SCI100-SAP Security Overview Presentationdocshare04.docshare.tips/files/4474/44746587.pdf · SAP NetWeaver Identity Management & Security ... Mobile User Interface Technology

1

SCI100

SAP Security Overview Presentation

Gerlinde Zibulski Product Management

SAP NetWeaver Identity Management amp Security

October 2010

copy 2010 SAP AG All rights reserved Page 2

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a

purchase decision This presentation is not subject to your license agreement or any other

agreement with SAP SAP has no obligation to pursue any course of business outlined in this

presentation or to develop or release any functionality mentioned in this presentation This

presentation and SAPs strategy and possible future developments are subject to change and

may be changed by SAP at any time for any reason without notice This document is provided

without a warranty of any kind either express or implied including but not limited to the implied

warranties of merchantability fitness for a particular purpose or non-infringement SAP

assumes no responsibility for errors or omissions in this document except if such damages

were caused by SAP intentionally or grossly negligent

2


Agenda

1 Introduction

2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance

SAP NetWeaver Security Solutions

SAP NetWeaver Identity Management

SAP BusinessObjects Access Control

3 SAP Security Services and Secure Support Offerings

Security Services

Support Security

4 Secure Software Development Standards and Security Certifications

Secure Programming

Security Certifications for SAP Software

5 Summary


Security for Business Processes

Security Functionality

Provide functionality that allows customers to efficiently control and manage access

to business data and applications

Software Security and Quality Assurance

Deliver highest quality of software that prevents hackers from gaining unauthorized

access to business data and business applications

Information amp Services

Provide up-to-date information services and support to help customers and partners

implement use and manage their SAP systems securely

SAP enables its customers to protect their business processes

through a comprehensive security portfolio

3


Security Features Offerings and Services

SAP

Security

Software Security

Assurance and Quality

Internal and External Security Assessments

Security Response Process

Security Product Standard and Validation

Security

Functionality

SAP NetWeaver Identity

Management

Web Services Security

Single Sign-On

Compliance

Security Services and

Information

Best practices and security

configuration guides on SDN

Documentation in the SAP

Online Help

Security Optimization Service


The SAP Ecosystem Advantage

Strong Security Partner Network

The SAP ecosystem responds to a growing need for a more collaborative business

approach ndash an approach designed specifically to deliver unparalleled customer value

The SAP ecosystem puts customers in the center of a dynamic universe that includes SAP

other customers partners and individuals

For security and identity management SAP collaborates with numerous partners offering

specialized solutions and services to fulfill even the most specific requirements of SAP

customers Software partners include

4


Agenda

1 Introduction

2 SAP Solutions for Security Identity Management and Governance Risk amp

Compliance





Security Services

Support Security


Secure Programming


5 Summary


SAP NetWeaver Technology Capabilities

Service Bus Based IntegrationRepository Based Modeling and Design

Service-enabledApplications

SAP Business Suite 7 Customer amp PartnerApplications

OrderMgmt

Non SAP ampLegacy

TechnologyCapabilities

Heterogeneous Landscapes

ABAP Development

Security and Identity ManagementApplication Life-cycle Management

Java Development

Portal amp Collaboration Search

Content Management

Business Intelligence

Information

Composition

Service Composition

User Interface Composition

Mobile User Interface Technology

Application Foundation

Process Integration for networked applications

Data Management

User Productivity

Business Process Management

Information Management

Composition

Bu

sin

ess C

on

te

nt

Master Data Management

Data Management And Integration

Business Process Monitoring

Human Interaction Management

Business Process Modeling

Business Rules Management

5




OrderMgmt

Non SAP ampLegacy






Information Composition

Service Composition

SOA Management

Content Management




Data Management

User Productivity

Business Process ManagementComposition

Integration (Service Oriented Architecture (SOA) Middleware)

Business C

ontent






Security

Ensure integrated and easy to configure

SECURITY FRAMEWORK

Enhance security and reduce TCO via

standards based SINGLE SIGN-ON amp

IDENTITY FEDERATION

MANAGE IDENTITIES across processes to lower costs and security risks

Enable a common security concept via

STANDARDIZED SECURITY services

Efficient and comprehensive feature set to

configure administrate and run SECURE

BUSINESS PROCESSES

SAP NetWeaver provides a comprehensive and efficient security

infrastructure for secure and compliant business processes

ABAP Development


Java Development



Security and Identity Management


Single Sign-On Within the Enterprise

SAP NetWeaver Portal

SAP applications3rd Party

applications

SAML 11

PKI-based

authentication

(X509 certificates)

SP Nego (Kerberos)

Header variables

SAP Logon Tickets

Identity Federation

SAML 20

JAAS Login Module

Single Sign-On

Options

SS

O

6


Secure User Access Web User Authentication

and Single Sign-On to SAP Applications

1 Requires Portal or AS Java

2 IDP capability available with SAP NetWeaver Identity Management 71

SP capability available with SAP Business Suite 702e SAP NetWeaver CE 72 and AS Java 72 Web applications

