In Cloud, We Trust: A Research Perspective
Dr Jean-Christophe Pazzaglia, Director SAP RESEARCH SOPHIA ANTIPOLIS, SECURITY & TRUST
Sophia-Antipolis, September 2011
SAP RESEARCH



Is it only About Cloud ?


Customer Needs are Driving Market Trends
On Premise, On Demand and Cloud Co-Existence

• Hybrid business solutions and networks are becoming the norm

• Companies will choose services
  • for different purposes
  • from both public and private clouds
  • integrated with on-premise solutions

• Openness and ecosystem strength will be key success factors for providers

• Orchestration of hybrid solution landscapes will become key

• Collaboration is a central aspect of cloud applications

• Significant TCO reduction through migration of existing ERP installations to the cloud

Diagram: Public Cloud, Private Cloud, Partner Cloud, Local / On Premise

© 2011 SAP AG. All rights reserved.


Is Security Different ?


Security : the Last Barrier for Cloud Adoption ?

Major concern for deployment of business critical data on the cloud

Security (but also Dependability, Resilience, …) is intrinsically difficult to evaluate

Functional testing :

what you test is what you get !

Security testing :

what you test is what you get …

… what you hope …

… what you believe about your attacker …

… and something else will happen !


Are Geeks Enough to Secure your Cloud ?


The Cloud Stack


Different Delivery, Offer and Consumption Models


Our Strategy for Success
Four Key Areas of Innovation and Investment

New Ways to Sell & Buy
SAP Store at the core of an e-channel for SAP; consistent E2E experience

Co-innovation & Ecosystem
Resellers, Solution Partners, Service partners

Cloud Ops. & Infrastructure
In-memory ready cloud; best service at lowest cost; global, 7x24

On Demand Solutions
• SAP Business ByDesign as OD suite
• LOB Solutions
• Analytics; Collaboration

A Platform for Partners to Build and Sell Cloud Add-ons
Covering development through sales and customer support

Diagram labels: Actors: Solution Partner, Customer, SAP Store, Community. Layers: Application Platform (PaaS), Solutions and Services (SaaS), Add-ons, Core Solutions (Sales OnDemand), Cloud Computing Infrastructure, On Demand Lifecycle Management & Operations, External Web Services (Core / Edge). Flows: Build; Certify & Publish; Publish; Find & Subscribe; Sell & Deploy; Use; Pay & Usage; Billing & Collection; Consume Remote Services; Integrate Remote Services.


Open questions

Should we blindly trust the hardware provider / software vendor / solution provider / add-on developer / etc.?

Where are my data, and which legal system applies?

Are my data protected (on-line version and backup)?

Are the data only used for the original intent?

Are the management processes documented and implemented?

How often is the system patched?

What is the latency for security fixes?


Establishing trust: Compliance with Certification Standards is a must-have

Cloud Operations & Infrastructure
Continuous Investment into SAP Cloud

Highest Compliance Standards
ISO 27001, SAS 70 Type II, ISAE 3402 certificate

SAP Data Centers
SAP data center location in Germany
US data center to open in Q2 2011
APA in preparation

Scalability and In-Memory Ready
Scalable operations through full multi-tenancy enablement
Latest blade technology with 144 GB – 2 TB main memory
In-memory database will further improve performance and reduce cost

Integration with Service Backbone
Continuous, proactive monitoring
SAP support network

Certificates shown: ISO 27001 certification; SAS 70 Type II certification; Energy efficiency certificate; "Premium Standard Data Center"


A journey through our SAP Research S&T related projects
Mechanisms to build trust in the cloud context, and adapting your strategy to the trust level

SAP RESEARCH


Assuring Trust: Real time auditing


Maintaining Trust: Establish a Security Policy Chain


Service Provider Landscape
Composition of in-house and outsourced subservices on all architecture layers
Multitude of security requirements stemming from different sources
Shared and continuously changing environment

Challenges
Select efficient and cost-beneficial security controls
Meet new requirements
Maintain security and compliance at operations time
Improve transparency for all stakeholders

Today's tools and processes hamper compliance, security and profitability

Project Objective
Improve security and compliance
Lower security management costs

Building the Policy Chain
From abstract, declarative security requirements down to technical, imperative configuration settings

Use-cases of the Policy Chain
Elicitation and analysis of security requirements
Matching and comparison of 3rd party suppliers
Comparison, selection, and implementation of security enforcement mechanisms
Policy-driven system management by the deployment of generated security configurations
Compliance assessment, through complete, repeatable, and automated system validation

Copyright 2011 by PoSecCo. The PoSecCo project (project no. 257129) is co-funded by the European Union under the ICT theme of the 7th Framework Programme for R&D (FP7).
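The policy chain described on this slide, as an added toy implementation (this is not PoSecCo project code): abstract requirements are refined through a catalogue of enforcement mechanisms into concrete settings, the cheapest adequate mechanism is selected, the generated configuration is rendered per host, and an automated check compares it against what the hosts actually run. Every finding carries the requirement id, which is what gives stakeholders the traceability the slide asks for. The requirement names, component types, settings, costs and the observed configuration are assumptions constructed for the example.

```python
"""Toy security policy chain: abstract requirement -> enforcement mechanism
-> concrete configuration -> automated compliance check.

Added example, not PoSecCo project code. All requirement names, component
types, settings, costs and the observed configuration below are assumptions
constructed for illustration.
"""
from dataclasses import dataclass

# Step 1: abstract, declarative requirements (what must hold, not how).
REQUIREMENTS = [
    {"id": "R1", "asset": "customer-db", "requirement": "confidentiality-in-transit"},
    {"id": "R2", "asset": "admin-gateway", "requirement": "strong-authentication"},
    {"id": "R3", "asset": "customer-db", "requirement": "tamper-evident-audit-log"},
]

# Step 2: the service landscape: which component realises which asset, and where.
LANDSCAPE = {
    "customer-db": {"component": "postgres", "host": "db1"},
    "admin-gateway": {"component": "openssh", "host": "bastion"},
}

# Step 3: catalogue of enforcement mechanisms per (requirement, component).
# Several mechanisms may satisfy one requirement; each carries a relative
# cost (assumed numbers) so the cheapest adequate control can be selected.
CATALOGUE = {
    ("confidentiality-in-transit", "postgres"): [
        {"name": "server-tls", "cost": 2,
         "settings": {"ssl": "on", "ssl_min_protocol_version": "TLSv1.2"}},
        {"name": "ipsec-tunnel", "cost": 5,
         "settings": {"ipsec": "required"}},
    ],
    ("strong-authentication", "openssh"): [
        {"name": "pubkey-only", "cost": 1,
         "settings": {"PasswordAuthentication": "no", "PubkeyAuthentication": "yes"}},
    ],
}

@dataclass(frozen=True)
class ConfigItem:
    req_id: str
    host: str
    component: str
    key: str
    value: str

def refine(requirements, landscape, catalogue):
    """Refine abstract requirements into concrete settings.

    Returns (config_items, gaps). A gap is a requirement for which the
    catalogue offers no mechanism on the deployed component; it is surfaced
    rather than silently dropped.
    """
    items, gaps = [], []
    for req in requirements:
        target = landscape[req["asset"]]
        options = catalogue.get((req["requirement"], target["component"]), [])
        if not options:
            gaps.append(req["id"])
            continue
        chosen = min(options, key=lambda m: m["cost"])
        for key, value in chosen["settings"].items():
            items.append(ConfigItem(req["id"], target["host"], target["component"], key, value))
    return items, gaps

def render(items):
    """Group the generated settings per host, ready for deployment."""
    out = {}
    for it in items:
        out.setdefault(it.host, {})[it.key] = it.value
    return out

def validate(items, observed):
    """Compare generated settings against the observed configuration.

    Each finding keeps the requirement id, so a failing setting is traceable
    back to the business requirement it implements.
    """
    findings = []
    for it in items:
        actual = observed.get(it.host, {}).get(it.key)
        status = "compliant" if actual == it.value else "non-compliant"
        findings.append({"req": it.req_id, "host": it.host, "key": it.key,
                         "expected": it.value, "observed": actual, "status": status})
    return findings

# Constructed snapshot of what the hosts actually run (assumption).
OBSERVED = {
    "db1": {"ssl": "on", "ssl_min_protocol_version": "TLSv1"},
    "bastion": {"PasswordAuthentication": "yes", "PubkeyAuthentication": "yes"},
}

def run():
    items, gaps = refine(REQUIREMENTS, LANDSCAPE, CATALOGUE)
    return render(items), validate(items, OBSERVED), gaps

if __name__ == "__main__":
    rendered, findings, gaps = run()
    for host, settings in rendered.items():
        print(host, settings)
    for f in findings:
        if f["status"] != "compliant":
            print(f"{f['req']} violated on {f['host']}: {f['key']}={f['observed']!r}, expected {f['expected']!r}")
    print("requirements without enforcement mechanism:", gaps)
```

Run stand-alone, the check reports the downgraded TLS floor on db1 against R1 and the password login on bastion against R2, and lists R3 as a requirement the catalogue cannot enforce on the deployed component; a real policy chain would feed that gap back into supplier comparison or mechanism selection rather than leave it implicit.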


Programmatic Way to Establish Trust: "Can a Program believe ?"


Trusted Environment: Distribute your Data Together with their Policy


Sticky Policy: Distribute Your Data Together with Their Policy

Business web relies on transmission of (personal) data across services, players, geographies

Risks:
Original conditions of collection (e.g., purpose) may get lost
Compliance with regional privacy regulations
Users or data collectors lose control

Sticky Policy: attaching data handling conditions to the data
Policy follows the data from collection (B2C) and all along the chain (B2B)
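The sticky-policy idea on this slide, as an added example (not the SAP Research implementation): the collector binds the record and its handling conditions into one envelope whose integrity tag covers both, so a downstream party cannot strip the policy, relax it or move it onto other data without detection, and every service in the chain evaluates purpose, recipient and region against the original conditions before using the data. The policy vocabulary, the record and the shared HMAC key are assumptions; a deployment across organisations would use a signature by the collector so any party can verify it without a shared secret.

```python
"""Sticky policy envelope: data travels together with its handling conditions.

Added example, not the SAP Research implementation. The policy vocabulary
(purposes, recipients, regions), the record and the HMAC key are assumptions
made for illustration.
"""
import hashlib
import hmac
import json

def _canonical(obj):
    # Deterministic serialisation so the MAC is stable across parties.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def attach_policy(record, policy, key):
    """Bind data and policy together. The MAC covers both, so the policy
    cannot be stripped, relaxed or swapped onto other data unnoticed."""
    body = {"data": record, "policy": policy}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}

def verify(envelope, key):
    body = {"data": envelope["data"], "policy": envelope["policy"]}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("mac", ""))

def check_use(envelope, key, recipient, purpose, region):
    """Decide whether `recipient` may process the data for `purpose` in `region`.
    Returns (allowed, reason). Integrity is checked first: a broken MAC means
    the conditions of collection can no longer be trusted."""
    if not verify(envelope, key):
        return False, "policy or data tampered"
    p = envelope["policy"]
    if recipient not in p["recipients"]:
        return False, f"recipient {recipient} not authorised"
    if purpose not in p["purposes"]:
        return False, f"purpose {purpose} not in original conditions of collection"
    if region not in p["regions"]:
        return False, f"processing in {region} not permitted"
    return True, "ok"

KEY = b"collector-shared-secret"  # assumption: shared between collector and auditors
RECORD = {"customer": "alice@example.org", "address": "Sophia-Antipolis"}  # constructed
POLICY = {"purposes": ["order-fulfilment"], "recipients": ["shop", "carrier"], "regions": ["EU"]}

if __name__ == "__main__":
    env = attach_policy(RECORD, POLICY, KEY)
    print(check_use(env, KEY, "carrier", "order-fulfilment", "EU"))
    print(check_use(env, KEY, "carrier", "marketing", "EU"))
    # A downstream party tries to widen the recipient list: the MAC no longer matches.
    tampered = dict(env)
    tampered["policy"] = {**POLICY, "recipients": POLICY["recipients"] + ["broker"]}
    print(check_use(tampered, KEY, "broker", "order-fulfilment", "EU"))
```

The envelope is what gets forwarded B2B; each hop re-runs check_use with its own identity, purpose and processing location, which is how the original purpose survives the chain instead of being lost at the first handover.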


Partial trust: How to Evaluate the Risk of Sharing Data ?


Data Disclosure Risk Evaluation

Problem Statement
How to transform original data records so that no sensitive personal data are disclosed, while preserving the maximum amount of relevant information (anonymity vs. utility trade-off), data integrity and consistency.

Mechanisms
Transform the original dataset to preserve privacy: data perturbation, scrambling, generalization, suppression
Risk assessment: score the resulting data set and the inference risk

Scenarios
Software testing, providing data to researchers, outsourced processes
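The generalization and suppression mechanisms and the risk scoring named above, as an added worked example on a constructed toy dataset (this is not SAP Research's tool): quasi-identifiers are generalised along an assumed hierarchy, records in equivalence classes smaller than k are suppressed, and the result is scored for re-identification risk under the prosecutor model and for information loss, so the anonymity vs. utility trade-off becomes a number one can compare across settings. Column names, records and the hierarchy are assumptions.

```python
"""Data disclosure risk evaluation on a constructed toy dataset.

Added example, not SAP Research's tool. It generalises and suppresses
quasi-identifiers to reach k-anonymity, then scores the result for
re-identification risk and information loss. Column names, records and
generalisation hierarchies are assumptions made for the example.
"""
from collections import Counter

# Constructed records: age, zip and gender are quasi-identifiers (what an
# attacker may know from elsewhere); diagnosis is the sensitive attribute
# whose utility we want to keep for testing or research.
RECORDS = [
    {"age": 34, "zip": "06254", "gender": "F", "diagnosis": "flu"},
    {"age": 36, "zip": "06250", "gender": "F", "diagnosis": "asthma"},
    {"age": 38, "zip": "06255", "gender": "F", "diagnosis": "flu"},
    {"age": 52, "zip": "06100", "gender": "M", "diagnosis": "diabetes"},
    {"age": 55, "zip": "06130", "gender": "M", "diagnosis": "flu"},
    {"age": 57, "zip": "06160", "gender": "M", "diagnosis": "asthma"},
    {"age": 23, "zip": "75001", "gender": "F", "diagnosis": "flu"},
]
QUASI = ("age", "zip", "gender")

def generalise(rec, level):
    """Generalisation hierarchy (assumed): level 0 exact values,
    level 1 ten-year age band and 3-digit zip prefix, level 2 fully masked."""
    out = dict(rec)
    if level >= 1:
        lo = (rec["age"] // 10) * 10
        out["age"] = f"{lo}-{lo + 9}"
        out["zip"] = rec["zip"][:3] + "**"
    if level >= 2:
        out["age"] = "*"
        out["zip"] = "*"
    return out

def qi_key(rec):
    return tuple(rec[q] for q in QUASI)

def anonymise(records, k, level):
    """Generalise, then suppress records whose equivalence class (records
    sharing the same quasi-identifier values) has fewer than k members.
    Returns (kept_records, number_suppressed)."""
    gen = [generalise(r, level) for r in records]
    sizes = Counter(qi_key(r) for r in gen)
    kept = [r for r in gen if sizes[qi_key(r)] >= k]
    return kept, len(gen) - len(kept)

def reidentification_risk(records):
    """Prosecutor model: an attacker who knows a target's quasi-identifiers
    and knows the target is in the set succeeds with probability
    1 / class size. Returns (worst_case, average)."""
    if not records:
        return 0.0, 0.0
    sizes = Counter(qi_key(r) for r in records)
    per_record = [1 / sizes[qi_key(r)] for r in records]
    return max(per_record), sum(per_record) / len(per_record)

def information_loss(n_original, kept, suppressed, level):
    """Crude utility score in [0, 1]: share of quasi-identifier cells that
    were generalised (half weight) or masked/suppressed (full weight)."""
    total_cells = n_original * len(QUASI)
    weight = {0: 0.0, 1: 0.5, 2: 1.0}[level]
    generalised_cells = len(kept) * 2 * weight  # age and zip are touched, gender is not
    lost_cells = suppressed * len(QUASI)
    return (generalised_cells + lost_cells) / total_cells

def evaluate(records, k, level):
    kept, suppressed = anonymise(records, k, level)
    worst, avg = reidentification_risk(kept)
    return {"k": k, "level": level, "kept": len(kept), "suppressed": suppressed,
            "worst_risk": worst, "avg_risk": avg,
            "info_loss": information_loss(len(records), kept, suppressed, level)}

if __name__ == "__main__":
    # Sweep the trade-off: stronger anonymisation lowers risk but raises loss.
    for k, level in [(1, 0), (3, 0), (3, 1), (3, 2)]:
        r = evaluate(RECORDS, k, level)
        print(f"k={r['k']} level={r['level']} kept={r['kept']} suppressed={r['suppressed']} "
              f"worst_risk={r['worst_risk']:.2f} info_loss={r['info_loss']:.2f}")
```

On this dataset k=3 at level 1 and k=3 at level 2 reach the same worst-case risk (1/3), but level 1 does so with markedly less information loss by suppressing one outlier instead of masking every record; choosing between such points is the scoring step the slide refers to.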



"No trust, let's Party": Privacy-Preserving Computing


Privacy-Preserving Computing

Collaboration without Trust
Collaborative business applications often require trusting partners with sensitive data. Privacy-Preserving Computing enables collaboration while preserving the privacy of one's data.

Scenarios
Global Benchmarking Service
SecureSCM Supply Chain Planning
Secure Cloud Computing
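The benchmarking scenario above, as an added example of one standard privacy-preserving technique, additive secret sharing over a prime field (this is not the SecureSCM or SAP benchmarking implementation, whose protocols the slide does not describe): each company splits its confidential figure into random shares, sends one share to every peer, and each peer publishes only the sum of the shares it received. Those published sums add up to the industry total, from which everyone computes the average, while no single party or aggregator sees an individual input. The modulus, company names and figures are assumptions.

```python
"""Privacy-preserving benchmarking with additive secret sharing.

Added example, not the SecureSCM or SAP benchmarking implementation. It
shows one standard technique (additive secret sharing over a prime field)
by which companies learn an industry total, and hence the average, without
any party or aggregator seeing an individual figure. The modulus, company
names and figures are constructed assumptions.
"""
import secrets

P = 2**61 - 1  # prime modulus (assumption); every input must be below P

def share(value, n):
    """Split value into n random shares that sum to value modulo P.
    Any n-1 of them are uniformly random and reveal nothing about value."""
    if not 0 <= value < P:
        raise ValueError("input out of field range")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares

def benchmark_total(inputs):
    """Run the protocol among len(inputs) parties and return the total.

    Round 1: party i deals share dealt[i][j] of its secret to party j.
    Round 2: party j publishes the sum of the shares it received.
    The published partial sums add up to the total and to nothing else.
    """
    n = len(inputs)
    if n < 3:
        # With two parties, total minus own input is the peer's figure, so
        # nothing is hidden. The same caveat applies at any size if n-1
        # parties collude against the last one.
        raise ValueError("need at least three participants")
    dealt = [share(v, n) for v in inputs]
    published = [sum(dealt[i][j] for i in range(n)) % P for j in range(n)]
    return sum(published) % P

def benchmark_average(inputs):
    return benchmark_total(inputs) / len(inputs)

# Constructed confidential figures (e.g. annual logistics spend in kEUR).
COMPANIES = {"Alpha": 1200, "Beta": 850, "Gamma": 2300}

if __name__ == "__main__":
    values = list(COMPANIES.values())
    total = benchmark_total(values)
    print("industry total:", total, "average:", total / len(values))
    for name, own in COMPANIES.items():
        others = (total - own) / (len(values) - 1)
        print(f"{name} learns only the peers' average: {others:.1f}")
```

The output a participant legitimately learns (the total, hence the others' average) is also the limit of what the protocol hides: with few participants or repeated runs over changing membership, differences between totals can leak an individual figure, so the group size and the query schedule are part of the trust analysis, not only the cryptography.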


Conclusion


On-premise, private and public cloud will coexist to support IT solutions for businesses (at least for the next decade(s?))

Professional cloud providers deliver high-quality IT security

New security concerns exist but may be overhyped

Different data sharing strategies are needed depending on the processes and the trust between actors

Proper trust management is key to reducing the exposure of business data

Standards should support a way to convey information about certification, data handling policy, reputation and trust within the cloud (but not limited to it).


Thank You!
Dr Jean-Christophe Pazzaglia
Security & Trust Engineering Manager
Director SAP Research Sophia-Antipolis

SAP Labs France
805, Avenue du Docteur Maurice Donat
BP 1216 - 06254 Mougins Cedex, France

[email protected]


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

© 2011 SAP AG. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.