Security Guide SAP Supplier InfoNet

Similar documents
SAP Workforce Performance Builder 9.5

Afaria Document Version: Windows Phone Enterprise Client Signing

SAP Enable Now. Desktop Components (Cloud Edition)

SAP Workforce Performance Builder

SAP Workforce Performance Builder 9.5

Master Guide for SAP HANA Smart Data Integration and SAP HANA Smart Data Quality

Advanced Reporting in the Online Report Designer Administration Guide

CUSTOMER Upgrade: SAP Mobile Platform SDK for Mac OS

SAP IoT Application Enablement Reuse Components and Templates

SAP Workforce Performance Builder 9.5

Configuring Client Keystore for Web Services

SAP Enable Now. Desktop Assistant

PUBLIC Rapid Deployment Guide

ATTP Settings for ATTP to ATTP Connection

SAP Vora - AWS Marketplace Production Edition Reference Guide

Development Information Document Version: CUSTOMER. ABAP for Key Users

PUBLIC DQM Microservices Blueprints User's Guide

What's New in SAP HANA Smart Data Streaming (Release Notes)

Non-SAP Backend System Readiness Check

SAP Enable Now. System Requirements

Creating RFC Destinations

SAP Enable Now What s New. WHAT S NEW PUBLIC Version 1.0, Feature Pack SAP Enable Now What s New. Introduction PUBLIC 1

PUBLIC SAP Vora Sizing Guide

SAP Anywhere Security Guide

1704 SP2 CUSTOMER. What s New SAP Enable Now

edocument for Italy - SAP Cloud Platform Integration Guide

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

ADDITIONAL GUIDES Customer SAP Enable Now System Requirements Customer

System Requirements and Technical Prerequisites for SAP SuccessFactors HCM Suite

edocument for Hungary Invoice Registration - SAP Cloud Platform Integration Guide (SAP S/ 4HANA Cloud)

SAP Jam Application Launcher for Microsoft Windows Reference Guide

VERSION 1.0, FEATURE PACK What s New SAP Enable Now

BMW Group ebox Partner Archive Hotline

Onboarding Guide THE BEST RUN. IMPLEMENTATION GUIDE PUBLIC Document Version:

SAP Jam Communities What's New 1808 THE BEST RUN. PUBLIC Document Version: August

Security Information for SAP Asset Strategy and Performance Management

opensap Extending SAP S/4HANA Cloud and SAP S/4HANA SAP S/4HANA UX Fundamentals PUBLIC

Secure Login for SAP Single Sign-On Sizing Guide

Starting Guide for Data Warehousing Foundation Components on XSA

Configuring the Web Service Runtime for ATTP

Configuring the SAP Cryptolibrary on the ABAP Application Server

Xerox Audio Documents App

HPE Intelligent Management Center

Two-Factor Authentication over Mobile: Simplifying Security and Authentication

CUSTOMER SAP Afaria Overview

SAP Policy Management, group insurance add-on 1.1

Data Protection and Privacy for Fraud Watch

Single Sign-On Extensions Library THE BEST RUN. PUBLIC SAP Single Sign-On 3.0 SP02 Document Version:

Managing Business Rules THE BEST RUN. PLANNING AND DESIGN PUBLIC SAP Global Track and Trace Document Version: Cloud 2018.

SAP Jam for Microsoft Office integration Reference Guide THE BEST RUN

HA215 SAP HANA Monitoring and Performance Analysis

Manual 1704 Document Version: SAP SE or an SAP affiliate company. All rights reserved. PUBLIC. SAP Enable Now.

How-To Guide SAP 3D Visual Enterprise Author 8.0 Document Version: How To Part Replace

SECURITY PRACTICES OVERVIEW

HA240 Authorization, Security and Scenarios

SAP Jam add-in for Microsoft Office Outlook Administration Guide and Release Notes

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

enalyzer enalyzer security

Hosted Testing and Grading

Complementary Demo Guide

Security Architecture

INTERNAL USE ONLY SAP BusinessObjects EPM Add-in for Microsoft Office Support Package 17 / Patch XX Installation Procedure

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016

SAP Business One Upgrade Strategy Overview

Visual Business Configuration with SAP TM

DS10. Data Services - Platform and Transforms COURSE OUTLINE. Course Version: 15 Course Duration: 3 Day(s)

Business Add-Ins (BAdIs) for SD Jam Integration Document Version:

NIST Revision 2: Guide to Industrial Control Systems (ICS) Security

SAP Business One Integration Framework

SAP HANA SPS 08 - What s New? SAP HANA Web-based Development Workbench. (Delta from SPS 07 to SPS 08) SAP HANA Product Management May, 2014

