
Ariba Cloud Services

Data Privacy and Data Protection

November 14
Ariba Cloud Infrastructure


Ariba Cloud Services: Data Protection and Privacy


Companies are experiencing a renaissance period with the juggernaut of a global
and networked economy. But they can no longer be competitive on their own.
Inventories have been leaned out, costly infrastructure reduced, processes
outsourced, and supply chains stretched around the globe. Now every business is
more dependent upon its external partners, and it is critical that they share
information and processes to align and coordinate their business decisions.
Businesses have also started using Cloud-based SaaS applications as another
powerful tool in the arsenal to squeeze out additional efficiencies and financial
gains. There is an increasing need for data security, and especially protection of
personal data to preserve the privacy rights and prevent misuse of identity.
Numerous regulatory programs are being put in place to address these concerns,
and executives are asking Cloud application providers to protect and safeguard
their data.
As a global leader of collaborative business commerce solutions, Ariba offers
solutions that balance these two pressures. Ariba offers new and exciting ways for
customers to take advantage of the value proposition of cloud computing, and
takes appropriate measures regarding the type of information we handle to meet
requirements for data security and protection in all of the service offerings
globally.
This paper focuses on the sensitive data and information that Ariba, as a data
processor, handles for its customers by providing consistent technical and
organizational protections globally, across the Ariba Cloud Services listed below:

- Ariba Spend Visibility solution
- Ariba Sourcing (including Supplier Performance Management) solution
- Ariba Contract Management solution
- Ariba Procure-to-Pay solution
- Ariba Procurement Content solution
- Ariba Procure-to-Order solution
- Ariba Services Procurement solution
- Ariba Invoice and Ariba Pay solutions
- Ariba Discovery service
- Ariba Network

This paper explores the multifaceted approach Ariba takes to address the major
data security related concerns with Cloud providers, namely data protection and
personal data privacy.

Average organizational cost of data breach is $5.85 million in the US, and
$4.74 million in Germany [1].

[1] Ponemon Institute 2014 - Cost of Data Breach Study, May 2014

Copyright 2014 Ariba, Inc. All rights reserved.


Data Protection
Ariba Cloud and Network services are designed to provide extremely secure
solutions for our customers. The protection of customer data entrusted to Ariba is
achieved by applying a comprehensive multi layered security approach, which
encompasses secure facilities, data storage, retrieval, and presentation.

Physical Site
Businesses need speed, security, and high availability. Ariba deploys its Cloud
solutions in highly secure and controlled SAP-operated data centers, and partners
with world-class colocation hosting data centers in North America, Europe, and
around the world. Each facility deploys a comprehensive array of security
technology, techniques, and procedures to control, monitor, and record access to
the facility, including customer cage areas. All areas of the data center are
monitored, activities recorded using CCTV, and all access points are controlled.
High-sensitivity areas require authentication by means of biometric scans. All of the data
centers are certified on a regular basis for security process and procedures.

Network and Communication


A carrier-class network infrastructure is the backbone for conducting business in a
secure environment. Ariba uses its experience and knowledge to set up the
infrastructure and channels to provide systematic protection without sacrificing
performance or high availability.

Internet Channel Security


Ariba uses HTTP over Secure Sockets Layer (HTTPS) for the communication channel
security between Ariba applications, Ariba Network, and customer systems. The
Secure Sockets Layer (SSL) protocol is the industry standard method for protecting
communications on IP networks, such as the Internet. SSL provides data encryption,
server authentication, message integrity, and optional client authentication for
TCP/IP connections.

The Transport Layer Security (TLS) protocol is a standard closely related to SSL, and
now supersedes SSL. As the protocol demands, web clients submit a list of supported
cipher suites during the initial handshake with the web server. Servers choose
one suite from the list to negotiate a secure communication channel. Ariba web
servers are configured to prefer AES as the negotiated cipher.


Session IP Range Validation


In order to guard against session hijacking, Ariba provides for an IP range check. If
during a single user session, the requesting IP address changes significantly, the
session is terminated and the user is required to re-login.

Intrusion Detection System


Ariba uses network and host-based intrusion detection. This technology provides
logging and alert capabilities to assist in the detection of malicious acts and misuse.

Firewalls
Cisco Secure Firewall is a dedicated firewall appliance that delivers strong security
and performance and creates almost no network performance impact. The product
enforces secure access between an internal network and Internet, extranet, or
intranet links.
Specifically, Firewall servers are used in each level of data communication within
Ariba:
- Between the Internet and web servers
- Between the web servers and the application servers
- Between the application servers and the database servers

These Firewall servers allow Ariba Operations to rigorously protect the Ariba Cloud
from unauthorized access, providing full firewall security protection. For more
information, please visit Cisco's website at http://www.cisco.com in their Cisco
Secure product section.

Application

Application security governs end-user access to the online services and information
on Ariba. Ariba uses unique user IDs and passwords as the primary means of user
authentication and access control.

Passwords are case-sensitive and encrypted in motion and at rest. Required
password policies can be implemented as part of the project depending on the
package.

Malicious cyber activity costs an estimated $300 billion to $1 trillion globally [2].

[2] Center for Strategic and International Studies, The economic impact of cybercrime and cyber espionage, July 2013


Ariba SafeGuard User Authentication and Authorization


Ariba uses a proprietary application to transparently verify the identity of Ariba
corporate users at the firewall and permit or deny access from the corporate network
to any TCP/IP-based application in production.

Corporate Authentication with SSO


The preferred mode of authenticating users is integrating with a customer's
corporate authentication system, providing Single Sign-On (SSO) for users. This
allows Ariba's customers to maintain control over the central user data repository
with automated user provisioning and monitoring. This option requires the customer
to implement a central Identity Management System, and then enable an Identity
Provider to be able to turn on Single Sign-On (SSO) using the SAML 2.0 protocol. This
approach allows an effective user-centric approach of providing SSO while using a
corporate authentication provider. The benefit of this arrangement is that customers
do not need to store user passwords in Ariba Cloud Services.

A customer's logical access management standard can be enforced by using this
method. For more details, see the white paper titled "Remote Authentication for
Ariba Cloud Services".

Cookies
Ariba utilizes cookies to maintain user sessions after a user logs in. The cookies used
by Ariba Cloud Services are secure session cookies, and depending on the
authentication functionality of the implementation, the cookies used may be
mandatory for the application to function properly. The encrypted session cookie
lasts only for the duration of the interaction with Ariba applications. HTTPS cookies
are based on industry standards and provide a secure method of session
management.
Ariba utilizes cookies only to the extent needed to provide the service and never uses
cookies for marketing purposes. For more information on how Ariba uses cookies,
please see the Ariba Data Policy and Ariba Privacy Statement on trust.ariba.com.

Session Timeout
Ariba provides a 30-minute session timeout for idle user sessions. Ariba also
provides an alert feature where the user is notified of a pending timeout and given an
opportunity to cancel the timeout. If the user does not cancel the timeout, then their
work is saved and they are logged out of the system.
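The IP range check described under Session IP Range Validation and the 30-minute idle timeout described here can be enforced in the same per-request check. The sketch below is an added example, not Ariba's code: the `SessionStore` class, the `/24` and `/64` definition of a "significant" address change, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import time

IDLE_TIMEOUT_SECONDS = 30 * 60  # the 30-minute idle timeout stated on the page
# Assumption: a "significant" change means leaving the /24 (IPv4) or /64 (IPv6)
# network the session was created from. The page does not give the real range.
PREFIX_BY_VERSION = {4: 24, 6: 64}


def pinned_network(ip_text):
    """Return the network a new session is pinned to for this client address."""
    ip = ipaddress.ip_address(ip_text)
    return ipaddress.ip_network(f"{ip}/{PREFIX_BY_VERSION[ip.version]}", strict=False)


class SessionStore:
    """Hypothetical server-side session table, keyed by session id."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # session id -> {"net": network, "last_seen": seconds}

    def create(self, session_id, client_ip):
        self._sessions[session_id] = {
            "net": pinned_network(client_ip),
            "last_seen": self._clock(),
        }

    def check(self, session_id, client_ip):
        """Validate one request: 'ok', or the reason the session was ended."""
        session = self._sessions.get(session_id)
        if session is None:
            return "no_session"
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]
            return "idle_timeout"
        try:
            inside = ipaddress.ip_address(client_ip) in session["net"]
        except ValueError:  # unparsable source address: treat as a mismatch
            inside = False
        if not inside:
            del self._sessions[session_id]  # force a fresh login
            return "ip_changed"
        session["last_seen"] = now  # only valid requests extend the session
        return "ok"


def replay_sample():
    """Replay constructed requests (delay in seconds, source IP) on one session."""
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])
    store.create("s1", "198.51.100.10")
    requests = [
        (60, "198.51.100.77"),    # same /24: accepted
        (1700, "198.51.100.10"),  # under 30 minutes idle: accepted
        (10, "203.0.113.5"),      # different network: session ended
        (5, "198.51.100.10"),     # original address, but the session is gone
    ]
    outcomes = []
    for delay, source_ip in requests:
        now[0] += delay
        outcomes.append(store.check("s1", source_ip))
    return outcomes


if __name__ == "__main__":
    print(replay_sample())
```

Deleting the session on a mismatch, rather than only rejecting the request, means a stolen session identifier cannot be reused from the original network afterwards.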


Web Services
Ariba provides wide support for web services to facilitate the integration of Ariba
Cloud Services and Network with systems in use by our customers in their
landscape. Integration points are available for Ariba's customers to synchronize
master data or integrate transactional data (such as purchase orders, order
confirmations, invoices, etc.).

Ariba supports highly secure authentication mechanisms for its web services. HTTPS
and the WS-Security protocol are utilized to ensure privacy and integrity of all web
service calls. WS-Security is the premier mechanism, and the protocol provides the
means to secure the web services above and beyond transport level protocols such
as HTTPS. The WS-Security standard provides rich functionality such as message
encryption, message signing, and management of public keys, to name a few.

Database
Ariba databases are configured on multiple instances deployed on high-availability
clusters of servers using Veritas Cluster Server. The database servers use industry
standard vendors for fault-tolerant disk storage. Ariba has deployed enterprise-grade
storage technology from HP (3PAR Inserv and EMC Symmetrix) to ensure high
availability, excellent performance, and fault tolerance. The storage systems provide
performance, connectivity, and functionality for consolidation and application
storage management. Information stored in the database is behind three layers of
firewall protection and intrusion detection system monitoring traffic for anomalous
behavior. The database servers are hardened and accessible only to specifically
verified and designated operations personnel.

Certifications
Ariba audits and certifications include the following:
- SSAE16 SOC1 (formerly SAS 70), SOC2 and SOC3
- PCI (Payment Card Industry) - DSS (Data Security Standard)
- Safe Harbor (US Dept. of Commerce in consultation with the European Commission)

Since 2001, Ariba has maintained rigorous re-certification every six months focusing
on four areas: availability, confidentiality, processing integrity, and security under
WebTrust (now SSAE 16). Further information about Ariba WebTrust certification
can be found at: https://cert.webtrust.org/ViewSeal?id=781. In addition, the Equinix
infrastructure is covered by SSAE16 SOC1 (formerly SAS 70) certification.


Encryption
The use of strong encryption techniques is the most optimal solution for protecting
sensitive information and enforcing personal data privacy. Financial, healthcare,
pharmaceutical, and public sector organizations must comply with industry
compliance standards, such as HIPAA, Gramm-Leach-Bliley Act (GLBA), SOX, the EU
Data Protection Act, etc.
Ariba's approach is to provide an end-to-end encryption paradigm to achieve
security and regulatory compliance. This comprehensive approach means that data
is encrypted from the moment it is posted from the user's machine to the database
or backup storage at the Cloud provider.

Encryption of Data in Motion


Cryptography was intended to protect data in motion, i.e., when data is travelling
over the network communication channel from the user's machine to the web server.
Industry standard strong encryption algorithms provide various layers to protect
data in motion.
- Web Connection: Internet channel security is part of the hardened network
  infrastructure with a minimum 128-bit encryption
- Email Notifications: All emails are sent encrypted with at least 128 bits over TLS
- Web Services: All web service calls are secured using at the minimum 128-bit
  SSL/TLS encryption

Encryption of Data at Rest


Encryption of data at rest is a separate and critical component where data stored on
physical media such as databases, data warehouses, and disk-based storage is
protected. Ariba's approach is multi-faceted, 360-degree encryption across all of the
devices where a customer's data is stored.
- Data in Databases and Data warehouses: Sensitive data is encrypted using
  256-bit AES, including fields identified as personal data. Ariba is also rolling
  out full encryption for all customer data.
- Data on Backup, Storage and DR/Secondary Servers: Data on various
  servers is encrypted.
- Data on Device: Encrypt all data stored locally on individual desktop and
  laptop systems, tablets, or smartphones for offline usage.


Data Isolation and Segregation


Companies expect and demand that their data be isolated and segregated to avoid
any co-mingling of data with other customers, and also to avoid any malicious access
to their data. Ariba's data model keeps each customer's data strictly separate.
Customer data is isolated by realms. A distinct realm is used to identify each
individual customer and store their data. Realms are sealed off from each other and
it is not possible for a given realm to access data from another realm.

Data isolation is further strengthened with customer-specific encryption keys, which
provide best-of-breed protection of customer data from internal or external threats.
Keys are stored in a limited-access key vault that is restricted to a customer's realm.

Key Vault
Keys remain in a protected key vault at all times, and a healthy gap is maintained
between the threat vectors that have direct access to the data and the threat vectors
that have direct access to the keys. The key vault solution also passes the Federal
Information Processing Standards (FIPS) 140-2 Level 3 certification testing.
Importantly, the key vault sustains clear segregation and separation of customer
keys and certificates.

Key Management
Keys are deemed to be interoperable, integrated, and unified. Key management also
involves a comprehensive lifecycle which details the various states that a key
moves through during its life. The lifecycle specifies when a key can no longer be
used for encryption, and when a key can no longer be used for decryption. Key
rotation is an integral key management strategy, and keys are expired or revoked
after a reasonable time period.
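The lifecycle rule above (a key stops being usable for encryption before it stops being usable for decryption) and the per-realm key separation described under Data Isolation and Segregation can be modelled as a small policy check. This is an added example, not Ariba's implementation: the state names, the `RealmKeyVault` class and the realm names are hypothetical, and no key material is handled.

```python
from enum import Enum


class KeyState(Enum):
    # Assumed state names; the page does not name its lifecycle states.
    ACTIVE = "active"              # may encrypt new data and decrypt
    DECRYPT_ONLY = "decrypt-only"  # rotated out: reads of older data only
    REVOKED = "revoked"            # no further use


class KeyUseDenied(Exception):
    """Raised when a requested key use violates realm or lifecycle rules."""


class RealmKeyVault:
    """Tracks key versions per realm; key material itself is not modelled."""

    def __init__(self):
        self._keys = {}  # realm -> {version: KeyState}

    def rotate(self, realm):
        """Issue a new active key; the previous active key becomes decrypt-only."""
        versions = self._keys.setdefault(realm, {})
        for version, state in versions.items():
            if state is KeyState.ACTIVE:
                versions[version] = KeyState.DECRYPT_ONLY
        new_version = len(versions) + 1
        versions[new_version] = KeyState.ACTIVE
        return new_version

    def revoke(self, realm, version):
        self._keys[realm][version] = KeyState.REVOKED

    def key_for_encrypt(self, caller_realm):
        """Only the caller's own active key may protect new data."""
        for version, state in self._keys.get(caller_realm, {}).items():
            if state is KeyState.ACTIVE:
                return version
        raise KeyUseDenied(f"realm {caller_realm!r} has no active key")

    def check_decrypt(self, caller_realm, data_realm, version):
        """Allow decryption only inside the caller's realm with a usable key."""
        if caller_realm != data_realm:
            raise KeyUseDenied("key belongs to another realm")
        state = self._keys.get(data_realm, {}).get(version)
        if state not in (KeyState.ACTIVE, KeyState.DECRYPT_ONLY):
            raise KeyUseDenied(f"key v{version} is not usable for decryption")
        return True


def lifecycle_sample():
    """Walk two constructed realms through rotation, revocation and misuse."""
    vault = RealmKeyVault()
    v1 = vault.rotate("realm-a")
    vault.rotate("realm-b")
    v2 = vault.rotate("realm-a")  # v1 is now decrypt-only
    results = {"encrypt_version": vault.key_for_encrypt("realm-a")}
    results["old_key_decrypts"] = vault.check_decrypt("realm-a", "realm-a", v1)
    vault.revoke("realm-a", v1)
    attempts = {"cross_realm": ("realm-b", "realm-a", v2),
                "revoked": ("realm-a", "realm-a", v1)}
    for label, args in attempts.items():
        try:
            vault.check_decrypt(*args)
            results[label] = "allowed"
        except KeyUseDenied:
            results[label] = "denied"
    return results
```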


Personal Data Protection


Ariba provides transparency to customers and users regarding data processing in the
Ariba Cloud Services in the Ariba Data Policy and Privacy Statement, accessible to
the public and readily available to users from the footer of the Ariba Cloud Services
(see http://www.ariba.com/legal/data-policy; Ariba's Privacy Statement can be
obtained directly at http://www.ariba.com/legal/ariba-privacy-statement).

Ariba maintains a common approach to data classified as personal for users
throughout its application suite. Hence, regardless of which application is used by a
customer, the personal data, as entrusted with Ariba, is consistently protected,
monitored, and audited.

Ariba approaches the definition of personal data consistent with the EU Directive's
definition of personal data, in all of the Ariba products. The EU Directive's definition is
referenced because it is the leading proponent of personal data privacy and
protection globally. Ariba specifically defines personal data broadly as the following in
the Ariba Privacy Statement:
- "Personal Information" is a person's name and information associated with his
  or her personal identity as opposed to information associated with a
  business.
- "Sensitive Personal Information" means government identification numbers
  or financial account numbers associated with individual persons (e.g. U.S.
  Social Security numbers, driver's license numbers, or personal credit card or
  banking account numbers), and medical records or health care claim
  information associated with individuals, including claims for payment or
  reimbursement for any type of medical care for an individual.

Ariba prohibits use of the Ariba Cloud Services for processing of Sensitive Personal
Data.

Personal Data in Ariba Cloud Services


Ariba uses the term "business contact information" to mean information associated
with contacting a person at their place of employment, including a person's name,
title, business phone number, business mailing address, and business email address.
Ariba Cloud Services offer back end processing for business-to-business
transactions and therefore the personal information processed, with very few
exceptions, is business contact information about individuals acting in their role as
company representatives. Ariba's goal is to maximize efficiency, and provide value to
customers by ensuring smooth transactions of commerce. Ariba Cloud Services are
not consumer-facing applications, and they do not process personal information
about consumer activity. Ariba takes steps to respect industry standard marketing
practices such as providing options for individuals to opt-in and/or opt-out of
marketing communications sent to their business email addresses.

Data items, classified as personal and private, that can be associated with users in
the Ariba services are listed below, but users are not expected to provide all of the
information to use the Ariba Services.
- Email Address
- Employee Number
- Employee Name
- Business Phone
- Business Fax
- Alternate Email Addresses
- Business Postal Address
- Credit Card Number
- Card Holder Name

Customers are able to define additional fields within many of the Ariba Cloud Services
with no restriction on how such fields are used. However, Ariba does not expect
these custom fields to be used for storing any Personal or Sensitive Personal
Information, as discussed above. By prohibiting use of our services to store medical
information or the type of personal information that may facilitate identity theft, Ariba
is helping to minimize risks for our customers with regard to personal data handling
and costly breach notification laws.

Deletion of Personal Data


All personal data associated with users, as identified in the previous section, can be
permanently deleted from the Ariba Cloud Services. While the process for permanent
deletion of personal data is straightforward, there are safeguards and controls
incorporated in the deletion process.
The deletion functionality requires the customer to submit a request by opening a
Service Request (SR) ticket for the deletion of personal data. The deletion is made
only for users who are set as inactive.

Audit Logging for Personal Data Modifications


The Ariba Cloud Services approach is to maintain audit logs for any modification of
personal data associated with users. The audit logs are comprehensive and capture
key artifacts when any personal piece of data is modified.
In situations where customers request the Audit reports, the customer is required to
open an SR ticket for processing.


Ariba Network
The Ariba Network provides global commerce capability for Ariba's customers. Ariba
Cloud applications run in regional data centers, where data is stored, and
communicate over the Ariba Network, which is deployed in a data center in North
America and adheres to the highest standards to ensure data security and integrity.
The data flow between regional data centers and the Ariba Network is carried over
a secure encrypted connection. To learn more about this and the overall infrastructure
and security aspects, please refer to the latest Ariba Cloud Services Technical
Infrastructure White Paper at https://connect.ariba.com/ACgo2/1,,139285,00.html
for detailed information.

The Ariba Network does not allow modification of personal data that flows through
the Ariba Network in the exchange of documents among trading partners. This
means that the user's personal data being maintained in any regional
data center is administered at the source and only sent out of the regional data center
in connection with exchange of documents using the Ariba Network and purposes set
forth in the Ariba Data Policy and Privacy Statement.


Conclusion
Ariba is committed to the protection of personal data and sensitive information and
to complying with the data protection laws around the world relevant to the Ariba
Cloud Services. As new regulations are ratified, Ariba evaluates the requirements
and works to evolve its data privacy and protection practices to stay in full
compliance. There may be cases where a new law emerges which Ariba is unable to
immediately comply with in its current role or with existing functionality. In such rare
instances, Ariba will be transparent with customers about the circumstance and
work with customers to consider alternatives.
Ariba respects the rights of users and works diligently with customers, in a shared
responsibility, to protect and maintain user personal data privacy. In keeping with
Ariba's experience and reputation as a Cloud application provider, we consider data
privacy and security with utmost importance, and will continue to do so through all
future enhancements and service offerings.

About Ariba, an SAP Company


Ariba is the world's business commerce network. Ariba combines industry-leading
cloud-based applications with the world's largest web-based trading community to
help companies discover and collaborate with a global network of partners. Using
the Ariba Network, businesses of all sizes can connect to their trading partners
anywhere, at any time from any application or device to buy, sell and manage their
cash more efficiently and effectively than ever before. Companies around the world
use the Ariba Network to simplify inter-enterprise commerce and enhance the
results that they deliver. Join them at: www.ariba.com
About SAP
As market leader in enterprise application software, SAP (NYSE: SAP) helps
companies of all sizes and industries run better. From back office to boardroom,
warehouse to storefront, desktop to mobile device, SAP empowers people and
organizations to work together more efficiently and use business insight more
effectively to stay ahead of the competition. SAP applications and services enable
more than 258,000 customers to operate profitably, adapt continuously, and grow
sustainably. For more information, visit www.sap.com.