SA

P N

etW

eaver

Ap

pli

cati

on

s

Anonymous access Named anonymous users with SAP NetWeaver Portal

Interactive user

authentication SAP user ID password

PKI-based

authentication

X509 client certificatesndash Rule based client authentication 1

ndash Certificate filtering 1

ndash Automated certificate mapping 1

ndash CRL support 1

External

authentication

SPNego 1

ndash user authentication against a Kerberos infrastructure

Header variables 1

SSO via trusted

application system

SSO Logon ticketsndash Principal solution for SSO in SAP landscapes

SAML 11 Browser Artifact 1

ndash Interoperable SSO from trusted non-SAP token issuers

Identity Federation

interoperable SSO

and Single Log-out

SAML 2 2

ndash Identity Provider (IDP) for centralized user authentication and

SAML 2 SSO token issuing authority

ndash Service Provider (SP) for accepting SAML 2 SSO token to grant

user access to Web enabled content

Custom

authentication

JAAS Login Module 1

ndash Standardized extensions to out-of-the-box authentication

mechanisms

Web

Bro

wser


Single Sign-On Strategy

SAP NetWeaver

Portal

SAML 11

PKI-based

authentication

(X509 certificates)

SP Nego (Kerberos)

Header variables

SAP Logon Tickets

Identity Federation

SAML 20

JAAS Login Module

Single Sign-On

Options

SAML 2 Identity

Provider (IDP) amp

Security Token

Service (STS)

NET

SS

O

Non-

SAP

7


Cross-Domain Single Sign-On


SA

ML

Identity

Provider (IDP)

SA

ML

Company A

SAP NetWeaver PortalS

AM

L

Identity

Provider (IDP)

Lo

go

n

Tic

ke

t

Business Partner

SAML


Secure Collaboration Support for Web User

SSO and Identity Federation

Trust

Relationship


applications

SSO

Federation

SSO

Federation


Management

with SAML 2 Identity Provider (IDP) and

Security Token Service (STS)

Standardized SAML 2 SSO and Single Log-out

Shared infrastructure in user interactive and

service applications on the Web

identity management

trust management

Efficient user productivity enablement of secure

cross-business scenarios

Application Service Providers

(SPs)

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any

reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied

warranties of merchantability fitness for a particular purpose or non-infringement

8


Message-Level and Transport-Level Security

Intermediary

Business Server Business Server

Transport level security is not sufficient

Standardization related to transport level security is in progress

SAML

WS-Security

Point-to-Point

Security

Message Security


Secure Network Topology

On-Premise Solutions

Outer DMZ Inner DMZ

Firewall

End User Backend Networks

Application

server farm

R3

R3

Application

server farm

ERP

ERP

DIR

Application

Gateways

Pre-scan user

request for validity

and known exploits

Preprocessing and

validation of user

input and output

Process business logic or

Web service request

WebAS Portal

or other

Web service

Firewall Firewall

9


Secure Communication and Interaction

On-Demand Solutions

Backend Networks

Company B

R3

R3

Application

server farm

ERP

ERP

DIR

Backend Networks

Company A

R3

R3

Application

server farm

ERP

ERP

DIR

On-

Demand

On-

Demand

Company A

Identity

Provider

Company B

Identity

Provider

On-

Demand

SAML SAML

SAML SAML

SAP

Logon

Tickets

SAP

Logon

Tickets

SAML


Monitoring and Auditing in

ABAP- and Java-Based SAP Solutions

Configuration and

results of Security

Audit Log in ABAP

Transactions

SM 18 SM19 SM20

Results of Log

Viewer in Java

10


Monitoring and Auditing

The SAP Audit Information System (AIS)

Audit planning

Work program

- System audit

- Business audit

Exp

ort

in

terf

ace

Online controls on

the SAP database

System information

Reconciliation

BS PampL

Account balances

Documents

Data export

Account balances

Line items

Non-SAP Environment SAP Environment

Work

paper

prep

Report

Analysis software

( ACL IDEA hellip )

Reporting software

Line items

Balances

Accounts

Customers

Vendors

Assets

Material

Orders

Invoices

hellip


Monitoring and Auditing The SAP Audit

Information System (AIS)

The Audit Information

System facilitates smoother

and better quality audits

It consists of a number of

single roles and is a

- Collection

- Structure and

- Default setup

of SAP standard programs

The AIS is the Toolbox

of the auditor

in SAP environment

11


SAP Security Monitor Logging Solution

Functional Overview

The SAP Security Monitor Logging Solution

provides logging of all data a user views in an

SAP application

Captured data includes

All inputoutput fields

Field labels titles headings

Tables trees lists

etc

Implicitly also database access operations are

logged

Search and retrieval

Storing and updating

Logging is fully transparent to the user The

application behavior and performance is not

affected For an end-user a solution appears

identical whether logging is enabled or not



Architecture Overview

SAP UI RepositorySAP Backend System

Dynpro Processor

Control Framework

Request

Response

Database layer

Legend Logging functionality

Observed

data traffic

Temporary Log

(Asynchronous)

Call of

log service

Log Storage

Straightforward high-performance solution tailored to SAP applications

Server-side logging - log entry is written with each client-server roundtrip

Log records are written to provided log service

Modification

Development

12


Data Encryption Using

Secure Store and Forward (SSF)