SAP IoT Application Enablement Best Practices Authorization Guide

BC403 Advanced ABAP Debugging

SECURITY & PRIVACY DOCUMENTATION

Integrated Cloud Environment Security White Paper

HA215 SAP HANA Monitoring and Performance Analysis

C4C30. SAP Cloud Applications Studio COURSE OUTLINE. Course Version: 21 Course Duration: 4 Day(s)

ADM506. Database Administration Oracle II COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)

Device Operation Process Diagrams. SAP Mobile Secure rapid-deployment solution September 2014

Juniper Vendor Security Requirements

How-To Guide SAP 3D Visual Enterprise Author Document Version: Markups and Measurements

Safeguarding Cardholder Account Data

BC405 Programming ABAP Reports

Demand Management. Job Processing Guide for SAP DM. Release 6.4

FAQs OData Services SAP Hybris Cloud for Customer PUBLIC

Device Application Onboarding Process Diagrams. SAP Mobile Secure: SAP Afaria 7 SP5 September 2014

Data Processing Amendment to Google Apps Enterprise Agreement

ADM505. Oracle Database Administration COURSE OUTLINE. Course Version: 15 Course Duration: 3 Day(s)

HA240 SAP HANA 2.0 SPS02

KantanMT.com. Security & Infra-Structure Overview

BC414. Programming Database Updates COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)

SAP Business One Upgrade Strategy Overview

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

HA301. SAP HANA 2.0 SPS03 - Advanced Modeling COURSE OUTLINE. Course Version: 15 Course Duration:

HA300 SAP HANA Modeling

SAP 3D Visual Enterprise 9.0: Localization of Authoring Content

QuickSpecs. Aruba ClearPass OnGuard Software. Overview. Product overview. Key Features

SAP Global Track and Trace Onboarding Guide

An Oracle White Paper September Security and the Oracle Database Cloud Service

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

TERMS & CONDITIONS. Complied with GDPR rules and regulation CONDITIONS OF USE PROPRIETARY RIGHTS AND ACCEPTABLE USE OF CONTENT

Transcription:

SAP Supplier InfoNet

Table of Contents 1 About this document....3 2 Network and communication security....4 2.1 Network security....4 2.2 Communication channel security....4 2.3 Network resource security....4 3 Data storage security....6 3.1 Data access restrictions....6 3.2 Physical data center security...7 4 Application security.... 8 5 User authentication and authorization.... 9 6 Browser compatibility....10 7 Security logging and tracing.... 11 2 2014 SAP SE or an SAP affiliate company. All rights reserved. Table of Contents

1 About this document The SAP Supplier InfoNet provides an overview of the security-relevant information that applies to SAP Supplier InfoNet. A separate guide with instructions for users of the application, the SAP Supplier InfoNet User Guide, is available within the application and on the SAP Help Portal at http://help.sap.com/supp-inet. The SAP Supplier InfoNet includes the following sections: Network and communication security This section provides an overview of the security mechanisms that protect SAP Supplier InfoNet server and storage resources at the network level. Data storage security This section provides an overview of the database system that stores SAP Supplier InfoNet data and the security mechanisms that apply. Application security This section provides an overview of the security mechanisms that protect data in the SAP Supplier InfoNet application. User authentication and authorization This section describes the user types in SAP Supplier InfoNet, and the authorization concept that applies to the application. Browser compatibility This section specifies the types and versions of web browsers that SAP Supplier InfoNet is tested on. Security logging and tracing This section provides an overview of the type of data that is logged by SAP Supplier InfoNet for security purposes. About this document 2014 SAP SE or an SAP affiliate company. All rights reserved. 3

2 Network and communication security 2.1 Network security For SAP Supplier InfoNet, various security mechanisms at the network level block unauthorized traffic and ensure smooth operations and a high level of privacy and security. The first levels of protection are the perimeter firewalls and edge routers. These network devices and the corresponding network topology are designed to isolate the SAP Supplier InfoNet server and storage resources from both the incoming internet channel and from the other resources within the SAP data center that are unrelated to SAP Supplier InfoNet. This isolation is carried out at the lowest network packet level to ensure complete isolation from all unrelated and unauthorized network traffic. Load balancers and NAT devices control which incoming messages are routed to which resources. This provides an extra layer of protection against incoming traffic. The NAT device also hides all internal machine addresses, so they cannot be mapped from outside the network. In addition to the production system that customers interact with, an exact replica exists as a staging system. The staging system is where the SAP team does the final testing of any updates before promoting the updates to the production system according to a defined procedure. The staging system is also separated from the production system at the domain level. 2.2 Communication channel security SAP Supplier InfoNet uses a 128-bit Secure Socket Layer connection to encrypt all network communication. If users attempt to connect to the application on a non-secure channel, they are redirected to a secure channel (seen as https:// in the browser address bar) that is used for both incoming and outgoing traffic. Sniffing attacks on network packets between the user's machine and the web servers on the Internet are prevented in this way, because the contents of those packets are fully encrypted and thus meaningless to a malicious user. Additionally, all customer data is received over a 128-bit encrypted file transfer channel. Before being uploaded into the main SAP Supplier InfoNet database, this data is isolated and stored on a secure storage device that only privileged personnel can access. SAP Supplier InfoNet can use email notifications to alert users to news or changes in supplier KPI scores. However, these emails do not contain any identifiable information, such as company names or performance data. They show only a short message and a link to the application, so users need to authenticate themselves before gaining access to the alert details. 2.3 Network resource security The network and storage resources for SAP Supplier InfoNet are subject to a robust system of security and monitoring mechanisms. 4 2014 SAP SE or an SAP affiliate company. All rights reserved. Network and communication security

