Guidelines, tools, and training help maintain security throughout the architecture, design, implementation, and delivery of a product.
SAP Cloud Trust Center
Security
Focus on your business and customer relationships, while knowing that your data is safe and reliable. With a proactive, predictive approach, SAP helps ensure compliance and data security in the cloud and within an on-premise data center.
Previous
Next
Secure products
Secure operations
Product security response processes and experts ensure smooth data center operations 24x7 with continuous testing and monitoring.
Secure company
SAP employees and partners follow security standards, and we strengthen the human resource firewall through mandatory security trainings.
Security offerings
Security products, professional services, and education help users implement, build, and operate a first-class security environment.
Data center security
Continuous technology and infrastructure testing helps ensure that the data center is running smoothly around the clock.
Security in the digital economy
Previous
Next
Everything is connected – therefore, security is everything
With the fast evolving digitalization of business processes and the relationships between people, information, and assets, security is a main concern that needs to be addressed. SAP delivers a 360 degree approach to covering all security aspects from secure products to secure operations.
Processor-based vulnerabilities
At the beginning of 2018, with Spectre (and Meltdown), a new class of vulnerabilities was published. In the following months, new variants have been discovered and published under the same pseudonym. Ongoing research and publication of new vulnerabilities and attacks suggest that the topic will continue to be relevant in the future. The common denominator of these vulnerabilities is that they are mostly caused by the architectural (hardware) design of the CPU that affects nearly every computer chip manufactured in the last 20 years. These vulnerabilities could, if exploited, allow attackers to gain access to data previously considered protected. Possible attacks are called side-channel attacks, in which the execution speed (timing) of certain operations could allow the removal of memory contents that are normally not accessible. From a security perspective, the concerns include the breaking of boundaries within virtualized environments.
How is SAP affected?
SAP thoroughly investigates the impact of these vulnerabilities and is closely aligning with corresponding vendors, providers, and the Open Source community. SAP works on investigating if, where, and how our platforms, databases, applications, and cloud operations are affected.
SAP is taking a proactive approach and is fixing potential flaws derived from hardware side-channel attacks without undue delay. You can find more information on our patching progress for our Cloud environments here (registration required). As a consumer of affected software and hardware, we largely depend on the availability of patches provided by respective vendors, providers, or the Open Source community. The schedule of applying appropriate patches is, to a large extent, determined by their availability.
Recommendation to customers
SAP recommends that all customers carefully monitor and follow the advice on implementing security patches provided by hardware and operating system providers as soon as they become available. SAP will apply fixes to its cloud infrastructure without undue delay. SAP Global Security is constantly monitoring the situation.
Vulnerability variants
Each variant was given its own CVE number (updated November 6, 2018):
- PortSmash CVE-2018-5407
- L1 Terminal Fault (CVE-2018-3646, CVE-2018-3620 and CVE-2018-3615)
- Variant 4–Spectre NG (CVE-2018-3639)
- Variant 3a–Spectre NG (CVE-2018-3640)
- Variant 3–Meltdown (CVE-2017-5754)
- Variant 2–Spectre (CVE-2017-5715)
- Variant 1–Spectre (CVE-2017-5753)
Each of these vulnerability variants may be exploited to read confidential data such as CPU or kernel memory. The level of criticality and potential for exploitation differs between each of the variants.
Further vendor information about before mentioned security vulnerabilities, resources and responses:
Please note that SAP is not liable for any content on these external sites.
Hear from our security experts
Previous
Next
Cloud security at SAP
Discover how SAP addresses one of the critical requirements companies demand when moving to the cloud – the underlying security and trust architecture of the services and products.
Cloud security for the digital economy
Learn about our security strategy for protecting the confidentiality, integrity, and availability of our customers' information, and how we meet the highest security standards to deliver cloud services in a secured environment.
The future of enterprise software security
Hear Dr. Craig Brown, author of “Untapped Potential,” and Justin Somaini, chief security officer of SAP, discuss how the challenges of enterprise software security will continue to evolve, and what your business can do now to be prepared.
Secure products
Application security is extremely important, as hackers try to identify and exploit vulnerabilities. At SAP, security functions and security documentation are covered as key requirements before the delivery of new products and services.
Previous
Next
A secure software development lifecycle
Discover the security phases of product development for on-premise or cloud-based use. Look at our framework for integrating security throughout the lifecycle of standard software products from SAP.
Product security strategy
Protecting data by building safe software is core in our product security strategy. At SAP, prevention, detection, and reaction are the three pillars of this strategy.
Secure source code scanning
Increase the security of your software development efforts. Apply the same automated source code scans that SAP uses to detect and eliminate security flaws at an early stage in the development cycle.
Secure operations
Continuous technology and infrastructure testing and monitoring help identify potential security issues early to ensure smooth data center operations.
Previous
Next
Cloud security and data center strategy
Using SAP S/4HANA in a public cloud environment requires a strong security framework. An important part of this is the secure network architecture, which is demonstrated by certifications proving that proper measures are in place.
Identity lifecycle in hybrid landscapes
The support of common security standards helps to integrate into hybrid, multi cloud landscapes seamlessly. To secure data properly SAP provides reference architecture for identity and access management and strong authentication.
Data classification
Customer data is protected from unauthorized access even by SAP employees with the classification as “confidential”. To access customer systems, such as SAP HANA Enterprise Cloud, a two-factor authentication process is required.
Report a potential security issue to SAP
SAP is committed to identifying and addressing every security issue that affects SAP software and cloud solutions. If you want to report a potential security issue, please visit this page.
Secure company
Every business expects ironclad information security for its on-premise, cloud, and mobile environments. To meet these expectations, we work continuously to strengthen and improve security features in all of our software and service offerings, while protecting our own company and assets.
Previous
Next
Trusted security
Secure your technology environment with attention to people, processes, and technology. Consider data-center best practices for innovating and operating confidently, while building security into critical systems.
Platform security
Protect your data by meeting ever-increasing cybersecurity challenges, securing systems, and adhering to compliance and regulatory needs. Determine how breakthrough technologies are driving major trends.
Secure cloud
Promote data privacy and cybersecurity in the cloud to Run Simple. Learn how SAP Cloud Secure services can help you comply with legislation by increasing transparency into system controls and measures.
Security offerings
SAP offers a wide range of security products and services that supplement end-to-end security in all cloud environments.
Previous
Next
Identity and access management
Ease the adoption of cloud applications with end-to-end identity and access management. Learn how businesses that have cloud-heavy deployments are improving processes and security.
SAP security products
Hear SAP product management experts discuss SAP security products and solutions in on-demand Webinars, hosted by the International Focus Group for SAP Security, Data Protection and Privacy (IFG).
SAP security services
SAP offers a range of support and consulting packages that can be used to speed up, enrich and safeguard implementation activities, such as, deploying, configuring and operating security mechanisms and products.
Get the latest news and trends from experts
Previous
Next
Thomas Saueressig
CIO
SAP
SAP
Six lessons we’ve learned about the GDPR
How far has your organization progressed along the road to GDPR compliance? Thomas Saueressig, CIO of SAP, shares his experiences of SAP’s own journey.
Anand Nayak Rao Kotti
Security Expert
SAP
SAP
What Is GDPR and why should your business care?
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.
Derek Klobucher
Brand Journalist, Content Marketer and Storyteller
SAP
SAP
Will a digital renaissance man save cybersecurity?
The recent cyberattacks we’ve seen have been child’s play according to a government expert. We could soon see how bad it can get and our best defense may be highly capable cyber warriors.