Credit card data

encrypted in

database

Application

Decryption

Authorized

administrator

Data is

displayed

unencrypted

SSF

API

PCI-DSS-compliant encryption

Use of SAP Cryptographic Library

Available as of release 46 C


The SAP Authorization Concept

hellip how to

create

users in a

systemhellipwho may

execute which

actions

especially

how to

The SAP authorization concept

defines rules on

hellip restrict

display and

change of data

depending

on user roles

This enhances

the security of

the system

hellip show

users only those

actions which are

relevant for their

roles

This simplifies

system usage

13




Sammelrolle

RolleRole

Composite role

Felder

Werte

Authorization object

Berechtigung

Profil

Fields

Values

Authorization

Profile

User

Rolle

Data Model

Felder

Werte


Berechtigungsdaten

Assignment

Generation

Authorization data

Fields

Values

RoleSammelprofil

Sammel-

profil

Profil

Composite

Profile

Profile

Composite profile

14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n


Functional Roles - Menu

Functional Roles

are related to

jobs

Menu containing

transactions

15


Functional Roles - Authorizations

All required authorizations for

transactions and other organization-

independent authorization objects are

maintained


SAP ABAP Authorization Check

Access type

Area Organization

Authority

check

Business

ObjectCheck of a combination of

authorization relevant attributes

of a business object

Activity eg create change

display delete hellip

Additional authorization relevant Attributes

eg record type hellip

Organizational attributes eg

company code personal area

hellip

16


HR Org Management ndash Org Structure in HR

O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users


HR Org Management ndash Role Assignment

O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17


HR-Org Driven User Administration

Pros amp Cons

Disadvantages

More complex user mass upload

procedure (pre-go live)

Additional ALE distribution model to

be monitored

Less flexible in terms of individual

assignments of roles to users

No transition period in terms of role

assignments after transfers

Advantages

Org view available for role

assignments

Automated role assignment for all

employee actions such as hire

transfer etc

Role accumulation avoided

Close integration of user

administration processes into HR

Clear separation of user and role

assignment administration


Authorization Enhancements

With Business Add-Ins (BAdIs)

Business Add-Ins (BAdIs) are the basis

for authorization enhancements in

SAP R3 applications You can access

the BAdI Builder with transaction SE18

If specific authorization check

requirements cannot be met by either the

standard system or by a customer-specific

authorization object you can replace the

authorization checks by using Business

Add-Ins (BAdI)

Example

The BAdI for the master data authorization

check is called HRPAD00AUTH_CHECK

It replaces the standard authorization check

for HR Master Data infotypes

18


Planned enhanced authorization checks

Enhancement SAP Note

Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663

Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062

User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961

User Management Possibility to switch to old passwords for system and communication users 1410831

System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111

Start authorization checks New authorization check for Web Dynpro ABAP applications1413011

1413012

Additional authorization check for tables tbd

To search for SAP Notes please go to

the SAP Service Marketplace

httpswebsmp108sap-agdenotes


Federation

Metadata

Transport Security

Document Security

Message Security

SAP Security ndash Building on Industry Standards

WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy

WS-SecureConversation

SAML 20

Future Work

SMIME

Supported by SAPStatus February 2010

Authorization Provisioning

Authentication X509 CertsKerberosSAML 1x JAAS

XACML SPML LDAP

XML Sig PKCS7XML Enc

SSLTLS GSS

OpenID

OAuth

PCI DSS

Interoperability WS-I BSP 11WS-I BSP 10

WS-ReliableMessaging

19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary


Global Trends and Impact

Increasing Need for Compliance

Changing Consumption Models (SaaS)

Need for Operational Efficiency

Consumption model

Platforms services software and

security as a service offerings

Changing business environment

connecting on premise with on-

demand applications securely

Identities are on the move

Business and infrastructure

applications get accessed via

mobile devices

Compliance

Increasing regulatory compliance

requirements coupled with lack of

visibility into existing controls

Complex environment and lack of

governance framework result in

audit challenges

Costly labor intensive processes

not aligned with business priorities

Lack of timely access or self-service

capabilities result in productivity loss

and reduced user satisfaction

Operational efficiency

Maintenance of multiple sources of

identity data

Manual user provisioning by help

desk delays onoff-boarding and

change in positions

Labor-intensive approval systems

Users dependent on help desk

response times

Single sign-on in heterogeneous

cross-company environments

20


Overview of SAP Road Map


TODAY PLANNED INNOVATIONS FUTURE DIRECTION

Enhanced SAP Integration

Enterprise Readiness

SAP BW Reporting

Context based Role Management

CUA Replacement recommended

Federation and Web SSO



Today

TODAY

SAP NetWeaver Identity Management ndash Compliant User

Management across SAP and Non SAP Systems

central management of identities

throughout system landscape

Rule driven workflow and approval

process

Extensive audit trail logging and

reporting capabilities

Governance through centralized

auditable identity data

Compliance through the integration

with analytics applications (SAP

Business Warehouse and SAP

Business Objects)