The operating system software on all resources is audited to ensure that it is configured for optimal security, and a process is in place to apply all vendor security software patches shortly after their release. These machines are all configured with strong password authentication that only a small number of individuals have access to, so even if non-authorized connections made their way into the core server network, they would not be able to gain access to any of the server resources themselves. Malicious attacks are prevented in several ways. Industry-standard anti-virus software runs on all computing resources at all times, constantly monitoring all files and disks for suspicious content. Anti-virus definitions are kept up-to-date. An Intrusion Prevention and Detection System (IPDS) continually scans all network and machine activity for vulnerabilities and security incidents. Both the anti-virus software and the IPDS are monitored at all times by support staff. Remediation procedures exist in case any incidents are detected. Multiple internet connections are available to prevent distributed denial-of-service (DDoS) attacks. Specific software resources such as database servers and web servers have a variety of 24x7 monitors in place to ensure that they are responding at all times to incoming requests and that any issues are immediately alerted to support staff. Only privileged staff have access to the server resources, and this access is divided across these individuals' accounts according to a Separation of Duties (SoD) methodology to prevent any one person from having broad access to the server resources. All access and transactions to any of the server resources are logged for auditing and monitoring purposes. Network and communication security 2014 SAP SE or an SAP affiliate company. All rights reserved. 5

3 Data storage security The data about users, suppliers, and customers in SAP Supplier InfoNet is very sensitive, and securing it is a high priority. This data is stored in database systems at SAP hosting centers that are secured by both machine-level and database-level access control. Because all data is stored and managed by the database software, no plain text data is accessible at all on the server machines. Log files are sometimes written to disk but these log files do not contain identifiable information about users or companies in SAP Supplier InfoNet. When customers submit private data to SAP Supplier InfoNet, their data is isolated and stored on a secure storage device that only privileged personnel have access to before being uploaded into the main SAP Supplier InfoNet database. Measures are also in place to ensure that no data is lost. Data is regularly backed up from the server resources onto separate secure network devices that cannot be accessed from the outside Internet channel. 3.1 Data access restrictions Rigorous data access restrictions apply to private data about suppliers in the SAP Supplier InfoNet application. Anonymized performance data The database that holds customer data for SAP Supplier InfoNet has a hybrid multitenant design. In traditional multitenant systems, all data is private to each customer. Likewise, each SAP Supplier InfoNet customer's raw data that is, supplier lists and associated performance records is private and cannot be seen by other users. Some of the most valuable use cases in SAP Supplier InfoNet, however, involve comparing a customer's own data to the data of other customers. To allow this comparison, customers' raw data is aggregated to derive anonymized data that is shared in a controlled manner. Users can see how a given supplier performs for a pool of customers, but cannot view the raw data submitted by individual customers about that supplier. At least three other companies must provide data about a specific supplier before any pooled performance data is shared with SAP Supplier InfoNet users. This requirement protects the anonymity of these companies. Access control for upstream suppliers The Network tab in the SAP Supplier InfoNet application allows customers to view their supply chain across several tiers. Initially, users can see only direct suppliers of their company. As these direct suppliers onboard their suppliers, the network view expands to show tier-2 suppliers, and so on. By default, the upstream suppliers appear anonymously, and the only information that is available is the number of recent events for each upstream supplier. Since the direct supplier owns the information about the upstream suppliers, any decision to expose this information belongs to the direct supplier. 6 2014 SAP SE or an SAP affiliate company. All rights reserved. Data storage security

