Hétpecsét 43rd Professional Forum on Managing Information Security: Security@SAP
János Kis, SAP Labs Hungary, 17 November 2010
© SAP AG 2009. All rights reserved. / Page 2
Security Features, Offerings, and Services

SAP Security

Software Security Assurance and Quality
- Internal and external security assessments
- Security response process
- Security product standard and validation

Security Functionality
- SAP NetWeaver Identity Management
- Web services security
- Single sign-on
- Compliance

Security Services and Information
- Best practices and security configuration guides on SDN
- Documentation in the SAP Online Help
- Security Optimization Service
SAP NetWeaver Technology Capabilities: Security and Identity Management

[Slide diagram: service-enabled applications (SAP Business Suite 7, customer and partner applications such as order management, non-SAP and legacy systems) sit on top of SAP NetWeaver, integrated through service-bus-based integration and repository-based modeling and design. Technology capabilities shown: Master Data Management; Data Management and Integration; Portal & Collaboration; Search; Information Composition; Service Composition; SOA Management; Content Management; Business Intelligence; User Interface Composition; Mobile User Interface Technology; Data Management; User Productivity; Business Process Management and Composition; Integration (Service Oriented Architecture (SOA) middleware); Business Content; Information Management; Business Process Monitoring; Human Interaction Management; Business Process Modeling; Business Rules Management; Security; ABAP Development; Java Development; Security and Identity Management; Application Life-cycle Management; Application Foundation.]

Security
- Ensure an integrated and easy-to-configure SECURITY FRAMEWORK
- Enhance security and reduce TCO via standards-based SINGLE SIGN-ON & IDENTITY FEDERATION
- MANAGE IDENTITIES across processes to lower costs and security risks
- Enable a common security concept via STANDARDIZED SECURITY services
- Efficient and comprehensive feature set to configure, administer and run SECURE BUSINESS PROCESSES

SAP NetWeaver provides a comprehensive and efficient security infrastructure for secure and compliant business processes.
Secure Network Topology: On-Premise Solutions

[Slide diagram: three zones separated by firewalls, from the end user inwards.]
- Firewall, then Outer DMZ: application gateways that pre-scan user requests for validity and known exploits.
- Firewall, then Inner DMZ: WebAS, Portal or other Web service front end that preprocesses and validates user input and output.
- Firewall, then Backend networks: application server farms (R/3, ERP, DIR) that process the business logic or Web service request.
Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

- ABAP: the Security Audit Log. It is configured with transaction SM19 (filters selecting which clients, users and event classes are recorded), evaluated with SM20, and its old log files are reorganized with SM18.
- Java: results are displayed in the Log Viewer.
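The evaluation a security operations team would run over these ABAP events, as an added example that is not part of the original deck: it correlates logon events per user and terminal and flags a run of failed logons followed by a success, plus account lockouts. The event IDs AU1 (logon successful), AU2 (logon failed) and AUM (user locked after erroneous password checks) are the standard Security Audit Log message IDs; the log entries, the five-failure threshold and the reduced record layout are constructed for the example (real entries are read through SM20 and carry more fields), and ABAP 7.40 syntax is assumed.

```abap
REPORT zsec_sal_logon_review.

" Reduced Security Audit Log record: only the fields the correlation needs.
TYPES: BEGIN OF ty_sal,
         seq      TYPE i,            " position in the log file (keeps event order)
         event    TYPE c LENGTH 3,   " SAL message ID: AU1, AU2, AUM, ...
         uname    TYPE syuname,
         terminal TYPE c LENGTH 20,
       END OF ty_sal,
       ty_sal_tab TYPE STANDARD TABLE OF ty_sal WITH EMPTY KEY.

" Assumed threshold: this many failures directly before a success is reported.
CONSTANTS gc_threshold TYPE i VALUE 5.

" Constructed sample, not real SM20 output.
DATA(gt_sal) = VALUE ty_sal_tab(
  ( seq = 1 event = 'AU2' uname = 'DDIC'   terminal = 'WS-4711' )
  ( seq = 2 event = 'AU2' uname = 'DDIC'   terminal = 'WS-4711' )
  ( seq = 3 event = 'AU1' uname = 'JSMITH' terminal = 'WS-0815' )
  ( seq = 4 event = 'AU2' uname = 'DDIC'   terminal = 'WS-4711' )
  ( seq = 5 event = 'AU2' uname = 'DDIC'   terminal = 'WS-4711' )
  ( seq = 6 event = 'AU2' uname = 'DDIC'   terminal = 'WS-4711' )
  ( seq = 7 event = 'AU1' uname = 'DDIC'   terminal = 'WS-4711' )
  ( seq = 8 event = 'AU2' uname = 'JSMITH' terminal = 'WS-0815' )
  ( seq = 9 event = 'AUM' uname = 'SAP*'   terminal = 'WS-9999' ) ).

DATA gv_failed TYPE i.

" Group members keep the table order, so sort by sequence first.
SORT gt_sal BY seq.

LOOP AT gt_sal INTO DATA(gs_sal)
     GROUP BY ( uname = gs_sal-uname terminal = gs_sal-terminal )
     INTO DATA(gs_group).

  CLEAR gv_failed.

  LOOP AT GROUP gs_group INTO DATA(gs_member).
    CASE gs_member-event.
      WHEN 'AU2'.
        gv_failed = gv_failed + 1.
      WHEN 'AU1'.
        " A success after a burst of failures from the same terminal is the
        " pattern of password guessing that finally hit a valid password.
        IF gv_failed >= gc_threshold.
          WRITE: / |Possible password guessing: { gs_group-uname } from { gs_group-terminal }: |
               & |{ gv_failed } failed logons followed by success|.
        ENDIF.
        CLEAR gv_failed.
      WHEN 'AUM'.
        WRITE: / |Account locked after failed password checks: { gs_group-uname } from { gs_group-terminal }|.
        CLEAR gv_failed.
    ENDCASE.
  ENDLOOP.
ENDLOOP.
```

Run as a report, the sample reports DDIC from WS-4711 (five failures, then success) and the SAP* lockout, while JSMITH's single failure stays below the threshold. In SM19 the corresponding filter must record the logon event class for the relevant clients and users, otherwise AU1/AU2 never reach the log.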
Data Encryption Using Secure Store and Forward (SSF)

[Slide diagram: credit card data is stored encrypted in the database; the application calls the SSF API, decryption takes place only for an authorized administrator, and only then is the data displayed unencrypted.]

- PCI-DSS-compliant encryption
- Uses the SAP Cryptographic Library
- Available as of release 4.6C
The SAP Authorization Concept

The SAP authorization concept defines rules on:
- how to create users in a system
- who may execute which actions, especially how to:
  - restrict display and change of data depending on user roles (this enhances the security of the system)
  - show users only those actions which are relevant for their roles (this simplifies system usage)
SAP ABAP Authorization Check

An AUTHORITY-CHECK tests a combination of authorization-relevant attributes of a business object:
- Access type: the activity, e.g. create, change, display, delete, ...
- Business area: additional authorization-relevant attributes, e.g. record type, ...
- Organization: organizational attributes, e.g. company code, personnel area, ...
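The check itself in ABAP, as an added example rather than code from the slides: F_BKPF_BUK with the fields BUKRS (company code) and ACTVT is the standard authorization object for accounting documents, and activity 02 is "change" (01 create, 03 display, 06 delete). The report name, the local class, the company code and the document number are assumed for illustration; ABAP 7.40 syntax is assumed.

```abap
REPORT zsec_authcheck_demo.

CLASS lcl_posting DEFINITION.
  PUBLIC SECTION.
    METHODS change_document
      IMPORTING iv_bukrs TYPE bukrs      " company code (organizational attribute)
                iv_belnr TYPE belnr_d.   " accounting document number
ENDCLASS.

CLASS lcl_posting IMPLEMENTATION.
  METHOD change_document.
    " Checking S_TCODE at transaction start is not enough: this method can also
    " be reached through RFC, a BAPI or a custom report, so the business object
    " is checked at the point of use with the activity and the company code.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD iv_bukrs
      ID 'ACTVT' FIELD '02'.

    " AUTHORITY-CHECK only sets sy-subrc; it never stops execution by itself.
    " Code that issues the check and then carries on regardless is a
    " missing-authorization-check defect, so the result must be evaluated.
    CASE sy-subrc.
      WHEN 0.
        " Authorized for activity 02 in this company code: proceed.
        WRITE: / |Changing document { iv_belnr } in company code { iv_bukrs }|.
      WHEN 4.
        " User lacks the object, or has it only with other field values
        " (another company code, or display-only activity 03).
        MESSAGE |No authorization to change documents in company code { iv_bukrs }| TYPE 'E'.
      WHEN OTHERS.
        " 8: more than ten ID fields; 12: object unknown; 16: no profile in the
        " user master; 24: field names do not match the object; higher values:
        " profile errors. A broken check is treated as denial, never as permission.
        MESSAGE |Authorization check failed (sy-subrc { sy-subrc })| TYPE 'E'.
    ENDCASE.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Assumed sample call: company code 1000, document 0100000001.
  NEW lcl_posting( )->change_document( iv_bukrs = '1000'
                                        iv_belnr = '0100000001' ).
```

A user whose role grants F_BKPF_BUK with BUKRS = 1000 and ACTVT = 03 only reaches the WHEN 4 branch here, which is exactly the "restrict display and change of data depending on user roles" rule from the authorization concept; a role with BUKRS = * would pass for every company code, which is why organizational field values in roles deserve the same review as the activity.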
SAP Security – Building on Industry Standards

[Slide table; status as of February 2010. Each standard is marked on the slide as Supported by SAP, Under Evaluation or Future Work.]
- Authentication: X.509 certificates, Kerberos, SAML 1.x, JAAS
- Authorization: XACML
- Provisioning: SPML, LDAP
- Federation: SAML 2.0
- Metadata: WS-Policy, WS-SecurityPolicy
- Transport security: SSL/TLS, GSS
- Document security: XML Signature, XML Encryption, PKCS#7, S/MIME
- Message security: WS-Security, WS-Trust, WS-SecureConversation, WS-ReliableMessaging
- Interoperability: WS-I Basic Security Profile 1.0 and 1.1
- Also listed (category and status not recoverable from the extracted text): OpenID, OAuth, PCI DSS
SAP Security Services Overview

[Slide diagram: best practices, recommendations and guidelines on one axis; customer engagement and service delivery (support, tools, self-services, services delivered by SAP) on the other.]
- Security in EarlyWatch Alert
- Security Notes Report
- Security Optimization Self-Service
- Security in Configuration Validation
- Security Optimization Remote Service
- Run SAP / E2E Solution Operations Standard for Security
Run SAP Methodology: SAP Security Standard

Assessment & Scoping
- Operational requirements analysis
- Governance model for operations
- Scope definition
- Technical requirements and architecture
- Project setup

Design Operations
- End user support concept
- SAP technical operations concept
- Change management concept
- Technical infrastructure design
- SAP application management concept
- Business process operations concept

Setup Operations
- End user support implementation
- SAP technical operations implementation
- Change management implementation
- Technical infrastructure implementation
- SAP application management implementation
- Business process operations implementation

Handover into Production
- Knowledge transfer and certification
- Final testing
- Transition into production
- Handover and sign-off

Operations & Optimization
- End user support
- SAP technical operations
- Change management
- Technical infrastructure management
- SAP application management
- Business process operations
Run SAP Methodology: Secure Operations

The 10 secure operation tracks of the Secure Operations Map cover the following topics:
1. Audit: Ensure and verify the compliance of a company's IT infrastructure and operation with internal and external guidelines
2. Outsourcing: Ensure secure operation in IT outsourcing scenarios
3. Emergency Concept: Prepare for and react to emergency situations
4. Secure Process and People Collaboration: Maintain the security of process and people collaboration through the security capabilities of automated business processes and document exchanges
5. User and Authorization Management: Manage IT users, their authorizations and authentication
6. Administration Concept: Securely administer all aspects of solution operations
7. Network, System, Database and Workstation Security: Establish and maintain the security of all infrastructure and base components
8. Secure Application Lifecycle: Securely develop and maintain the code base of standard and custom business applications
9. Secure Configuration: Establish and maintain a secure configuration of standard and custom business applications
10. Secure Support: Resolve software incidents in a secure manner
Key Concept for Secure Programming: PIL Security Standard

The Product Innovation Lifecycle (PIL) is SAP's approach to product quality. It consists of process and product standards; the product standards define common requirements for all SAP products.

The PIL Security Standard defines security requirements targeting:
- Vulnerability prevention
- TCO reduction
- Legal compliance

Requirements are included in the planning phase, implemented during the development phase, and checked in the test phase.

Organization:
- Standard owner
- Expert network: multiplication and reporting across all development units and SAP Labs
- Production unit: enforces compliance of SAP product development
SAP Investments in Software Security and Quality Assurance

Security is embedded in all stages of the software development lifecycle:
- Software design and architecture are reviewed for conformity to security requirements.
- Development fulfills secure programming requirements through the Product Innovation Lifecycle (PIL) Security Standard. What we do: train developers; provide guidelines on how to fulfill the requirements; provide test cases and test services for checking source code and software behavior.
- Security of the software is checked before delivery: source code and runtime testing by internal and contracted external security specialists, and a separate validation unit acting as a "first customer".
- Capabilities for reacting to security issues discovered after delivery: the Security Response process handles and solves security issues and provides customers with information, workarounds, solutions and patches.
- Findings are fed back into the secure programming requirements and into security assessment planning.
- Active communication policy towards customers, security specialists and the public.

SAP invests to achieve the security of all its code.
State-of-the-Art Software Lifecycle Security

SAP is certified for:
- ITSEC (Information Technology Security Evaluation Criteria) E2 Medium
- Quality management standard ISO 9001
- Common Criteria certification is currently underway
- FIPS 140-2 certification is planned

SAP offers:
- Applications built according to state-of-the-art industry secure programming practices
- Efficient security response processes
- Security services that cover the entire software lifecycle (Security Optimization Service)
- A highly specialized and experienced SAP security consulting team, as well as a security consultant certification, to offer qualified implementation support

SAP invests in:
- A large internal research division dedicated to security
- Joint industry projects for secure programming practices, such as SAFECode and Secologic

Security is a quality characteristic of SAP solutions.
Further Information

SAP Public Web:
- SAP Developer Network (SDN) – Security: www.sdn.sap.com/irj/sdn/security
- SAP Developer Network (SDN) – Identity Management: http://www.sdn.sap.com/irj/sdn/nw-identitymanagement
- SAP Public Web – Security: www.sap.com/security
- SAP Public Web – Identity Management: www.sap.com/platform/netweaver/components/IDM/index.epx
- SAP Service Marketplace – Security: http://service.sap.com/security
- SAP Support Portal – Security Notes: http://service.sap.com/securitynotes