Compliant and integrated identity

management solution mitigates

segregation-of-duties risks

21


Identity Management Architecture

Identity Center Database

Identity store

Configuration

Processing logic

Workflow User Interface

Main interface for users and managers

Monitoring User Interface

Monitoring and audit interface for administrators

Management Console

Visual development and configuration UI

Runtime Engine and Dispatcher

Processing and provisioning logic

including connectors

Event Agent

Monitors connected systems

and initiates synchronization

Virtual Directory Server

Virtualization layer

SAP NetWeaver

Identity Management 71

Identity Center

Workflow and Monitoring UI

(AS Java)

ManagementConsole

DispatcherRuntime Engine

Event AgentService

Detect changesRead write

SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22


Minimal Time-to-Compliance

Quick effective and comprehensive

access risk identification

Elimination of existing access and

authorization risks is key

Continuous Access Management

Improve productivity of end users

Reduce cost of role maintenance

Avoid business obstructions with

faster emergency response

Ease compliance and avoid

authorization risk

Effective Management Oversight

Capabilities for management

oversight

Capabilities for internal audit

IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation

Compliant user provisioning

Au

dit

Ove

rsig

ht

Identity management

Periodic access review and audit

Con

tro

l

En

vir

on

me

nt Cross-enterprise library of best practice

segregation of duties rules

Regulations Rules Corporate Policies

Best Practices

Super user privilege

management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks

Business risk controls and

mitigation

Heterogeneous connectivity

SAP Business Suite integration

Powerful business role mapping

Password management

Compliant identity management for

the entire system landscape

SAP NetWeaver

Identity Management

SAP BusinessObjects Access Control (GRC)

SAP BusinessObjects

Access Control (GRC)

SAP BusinessObjects Access Control (GRC) amp

SAP NetWeaver IDM ndash Integration Scenario


23


Compliant Identity Management

Process Flow

SAP NetWeaver Identity ManagementSAP BusinessObjects Access

Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24


SAP Security Services Overview

Best Practices

SupportCustomer

EngagementService Delivery

Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines

Security in Early Watch

Alert

Security Notes Report

Security Optimization

Self-Service

Security in Config Validation


Remote Service

Run SAP

E2E Solution Operations

Standard for Security


Security in the EarlyWatch Alert (EWA)

Security in the EarlyWatch Alert

The EarlyWatch Alert Report includes selected information on critical security

observations

ndash Security-related SAP Notes

ndash Users with Critical Authorizations

ndash Default Passwords of Standard Users

More detailed and additional information can be found with the help of the security

self-services

SAP EarlyWatch Alert is an important part of making sure that your core business

processes work It is a tool that monitors the essential administrative areas of

SAP components and keeps you up to date on their performance and stability

SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical

httpservicesapcomewa

ldquo

25


SAP Security Optimization Service

Value Proposition

The SAP Security Optimization Service is designed to verify and improve the

security of customerslsquo SAP systems by identifying potential security issues and

giving recommendations on how to improve the security of the system

Keeping the security and availability of SAP solutions at a high level is a tremendous

value to customerslsquo businesses - a value delivered by the SAP Security Optimization

Service Analysis is the key to this value which is necessary to

Decrease the risk of a system intrusion

Ensure the confidentiality of business data

Ensure the authenticity of users

Substantially reduce the risk of costly downtime due to wrong user interaction

More information is available in the SAP Service Market Place

httpwwwservicesapcomsos



Overview

SAP Security Optimization


Remote ServiceSAP Security Optimization

Self Service

The SAP Solution Manager offers the

possibility to execute the SAP Security

Optimization Service locally

Fully automated checks

in ABAP systems

No additional cost for

this service

Broad range of security

checks extending the

self-service checks

Performed by experienced

service engineers

Part of CQC service

offering


Onsite Service

Individual range of

security checks eg for

the SAP Enterprise

Portal

Performed by specialists

Additional cost for this

service

26


Run SAP Methodology SAP Security Standard

Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off


The 10 secure operation tracks of the Secure Operations Map

cover the following topics

1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure

and operation with internal and external guidelines

2 Outsourcing Ensure secure operation in IT outsourcing scenarios

3 Emergency Concept Prepare for and react to emergency situations

4 Secure Process and People Collaboration Maintain security of

process and people collaboration by security capabilities of

automated business processes or document exchanges

5 User and Authorization Management Manage IT users their authorizations and authentication

6 Administration Concept Securely administer all aspects of solution operations

7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base

components

8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications

9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications

10 Secure Support Resolve software incidents in a secure manner

Run SAP Methodology Secure Operations

27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary


Security of the SAP Remote Support

Infrastructure

The remote support infrastructure is established for nearly all SAP customers

with valid support agreements

The key to success of the remote-support infrastructure is a strong focus on

security based on two major safeguards

Every customer has full control of the established connections and opens the

connection upon request

Every remote connection to a customer system is logged

In addition various encryption mechanisms are available including

Software encryption with secure network communications (SNC)

Hardware encryption with virtual private network (VPN)

SAP has set up a remote support infrastructure that enables efficient support

processes and effective customer problem resolution

28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary


The Product Innovation Lifecycle (PIL) is SAPs approach to product quality

It consists of process and product standards The product standards define common

requirements for all SAP products

The PIL Security Standard defines security requirements targeting

Requirements are

Included in planning phase

Implemented during development

phase and

Checked in test phase

Organization

Standard Owner

Expert Network

Multiplication and reporting across all development

units and SAP labs

Production Unit

Enforces compliance of SAP product development

Vulnerability

Prevention

TCO

Reduction

Legal

Compliance

Key Concept for Secure Programming

PIL Security Standard

29


SAP Investments in Software Security

and Quality Assurance

Security is embedded in all stages of the software development lifecycle

Software design and architecture is reviewed for conformity to security requirements

Development fulfills secure programming requirements through the Product Innovation

Lifecycle (PIL) Security Standard

What we do

Train developers

Provide guidelines on how to fulfill the requirements

Provide test cases and test services on how to check source code and software behavior

Security of the software is checked before delivery

Source code and runtime testing by internal and contracted external security specialists

Separate validation unit acting as a ―first customer

Capabilities for reaction to security issues discovered after delivery

Security Response process

ndash Handles and solves security issues

ndash Provides customers with information workarounds solutions and patches

Findings are fed back into secure programming requirements and security assessment planning

Active communication policy to customers security specialists and to the public

SAP invests to achieve the security of all its code


Digital Signatures for SAP Software Delivery

Digital Signing Instance

Certificates

Private KeysFirewallSigning Services (Hardware Token)

SMPAssembly

Trust Center

Non-ABAP SP ABAP SP Release

Authenticity and Integrity of SAP Software

Digital signatures for SAP software packages planned for end of 2010

Validation of signatures planned for mid-2011

Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012

30


State-of-the-Art Software Lifecycle Security

SAP is certified for

ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium

Quality management standard ISO9001

Common Criteria certification is currently underway

FIPS 140-2 certification is planned

SAP offers

Applications built according to state-of-the-art industry secure programming practices

Efficient security response processes

Security services that cover the entire software lifecycle (Security Optimization Service)

A highly specialized and experienced SAP security consulting team as well as a security

consultant certification to offer qualified implementation support

SAP invests in

A large internal research division dedicated to security

Joint industry projects for secure programming practices such as

SAFECODE

Secologic

Security is a quality characteristic of SAP solutions


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31


SAP is certified according to the ITSEC standard for information technology security

ITSEC evaluates security within software products and systems

SAP is certified according to the ISO 9001 standard for quality management systems


Current Certifications

ITSEC (Information Technology Security Evaluation Criteria )

E2 Medium

ISO 9001


SAP is currently undergoing a security certification according to the Common Criteria (CC) for

Information Technology Security evaluation assurance level 4 CC is an international standard (ISO

15408) for computer security certification

Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))

Mutual recognition arrangement (CCRA)

Each party thereto recognizes evaluations against the CC standard done by other parties

Currently 26 countries recognize the CC

Certification target is SAP NetWeaver Application Server Java 702

Certification body is the German Federal Office for Information Security (BSI)

An overview of products currently in certification at BSI is available here

FIPS 140-2 is a US government computer security standard that specifies requirements for

cryptography modules

SAP is planning a certification of its cryptographic library in cooperation with its partner Secude

Additional security certifications are planned


Certifications Planned and Underway

Federal Information Processing Standardization 140-2 (FIPS)

Common Criteria for Information Technology Security (CC)

32


Common Criteria Certification

Certification Target

Approach in three phases

SAP NetWeaver Application Server Java 702

SAP NetWeaver Application Server ABAP 702

SAP NetWeaver Application Server ABAP amp Java 702 combined certificate

Security Functionalities

Audit

Users and authorizations

Identification and authentication

Security management (administration of security functionality)

Assurance Class

EAL4+

Why Application Server and not business application

The application server is the underlying infrastructure providing the basic security functionality and

frameworks The business application on top ―inherits the security qualities

Why 702

Main release for next Business Suite



Project Plan Phases High-Level

0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel

ABAPABAP Prep amp Implementation

EAL4 certificate

Phase 4

Java amp Kernel

ABAP

Certificate for double stack EAL4

33


2009 2010

A S O N D J F M A M J J A S O N D J

Common Criteria Certification Project Phase 1

SAP NW AS Java 702 Plan and Status

ASE Security Target

ADV_FSP4

AGD_OPE1

ALC Lifecycle support (inc site visit)

ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1

Dev Site Audits (WDFRot)

Ralsquoanana

Sofia

Bangalore

Moscow

ATE_COV2 _DPT2 _FUN1

ATE_IND2 AVA_VAN3

ETRtoday

Legend Duration Milestone

CERTIFICATE


2010

J F M A M J J A S O N D J F M A M J


SAP NW AS ABAP 702 Plan and Status

ABAP Prep and Implementation

ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


The Security Consultant Certification test

Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security

Proves that the candidate has an advanced understanding of this topic and is able to apply

these skills in consulting projects providing implementation guidance

Booking code P_ADM_SEC_70

SAP courses for certification preparation

Course ADM200 Administration AS Java

Course ADM940 Authorization Concept AS ABAP

Course ADM950 Secure SAP System Management

Course ADM960 Security in SAP System Environment

Course TZNWIM SAP NetWeaver Identity Management

Software components covered

SAP NetWeavertrade 70

SAP Security Consultant Certification

SAP Certified Technology Professional ndash Security with SAP NetWeaver 70


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for

SAP customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity

management and integrated security management offering will allow

customers to implement secure business processes

Planned support for SAML 20 for Identity Federation will provide

international standards support and heterogeneity mandatory for

composite business applications and networked solutions

SAP will lead the industry in helping our customers to

thrive in today`s business networks





Further Information

SAP Public Web

SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity

SAP Developer Network (SDN) ndash Identity Management

httpwwwsdnsapcomirjsdnnw-identitymanagement

SAP Public Web ndash Security wwwsapcomsecurity

SAP Public Web ndash Identity Management

wwwsapcomplatformnetweavercomponentsIDMindexepx

36


Further Information

Related WorkshopsLectures at SAP TechEd 2010


Further Information


37


Further Information


ContactFeedback

Please complete your session evaluation

Be courteous mdash deposit your trash

and do not take the handouts for the following session

38


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation

IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation

Linux is the registered trademark of Linus Torvalds in the US and other countries

Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries

Oracle is a registered trademark of Oracle Corporation

UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group

Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc

HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology

Java is a registered trademark of Sun Microsystems Inc

JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape

SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries

All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary

The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice

SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement

SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence

The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages

copy 2010 SAP AG All Rights Reserved

2


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary


Security for Business Processes

Security Functionality

Provide functionality that allows customers to efficiently control and manage access

to business data and applications

Software Security and Quality Assurance

Deliver highest quality of software that prevents hackers from gaining unauthorized

access to business data and business applications

Information amp Services

Provide up-to-date information services and support to help customers and partners

implement use and manage their SAP systems securely

SAP enables its customers to protect their business processes

through a comprehensive security portfolio

3



SAP

Security

Software Security





Security

Functionality


Management


Single Sign-On

Compliance


Information




Online Help












4


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






OrderMgmt

Non SAP ampLegacy



ABAP Development


Java Development


Content Management


Information

Composition

Service Composition





Data Management

User Productivity



Composition

Bu

sin

ess C

on

te

nt







5




OrderMgmt

Non SAP ampLegacy







Service Composition

SOA Management

Content Management




Data Management

User Productivity



Business C

ontent






Security


SECURITY FRAMEWORK



IDENTITY FEDERATION






BUSINESS PROCESSES



ABAP Development


Java Development








applications

SAML 11

PKI-based

authentication

(X509 certificates)

SP Nego (Kerberos)

Header variables

SAP Logon Tickets

Identity Federation

SAML 20

JAAS Login Module

Single Sign-On

Options

SS

O

6







SA

P N

etW

eaver

Ap

pli

cati

on

s


Interactive user


PKI-based

authentication




ndash CRL support 1

External

authentication

SPNego 1


Header variables 1

SSO via trusted

application system




Identity Federation

interoperable SSO

and Single Log-out

SAML 2 2





Custom

authentication

JAAS Login Module 1


mechanisms

Web

Bro

wser



SAP NetWeaver

Portal

SAML 11

PKI-based

authentication

(X509 certificates)

SP Nego (Kerberos)

Header variables

SAP Logon Tickets

Identity Federation

SAML 20

JAAS Login Module

Single Sign-On

Options

SAML 2 Identity

Provider (IDP) amp

Security Token

Service (STS)

NET

SS

O

Non-

SAP

7




SA

ML

Identity

Provider (IDP)

SA

ML

Company A


AM

L

Identity

Provider (IDP)

Lo

go

n

Tic

ke

t

Business Partner

SAML




Trust

Relationship


applications

SSO

Federation

SSO

Federation


Management






identity management

trust management




(SPs)




8



Intermediary




SAML

WS-Security

Point-to-Point

Security

Message Security




Outer DMZ Inner DMZ

Firewall


Application

server farm

R3

R3

Application

server farm

ERP

ERP

DIR

Application

Gateways

Pre-scan user


and known exploits

Preprocessing and

validation of user

input and output


Web service request

WebAS Portal

or other

Web service

Firewall Firewall

9



On-Demand Solutions

Backend Networks

Company B

R3

R3

Application

server farm

ERP

ERP

DIR

Backend Networks

Company A

R3

R3

Application

server farm

ERP

ERP

DIR

On-

Demand

On-

Demand

Company A

Identity

Provider

Company B

Identity

Provider

On-

Demand

SAML SAML

SAML SAML

SAP

Logon

Tickets

SAP

Logon

Tickets

SAML




Configuration and

results of Security

Audit Log in ABAP

Transactions

SM 18 SM19 SM20

Results of Log

Viewer in Java

10




Audit planning

Work program

- System audit

- Business audit

Exp

ort

in

terf

ace

Online controls on

the SAP database

System information

Reconciliation

BS PampL

Account balances

Documents

Data export

Account balances

Line items


Work

paper

prep

Report

Analysis software

( ACL IDEA hellip )

