Digital Sales Platform - Cloud Security Guide
In Mind Cloud is committed to achieving and maintaining the trust of its customers. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across our products, services, and procedures, as defined in our MSA and MSPA (https://www.inmindcloud.com/legal/).
The manufacturing industry is now several years into the cloud computing paradigm shift. However, many businesses are still uncomfortable with the idea of running applications in the cloud. Cloud computing benefits are hard to deny. Beyond cost savings, no upfront investment, and reduced administration effort, cloud computing also offers businesses agility and always-current functionality.
Today, businesses require access to applications from anywhere, at any time. Allowing 24/7 access to on-premise software via the internet could expose internal infrastructure to potential security threats. This scenario makes a strong case for secure cloud applications with tightly controlled intranet gateways – following modern cloud-based security mechanisms beyond traditional physical access control to business applications.
To address security concerns, In Mind Cloud has made it our mission to provide services with outstanding security. Today, cloud systems are often more secure than on-premise installations: they use constantly updated encryption technology, secure data centers, 24/7 monitoring at scale, and secure software architecture and development practices. In Mind Cloud also works with SAP as a hosting partner, leveraging SAP’s best-in-class German security principles.
This document covers the In Mind Cloud security assurance when you choose In Mind Cloud as your preferred software vendor. It touches on all security-related topics, starting from secure access to best practices that prevent potential security risks in your network, database, or physical data. In Mind Cloud offers secure applications that prevent unauthorized access on every level to ensure the highest security levels for your business.
One of the biggest security concerns is internal security breaches. They can happen through weak security procedures (such as using weak passwords or not disabling system access after an employee leaves), through social engineering, or through criminal information leakage. To address this concern, In Mind Cloud provides secure and centralized authentication with secure password policies and/or multi-factor authentication, as well as granular authorization, to ensure access is possible only on a need-to-know basis.
Digital Sales Platform has multiple security mechanisms built-in—including state-of-the-art authentication. However, the recommended authentication mechanism is to use a centralized authentication infrastructure. In the following, we describe the built-in “Internal Authentication” and centralized authentication procedures.
Digital Sales Platform has a built-in authentication module that uses secure, continuously updated open-source technology. Many business application vendors use this technology, and it has a vibrant community that ensures quick updates if any vulnerabilities are detected. The authentication framework provides a secure architecture and usage from code to memory and comes with the latest encryption methods.
The Digital Sales Platform internal authentication uses SHA-256 to hash passwords; clear text passwords are never stored. Admins are not able to set or reset passwords. The initial password is generated by a randomized algorithm, and users are required to change their initial password at first login, following secure principles. Re-use of previous passwords is not allowed.
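As an added illustration (not In Mind Cloud's code), the following Python models those rules: only a salted hash is stored, the initial password is generated randomly and must be changed at first login, there is no administrative reset path, and the current or any remembered previous password cannot be re-used. The iterated PBKDF2-SHA-256 scheme, the history depth of five and the 16-character initial password are assumptions; the page states only that SHA-256 is used.

```python
"""Illustrative credential store for the internal-authentication rules described above."""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field

# Assumptions (the page only states SHA-256): salted, iterated SHA-256 via PBKDF2,
# five remembered previous passwords, 16-character random initial passwords.
PBKDF2_ITERATIONS = 100_000     # kept modest so the example runs quickly
HISTORY_DEPTH = 5
INITIAL_PASSWORD_LENGTH = 16
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the value that is stored; the clear-text password never is."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    must_change: bool = True      # True for system-generated initial passwords
    history: list = field(default_factory=list)   # (salt, digest) of earlier passwords


class CredentialStore:
    def __init__(self):
        self._users = {}

    def create_user(self, user_id: str) -> str:
        """Create the user with a random initial password. The password is returned
        once for delivery to the user and is not retained; only its hash is kept."""
        initial = "".join(secrets.choice(ALPHABET) for _ in range(INITIAL_PASSWORD_LENGTH))
        salt = os.urandom(16)
        self._users[user_id] = Credential(salt=salt, digest=hash_password(initial, salt))
        return initial

    def verify(self, user_id: str, password: str) -> bool:
        cred = self._users.get(user_id)
        if cred is None:
            hash_password(password, bytes(16))   # same cost, so timing does not reveal user names
            return False
        return hmac.compare_digest(cred.digest, hash_password(password, cred.salt))

    def login(self, user_id: str, password: str) -> str:
        """Returns 'denied', 'change_required' (first login) or 'ok'."""
        if not self.verify(user_id, password):
            return "denied"
        return "change_required" if self._users[user_id].must_change else "ok"

    def _used_before(self, cred: Credential, password: str) -> bool:
        previous = [(cred.salt, cred.digest)] + cred.history
        return any(hmac.compare_digest(d, hash_password(password, s)) for s, d in previous)

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        """Only the user can change their password (there is no admin reset path), and
        the new one must not match the current or any remembered previous password."""
        if not self.verify(user_id, old):
            return False
        cred = self._users[user_id]
        if self._used_before(cred, new):
            return False
        cred.history = ([(cred.salt, cred.digest)] + cred.history)[:HISTORY_DEPTH]
        cred.salt = os.urandom(16)
        cred.digest = hash_password(new, cred.salt)
        cred.must_change = False
        return True
```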
Single-Sign-On & Centralized Authentication
In Mind Cloud recommends the use of a centralized authentication backend. It can help support centralized employee onboarding and offboarding procedures and system-defined workflows to grant system access. Digital Sales Platform supports the widely adopted SAML 2.0 authentication standard. Examples of SAML 2.0-compliant identity management systems are Microsoft Azure AD, Microsoft ADFS, Okta, or SAP Cloud Identity.
Different vendors support different security features. Examples are settings for password complexity, required password-change schedules, or various two-factor authentication methods. With SAP’s authentication backend mediation framework, customers can have full centralized access control for Digital Sales Platform. Through this method, neither SAP nor In Mind Cloud will have access to any password or its hash. Access is entirely security token-based.
Figure 1: Single-Sign-On using SAML 2.0
Access logs are kept at both the Digital Sales Platform application level and the SAP Cloud Platform level. While application-level access logs allow easy monitoring of application access, SAP Cloud access logs are kept at the HTTP level. This ensures that every HTTP access—regardless of whether it is anonymous or authenticated—is kept for at least 6 months. HTTP access logs provide details such as user ID, IP address, and accessed URL, including parameters.
Providing access to data and functions only when required is a security principle that significantly reduces external and internal threats. At the application level, Digital Sales Platform offers a highly sophisticated authorization rule framework that allows granular control. It regulates access to specific data objects and is enforced from the application to the memory and database level. Digital Sales Platform also provides granular control to ensure secure data operations, such as rules and processes for versioning, deletion, and modification. It includes a detailed audit trail recording timestamp, operation, object, and data before and after modification.
User and Role Management
Digital Sales Platform offers applications for different user types and groups. The most significant usage difference is between internal users (CRM) and external users (Commerce). User management for Commerce and CRM is entirely separated to ensure the highest level of isolation. To protect sessions from each other, a CRM tenant is physically separated from the Commerce tenant, while still connected to the same backend data through APIs. Within one Virtual Machine, the memory context between two users is always separated using the latest open-source session management libraries.
Object-Type-Criteria based Data Access
Read access to selected segments of data (usually transactional data) can be controlled in detail. Rules can be set up by role or organization boundaries and enforced on all layers, up to the database level. Rules can be based, for example, on organizational hierarchy, on role, or on object status. A customer is free to create rules using conditions or combinations of conditions that regulate access to a specific type of object, using criteria that are either statically connected with a role or dynamically resolved from the user profile.
CRUD Permissions based Operation Access
On top of Object-Type-Criteria based data access, users can define detailed restrictions on which role may perform which CRUD operation under which conditions, based on criteria relating to an object’s properties. The mechanism works similarly to object-based access rights: it defines object types and criteria and extends them with a type of operation that is only allowed within a specific security context.
Digital Sales Platform supports two types of audit trails beyond the above-mentioned access logs. It offers an object-based modification log and an audited change date for every data point stored in its database. A round-robin based audit trail also allows for the monitoring of each data point modification. The information recorded includes the user who changed a data point, when the change was made, and the value before and after the change. With this feature, no modification will remain undetected.
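The following Python, added here as an illustration rather than taken from the product, models the three mechanisms just described together: read-access criteria that are either fixed per role or resolved from the user profile, CRUD permissions layered on top of them, and an audit entry with before and after values for every permitted change. The `Quote` object type, the `sales_rep` and `sales_manager` roles and their rules are constructed sample data, and the rule that a change may not move an object out of the user's own visibility is an assumption of this example.

```python
"""Illustrative model of criteria-based data access, CRUD rules and the audit trail."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timezone

READ, CREATE, UPDATE, DELETE = "read", "create", "update", "delete"

User = namedtuple("User", "user_id roles profile")  # profile resolves dynamic criteria
BusinessObject = namedtuple("BusinessObject", "object_type object_id data")
AuditEntry = namedtuple("AuditEntry",
                        "timestamp user_id operation object_type object_id before after")


@dataclass
class Rule:
    """Grants `operations` on `object_type` to `role` when every criterion matches; a
    criterion is a literal (static) or a callable on the user profile (dynamic)."""
    object_type: str
    role: str
    operations: set
    criteria: dict = field(default_factory=dict)

    def matches(self, user, operation, obj) -> bool:
        if (obj.object_type != self.object_type or self.role not in user.roles
                or operation not in self.operations):
            return False
        for fld, expected in self.criteria.items():
            if callable(expected):
                expected = expected(user.profile)   # e.g. the user's own org_unit
            if obj.data.get(fld) != expected:
                return False
        return True


class SecureRepository:
    """Complete mediation: every operation is rule-checked, every change is audited."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.store = {}   # (object_type, object_id) -> BusinessObject
        self.audit = []   # AuditEntry records, oldest first

    def is_allowed(self, user, operation, obj) -> bool:
        return any(rule.matches(user, operation, obj) for rule in self.rules)

    def _authorized(self, user, operation, key):
        obj = self.store.get(key)
        return obj if obj is not None and self.is_allowed(user, operation, obj) else None

    def _record(self, user, operation, obj, before, after):
        self.audit.append(AuditEntry(datetime.now(timezone.utc), user.user_id, operation,
                                     obj.object_type, obj.object_id, before, after))

    def create(self, user, obj) -> bool:
        key = (obj.object_type, obj.object_id)
        if key in self.store or not self.is_allowed(user, CREATE, obj):
            return False
        self.store[key] = obj
        self._record(user, CREATE, obj, None, dict(obj.data))
        return True

    def read(self, user, object_type, object_id):
        """A denied read looks exactly like a missing object (returns None)."""
        return self._authorized(user, READ, (object_type, object_id))

    def update(self, user, object_type, object_id, changes) -> bool:
        obj = self._authorized(user, UPDATE, (object_type, object_id))
        if obj is None:
            return False
        after = BusinessObject(object_type, object_id, {**obj.data, **changes})
        # Assumption: a change may not move the object out of the user's own visibility.
        if not self.is_allowed(user, READ, after):
            return False
        self.store[(object_type, object_id)] = after
        self._record(user, UPDATE, after, dict(obj.data), dict(after.data))
        return True

    def delete(self, user, object_type, object_id) -> bool:
        obj = self._authorized(user, DELETE, (object_type, object_id))
        if obj is None:
            return False
        del self.store[(object_type, object_id)]
        self._record(user, DELETE, obj, dict(obj.data), None)
        return True


def example_rules():
    """Constructed sample: reps see and create quotes of their own organisation and may
    edit or delete only drafts there; managers may see and change every quote."""
    own_org = lambda profile: profile["org_unit"]
    return [
        Rule("Quote", "sales_rep", {READ, CREATE}, {"org_unit": own_org}),
        Rule("Quote", "sales_rep", {UPDATE, DELETE}, {"org_unit": own_org, "status": "draft"}),
        Rule("Quote", "sales_manager", {READ, UPDATE, DELETE}),
    ]
```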
Security is something that starts deep within the application source code. In Mind Cloud follows industry best practices on software development and quality assurance to prevent any intrusion from external or internal attackers via technical vulnerabilities. This approach starts with open-source software, which is continuously evaluated by the community and by In Mind Cloud’s peers in enterprise software, combined with dependency and static code scans that detect potential vulnerabilities and verify compliance with secure architecture principles.
Secure Libraries and Architecture
Security starts at the foundation of software. Systems built with security in mind consist of libraries used to fulfill generic needs, such as authentication, generic software features, and software architecture. Securing those fundamentals is vital to prevent any security loopholes.
Framework Security Controls
There has been a lot of debate by security practitioners about the impact of open-source approaches on security. One of the key discussion points is that open-source exposes a software’s source code to examination by both attackers and defenders. Generations of computer users have grown up experiencing the security issues of closed-source software like MS Windows 95, 98, and ME. These systems failed to maintain memory space separation—a dangerous oversight in the design. In Mind Cloud strongly believes that security should not be based on the implementation's secrets, but on the implementation itself. The success of Linux and Unix in enterprise computing showcases this security principle well.
In Mind Cloud is a supporter of open-source libraries’ ability to provide best-in-class functionality paired with the highest security. In Mind Cloud publishes the list of libraries we use online, including the version in use and a link to the original source code. In Mind Cloud uses enterprise-grade and proven open-source software to build the essential and critical security components listed below:
- Encryption and Hashing
- HTTP Access control
- REST & XML Processing
- Input Validation
- Memory & Bean Handling
- Database Access
- User Interface
- Logging and Audit Trail
Dependency Security Scans
In Mind Cloud uses the latest technology in dependency management. All used libraries and their versions, including their dependent libraries, are open to the public. This transparency helps track down known vulnerabilities using one of the biggest source code management platforms. These dependency security scans are based on a number of sources—including the National Vulnerability Database (a service of the United States National Institute of Standards and Technology), security advisories from open-source maintainers, community data sources, and WhiteSource.
Digital Sales Platform is built using Java's security model—one of its key architectural features that makes it an appropriate technology for networked environments. The frameworks mentioned above provide the scaffold to build secure architectures and ensure segregation and control on all levels; they therefore have decades of best practices from enterprise companies worldwide built in. In addition, In Mind Cloud follows—for every design architecture decision—principles that have been evaluated by highly experienced enterprise architects:
- Least Privilege Design Principle: Digital Sales Platform follows a minimalistic approach when granting user access rights to specific information and tools.
- Economy of Mechanism Design Principle: This principle requires that all systems be designed as simple and as small as possible. Design and implementation errors can result in unauthorized access to resources that goes unnoticed during regular use.
- Complete Mediation Design Principle: Through this principle, Digital Sales Platform validates every access request to any resource for authorization.
- Open Design Principle: This concept mandates that the security of a system and its algorithms should not be dependent on the secrecy of its design or implementation.
- Separation of Privilege Design Principle: This principle requires that all approved resource access attempts be granted based on more than a single condition. For example, a user should be validated on both an active status and access to the specific resource.
- Least Common Mechanism Design Principle: This design principle declares that mechanisms used to access resources should not be shared.
- Defense in Depth Design Principle: This concept states that layering resource access authorization verification in a system reduces the chances of a successful attack.
In Mind Cloud’s source code is developed by applying industry best practices and tools to ensure secure operations. In addition to static code scanning for bugs and vulnerabilities, we apply a four-eye principle via mandatory code reviews as well as a defensive programming approach to improve software and source code in terms of:
- General quality – reducing the number of software bugs and problems.
- Comprehensible source code – the source code should be readable and easily understood, making it easy to maintain, while ensuring transparent side effects.
- Predictability – Making the software behave in a predictable manner despite unexpected inputs or user actions.
Static Code Analysis
Static code analysis is a method of examining source code and is standard practice at In Mind Cloud. It is done by analyzing a set of code against coding rules, common bug sources, vulnerabilities, and coding standards across the industry. This type of analysis addresses weaknesses in the source code that might lead to vulnerabilities. Examples of common vulnerabilities that can be detected are memory leaks, injections of any kind, cross-site scripting, missing validation of certificates, improper release of resources, risky cryptographic algorithms, or security misconfigurations. Further, static code analysis is used to identify security hotspots that need special attention during code reviews.
It is common knowledge that more secure software can be produced and developed cost-effectively when potential issues are identified early in its development lifecycle. Code review is one of the most effective techniques for achieving this. Code reviews help identify security flaws in an application’s features and design, along with their exact root causes. In Mind Cloud follows a stringent process of code reviews that is enforced automatically by its development tools: no developer can check in any code without a code review. Examples of security-related topics covered during a code review are as follows:
- Input, Data, and Process Validation
- Ensure best coding practices
- Ensure secure authentication, session management, and authorization
- Ensure secure error handling
- Confirm appropriate level of logging and audit instrumentation
- Audit of security configuration
- Verification that the change has been tested and automated tests fulfill functional requirements
Continuous Test & Integration
Continuous integration is the practice of merging all development versions of a codebase several times a day. This practice provides a high level of automated enforcement for security attributes and for other functional and non-functional attributes—ultimately leading to more secure, robust software systems. Every check-in and every merge into the main code line undergoes static code analysis, unit, and integration testing in a fully automated fashion to quickly identify security anti-patterns. These checks identify security vulnerabilities through control flow and data flow analysis, pattern analysis and other techniques. This approach helps In Mind Cloud to ensure that our code fulfills functional and security requirements at any point in time.
Quality Assurance is part of In Mind Cloud’s Program and Release Management and is spread across the entire organization. Every release undergoes a stringent quality assurance process to verify that the software meets quality criteria. Quality assurance activities take place in each phase of development. In Mind Cloud uses application technology and techniques to achieve high-quality specifications and designs, and engineers and technicians identify software quality issues and problems through the corresponding testing activities. Standards and process deviations are identified and addressed throughout these development and release procedures.
Secure Operations relates to the management of productive Digital Sales Platform tenants. In Mind Cloud ensures professional end-to-end operations in every aspect and provides a high level of security to prevent any vulnerability, be it technical or human in nature.
Availability & Upgrade Cycle
In Mind Cloud promises 99.5% availability, including 4 releases per year. In addition, there are 2 upgrade cycles per month and up to 4 SAP Cloud Platform Maintenance windows per year.
In Mind Cloud is committed to providing the highest level of support. Our organization maintains security incident management policies and procedures. Customers impacted by any incident will be notified without undue delay. Depending on the severity of an incident report, In Mind Cloud promises a response on critical incident reports within a maximum of 8 hours. Depending on the subscribed support level, support service hours are 8x5 or 24x7.
Application Access by Support
In Mind Cloud runs critical business processes for its customers. In Mind Cloud support employees are highly trained application and subject-matter experts. They can only access productive customer tenants on a need basis.
In Mind Cloud has implemented procedures designed to ensure that support staff can only access productive tenants as instructed by the customer via support tickets or while performing critical preventive operations in collaboration with the customer.
In addition, all In Mind Cloud employees are bound by Non-Disclosure Agreements to ensure customer privacy, data protection, and data security obligations that provide a level of protection appropriate to their processing activities.
Access to productive tenants by In Mind Cloud personnel follows the same authentication mechanisms described above. It may leverage a customer’s single-sign-on infrastructure, following the customer’s security guidelines. System credentials for In Mind Cloud support staff are stored in a secure system, which is fully encrypted.
Only essential personnel have access to clear text passwords. The system in place allows In Mind Cloud staff to use passwords without exposing the password itself. Access to those passwords is granted on a need-to-know basis and centrally managed. Each access is logged, and data access and changes are traced in an auditable format.
Secure Network Communication
One of the most critical security aspects of a cloud application is data encryption during transit. Every data point transferred between the cloud application and the user interface or other backend systems is encrypted with best-in-class encryption technology.
Web-traffic encryption is critical to protect the data communication between the user and the cloud backend. In Mind Cloud builds on the built-in encryption mechanisms found on the SAP Cloud Platform. Furthermore, the infrastructure is secured to prevent any attacks.
The SAP Cloud Platform is configured to use secure communication in accordance with the protection requirements of the transmitted information. Suitable measures for securing the exchange of information are used. SAP relies on encryption technology that uses HTTPS to prevent unauthorized parties from intercepting network traffic.
The encryption is based on the Transport Layer Security (TLS) protocol. The required encryption software is a standard component of up-to-date client operating systems and Web browsers. Detailed aspects of the SAP Cloud Platform communication and network security include the following:
- All publicly exposed entry points are protected by a firewall and/or an intrusion prevention mechanism.
- Every exposed TCP port has protocol filters to avoid unwanted protocol traffic from entering or exiting.
- Only port 443 with SSL is exposed from the outside to prevent leakage of information. SSL sessions terminate at the true endpoint and not at the intermediate servers.
- All load balancers are on port 80 or 443. Load balancers secure communication with the application server at runtime.
- Firewall rules prevent any non-public URLs or interfaces from being sniffed or phished from the internet.
- All critical flows use TLS to prevent in-flight data from being inspected through man-in-the-middle attacks.
- All symmetric keys have at least 256-bit strength, while asymmetric keys are at least 1024-bit strength. All keys are safely handled according to SAP policies.
- Keystore passwords are not stored in unprotected places (if they need to be stored).
Outbound Communication with External Systems
Digital Sales Platform requires communication with external systems. Such external systems might be an ERP backend system, third-party CRMs, or other data stores. Securing communication to those systems is critical as some of them may reside inside a customer’s intranet or third-party cloud infrastructure. To prevent any attack surfaces, In Mind Cloud leverages SAP’s Cloud Connector technology, which is provided free to SAP customers.
From a functionality point of view, SAP’s Cloud Connector operates like a reverse proxy. However, the communication mechanism is entirely different and does not require a publicly accessible port. The Cloud Connector software is installed within the intranet. It creates an encrypted HTTPS and WebSocket based communication channel into SAP’s cloud infrastructure, adding an additional encryption layer to the communication protocol itself.
Supported protocols for which the Cloud Connector serves as a ‘secure envelope’ are HTTPS, OData, Web services, or sRFC (for SAP ERP backends). The endpoints within the intranet that Digital Sales Platform can connect to are defined centrally in the Cloud Connector software. Communication between the cloud and intranet can be centrally administrated and monitored. With this, SAP Cloud Connector allows customers to use existing on-premise assets without exposing the entire internal landscape.
The Cloud Connector technology adds additional authentication layers as part of this tunnel infrastructure. First, an extra authentication layer is used to establish the connection using an SAP S-User owned by the customer. Authentication against the backend can be achieved via the forwarding of an authentication token or by using a technical user – depending on the service used.
Figure 2: Cloud Connector technology for Cloud to On-Premise Communication
In summary, the use of SAP Cloud Connector together with Digital Sales Platform lets you propagate the identity of cloud users to on-premise systems in a secure way. Easy installation and configuration mean that the Cloud Connector comes with low TCO and can be tailored to fit secure cloud scenarios. SAP provides standard support for the Cloud Connector.
Inbound API Communication & Authentication
Open APIs are a cornerstone of In Mind Cloud’s framework for extensibility. From a communication protocol point of view, HTTPS, OData and REST are used for secure communication and encryption during transit. For authentication, Digital Sales Platform leverages the widely used OAuth standard for secure system-to-system authentication.
Network Intrusion Prevention
The network for SAP Cloud Platform employs several intrusion prevention and detection technologies. The multilayered, partitioned, proprietary network architecture permits only authorized access to the data centers that support your SAP Cloud solution. It has features that include:
- A Web dispatcher farm that hides the network topology from the outside world
- Multiple Internet connections to minimize impact from distributed denial-of-service (DDoS) attacks
- An advanced intrusion detection system that continuously monitors solution traffic for possible attacks
- Multiple firewalls that divide the network into protected segments and shield the internal network from unauthorized Internet traffic
- Third-party audits performed throughout the year to support early detection of any newly introduced security issues
The communication channels that require mutual authentication are secured by using standard Transport Layer Security (TLS) protocols. The communication channels for monitoring and maintaining instances of SAP Cloud Platform in the SAP data center network are encrypted and authenticated. SAP front-end components do not share existing authentication sessions on the SAP Cloud Platform, for example within a Web browser or with another front-end component. Dedicated authentication is always required to build a confidential communication channel, secured via the Secure Sockets Layer (SSL) protocol.
Regularly updated anti-virus software checks uploaded files for viruses and other types of malicious software. All Internet-facing systems (for example, firewalls, load balancers, gateways, and Web application servers) are scanned on a weekly basis. In addition, manual verification and penetration testing are performed to validate risk and priority. Biannual assessments and penetration tests are performed by independent security researchers to verify the security posture of the external and Internet-facing cloud infrastructure. Findings from the penetration testing are followed up according to criticality.
Logical & Physical Security
In Mind Cloud uses Logical and Physical Security—both of which are at the lowest layer of security. They represent the highest security standards and start from the logical separation of customer tenants, and end at using highly secure data centers.
On the application layer, Digital Sales Platform supports the complete isolation of customer data. Each customer’s system resides in a dedicated SAP Cloud Platform tenant. Digital Sales Platform operates in a multitenant architecture on the database layer. This approach means that each customer’s data is stored in a dedicated database schema, preventing any cross-system data access. The architecture provides an effective logical data separation for different customers. Every application is deployed with its own unique URL and is specific to each customer. Additional data segregation is ensured by providing separate environments for different functions, especially for testing and production.
SAP HANA databases used by Digital Sales Platform are deployed in different SAP Cloud Platform tenants, which adds an additional layer of segregation. The database connection from the Digital Sales Platform application is made within the SAP Cloud Platform network using a secure tunnel and binding. Each application has its own unique schema, supported by key security features provided by the SAP HANA database service:
- Encrypted communication for client-server (external) communication and internal communication
- Configured to accept only encrypted SQL connection attempts
- Data and log volumes, data and log backups are encrypted in the SAP HANA service instances. It is not possible to disable the encryption.
- Certain features of the SAP HANA database are disabled to ensure overall system security. For example, import and export operations on the server.
Secure Data Centers
Digital Sales Platform uses the SAP Cloud Platform (SCP) Platform-as-a-Service to globally deliver German security and data protection standards.
Data Center Locations
The SAP Cloud Platform uses SAP-owned data centers alongside private space (colocation facilities) rented from external data center providers (colocation providers) and infrastructure-as-a-service (IaaS) cloud providers from around the world. Digital Sales Platform runs in SAP-owned data centers.
Data Center Security
SAP data centers and the areas surrounding them are monitored by security guards on a 24x7 basis using closed-circuit television surveillance cameras. SAP data center providers keep a log of the names of people entering the server areas used for SAP Cloud Platform services within the SAP data centers and of the times they entered. A request workflow for access to the SAP data center facilities is implemented and aligned with SAP. Requests are approved by authorized managers. If an access request is not renewed within a specified period, access is terminated automatically.
Data Center Access
SAP data centers maintain multiple connections to several power companies, making a complete power outage highly unlikely. Even if the local power grid were to fail, the data centers have an uninterruptible power supply for short-term outages and a diesel generator backup power supply for longer-term outages.
Disaster Prevention and Recovery
To prepare for the unknown, SAP has established security information and event management systems for analysis, reporting, and alerting. All critical systems and infrastructure components within SAP Cloud Platform log relevant data stored for a minimum of six months. Data security is ensured through security configuration compliance checks and event monitoring. On top of this, general security monitoring is performed 24x7 for all activities. Once a warning or an alert comes up, it is processed through our ticketing system. Critical events are handled according to the incident management process.
SAP maintains backup data centers to enable the off-site storage of customer backup data. In addition, SAP has a formal system backup process and schedule for SAP Cloud Platform, which includes hardware independent restore and recovery capabilities. All backups are run automatically; a full database backup is done once a day; log backup is triggered at least every 30 minutes. The corresponding data or log backups are replicated to a secondary location every 24 hours.
Backups are kept (complete data and log) on a secondary location for the last 14 days. Backups are always deleted afterward. Appropriate processes and automated tools are in place to validate backup integrity. Backup logs are reviewed daily to detect and correct backup failures. Backups are stored in data center locations on redundant media in the designated region.
Digital Sales Platform is re-certified yearly to comply with SAP’s ‘Built on Cloud Platform’ program. The certification is available upon request and covers the following areas:
- Application test procedures, plan, coverage, and quality assurance
- Used components and architecture
- Security & authentication mechanisms
- General security such as prevention of cross-site scripting
- Performance and Caching
- Support Infrastructure and Operations
- Tenant isolation and API security
- Securing HTML5 Applications
- Secure Programming – such as input validation, encryption, and code reviews
- Backend Connectivity security via SAP Cloud Connector
- Standard APIs used for ERP communication
SAP Cloud Platform is certified according to ISO 27001:2013, SSAE 16-SOC 1/ISAE 3402 Type 2, and SOC 2 Type 2 security standards. SAP regularly prepares the relevant audit reports. At the core of SAP’s service resilience for the SAP Cloud Platform is business continuity management. SAP has implemented business continuity management aligned to ISO 22301 as part of its management framework for business continuity and operational resilience.
Figure 3: Data Center and Infrastructure Certifications