SAP Supplier InfoNet provides a robust access control framework that enables users to request access to data about their upstream suppliers. The direct supplier can choose to grant or deny these access requests. If the direct supplier grants the request, the user can see information about the upstream suppliers, and can in turn request information about their suppliers. 3.2 Physical data center security SAP Supplier InfoNet is hosted in two physical data centers: one in North America and one in Germany. Having a data center in both North America and EMEA allows SAP Supplier InfoNet to accommodate customers who have policies that require their data to be stored exclusively in one of these regions. Several measures ensure that these data centers are highly secure and reliable. Access restrictions The data centers are restricted to specialized and authorized personnel. Biometric door lock systems ensure that only these authorized individuals can enter. Each person entering the data center must authenticate themselves individually, so it is impossible to simply follow another individual through a door. Entries and exits are logged for audit purposes. Monitoring A full surveillance camera system with hundreds of cameras monitors all areas of the premises. The data centers also have motion detection alarm systems. In addition to the specialized staff monitoring the computing systems, on-site security staff monitor the premises at all times. Emergency safeguards The following safeguards are in place to protect the integrity of systems from environmental hazards: Tens of thousands of sensors to monitor the environment for any deviations from safe thresholds. Redundant air cooling systems. Fire and flood protection with a redundant Inergen fire extinguishing system. Hundreds of uninterruptible power supplies, and a large redundant power system that can power the data center for several days without a disruption of service. Data storage security 2014 SAP SE or an SAP affiliate company. All rights reserved. 7

4 Application security In addition to the physical and network-level security mechanisms, there are measures in place to protect the SAP Supplier InfoNet web application itself. SAP has a set of rigorous standards that apply to all products that are released to the market. In particular, the set of standards for security is lengthy, covering programming practices and security requirements. SAP Supplier InfoNet has complied with and gained approval for these standards to provide an extra level of confidence. An automated code scan is also performed on all code that goes into the production system. Between these two practices, vulnerabilities such as Cross-Site Scripting, Cross-Site Request Forgery, and Path Traversal are detected and fixed before release. Users access SAP Supplier InfoNet through a standard web browser, so no software needs to be installed on the user's machine. Communication between users' machines and the web servers on the Internet take place on a 128-bit Secure Socket Layer connection. 8 2014 SAP SE or an SAP affiliate company. All rights reserved. Application security

5 User authentication and authorization Authentication is the process of verifying the identity of a user who attempts to access the system, and authorization is the process of verifying that the user has been granted sufficient rights to perform the requested action upon the specified object. This section describes the authentication and authorization processes to show how system security works within SAP Supplier InfoNet. Authentication There are no default user accounts, and users cannot register themselves. All user accounts are created manually, upon request, by an SAP Supplier InfoNet site administrator. Site administrators are SAP employees. When a user account is created, the user receives an email with the URL of a secure page where he or she activates the account, accepts the SAP Privacy Policy, and establishes a secure initial password. Passwords are required to be strong, including mixed case and numbers. SAP Supplier InfoNet does not store passwords in plain text form. Instead, passwords are stored securely in the database as a salted, 256-bit SHA hashed value. Even if a malicious user gains access to this list of users and passwords, this encryption prevents the malicious user from determining valid credentials and logging onto the system. When a user logs onto SAP Supplier InfoNet, a session is created and its ID is stored in a browser session cookie. This cookie is marked as secure, so the session ID is always sent to the server over an encrypted connection. The corresponding session on the server is maintained until the user logs out or remains idle for several minutes. Authorization There are two user roles: User Security Administrator The user role is for an ordinary user of SAP Supplier InfoNet. This role allows users to view and benchmark performance data, configure their own personal thresholds for alerts and have their own personalized alerts, and to explore supplier networks. The security administrator role has all of the permissions of the user role. In addition, security administrators determine which of their customers receive information about their organization's suppliers. Note If you would like to upgrade or downgrade the role of users at your company, you must contact an SAP Supplier InfoNet site administrator. User authentication and authorization 2014 SAP SE or an SAP affiliate company. All rights reserved. 9

6 Browser compatibility SAP Supplier InfoNet is tested with the following web browsers: Microsoft Internet Explorer, versions 8 through 10. Safari, versions 5 through 7.0.5 on a Mac operating system. Mozilla Firefox, versions 17 through 29. 10 2014 SAP SE or an SAP affiliate company. All rights reserved. Browser compatibility

7 Security logging and tracing Auditing lets SAP personnel keep a record of significant events that happened on SAP Supplier InfoNet servers and services. At the application level, all activity related to user maintenance is logged, including the following: user creation successful login attempts unsuccessful login attempts password changes At the network level, all access to server resources and transactions on those resources are logged for security purposes. Security logging and tracing 2014 SAP SE or an SAP affiliate company. All rights reserved. 11

Important Disclaimers on Legal Aspects This document is for informational purposes only. Its content is subject to change without notice, and SAP does not warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE. Coding Samples Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence. Accessibility The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document. Gender-Neutral Language As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible. Internet Hyperlinks The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. Regarding link classification, see: http:// help.sap.com/disclaimer. 12 2014 SAP SE or an SAP affiliate company. All rights reserved. Important Disclaimers on Legal Aspects

Important Disclaimers on Legal Aspects 2014 SAP SE or an SAP affiliate company. All rights reserved. 13

www.sap.com/contactsap 2014 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see http://www.sap.com/corporate-en/legal/copyright/ index.epx for additional trademark information and notices.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback