SAP Security & Identity Management
Ibrahim Sigirci / IT Transformation Services - Security
May 18, 2011
© 2011 SAP AG. All rights reserved. 2
Agenda
Challenges
Solution
SAP NW IdM
SAP BO GRC AC
SAP NW SSO
Summary
Challenges
User Management
- Establish comprehensive, workflow-based user administration
- Exchange data quickly and securely across applications
- Keep data consistent across applications
- Map functional segregation to user accounts
- Comply with audit requirements
- Ensure regulatory compliance
Challenges
Compliance Management
- Map functional segregation to user accounts
- Comply with audit requirements
- Ensure regulatory compliance
- Implement an enterprise control system
- Manage authorizations and data access
- Manage emergency user access
- Implement compliant role management
Challenges
Access Management
- Secure user entry management
- Password-based access to different systems
- Information and data need to be protected to stay competitive and innovative
- Cross-company networked applications need higher attention to secure critical information
- Mobile workers need remote access to the company IT infrastructure to increase efficiency
- Reduction of total cost of ownership
- Companies are confronted by cyber attacks worldwide
- Investment in IT security has been increasing for years
- Compliance demands from legal authorities are increasing
Solution
Access Control
How do I manage business and IT controls and satisfy complex audit and compliance requirements?
- Segregation of duties
- Compliant provisioning
- Audit management
Identity Management
How do I reduce the costs of managing users and data across a complex systems landscape?
- Centralized user provisioning
- Authorized access
- Alleviate helpdesk burden
Information Lifecycle Management
How do I ensure secure and efficient management of legacy data and systems?
- Securely archive business data
- Retention management
- Efficient access to archived data and e-discovery
- Legal and compliance needs
Sustainable Compliance
How do I proactively detect, mitigate and prevent access and authorization risk across the enterprise?
- Embedded compliance
- Unified platform
- Best practices
Together these address four goals:
- Improve security and reduce operations costs
- Ensure audit and compliance management
- Manage access and authorization risk proactively
- Ensure secure management of business data
Solution
Enterprise User Management: SAP NetWeaver Identity Management
Central User Management Environment
- Established consistent software-based processes
- Eliminated paper-based user registration
- Improved data quality
- Minimized data entry errors
- Reduced administrative effort
- Eliminated data redundancies
- Improved service levels for users
- Facilitated approval procedures
Solution
Enterprise Risk & Control Management: SAP BO Governance, Risk & Compliance
- Prevent unauthorized access
- Get real-time risk analysis and remediation for SAP and non-SAP software environments
- Minimize the time and cost of access risk management
- Embed access risk analysis in user provisioning and role maintenance processes
- Achieve real-time visibility into access risk
- Get comprehensive capabilities for analysis, alerts, and reporting
- Centralize emergency access management with integrated monitoring and reporting
- Leverage integration for automated testing of segregation of duties (SoD) controls to provide visibility into mitigating control effectiveness
Solution
Access & Entry Management
Single sign-on (SSO): SSO is a session- or user-based authentication process that permits a user to access information in different resources or systems without having to provide separate credentials. SSO is based on a standardized security token.
Enterprise single sign-on (E-SSO): a generic solution for logging on automatically with user name and password. It is used for applications that do not support open standards and tokens for SSO.
Data encryption (related to IT): data encryption is an automated, technical process that converts data with an algorithm. The intention is to protect information through encryption.
SAP NetWeaver Identity Management
Architecture overview (diagram): SAP NetWeaver Identity Management connects to Active Directory, SAP ERP, the e-mail system, SAP Portal, SAP GRC, web services and other systems, detecting changes and reading/writing data in each. Its capabilities: Identity Virtualization, Password Management, Data Synchronization, Provisioning, Workflow and Approvals, Roles and Entitlements, Reporting and Auditing.
- Ensure that the right users have the right access to the right systems at the right times
- Centrally manage user roles across all systems and applications
- Enable efficient, secure and compliant execution of business processes
- Enforce authorization controls against central policy
- Lower administrative costs with powerful data synchronization and automated provisioning across systems
SAP NetWeaver Identity Management
Scenario: first day at work
Kim Perkins joins the company as a marketing professional. From the first day with her new company, she is able to log on to all relevant systems, including access to the employee self-services, and access to SAP CRM to track the marketing activities she is responsible for.
Steps as numbered in the diagram (pre-hire phase through first day at work):
1. HR Operations: HR ensures that employee data for Kim is entered in the SAP HCM system (e.g. hire date, title, position).
2. Personnel data is extracted (event-driven).
3. Based on the position in SAP HCM, the business role "Marketing Professional" is assigned automatically.
4. Kim's line manager approves the assignment.
Result in the target systems: Business Partner created; user created with "Marketing Professional"; user created with "Employee"; user created with access to SAP ESS and access to SAP CRM.
SAP NetWeaver Identity Management
Scenario: day of change
After two years as a marketing professional, Kim Perkins is promoted to take over personnel and budget responsibility for her marketing team. On the first day in her new role, she has access to the manager self-services. In her new position, she is responsible for budget approvals for all marketing campaigns; this requires immediate access to SAP ERP to view the marketing costs.
Steps as numbered in the diagram:
1. HR Operations: HR ensures that all necessary employee data for Kim is available (e.g. position and entry date).
2. Personnel data is extracted (event-based).
3. SAP NetWeaver Identity Management recognizes the line manager information for Kim and automatically assigns the business role "Marketing Manager".
Result in the target systems: user updated with access to SAP ESS, SAP MSS and SAP CRM; user created with "Marketing Controller".
SAP NetWeaver Identity Management
Scenario: day after termination date
After eight years, Kim Perkins leaves the company. On her last day, she finishes her tasks in the systems she used to work on. The day after her official assignment with the company ends, she is no longer able to access these systems.
Steps as numbered in the diagram:
1. HR Operations: HR ensures that all termination-relevant data for Kim is available (e.g. last day with the company).
2. Personnel data is extracted (event-driven).
3. SAP NetWeaver Identity Management recognizes the last-day information for Kim and automatically un-assigns all access rights and disables her accounts.
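The joiner, mover and leaver flow of the three Kim Perkins scenarios, as an added Python example that is not part of the presentation and not SAP NetWeaver Identity Management code: HCM events drive a desired-state model, a hire assignment waits for the line manager's approval, a position change swaps the business role, and termination revokes every entitlement and disables the identity. The position, role and entitlement mappings are constructed from the slides.

```python
from dataclasses import dataclass, field

# Constructed mappings (modelled on the Kim Perkins slides, not SAP data):
# HCM position -> business role, and business role -> entitlements per system.
POSITION_TO_ROLE = {"Marketing Professional": "Marketing Professional",
                    "Marketing Manager": "Marketing Manager"}
ROLE_TO_ENTITLEMENTS = {
    "Marketing Professional": {"SAP_ERP": {"Employee"}, "SAP_Portal": {"ESS"},
                               "SAP_CRM": {"Marketing Professional"}},
    "Marketing Manager": {"SAP_ERP": {"Marketing Controller"},
                          "SAP_Portal": {"ESS", "MSS"},
                          "SAP_CRM": {"Marketing Professional"}},
}

@dataclass
class Identity:
    name: str
    active: bool = False
    roles: set = field(default_factory=set)      # approved business roles
    pending: set = field(default_factory=set)    # roles awaiting approval
    accounts: dict = field(default_factory=dict) # system -> entitlements

def _reconcile(ident):
    """Recompute every target account from the approved roles (desired state)."""
    target = {}
    for role in ident.roles:
        for system, ents in ROLE_TO_ENTITLEMENTS[role].items():
            target.setdefault(system, set()).update(ents)
    # Known systems stay listed so a dropped role leaves an empty, revoked account.
    ident.accounts = {s: target.get(s, set()) for s in set(ident.accounts) | set(target)}

def apply_event(idm, event):
    """Process one event extracted from HCM: hire, approve, change or terminate."""
    ident = idm.setdefault(event["person"], Identity(event["person"]))
    kind = event["type"]
    if kind == "hire":          # role derived from position, waits for approval
        ident.pending.add(POSITION_TO_ROLE[event["position"]])
    elif kind == "approve":     # line manager approves; accounts get provisioned
        ident.roles |= ident.pending
        ident.pending.clear()
        ident.active = True
    elif kind == "change":      # promotion: old business role replaced
        ident.roles = {POSITION_TO_ROLE[event["position"]]}
    elif kind == "terminate":   # last day reached: revoke all access, disable
        ident.roles.clear()
        ident.pending.clear()
        ident.active = False
    _reconcile(ident)
    return ident
```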
SAP BO GRC Access Control
Closed-loop cycle (diagram): Analyze and Remediate, Model and Control, Embed and Execute, Document and Audit.
- Analyze and remediate risk
- Continuous monitoring
- Superuser privilege management
- SoD rules & regulations, corporate policies, best practices
- Embed cross-platform
- Embed cross-function (FIN, SCM, SRM, MFG, HR)
- Collaborate across functions
- Provide proof, streamline audits
Business impact:
- Proactively protect information and prevent fraud
- Optimize operations and minimize cost of compliance and audits
- Obtain visibility and documentation
- Control access and authorizations across your company
SAP BO GRC Access Control
Key Features
Controlled access and authorization across the company
- Comprehensive, best-practice, cross-application SoD rules
- Out-of-the-box rules integrate with major software vendor and legacy systems
- Controlled super-user access
Efficient compliance management
- Centralized SoD controls management for IT, business users and auditors
- Automated audit trails and documentation
- Automated rule building and analysis; what-if simulations
Ensure oversight and predictability
- Company-wide oversight into SoD violations & critical transaction access
- Transaction monitoring
- Automated audit trails for business users and auditors
- Enhanced control and audit tracking for super-user activity
Business Impact
- Proactively protect information, prevent fraud
- Obtain visibility and documentation
- Optimize operations, minimize cost of compliance and audits
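The SoD risk analysis and what-if simulation listed under Key Features, as an added Python example that is neither the presentation's nor SAP's code: a constructed rule set of conflicting business functions, a constructed role-to-function mapping, mitigating controls that suppress a known and accepted risk, critical access flagged on its own, and a simulation of the violations a requested role would introduce before it is provisioned.

```python
# Constructed SoD rule set (not SAP's shipped rules): each rule names two
# conflicting business functions that one user must not hold together.
SOD_RULES = [
    {"id": "P001", "risk": "Maintain vendor master and pay vendors",
     "functions": ("AP_VENDOR_MAINT", "AP_PAYMENTS")},
    {"id": "F002", "risk": "Post journal entries and close the period",
     "functions": ("GL_POSTING", "GL_PERIOD_CLOSE")},
]
# Constructed role -> business function mapping (what each role actually grants).
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"AP_VENDOR_MAINT"}, "Z_AP_PAYMENT": {"AP_PAYMENTS"},
    "Z_GL_ACCOUNTANT": {"GL_POSTING"}, "Z_GL_CLOSE": {"GL_PERIOD_CLOSE"},
    "Z_BASIS_ADMIN": {"SU01_USER_ADMIN"},
}
# Critical access is reported on its own, without needing a conflicting partner.
CRITICAL_FUNCTIONS = {"SU01_USER_ADMIN"}

def functions_of(roles):
    """Expand a set of roles to the business functions they grant."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))

def analyze(user, roles, mitigations=()):
    """Risk analysis for one user: SoD violations (minus risks covered by a
    mitigating control) and the critical functions the user holds."""
    funcs = functions_of(roles)
    violations = [rule["id"] for rule in SOD_RULES
                  if set(rule["functions"]) <= funcs and rule["id"] not in mitigations]
    return {"user": user, "violations": violations,
            "critical": sorted(funcs & CRITICAL_FUNCTIONS)}

def simulate_add(user, roles, new_role, mitigations=()):
    """What-if simulation for compliant provisioning: which violations would
    the requested role introduce on top of the user's current access?"""
    before = set(analyze(user, roles, mitigations)["violations"])
    after = set(analyze(user, set(roles) | {new_role}, mitigations)["violations"])
    return sorted(after - before)
```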
SAP BO GRC Access Control
Components (diagram):
- Get Clean: Risk Analysis and Remediation
- Stay Clean: Compliant User Provisioning, Enterprise Role Management, Superuser Privilege Management
- Stay in Control: Management Oversight, Internal Audit
SAP BO GRC Access Control
Integration overview (diagram): a composite business process (process steps 1 to 3, each carrying its process context) running on SAP NetWeaver and spanning the SAP Business Suite, 3rd-party applications and SAP BusinessObjects.
SAP NetWeaver Single Sign On
- Standard encryption for SAP GUI for Windows: SAP GUI for Windows standard communication encryption (planned to be shipped within the SAP NetWeaver license)
- Support of the open SAML standard for web single sign-on: identity provider (IdP) and security token service (STS) for web-based and web-service-based access via SAML
- Single sign-on with certificates and support of additional authentication methods: strong encryption, Kerberos and X.509 authentication and SSO to SAP GUI for Windows, strong authentication (secure ID cards, smart cards), SSO web client, re-authentication and digital signatures
- Enterprise single sign-on (E-SSO) for legacy systems not supporting open standards: E-SSO to legacy systems requiring user ID and password authentication
SAP NetWeaver Single Sign On
Scenario: security token from Microsoft Active Directory (diagram with the Windows client, Microsoft Active Directory and the SAP Business Suite). Steps as numbered in the diagram:
1. User authenticated via Microsoft Active Directory
2. Start SAP GUI
3. Request security token
4. Authenticate via security token; secure communication between SAP GUI and the SAP Business Suite
- Authentication through security tokens
- Low implementation effort
- Strong integration between SAP GUI, Windows client and Windows Active Directory
- Strong encryption
SAP NetWeaver Single Sign On
Scenario: smart card with the Microsoft Certificate Store (diagram with the Windows client, Microsoft Active Directory, the Microsoft Certificate Store and the SAP Business Suite). Steps as numbered in the diagram:
1. User authenticated via Microsoft Active Directory
2. Start SAP GUI
3. Request security token
4. Authenticate via security token; secure communication between SAP GUI and the SAP Business Suite
- Authentication via smart card and existing PKI (Microsoft CA)
- PKCS#11 also supported
- Low implementation effort
- Strong encryption
- 2-factor authentication
SAP NetWeaver Single Sign On
Scenario: Login Server issuing certificates (diagram with SAP GUI, the Login Server, an Authentication Server such as AD, LDAP or RSA, and the SAP Business Suite). Steps as numbered in the diagram:
1. Start SAP GUI
2. SAP GUI calls the Login Server; the user is prompted for credentials
3. The Login Server validates the credentials against the Authentication Server (AD, LDAP, RSA ...)
4. Automatic creation of a certificate for the user
5. Authenticate via certificate; secure communication with the SAP Business Suite
- Certificate can be used for SAP GUI and web applications
- No PKI required, but integration with one is supported
- Strong encryption
- Enablement of SSO and communication encryption
Summary
Compliant Access & Identity Management: SAP offers a complete suite of compliance, governance, identity and single sign-on solutions.
- Compliance and Governance: SAP BusinessObjects Access Control
- Identity Management: SAP NetWeaver Identity Management
- Authentication and Single Sign-On: SAP NetWeaver Single Sign-On
Summary
Compliant Identity Management
- SAP GRC Access Control (CFO): satisfies the requirements of the CFO to ensure that IT business application controls are compliant
- SAP NetWeaver Identity Management (CIO): provides the reduced TCO and increased security required by the CIO
- Provides compliant Identity Management across SAP and heterogeneous landscapes in one integrated solution
- Standards-based integration creates a tightly aligned, loosely coupled solution from complementary components
- Gives a consistent view of current and historic access rights, approvals and policy violations
Thank You!
Ibrahim Sigirci, Senior Security & GRC Consultant, IT Transformation Services GER, +49 1515 43 46 388