Page 1: IDM

SAP Security & Identity Management
Ibrahim Sigirci / IT Transformation Services - Security
May 18, 2011

Page 2: IDM

© 2011 SAP AG. All rights reserved. 2

Agenda

Challenges

Solution

SAP NW IdM

SAP BO GRC AC

SAP NW SSO

Summary

Page 3: IDM


Challenges

User Management
- Establish comprehensive, workflow-based user administration
- Exchange data quickly and securely across applications
- Keep data consistent across applications
- Map functional segregation to user accounts
- Comply with audit requirements
- Ensure regulatory compliance

Page 4: IDM


Challenges

Compliance Management
- Map functional segregation to user accounts
- Comply with audit requirements
- Ensure regulatory compliance
- Implement an enterprise control system
- Manage authorizations and data access
- Manage emergency user access
- Implement compliant role management

Page 5: IDM


Challenges

Access Management
- Secure user entry management
- Password-based access to different systems
- Information and data need to be protected to stay competitive and innovative
- Cross-company networked applications need higher attention to secure critical information
- Mobile workers need remote access to the company IT infrastructure to increase efficiency
- Reduction of total cost of ownership
- Companies are confronted by cyber attacks worldwide
- Investment in IT security has been increasing for years
- Compliance demands from legal authorities are increasing


Page 7: IDM


Solution

Access Control
How do I manage business and IT controls and satisfy complex audit and compliance requirements?
- Segregation of duties
- Compliant provisioning
- Audit management
Outcome: ensure audit and compliance management

Identity Management
How do I reduce the costs of managing users and data across a complex systems landscape?
- Centralized user provisioning
- Authorized access
- Alleviate helpdesk burden
Outcome: improve security and reduce operations costs

Information Lifecycle Management
How do I ensure secure and efficient management of legacy data and systems?
- Securely archive business data
- Retention management
- Efficient access to archived data and e-discovery
- Legal and compliance needs
Outcome: ensure secure management of business data

Sustainable Compliance
How do I proactively detect, mitigate and prevent access and authorization risk across the enterprise?
- Embedded compliance
- Unified platform
- Best practices
Outcome: manage access and authorization risk proactively

Page 8: IDM


Solution

Enterprise User Management: SAP NetWeaver Identity Management

Central user management environment
- Established consistent software-based processes
- Eliminated paper-based user registration
- Improved data quality
- Minimized data entry errors
- Reduced administrative effort
- Eliminated data redundancies
- Improved service levels for users
- Facilitated approval procedures

Page 9: IDM


Solution

Enterprise Risk & Control Management: SAP BusinessObjects Governance, Risk & Compliance

- Prevent unauthorized access
- Get real-time risk analysis and remediation for SAP and non-SAP software environments
- Minimize the time and cost of access risk management
- Embed access risk analysis in user provisioning and role maintenance processes
- Achieve real-time visibility into access risk
- Get comprehensive capabilities for analysis, alerts, and reporting
- Centralize emergency access management with integrated monitoring and reporting
- Leverage integration for automated testing of segregation of duties (SoD) controls to provide visibility into mitigating control effectiveness

Page 10: IDM


Solution

Access & Entry Management

Single sign-on (SSO)
SSO is a session- or user-based authentication process that lets a user access different resources or systems without providing separate credentials for each of them. After one primary authentication the user presents a standardized security token (for example a Kerberos ticket, a SAML assertion or an X.509 certificate) to each system instead of a password.

Enterprise single sign-on (E-SSO)
A generic solution that logs the user on automatically by supplying a stored user ID and password on the user's behalf. It is used for applications that do not support open standards and tokens for SSO; the password still exists and has to be protected in the credential store.

Data encryption (related to IT)
Data encryption is an automated, technical process that transforms data with an algorithm and a key so that only holders of the key can read it. Its purpose is to protect the confidentiality of information in transit and at rest.


Page 12: IDM


SAP NetWeaver Identity Management

[Figure: SAP NetWeaver Identity Management in the centre, connected to Active Directory, SAP ERP, an e-mail system, SAP Portal, SAP GRC and other systems via web services; the connectors detect changes and read/write identity data. Capabilities shown: Identity Virtualization, Password Management, Data Synchronization, Provisioning/Workflow and Approvals, Roles and Entitlements, Reporting and Auditing.]

- Ensure that the right users have the right access to the right systems at the right times
- Centrally manage user roles across all systems and applications
- Enable efficient, secure and compliant execution of business processes
- Enforce authorization controls against a central policy
- Lower administrative costs with powerful data synchronization and automated provisioning across systems

Page 13: IDM


SAP NetWeaver Identity Management: joiner scenario

Kim Perkins joins the company as a marketing professional. From the first day with her new company, she is able to log on to all relevant systems, including the employee self-services and SAP CRM, where she tracks the marketing activities she is responsible for.

[Figure: pre-hire phase to first day at work]
1. HR Operations ensures that employee data for Kim is entered in the SAP HCM system (e.g. hire date, title, position).
2. Personnel data is extracted (event-driven) into SAP NetWeaver Identity Management.
3. Based on the position in SAP HCM, the business role "Marketing Professional" is assigned automatically; Kim's line manager approves the assignment.
4. Provisioning: Business Partner created; user created with the role "Marketing Professional"; user created with the role "Employee"; user created with access to SAP ESS and SAP CRM.

Page 14: IDM


SAP NetWeaver Identity Management: mover scenario

After two years as a marketing professional, Kim Perkins is promoted to take over personnel and budget responsibility for her marketing team. On the first day in her new role, she has access to the manager self-services. In her new position, she is responsible for budget approvals for all marketing campaigns; this requires immediate access to SAP ERP to view the marketing costs.

[Figure: day of change]
1. HR Operations ensures that all necessary employee data for Kim is available (e.g. position and entry date).
2. Personnel data is extracted (event-based).
3. SAP NetWeaver Identity Management recognizes the line manager information for Kim and automatically assigns the business role "Marketing Manager".
4. Provisioning: user updated with access to SAP ESS, SAP MSS and SAP CRM; user created with the role "Marketing Controller".

Page 15: IDM


SAP NetWeaver Identity Management: leaver scenario

After eight years, Kim Perkins leaves the company. On her last day, she finishes her tasks in the systems she used to work on. The day after her official assignment with the company ends, she is no longer able to access these systems.

[Figure: day after termination date]
1. HR Operations ensures that all termination-relevant data for Kim is available (e.g. last day with the company).
2. Personnel data is extracted (event-driven).
3. SAP NetWeaver Identity Management recognizes the last-day information for Kim and automatically unassigns all access rights and disables her accounts.
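The joiner, mover and leaver flows narrated on the three Kim Perkins slides, as an added example that is not part of the original deck and not SAP code: a small HR-event-driven provisioning engine in Python. The business-role catalogue, the position-to-role mapping, which roles need line-manager approval, the target-system names and the HCM records are all constructed assumptions. The point it shows that the slides only state is the timing of the leaver step: on the last day access is reconciled but kept, and only the day after is every role removed and the identity disabled.

```python
"""Added example (not SAP code): event-driven joiner/mover/leaver provisioning.
Role catalogue, position mapping, approval policy and HCM records are assumed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed business roles: each bundles entitlements in target systems.
BUSINESS_ROLES = {
    "Employee": {"SAP ESS": {"employee_self_service"}},
    "Marketing Professional": {"SAP CRM": {"marketing_activities"}},
    "Marketing Manager": {"SAP MSS": {"manager_self_service"},
                          "SAP ERP": {"marketing_cost_display"}},
}
# Assumed mapping from the SAP HCM position to the business roles it entitles to.
POSITION_TO_ROLES = {
    "Marketing Professional": {"Employee", "Marketing Professional"},
    "Marketing Manager": {"Employee", "Marketing Professional", "Marketing Manager"},
}
NEEDS_MANAGER_APPROVAL = {"Marketing Professional"}   # assumed approval policy


@dataclass
class HcmRecord:                  # one extracted personnel record
    pernr: str
    name: str
    position: str
    last_day: Optional[date] = None


@dataclass
class Identity:
    pernr: str
    name: str
    roles: set = field(default_factory=set)
    pending: set = field(default_factory=set)   # waiting for manager approval
    disabled: bool = False

    def access(self) -> dict:
        """Effective entitlements per target system, derived from the roles held."""
        if self.disabled:
            return {}
        out: dict = {}
        for role in self.roles:
            for system, ents in BUSINESS_ROLES[role].items():
                out.setdefault(system, set()).update(ents)
        return out


class IdentityStore:
    def __init__(self) -> None:
        self.identities: dict = {}
        self.audit: list = []     # (date, pernr, event, role) for reporting

    def process_hcm_event(self, rec: HcmRecord, today: date) -> Identity:
        """Reconcile one extracted HCM record against the identity store."""
        ident = self.identities.setdefault(rec.pernr, Identity(rec.pernr, rec.name))
        if rec.last_day is not None and today > rec.last_day:
            # Leaver: only the day after the last day are all roles removed and
            # the accounts disabled; on the last day itself access stays intact.
            for role in sorted(ident.roles):
                self.audit.append((today, rec.pernr, "unassign", role))
            ident.roles.clear()
            ident.pending.clear()
            ident.disabled = True
            self.audit.append((today, rec.pernr, "disable", "all accounts"))
            return ident
        wanted = POSITION_TO_ROLES.get(rec.position, set())
        for role in sorted(wanted - ident.roles - ident.pending):   # joiner/mover
            if role in NEEDS_MANAGER_APPROVAL:
                ident.pending.add(role)
                self.audit.append((today, rec.pernr, "approval requested", role))
            else:
                ident.roles.add(role)
                self.audit.append((today, rec.pernr, "assign", role))
        for role in sorted(ident.roles - wanted):   # mover: roles no longer due
            ident.roles.discard(role)
            self.audit.append((today, rec.pernr, "unassign", role))
        return ident

    def approve(self, pernr: str, role: str, approver: str, today: date) -> bool:
        ident = self.identities[pernr]
        if role not in ident.pending:
            return False
        ident.pending.discard(role)
        ident.roles.add(role)
        self.audit.append((today, pernr, f"assign (approved by {approver})", role))
        return True


def run_kim_scenario() -> dict:
    """Replays the three slides with constructed dates and returns the access state."""
    store = IdentityStore()
    hire = HcmRecord("10042", "Kim Perkins", "Marketing Professional")
    kim = store.process_hcm_event(hire, date(2011, 5, 18))
    store.approve("10042", "Marketing Professional", "line manager", date(2011, 5, 18))
    joiner = kim.access()
    store.process_hcm_event(HcmRecord("10042", "Kim Perkins", "Marketing Manager"), date(2013, 5, 18))
    mover = kim.access()
    leaver = HcmRecord("10042", "Kim Perkins", "Marketing Manager", last_day=date(2019, 5, 17))
    store.process_hcm_event(leaver, date(2019, 5, 17))    # last day: still working
    last_day = kim.access()
    store.process_hcm_event(leaver, date(2019, 5, 18))    # day after: disabled
    return {"joiner": joiner, "mover": mover, "last_day": last_day,
            "after": kim.access(), "disabled": kim.disabled, "audit": store.audit}
```

Entitlements are always recomputed from the roles currently held rather than added and removed one by one, so a mover keeps the "Employee" access shared by both positions and loses only what the new position no longer entitles to; the audit list is what a reporting-and-auditing view would be built on.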


Page 17: IDM


SAP BO GRC Access Control

[Figure: Access Control cycle]
- Analyze and Remediate: analyze and remediate risk
- Model and Control: superuser privilege management; SoD rules & regulations, corporate policies, best practices
- Embed and Execute: embed cross-platform and cross-function (FIN, SCM, SRM, MFG, HR); collaborate across functions
- Document and Audit: continuous monitoring; provide proof, streamline audits

- Proactively protect information and prevent fraud
- Optimize operations and minimize cost of compliance and audits
- Obtain visibility and documentation
- Control access and authorizations across your company

Page 18: IDM


SAP BO GRC Access Control: key features and business impact

Controlled access and authorization across the company (impact: proactively protect information, prevent fraud)
- Comprehensive, best-practice, cross-application SoD rules
- Out-of-the-box rules integrate with major software vendor and legacy systems
- Controlled super-user access

Efficient compliance management (impact: optimize operations, minimize cost of compliance and audits)
- Centralized SoD controls management for IT, business users and auditors
- Automated audit trails and documentation
- Automated rule building and analysis; what-if simulations

Ensure oversight and predictability (impact: obtain visibility and documentation)
- Company-wide oversight into SoD violations and critical transaction access
- Transaction monitoring
- Automated audit trails for business users and auditors
- Enhanced control and audit tracking for super-user activity
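The SoD analysis, critical-access check and what-if simulation listed above, as an added example that is not part of the original deck and not SAP GRC code: a minimal risk analysis that finds conflicting actions in a user's role set, honours assigned mitigating controls, and simulates a proposed assignment before it is provisioned. The roles, their actions, the rule set, the critical action and the user are constructed assumptions; real rule sets are far larger and are maintained per application, but the mechanics are the same.

```python
"""Added example (not SAP GRC code): SoD risk analysis, mitigating controls and
what-if simulation for compliant provisioning. All data below is constructed."""
from dataclasses import dataclass

# Assumed: each technical role grants a set of business actions (functions).
ROLE_ACTIONS = {
    "AP_CLERK": {"create_vendor", "maintain_vendor_bank"},
    "AP_PAYMENT": {"post_vendor_invoice", "release_payment"},
    "PURCHASER": {"create_purchase_order"},
    "GR_CLERK": {"post_goods_receipt"},
    "FI_DISPLAY": {"display_gl"},
}
# Assumed SoD rule set: (risk id, description, conflicting action A, action B).
SOD_RULES = [
    ("P001", "maintain vendor bank data and release payments",
     "maintain_vendor_bank", "release_payment"),
    ("P002", "create purchase orders and post goods receipts",
     "create_purchase_order", "post_goods_receipt"),
    ("P003", "create vendors and post vendor invoices",
     "create_vendor", "post_vendor_invoice"),
]
# Assumed critical actions that are a risk on their own, not only in combination.
CRITICAL_ACTIONS = {"release_payment": "C001"}


@dataclass(frozen=True)
class Finding:
    risk_id: str
    kind: str          # "sod" or "critical"
    actions: tuple     # the action(s) that realise the risk
    roles: tuple       # the roles through which the user holds them
    mitigated: bool    # a mitigating control is assigned for this user and risk


def _roles_granting(action: str, roles: set) -> set:
    return {r for r in roles if action in ROLE_ACTIONS.get(r, set())}


def analyze(user: str, roles: set, mitigations: dict) -> list:
    """Return every SoD and critical-action finding for the user's role set."""
    actions = set().union(*(ROLE_ACTIONS.get(r, set()) for r in roles))
    mitigated = mitigations.get(user, set())
    findings = []
    for risk_id, _desc, a, b in SOD_RULES:
        if a in actions and b in actions:
            via = _roles_granting(a, roles) | _roles_granting(b, roles)
            findings.append(Finding(risk_id, "sod", (a, b),
                                    tuple(sorted(via)), risk_id in mitigated))
    for action, risk_id in CRITICAL_ACTIONS.items():
        if action in actions:
            findings.append(Finding(risk_id, "critical", (action,),
                                    tuple(sorted(_roles_granting(action, roles))),
                                    risk_id in mitigated))
    return findings


def simulate_assignment(user: str, roles: set, new_role: str, mitigations: dict) -> list:
    """What-if: only the findings that the proposed assignment would introduce."""
    before = {f.risk_id for f in analyze(user, roles, mitigations)}
    after = analyze(user, roles | {new_role}, mitigations)
    return [f for f in after if f.risk_id not in before]


def provisioning_decision(user: str, roles: set, new_role: str, mitigations: dict) -> str:
    """Decision a compliant-provisioning step takes before any account is touched."""
    new = simulate_assignment(user, roles, new_role, mitigations)
    if not new:
        return "approve"
    if all(f.mitigated for f in new):
        return "approve-with-mitigation"   # risk accepted under a documented control
    return "reject"                         # in practice: route to the risk owner


def run_demo() -> dict:
    """Constructed user: an AP clerk who is about to get the payment role."""
    roles = {"AP_CLERK", "FI_DISPLAY"}
    no_controls: dict = {}
    controls = {"jdoe": {"P001", "P003", "C001"}}     # assumed mitigating controls
    return {
        "clean": analyze("jdoe", roles, no_controls),
        "new_risks": sorted(f.risk_id for f in
                            simulate_assignment("jdoe", roles, "AP_PAYMENT", no_controls)),
        "decision_unmitigated": provisioning_decision("jdoe", roles, "AP_PAYMENT", no_controls),
        "decision_mitigated": provisioning_decision("jdoe", roles, "AP_PAYMENT", controls),
        "decision_purchaser": provisioning_decision("jdoe", roles, "PURCHASER", no_controls),
    }
```

The analysis works on actions rather than on role names, which is why a conflict can be realised through two different roles (the `roles` tuple of each finding records which ones): a rule written against role names would miss exactly those cross-role combinations. The simulation is a set difference against the user's existing findings, so a request that adds no new risk is approved even for a user who already carries mitigated ones.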

Page 19: IDM


SAP BO GRC Access Control: components

[Figure: Access Control components]
- Get Clean: Risk Analysis and Remediation
- Stay Clean: Compliant User Provisioning; Enterprise Role Management
- Stay in Control: Superuser Privilege Management; Management Oversight; Internal Audit

Page 20: IDM


SAP BO GRC Access Control: embedded in the process landscape

[Figure: a composite business process (process step 1, process step 2, process step 3, ...) running on SAP NetWeaver carries the process context across the SAP Business Suite, third-party applications and SAP BusinessObjects, so access risk analysis runs inside the process rather than beside it.]


Page 22: IDM


SAP NetWeaver Single Sign-On

- Standard communication encryption for SAP GUI for Windows (planned to be shipped within the SAP NetWeaver license)
- Identity provider (IdP) and security token service (STS) for web-based and web-service-based access via the open SAML standard (web single sign-on)
- Strong encryption, Kerberos and X.509 authentication and SSO to SAP GUI for Windows; single sign-on with certificates and support of additional strong authentication methods (SecurID cards, smart cards); SSO web client, re-authentication and digital signatures
- Enterprise single sign-on (E-SSO) to legacy systems that require user ID and password authentication and do not support open standards

Page 23: IDM


SAP NetWeaver Single Sign-On: Kerberos with Microsoft Active Directory

[Figure: SAP GUI on the Windows client, Microsoft Active Directory, SAP Business Suite]
1. The user is authenticated via Microsoft Active Directory at Windows logon.
2. The user starts SAP GUI.
3. SAP GUI requests a security token (a Kerberos ticket) from Active Directory.
4. SAP GUI authenticates to the SAP Business Suite via the security token; the communication is encrypted.

- Authentication through security tokens
- Low implementation effort
- Strong integration between SAP GUI, Windows client and Windows Active Directory
- Strong encryption

Page 24: IDM


SAP NetWeaver Single Sign-On: smart card with an existing PKI

[Figure: SAP GUI, Microsoft Certificate Store, Microsoft Active Directory, SAP Business Suite]
1. The user is authenticated via Microsoft Active Directory using the smart card.
2. The user starts SAP GUI.
3. SAP GUI obtains the security token, the user's X.509 certificate, from the Microsoft Certificate Store (a PKCS#11 token is also supported).
4. SAP GUI authenticates to the SAP Business Suite via the certificate; the communication is encrypted.

- Authentication via smart card and existing PKI (Microsoft CA)
- PKCS#11 also supported
- Low implementation effort
- Strong encryption
- Two-factor authentication

Page 25: IDM


SAP NetWeaver Single Sign-On: Login Server with automatically issued certificates

[Figure: SAP GUI, Login Server, Authentication Server (AD, LDAP, RSA ...), SAP Business Suite]
1. The user starts SAP GUI.
2. The client calls the Login Server; the user is prompted for credentials.
3. The Login Server validates the credentials against the Authentication Server (AD, LDAP, RSA ...).
4. The Login Server automatically creates a certificate for the user.
5. SAP GUI authenticates to the SAP Business Suite via the certificate; the communication is encrypted.

- The certificate can be used for SAP GUI and web applications
- No PKI required, but integration with an existing PKI is supported
- Strong encryption
- Enables SSO and communication encryption
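The token-based exchange sketched on the three SSO flow slides, as an added example that is not part of the original deck and not SAP's implementation: a security token service that issues a short-lived, audience-bound token after primary authentication, and relying parties (an SAP GUI backend and a web application) that check signature, expiry, audience and replay before trusting the user in the token. The directory, user, keys and system names are constructed; an HMAC with a key shared between the STS and the relying parties stands in for the STS's asymmetric signature, and the encrypted channel (SNC/TLS) that the slides call "secure communication" is out of scope.

```python
"""Added example (not SAP code): a token-based SSO exchange with a security
token service and two relying parties. Directory, keys and names are assumed;
an HMAC stands in for the STS signature."""
import base64
import hashlib
import hmac
import json
import os
import time


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityTokenService:
    """Issues short-lived, audience-bound tokens after primary authentication."""

    def __init__(self, signing_key: bytes, directory: dict) -> None:
        self._key = signing_key
        self._directory = directory   # user -> sha256(password); stand-in for AD

    def primary_authenticate(self, user: str, password: str) -> bool:
        stored = self._directory.get(user, "")
        digest = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(stored, digest)

    def issue(self, user: str, password: str, audience: str, ttl: int = 300, now=None):
        if not self.primary_authenticate(user, password):
            return None
        now = int(time.time() if now is None else now)
        claims = {"iss": "sts.example.invalid", "sub": user, "aud": audience,
                  "iat": now, "exp": now + ttl, "jti": _b64u(os.urandom(8))}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return _b64u(body) + "." + _b64u(sig)


class RelyingParty:
    """A target system (SAP GUI backend, web application) that accepts STS tokens."""

    def __init__(self, name: str, verification_key: bytes) -> None:
        self.name = name
        self._key = verification_key
        self._seen_jti = set()    # replay cache; bounded by the token lifetime

    def validate(self, token: str, now=None):
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _b64u_decode(body_b64), _b64u_decode(sig_b64)
        except ValueError:        # wrong number of parts or bad base64
            return False, "malformed"
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"    # checked before the JSON is trusted
        claims = json.loads(body)
        now = int(time.time() if now is None else now)
        if claims.get("exp", 0) <= now:
            return False, "expired"
        if claims.get("aud") != self.name:
            return False, "wrong audience"   # a token for SAP GUI must not open the web app
        if claims.get("jti") in self._seen_jti:
            return False, "replay"
        self._seen_jti.add(claims.get("jti"))
        return True, claims.get("sub")


def run_exchange() -> dict:
    """Walks the flow: primary logon, token request, token use, and the failure modes."""
    key = os.urandom(32)
    directory = {"kim": hashlib.sha256(b"correct horse").hexdigest()}   # constructed
    sts = SecurityTokenService(key, directory)
    sap_gui = RelyingParty("sap-gui-backend", key)
    web_app = RelyingParty("sap-web-app", key)
    t0 = 1_305_676_800    # fixed clock so the results are deterministic

    results = {}
    results["bad_password"] = sts.issue("kim", "wrong", "sap-gui-backend", now=t0)
    token = sts.issue("kim", "correct horse", "sap-gui-backend", now=t0)
    results["sap_gui"] = sap_gui.validate(token, now=t0 + 10)
    results["replay"] = sap_gui.validate(token, now=t0 + 20)
    results["wrong_audience"] = web_app.validate(token, now=t0 + 10)
    late = sts.issue("kim", "correct horse", "sap-gui-backend", now=t0)
    results["expired"] = sap_gui.validate(late, now=t0 + 600)
    body_b64, sig_b64 = token.split(".")
    forged = json.loads(_b64u_decode(body_b64))
    forged["sub"] = "admin"       # attacker edits the claims, keeps the old signature
    forged_body = json.dumps(forged, sort_keys=True, separators=(",", ":")).encode()
    results["tampered"] = sap_gui.validate(_b64u(forged_body) + "." + sig_b64, now=t0 + 10)
    return results
```

The order of checks in `validate` is deliberate: the signature is verified over the raw bytes before anything is parsed, expiry and audience are evaluated before the replay cache is touched, and only a token that passed everything is recorded. Each relying party keeps its own replay cache, so the audience check, not the cache, is what stops a token issued for one system from being presented to another.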


Page 27: IDM


Summary

Compliant Access & Identity Management: SAP offers a complete suite of compliance, governance, identity and single sign-on solutions.
- Compliance and governance: SAP BusinessObjects Access Control
- Identity management: SAP NetWeaver Identity Management
- Authentication and single sign-on: SAP NetWeaver Single Sign-On

Page 28: IDM


Summary: Compliant Identity Management

SAP GRC Access Control (CFO): satisfies the requirements of the CFO to ensure that IT business application controls are compliant.
SAP NetWeaver Identity Management (CIO): provides the reduced TCO and increased security required by the CIO.

- Provides compliant identity management across SAP and heterogeneous landscapes in one integrated solution
- Standards-based integration creates a tightly aligned, loosely coupled solution from complementary components
- Gives a consistent view of current and historic access rights, approvals and policy violations

Page 29: IDM

Thank You!

Ibrahim Sigirci
Senior Security & GRC Consultant
IT Transformation Services GER
+49 1515 43 46 388
