. SAP GRC Innovations Community Call Series
     • Webcast series for the GRC community hosted by SAP Analytics (view replays: http://bit.ly/askSAP_Playlist)
     • An opportunity for you to direct the discussion, get your questions answered, and end the session with some useful advice
     • Live and interactive, 90 minutes
     • Connect on topics before, during, and after the call via Twitter using #askSAP
  4. Speakers
     • Michael Golz, CIO Americas, SAP (@MikeGolz)
     • Kevin McCollom, Group Vice President, SAP Solutions for Governance, Risk and Compliance (@SAPTradeGeek)
     • Erin Hughes, Head of Marketing, Greenlight Technologies (@greenlight_corp)
  5. Agenda
     • Welcome
     • Gain an understanding of the state of cybersecurity threats and evolving security perspectives
     • Get a preview of SAP's security strategy
     • Poll question
     • Q&A
     • Get a closer look at SAP's perspective on cyber risk and governance and business application security
     • Solutions overview
     • Poll question
     • Q&A
     • Demo
     • Customer case study
     • Final Q&A
     • Resources and closing
  6. The state of cybersecurity
  7. Defining security risk. Companies can think of the security risks to their business as being a product of 4 key components related to one of a company's most important assets: its data.
     • Dramatic increase in value of data: $2.8 trillion GDP increase from online data flows
     • Exponential volume of data: 521,000 PB of data storage capacity to be shipped by 2020
     • Increasing vulnerability of endpoints: 21 billion new devices connected by 2020
     • Greater proliferation of attackers: 65 percent of companies surveyed experienced more Advanced Persistent Threats (APT) / targeted attacks
  8. Growth of data breaches: the world's biggest data breaches, 2004 to 2016 (http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/)
  9. The age of digital business. Cybersecurity is a critical element in the digital transformation journey. Diagram: the DIGITAL CORE (SAP S/4HANA) surrounded by Customer Experience, Omni-Channels, Workforce Engagement, Big Data & Internet of Things, Supplier Collaboration, and Business Networks.
     (1) Customers and employees are hyper-connected, always on, with seamless access anywhere and anytime
     (2) Cloud and hybrid cloud environments have become the norm, challenging traditional "protect the 4 walls" security approaches
     (3) Digitally connected supply chains are based on high trust and availability of all parties
     (4) The Internet of Things and Big Data bring unprecedented data streams and volumes
     (5) Confidentiality, integrity and availability of data and systems is the basis for secure operations and trusted relationships
     Transactions and data must be secured throughout the entire end-to-end business process.
  10. Cybersecurity is a top-of-mind boardroom discussion
     • Are external as well as internal threats being addressed?
     • Are gaps identified and addressed?
     • Do we have sufficient visibility into the real threat?
     • How would a breach impact the ability of the business to perform?
     • Do we have the right risk-based approach to management and oversight?
  11. Evolving security perspectives
  12. Evolving security perspectives: historical IT security perspectives versus today's leading cybersecurity insights
     • Scope of the challenge. Historical: limited to your "four walls" and extended to the enterprise. Today: spans your interconnected global and business ecosystem
     • Ownership and accountability. Historical: IT led and operated. Today: business-aligned and owned; CEO and board accountable
     • Adversaries' characteristics. Historical: one-off and opportunistic; motivated by notoriety, technical challenge and individual gain. Today: organized, funded and targeted; motivated by economic, monetary and political gain
     • Information asset protection. Historical: one-size-fits-all approach. Today: prioritize and protect the "crown jewels"
     • Defense posture. Historical: protect the perimeter; respond if attacked. Today: protect the application and data; plan for a breach, monitor and rapidly respond
     • Security intelligence and information sharing. Historical: keep to yourself. Today: public/private partnerships; collaboration with industry working groups
  13. Shifts in approach to security and spending (*IDC Future of Security Survey – Preliminary Results, sponsored by SAP, May 2016)
  14. Next-generation security: cybersecurity innovations
     • 360-degree correlation analytics across network, endpoints, applications, and data
     • Real-time incident response and forensics to accelerate detection, limiting threat impact
     • Next-generation context- and application-aware firewalls to enhance both protection and performance
     • Deep-learning-powered cybersecurity analytics able to respond to threats in an adaptive manner
  15. Next-generation security (continued)
  16. SAP security strategy
  17. SAP security vision. "SAP is in the business of securing our customer's business" (Justin Somaini, Chief Security Officer)
     • Defendable application: identify and prevent attacks from within the application
     • Zero knowledge: ability to store data in the cloud and protect it from outside control
     • Zero vulnerability: minimize vulnerability to ensure maximum protection
     • Security by default: building security into the product right from the start
     • Transparency: full and proactive transparency for the customer
  18. SAP security strategy. "SAP is in the business of securing our customer's business" (Justin Somaini, Chief Security Officer)
     • Secure products and services: driving security into the core of the application and services to provide depth of visibility and control
     • Security ecosystem integration: enabling our customers to integrate SAP into their security ecosystem
     • SAP's security DNA: leveraging SAP's long-standing expertise in analytics and business process management to help solve customers' security challenges
  19. SAP secure software development lifecycle. At the core of SAP's development processes is a comprehensive security strategy based on three pillars: Prevent > Detect > React. The secure software development lifecycle (secure SDL):
     • Is a risk-based approach, which uses threat modeling
     • ISO 27034 compliance, ISO 9001 certifications
     More information: http://go.sap.com/solution/platform-technology/security.html
  20. Security is a shared responsibility
     • Monitor configuration changes
     • Check custom code
     • Consistently apply patches and updates
     • Review RFC connections and interfaces
     • Monitor logs for anomalies and attacks
     • Review critical access and relevant transactions
     • Govern access and manage identities
     • Protect data inside / outside the application
     • Ensure appropriate policies and training
     Lifecycle of the application: (1) installation, configuration, customization; (2) system access, remote and mobile; (3) patches and updates; (4) upgrades and interfaces
  21. Poll question #1: How is the security topic currently viewed within your organization? a) Top of mind, sense of urgency; b) One of many strategic risks to manage; c) Some focus but not considered strategic
  22. Q&A
  23. Cyber risk and governance; business application security
  24. Consider what SAP can do to help you strengthen your cyber risk and governance and your business application security, to help protect trade secrets, intellectual property, financials, and personal data.
  25. Cyber risk and governance
     • What should we be doing?
     • What are the gaps compared to what we're doing today?
     • Are our cybersecurity practices effective?
     • How do we communicate our vision and status with stakeholders?
     • How do we benchmark against best practices, frameworks, and regulations?
     • Are our security processes centralized and simplified?
     • What emerging threats are we not considering today?
     • Where should we be investing further in security?
     • Are we able to detect breaches in a timely manner?
     • Are our security policies effective?
     • Is access secured?
     • Is our custom code secure?
     • Where are our critical business processes exposed?
     • How protected are our high-value assets?
     • Are we meeting our KPIs?
  26. Business application security
     • How do we efficiently support user onboarding and offboarding?
     • Do we enable our end users for self-service?
     • How do we manage the identities for our customers and partners?
     • How do we engage in new business models, yet protect our IP?
     • How do we prevent loss and leakage of our critical data?
     • Can we enforce our data and file sharing policies?
     • How do we ensure that users have the appropriate system assignments?
     • How do we apply business rules and processes?
     • Do we have the appropriate auditing and reporting for our business applications?
     • Can we detect anomalies and possible security issues?
     • Can the security team respond quickly to stop the attack?
     • Are we managing users across our processes?
     • How do we share information and data securely?
     • Are the right users involved in critical business processes?
     • Can we detect security issues and anomalies in our system?
  27. Solutions overview
  28. Solutions for GRC and security from SAP: cyber risk and governance. Identify and manage risks, regulations and policies to minimize potential business impact. Products: SAP Regulation Management by Greenlight, cyber governance edition; SAP Audit Management; SAP Process Control; SAP Risk Management.
     • Manage cyber-related regulatory requirements and align with internal controls
     • Document and monitor security risks as part of the enterprise risk management program
     • Continuously monitor critical security configuration
     • Establish security policies
     • Test adherence and understanding
     • Document and test response and recovery plan
     • Audit the security program to provide independent assurance
  29. Solutions for GRC and security from SAP: business application security. Protect data, manage access, and detect threats. Products: SAP Dynamic Authorization Management by NextLabs; SAP Enterprise Threat Detection; SAP Access Control; SAP Single Sign-On; SAP Identity Management.