Reporting software

Line items

Balances

Accounts

Customers

Vendors

Assets

Material

Orders

Invoices

hellip









- Collection

- Structure and

- Default setup



of the auditor

in SAP environment

11



Functional Overview



SAP application




Tables trees lists

etc


logged











Dynpro Processor

Control Framework

Request

Response

Database layer


Observed

data traffic

Temporary Log

(Asynchronous)

Call of

log service

Log Storage




Modification

Development

12




Credit card data

encrypted in

database

Application

Decryption

Authorized

administrator

Data is

displayed

unencrypted

SSF

API






hellip how to

create

users in a

systemhellipwho may

execute which

actions

especially

how to


defines rules on

hellip restrict

display and

change of data

depending

on user roles

This enhances

the security of

the system

hellip show

users only those

actions which are

relevant for their

roles

This simplifies

system usage

13




Sammelrolle

RolleRole

Composite role

Felder

Werte


Berechtigung

Profil

Fields

Values

Authorization

Profile

User

Rolle

Data Model

Felder

Werte


Berechtigungsdaten

Assignment

Generation

Authorization data

Fields

Values

RoleSammelprofil

Sammel-

profil

Profil

Composite

Profile

Profile

Composite profile

14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n



Functional Roles

are related to

jobs

Menu containing

transactions

15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























3



SAP

Security

Software Security





Security

Functionality


Management


Single Sign-On

Compliance


Information




Online Help












4


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






OrderMgmt

Non SAP ampLegacy



ABAP Development


Java Development


Content Management


Information

Composition

Service Composition





Data Management

User Productivity



Composition

Bu

sin

ess C

on

te

nt







5




OrderMgmt

Non SAP ampLegacy







Service Composition

SOA Management

Content Management




Data Management

User Productivity



Business C

ontent






Security


SECURITY FRAMEWORK



IDENTITY FEDERATION






BUSINESS PROCESSES



ABAP Development


Java Development








applications

SAML 11

PKI-based

authentication

(X509 certificates)

SP Nego (Kerberos)

Header variables

SAP Logon Tickets

Identity Federation

SAML 20

JAAS Login Module

Single Sign-On

Options

SS

O

6







SA

P N

etW

eaver

Ap

pli

cati

on

s


Interactive user


PKI-based

authentication




ndash CRL support 1

External

authentication

SPNego 1


Header variables 1

SSO via trusted

application system




Identity Federation

interoperable SSO

and Single Log-out

SAML 2 2





Custom

authentication

JAAS Login Module 1


mechanisms

Web

Bro

wser



SAP NetWeaver

Portal

SAML 11

PKI-based

authentication

(X509 certificates)

SP Nego (Kerberos)

Header variables

SAP Logon Tickets

Identity Federation

SAML 20

JAAS Login Module

Single Sign-On

Options

SAML 2 Identity

Provider (IDP) amp

Security Token

Service (STS)

NET

SS

O

Non-

SAP

7




SA

ML

Identity

Provider (IDP)

SA

ML

Company A


AM

L

Identity

Provider (IDP)

Lo

go

n

Tic

ke

t

Business Partner

SAML




Trust

Relationship


applications

SSO

Federation

SSO

Federation


Management






identity management

trust management




(SPs)




8



Intermediary




SAML

WS-Security

Point-to-Point

Security

Message Security




Outer DMZ Inner DMZ

Firewall


Application

server farm

R3

R3

Application

server farm

ERP

ERP

DIR

Application

Gateways

Pre-scan user


and known exploits

Preprocessing and

validation of user

input and output


Web service request

WebAS Portal

or other

Web service

Firewall Firewall

9



On-Demand Solutions

Backend Networks

Company B

R3

R3

Application

server farm

ERP

ERP

DIR

Backend Networks

Company A

R3

R3

Application

server farm

ERP

ERP

DIR

On-

Demand

On-

Demand

Company A

Identity

Provider

Company B

Identity

Provider

On-

Demand

SAML SAML

SAML SAML

SAP

Logon

Tickets

SAP

Logon

Tickets

SAML




Configuration and

results of Security

Audit Log in ABAP

Transactions

SM 18 SM19 SM20

Results of Log

Viewer in Java

10




Audit planning

Work program

- System audit

- Business audit

Exp

ort

in

terf

ace

Online controls on

the SAP database

System information

Reconciliation

BS PampL

Account balances

Documents

Data export

Account balances

Line items


Work

paper

prep

Report

Analysis software

( ACL IDEA hellip )

Reporting software

Line items

Balances

Accounts

Customers

Vendors

Assets

Material

Orders

Invoices

hellip









- Collection

- Structure and

- Default setup



of the auditor

in SAP environment

11



Functional Overview



SAP application




Tables trees lists

etc


logged











Dynpro Processor

Control Framework

Request

Response

Database layer


Observed

data traffic

Temporary Log

(Asynchronous)

