Cloud for Customer (C4C) – Q&A on Email-Security
Dear Customers, partners and colleagues,
as you might know C4C can also be used with email-channels for inbound and outbound communication with your customers & employees in service-related scenarios (e.g. ticket-processing).
How to set up email-channels and run successfully email-related communication is well documented in the online-help of C4C.
In addition to the online-help of C4C you will find below some information to email-related security mechanisms in C4C and furthermore how it is technically realised.
1. What are the security measures in place for email servers on C4C?
SAP C4C uses TLS encrypted Mail sending. Our Mail server is not reachable from the outside, we have a Mail provider in between that is finally sending the Emails to the Customer.
Who is the Mail provider? Do SAP wholly manage this environment, or is this managed by a 3rd party Supplier?
Email communication is realised via a trusted 3rd party provider.
2. How can we be sure that the emails sent from C4C SMTP servers cannot be compromised?
Emails are being sent TLS encrypted, if the customer supports it. If not, we have to fall back to raw smtp.
We send mails on TLS. If the destination mailbox does not support TLS, we use Smtp
3. How can we be sure that no one without authorization can send emails with customer email domain through C4C Email servers?
The customer has to delegate his domain to our Email provider. Combined with the placed DKIM, only our Provider will be able to use his domain.
If we did support DKIM we would presumably need to provide the Mail Provider with customers private DKIM key. What controls exist within the provider to ensure that the key is properly managed.
If the Mail provider supports multiple sources, or is a multi-tenanted/shared mail relay service, how will the mail provider ensure that mail domain was not used by unauthorised sources, who use their service?
The security-key is attached by the SAP Application and then verified by the Mail Provider. No third party ever see’s the key.
SAP has controls and procedures in place on key management. SAP follows recommendations provided by NIST whenever technically feasible. For symmetric, the key is at least 128 bits. For asymmetric, it is at least 2048 bits. Keys are created and distributed using a secure channel. In addition, segregation of duties is required in master key creation if key split of the master key and key parts are not done by different person. Public keys must be stored in a central register while private keys may only be made accessible to the specific user. SAP has procedures in place to ensure key storage follows confidentiality and integrity principles. Keys are revoked when it reaches the end of the lifetime. Keys are also required to be revoked with no delays if the key has been compromised or contains incorrect data.
4. Who from SAP Hosting has access to these SMTP servers? What can they do with their access?
Only the Network Team has access. All we can do is monitor the size of the mail queue and the device themselves. Only the L3 Administrators can see the Email content in case they would need to. All of these employees have NDA contracts signed which forbid them to take any information they learn/see in their work to the outside world.
Who in the 3rd party mail provider has access to the email environment and what access do they have to our users emails?
They have no access to the Mail Bodies. They only have the Mail header within their logs so they can act in case of issues or support cases. SAP has policy in place for logging and monitoring. Logging activities include user administration, changing user permissions, logon attempts and failed logon attempts. Log information includes activities, time and location. They are logged for diagnosis and security purposes. This is documented in SOC2 report.