SAP Security Assessment framework presentation
SAP Security Assessment (SSA): SAP R/3 Security Assessment
The first step towards secure management of your ERP
Sep 25, 2006 Openware - Insside, Confidential information
Through our "SAP Security Assessment" practice we offer a solution that builds management awareness and makes the existing security problems in R/3 environments visible to them.
Why Openware - Insside
The suggested approach combines processes, policies, practices and technology to offer a broad range of options when diagnosing and securing your ERP.
We also propose a holistic, incremental and evolutionary perspective that lets each component and maturity stage scale, so as to assure a successful adoption.
We have a solid and extensive track record:
• 14+ years of experience
• Projects in Latin America and Europe
• Qualified and committed professionals
• International acknowledgments: Endeavor Foundation, Avina Foundation, Junior Achievement, Junior Chamber International
• Within the TOP 50 Argentine companies in terms of CSR
• Within the TOP 10 Argentine information security companies
Track record
Assessment and Revision of SAP R/3 Platform
• Terra Networks Argentina
• T-Gestiona Grupo Telefónica Argentina
Assessment and Revision of SAP Profiles
• T-Gestiona Grupo Telefónica España
• AES Chile – Sarbanes-Oxley implementation
Remote Access and SAP Security
• Monsanto
• Famiq
Penetration Test
• DELSUR – El Salvador
• Liberty Compañía de Seguros Argentina (Liberty Argentina Insurance Company)
• Municipalidad de Rosario (Rosario City Council)
• Telefónica Móviles Argentina
Audit and Information Security Implementation
• Emergia (Telefónica Group)
• Sesa Select (Vedior Group)
• Telefónica Empresa (Telefónica Group)
• Terra Networks portal security review (Telefónica Group)
• Adquira España security audit
• Telefónica Comunicaciones Personales (Telefónica Group), Argentina
• Banco Municipal de Rosario (Municipal Bank of Rosario)
• CEICOM España
• DPS
• Best Select Chile
• Terminal 6
• Minera Lumbrera
• Banco Meridiam
• Policía Federal Argentina (Argentine Federal Police)
Vulnerability Assessments
• Nuevo Banco Bisel
• Toyota
• Globant
• Microglobal
• NCA
• Globalstar – TESACOM
• Neuralsoft
Why secure SAP?
ERP platforms are generally designed for international markets and then customized, so some functions and parameters are not always consistent with local requirements or particular regulations.
Key users take part only partially in the implementation of a new ERP system, so some parameter settings get skipped because ordinary users or consultants do not know them.
Figures that show its complexity:
• 28,000+ tables and views
• 240,000 functions and programs
• 1,000 security administration parameters and accesses
• 15,000+ vulnerabilities in the operating environments
What is the importance of security in the ERP world?
Risk areas: Causes
• One system manages all the business information.
• In 90% of the reviews we carried out there were profile incompatibilities that could let the Company be defrauded.
• The possibility of "authorized fraud".
• Access to SAP clients (Mandanten) with the possibility of service unavailability through critical transactions.
• Financial data not flagged in the ERP system as "productive" can be deleted.
• Audit trails can be activated or deactivated account by account.
• Wrongly assigned profiles may give rise to fraud.
• Problems in the architecture design of the environment and infrastructure.
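The "profile incompatibility" that the slide ties to fraud is a segregation-of-duties (SoD) question: does one user hold two business functions that together let them commit and conceal a fraud? The following is an added example written for this page, not code from the Openware/Insside SIA tool. It evaluates SoD over constructed user-to-role and role-to-transaction assignments shaped like exports of the SAP tables AGR_USERS and AGR_TCODES; the business functions, the conflict matrix, the Z_ role names and the user IDs are this example's own assumptions.

```python
"""Segregation-of-duties (SoD) check over SAP user/role/transaction assignments.

Added example for this page (not the Openware/Insside SIA tool). The role and
user tables below are constructed to resemble exports of AGR_USERS (user ->
role) and AGR_TCODES (role -> transaction); the business functions and the
conflict matrix are this example's own assumptions, not an SAP-supplied list.
"""
from itertools import combinations

# Business functions and the standard transactions that grant them.
FUNCTIONS = {
    "vendor_master_maintain": {"XK01", "XK02", "FK01", "FK02"},
    "vendor_invoice_post": {"FB60", "MIRO"},
    "payment_run": {"F110"},
    "user_admin": {"SU01", "PFCG"},
}

# Pairs of functions one person must never hold together, with the fraud
# scenario each pair enables (assumed conflict matrix).
CONFLICTS = {
    frozenset({"vendor_master_maintain", "vendor_invoice_post"}): "create a fictitious vendor and post invoices to it",
    frozenset({"vendor_invoice_post", "payment_run"}): "post an invoice and pay it without a second person",
    frozenset({"vendor_master_maintain", "payment_run"}): "change vendor bank details and run the payment",
    frozenset({"user_admin", "payment_run"}): "grant oneself further payment authorizations",
}

# Constructed role -> transaction export (AGR_TCODES-like); Z_ roles are made up.
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FBL1N"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_TREASURY": {"F110", "FBL1N"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SM59"},
    "Z_DISPLAY_ONLY": {"FBL1N", "XK03"},
}

# Constructed user -> role export (AGR_USERS-like); user IDs are made up.
USER_ROLES = {
    "AP_CLERK_1": {"Z_AP_CLERK"},
    "MARIA": {"Z_AP_CLERK", "Z_VENDOR_MASTER"},
    "TREAS_1": {"Z_TREASURY", "Z_DISPLAY_ONLY"},
    "POWERUSER": {"Z_AP_CLERK", "Z_TREASURY", "Z_BASIS_ADMIN"},
    "AUDITOR": {"Z_DISPLAY_ONLY"},
}


def user_transactions(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """All transactions a user can start through any of their roles."""
    tcodes = set()
    for role in user_roles.get(user, ()):
        tcodes |= role_tcodes.get(role, set())
    return tcodes


def user_functions(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Business functions reachable by the user: one granting transaction is enough."""
    tcodes = user_transactions(user, user_roles, role_tcodes)
    return {f for f, granting in FUNCTIONS.items() if granting & tcodes}


def roles_granting(user, function, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Which of the user's roles give them the function (what to remove to fix it)."""
    return sorted(
        role for role in user_roles.get(user, ())
        if role_tcodes.get(role, set()) & FUNCTIONS[function]
    )


def sod_violations(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Map each offending user to the conflicting function pairs they hold.

    Returns {user: [(function_a, function_b, fraud_scenario), ...]}; users
    with no conflict are absent from the result.
    """
    report = {}
    for user in sorted(user_roles):
        funcs = sorted(user_functions(user, user_roles, role_tcodes))
        hits = []
        for a, b in combinations(funcs, 2):
            scenario = CONFLICTS.get(frozenset({a, b}))
            if scenario:
                hits.append((a, b, scenario))
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for a, b, scenario in hits:
            print(f"{user}: {a} + {b} -> {scenario}; "
                  f"via roles {roles_granting(user, a)} and {roles_granting(user, b)}")
```

Two design points matter in practice: the check works on transactions actually reachable through roles, not on role names, so a display-only role that happens to contain a maintenance transaction is caught; and roles_granting turns each hit into the concrete remediation (which role to strip or split), which is what the later "define functions / segregate functions" step of the deck needs as input.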
Risk areas: Consequences
• Access to confidential information.
• Access to productive databases.
• Connection of equipment that does not comply with security policies.
• Operating errors that cause service unavailability, due to the excessive permissions of administrator users.
• Security events not detected in a timely manner.
• No preventive or mitigating actions, for lack of an event-correlation device.
• Abuse in profile assignment, which increases the probability of fraud.
• No strategy for managing the users and passwords used to access the application, operating system and databases.
• Inconsistency between the values assigned in transactions and the actual activity in those transactions.
What do we propose?
Carry out a comprehensive diagnosis of SAP R/3 security (SSA) that shows the risk to which the organization is exposed, as regards:
• Possibility of fraud
• Application availability and business continuity
• Confidentiality of business information
• Integrity of the information in the application, operating environments and interface systems
• Level of incompatible functions assigned to users
SSA - Security Model
We take three basic principles into consideration:
• Base security strategies on business risks and technical risks jointly.
• Attain an effective security environment that involves and combines strategy and policies, implementation and administration, event monitoring and technological architecture.
• Apply comprehensive risk-management processes to the components, the business processes and the connected information technology.
SSA Process
SSA: Stage 1
• 0 Analysis of the actual context: Organization, Technology, Security, Processes, People
• 1 Vulnerability & Risk Analysis: Vulnerability analysis, Risk analysis, Recommendations
Security Deployment: Stage 2
• 2 Development of the normative frame: Analyze users' profiles, Define functions, Segregate functions, Standardize processes, Define accesses, Normative frame
• 3 Monitoring for compliance: Validation of objectives already set, Compliance
• 4 Security Hardening & Management: Security hardening, Identity management, Event management, Patch management, Other...
Awareness runs across all stages.
Axes of the model: Organizational capacity, Technical complexity, Business benefits (critical success factors)
Reference frameworks: SOX, ISO 17799/27001, COBIT
SSA: Regular participants
Client: Sponsor user, Project coordinator, SAP/network administrators, Representatives of the user sector / HR
Openware: Senior strategist, Architect, Security consultant (CISA)
SSA - In depth
0 Analysis of actual context
• Define the scope of the project
• Contextual assessment
1 Vulnerability and risk analysis
• Users' control
• Authorization system
• Profile incompatibility / possibility of fraud
• Network infrastructure
• Operating system security
• Protection of database accesses
• Control of the transport system
• External communications security
• Security mechanisms in document exchanges
• Internet security
• Migration to higher versions
Methodology and tools
• As a whole, the suggested methodology adapts itself to the standard control objectives of COBIT / COSO / ISO.
• Use of tools that belong to the application, for instance AIS (Audit Information System), which is part of the SAP R/3 system, and tools developed by INSSIDE and Openware.
SSA - Deliverables: report on the detected vulnerabilities, the main risks those weaknesses generate, and recommendations to solve them
Users' Control
• Authentication in SAP
• Password policies
• SAP standard users' passwords
• External authentication methods
• Monitoring through the Security Audit Log
• Control of changes in user master records
• License administration
Authorizations System
• Powerful profile management
• Access to transactions and critical authorization objects
BASIS Administration
• Client (Mandant) structure
• Notes updating
• Strategies for applying Hot Packages
• Performance and response times
Transport System
• Work environments
• Program passage between environments
• TMS (Transport Management System)
SSA - Deliverables (continued)
Internet Security
• ITS (Internet Transaction Server)
• Control over firewalls, services, ports, directories and protection of critical files
• Use of generic users
Network Infrastructure
• SAP and general network services (routers, firewalls, SAProuter)
• Use of SNC (Secure Network Communications)
• Communications over public networks (Internet, modem)
• SAPNet connection (OSS)
Operating System Security
• User configuration policies and logs
• Monitoring
• Permissions over the directories and main SAP files
Protection of Database Access
• SQL Server / Oracle configuration
• Verify whether the standard SAP users' passwords were modified
• SAPDBA protection
• Existing controls over the critical tables of the system
SSA - Own tools
Attaka: vulnerability assessment & management platform
Attaka assesses more than 15,000 security vulnerabilities in SAP environments.
It includes the following modules:
Discovery:
• Consolidation of assets and assessment (internal and external)
Reporting:
• Interactive and historical reports and a dashboard with key indicators
Remediation:
• Includes documentation processes and workflow
Support:
• 24x7 online access, based on ITIL, to specialized PS
(*) It is the only security tool in Spanish-speaking America under the approval process of cve.mitre.org
SSA - Own tools
SIA (SAP Insside Audit): R/3 security audit system
It includes the following modules:
Profile:
• Consolidates, analyzes and processes the relationship between profiles and transactions
User Integrity:
• Validates the integrity of, and the relationship between, R/3 users, DB users and operating system users
• Checks the configuration quality of the system from the access security perspective
Password Hardening:
• Verifies the security level of the passwords assigned in the R/3 environment
• Checks the protection level of the standard users provided by the system (SAP*, DDIC, etc.) for each client (Mandant)
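What the Users' Control deliverable (password policies, standard users' passwords, Security Audit Log) and the SIA Password Hardening module check can be written down as a baseline comparison. The following is an added example for this page, not the SIA tool or any Openware/Insside code. Its input is constructed to resemble what an assessor collects with report RSPARAM (active profile parameters) and report RSUSR003 (standard users and whether their shipped default password is still in use, per client); the record layout and the recommended values are this example's own assumptions, since the deck names no numbers. The one hard fact it encodes is the SAP* rule: if a client has no SAP* master record and login/no_automatic_user_sapstar is not 1, the kernel accepts the hard-coded user SAP* with password PASS and full authorizations.

```python
"""Baseline check of SAP logon parameters and standard users, client by client.

Added example for this page (not the Openware/Insside SIA tool). The input is
constructed to resemble what an assessor collects with report RSPARAM (profile
parameters) and report RSUSR003 (standard users per client); the record layout
and the baseline values are this example's own assumptions.
"""

# Recommended values: an assumption of this example, the deck names no numbers.
# ("min", n): value must be >= n; ("max", n): <= n; ("eq", n): == n.
BASELINE = {
    "login/min_password_lng": ("min", 8),
    "login/fails_to_user_lock": ("max", 5),
    "login/password_expiration_time": ("max", 90),   # 0 means never expires
    "login/no_automatic_user_sapstar": ("eq", 1),    # block hard-coded SAP*/PASS logon
    "rsau/enable": ("eq", 1),                         # Security Audit Log switched on
}

# Users SAP ships with; each must have its shipped default password changed.
STANDARD_USERS = ("SAP*", "DDIC", "EARLYWATCH", "SAPCPIC")

# Constructed RSPARAM-like export of the system under review.
SAMPLE_PARAMS = {
    "login/min_password_lng": 6,
    "login/fails_to_user_lock": 12,
    "login/password_expiration_time": 0,
    "login/no_automatic_user_sapstar": 0,
    # "rsau/enable" deliberately absent: the parameter was never set
}

# Constructed per-client user records. "default_password" is what RSUSR003
# reports: True if the shipped default password is still in use.
SAMPLE_USERS = [
    {"client": "000", "user": "SAP*", "locked": False, "default_password": True},
    {"client": "000", "user": "DDIC", "locked": False, "default_password": False},
    {"client": "066", "user": "SAP*", "locked": True, "default_password": False},
    {"client": "066", "user": "EARLYWATCH", "locked": True, "default_password": True},
    {"client": "100", "user": "DDIC", "locked": False, "default_password": True},
    {"client": "100", "user": "JSMITH", "locked": False, "default_password": False},
]


def check_parameters(params):
    """One finding string per baseline parameter that is unset or out of range."""
    findings = []
    for name, (op, want) in BASELINE.items():
        if name not in params:
            findings.append(f"{name}: not set, kernel default applies")
            continue
        have = params[name]
        # Expiration 0 means "never", so it must not be compared as a small number.
        if name == "login/password_expiration_time" and have == 0:
            findings.append(f"{name}=0: passwords never expire")
            continue
        out_of_range = (
            (op == "min" and have < want)
            or (op == "max" and have > want)
            or (op == "eq" and have != want)
        )
        if out_of_range:
            findings.append(f"{name}={have}: baseline is {op} {want}")
    return findings


def check_standard_users(users, params):
    """Findings as (severity, client, message) for every client in the export.

    A client with no SAP* master record is critical when
    login/no_automatic_user_sapstar is not 1: the kernel then accepts the
    hard-coded SAP* user with password PASS and full authorizations.
    """
    by_client = {}
    for rec in users:
        by_client.setdefault(rec["client"], {})[rec["user"]] = rec
    # Unset is treated as 0 here (assumed default for the R/3 releases of the time).
    sapstar_guarded = params.get("login/no_automatic_user_sapstar", 0) == 1

    findings = []
    for client in sorted(by_client):
        present = by_client[client]
        if "SAP*" not in present and not sapstar_guarded:
            findings.append(("critical", client,
                             "SAP* master record missing and login/no_automatic_user_sapstar != 1: "
                             "SAP*/PASS logon possible"))
        for name in STANDARD_USERS:
            rec = present.get(name)
            if rec and rec["default_password"]:
                # A lock can be lifted by any user administrator, so the default
                # password still has to change; an unlocked one is immediately usable.
                severity = "high" if rec["locked"] else "critical"
                findings.append((severity, client, f"{name} still has the shipped default password"))
    return findings


if __name__ == "__main__":
    for line in check_parameters(SAMPLE_PARAMS):
        print("PARAM   ", line)
    for severity, client, msg in check_standard_users(SAMPLE_USERS, SAMPLE_PARAMS):
        print(f"{severity.upper():8} client {client}: {msg}")
```

Run against the constructed sample it reports all five parameters (short minimum length, generous lock threshold, no expiration, SAP* guard off, audit log unset) and four user findings: SAP* in client 000 with its default password and unlocked, EARLYWATCH in 066 locked but still on its default, and in client 100 both the missing SAP* record and DDIC on its default password. Setting login/no_automatic_user_sapstar to 1 removes only the missing-SAP* finding; the default passwords still have to be changed in every client.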
SSA makes viable:
• Awareness of management and end users in terms of security.
• Development of a normative frame of security and control, and standardization of the processes to follow for the management and administration of users, profiles and access authorizations that assure the protection of the Organization's information:
  • SAP compliance
  • SOX compliance
  • ISO 17799/27001 compliance
• Component hardening actions and management of assets and resources.
• Monitoring the regularization level (compliance) of the observations presented in the first stage.
Stage 2 (potential)
Security must be approached as a strategic aspect of the company, which should include:
• Products, tools and automation
• Profiles and roles properly assigned
• Knowledge, functions and responsibilities
Dimensions: Modules, People, Technology
Stage 2 (potential)
2 Development of the normative frame
• SAP compliance
• SOX compliance
• ISO 17799/27001 compliance
3 Monitoring for compliance
• Monitoring the regularization level of the observations presented in the first stage, and compliance
4 Security Hardening & Management
• Security hardening
• Identity management
• Event management
• Patch management
• Other
Thank you!
SSA - SAP Security Assessment
http://www.openware.biz/index_en.shtml