     • Monitor business applications for anomalies and attacks
     • Integrate with existing security infrastructure
     • Protect data with fine-grained access and data protection
     • Analyze access risk, define roles, support emergency access
     • Manage identities and administer users, employees, and customers across business applications
  30. Solutions for GRC and security from SAP
     • Analyze custom code: SAP NetWeaver Application Server, add-on for code vulnerability analysis*; SAP Fortify by HPE*; focused on custom code; find and fix unknown vulnerabilities
     • Manage software updates: security patches and updates
     • Leverage standard functionality: SAP secure functionality
     • SAP services: security services by SAP
     * SAP
  31. Secure digital business transformation
     Governance, Risk & Compliance portfolio:
     • SAP Access Control
     • SAP Process Control
     • SAP Risk Management
     • SAP Audit Management
     • SAP Fraud Management
     • SAP Identity Analytics
     • SAP Business Partner Screening
     • SAP Global Trade Services
     • SAP Electronic Invoicing for Brazil
     Security and threat intelligence:
     • SAP Identity Management
     • SAP Cloud Identity service
     • SAP Single Sign-On
     • SAP Enterprise Threat Detection
     • SAP Code Vulnerability Analysis
     • SAP Fortify by HP
     GRC solution extensions:
     • SAP Access Violation Management by Greenlight
     • SAP Regulation Management by Greenlight (cyber governance solution)
     • SAP Dynamic Authorization Management by NextLabs
     • SAP Technical Data Export Compliance application by NextLabs
  32. Poll question #2: Which of the following SAP offerings were you most familiar with prior to today's conversation? a) SAP's solutions related to traditional access management; b) SAP's solution extensions; c) SAP's solutions related to identity management and single sign-on; d) SAP standard functionality to support security; e) I wasn't really familiar with any of these areas
  33. Q&A
  34. Demo
  35. Case study
  36. Improving security governance with regulation management. Process stages: new and changing regulations (regulatory change feeds and surveillance); regulatory intelligence applicable to the organization (multiple regulations); prioritization, impact analysis, requirement interpretation, cataloguing; internal control design, financial or operational risk mapping; collect evidence, assess financial impact of risk and non-compliance; monitoring and reporting (governance dashboards and reports, external reporting and "in control").
     • Monitor regulations: monitor GMP, privacy, and cybersecurity external requirements (300+)
     • Baseline regulations (life sciences and pharma): FDA, ISO/IEC 27000, IEC/TR 62443 and 80001, NERC CIP, SEC, GSA, DHHS and OIG, USDA, EPA, ICH, Europa, FCC, COSO, FTC, Eudralex, EFPIA, PhRMA, EMEA, EFSA, ABPI, MHRA, Health Canada, DHAC of Australia, TGA
     • Catalog requirements: CGMP (Current Good Manufacturing Guidelines); Cybersecurity (cybersecurity standards)
     • Define and reuse controls mapped to risks: CSC4005: ensure all Windows registry entries are consistent across the domain; identify and configure key registry entries and monitor for any changes to those registry entries. CNC195: Windows server vulnerabilities are checked on a regular basis; exception reporting to alert administrators. PM200: password policy across Oracle databases is consistent and enforced
     • Collect and report: regulatory intelligence on changes to regulatory requirements and surveillance; exception reporting on automated controls
     Monitored systems: database, Windows, LDAP
  37. Final Q&A
  38. Resources
  39. Need more information on SAP HANA security? Read the SAP HANA security whitepaper. Want to know more? Check out the SAP HANA security page: http://hana.sap.com/security
  40. Security patches. Keep up to date by installing the latest security patches and monitoring SAP security notes.
     Security improvements/corrections ship with SAP HANA revisions:
     • Current SAP HANA version: SAP HANA SPS11, revisions 11x
     • Installed using SAP HANA's lifecycle management tools
     • See also SAP Note 2021789, SAP HANA revision and maintenance strategy
     SAP security notes contain further information:
     • Affected SAP HANA application areas and specific measures that protect against the exploitation of potential weaknesses
     • Released as part of the monthly SAP Security Patch Day
     • See also http://support.sap.com/securitynotes and SAP Security Notes – Frequently asked questions
     Operating system patches:
     • Provided by the respective vendors, SUSE/Red Hat
  41. Security services by SAP. SAP offers a wide range of security tools and services to ensure the smooth operation of your SAP solution by taking action proactively, before security issues occur. More information:
     • SAP Support Portal: EarlyWatch Alert
     • SAP Security Optimization Services
  42. Solutions for GRC and security from SAP (product pages)
     • SAP Access Control
     • SAP Process Control
     • SAP Risk Management
     • SAP Audit Management
     • SAP Identity Management
     • SAP Single Sign-On
     • SAP Enterprise Threat Detection
     • SAP Regulation Management by Greenlight, cyber governance edition
     • SAP Dynamic Authorization Management by NextLabs
  43. Thank you