Call of

log service

Log Storage




Modification

Development

12




Credit card data

encrypted in

database

Application

Decryption

Authorized

administrator

Data is

displayed

unencrypted

SSF

API






hellip how to

create

users in a

systemhellipwho may

execute which

actions

especially

how to


defines rules on

hellip restrict

display and

change of data

depending

on user roles

This enhances

the security of

the system

hellip show

users only those

actions which are

relevant for their

roles

This simplifies

system usage

13




Sammelrolle

RolleRole

Composite role

Felder

Werte


Berechtigung

Profil

Fields

Values

Authorization

Profile

User

Rolle

Data Model

Felder

Werte


Berechtigungsdaten

Assignment

Generation

Authorization data

Fields

Values

RoleSammelprofil

Sammel-

profil

Profil

Composite

Profile

Profile

Composite profile

14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n



Functional Roles

are related to

jobs

Menu containing

transactions

15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























4


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






OrderMgmt

Non SAP ampLegacy



ABAP Development


Java Development


Content Management


Information

Composition

Service Composition





Data Management

User Productivity



Composition

Bu

sin

ess C

on

te

nt







5




OrderMgmt

Non SAP ampLegacy







Service Composition

SOA Management

Content Management




Data Management

User Productivity



Business C

ontent






Security


SECURITY FRAMEWORK



IDENTITY FEDERATION






BUSINESS PROCESSES



ABAP Development


Java Development








applications

SAML 11

PKI-based

authentication

(X509 certificates)

SP Nego (Kerberos)

Header variables

SAP Logon Tickets

Identity Federation

SAML 20

JAAS Login Module

Single Sign-On

Options

SS

O

6







SA

P N

etW

eaver

Ap

pli

cati

on

s


Interactive user


PKI-based

authentication




ndash CRL support 1

External

authentication

SPNego 1


Header variables 1

SSO via trusted

application system




Identity Federation

interoperable SSO

and Single Log-out

SAML 2 2





Custom

authentication

JAAS Login Module 1


mechanisms

Web

Bro

wser



SAP NetWeaver

Portal

SAML 11

PKI-based

authentication

(X509 certificates)

SP Nego (Kerberos)

Header variables

SAP Logon Tickets

Identity Federation

SAML 20

JAAS Login Module

Single Sign-On

Options

SAML 2 Identity

Provider (IDP) amp

Security Token

Service (STS)

NET

SS

O

Non-

SAP

7




SA

ML

Identity

Provider (IDP)

SA

ML

Company A


AM

L

Identity

Provider (IDP)

Lo

go

n

Tic

ke

t

Business Partner

SAML




Trust

Relationship


applications

SSO

Federation

SSO

Federation


Management






identity management

trust management




(SPs)




8



Intermediary




SAML

WS-Security

Point-to-Point

Security

Message Security




Outer DMZ Inner DMZ

Firewall


Application

server farm

R3

R3

Application

server farm

ERP

ERP

DIR

Application

Gateways

Pre-scan user


and known exploits

Preprocessing and

validation of user

input and output


Web service request

WebAS Portal

or other

Web service

Firewall Firewall

9



On-Demand Solutions

Backend Networks

Company B

R3

R3

Application

server farm

ERP

ERP

DIR

Backend Networks

Company A

R3

R3

Application

server farm

ERP

ERP

DIR

On-

Demand

On-

Demand

Company A

Identity

Provider

Company B

Identity

Provider

On-

Demand

SAML SAML

SAML SAML

SAP

Logon

Tickets

SAP

Logon

Tickets

SAML




Configuration and

results of Security

Audit Log in ABAP

Transactions

SM 18 SM19 SM20

Results of Log

Viewer in Java

10




Audit planning

Work program

- System audit

- Business audit

Exp

ort

in

terf

ace

Online controls on

the SAP database

System information

Reconciliation

BS PampL

Account balances

Documents

Data export

Account balances

Line items


Work

paper

prep

Report

Analysis software

( ACL IDEA hellip )

Reporting software

Line items

Balances

Accounts

Customers

Vendors

Assets

Material

Orders

Invoices

hellip









- Collection

- Structure and

- Default setup



of the auditor

in SAP environment

11



Functional Overview



SAP application




Tables trees lists

etc


logged











Dynpro Processor

Control Framework

Request

Response

Database layer


Observed

data traffic

Temporary Log

(Asynchronous)

Call of

log service

Log Storage




Modification

Development

12




Credit card data

encrypted in

database

Application

Decryption

Authorized

administrator

Data is

displayed

unencrypted

SSF

API






hellip how to

create

users in a

systemhellipwho may

execute which

actions

especially

how to


defines rules on

hellip restrict

display and

change of data

depending

on user roles

This enhances

the security of

the system

hellip show

users only those

actions which are

relevant for their

roles

This simplifies

system usage

13




Sammelrolle

RolleRole

Composite role

Felder

Werte


Berechtigung

Profil

Fields

Values

Authorization

Profile

User

Rolle

Data Model

Felder

Werte


Berechtigungsdaten

Assignment

Generation

Authorization data

Fields

Values

RoleSammelprofil

Sammel-

profil

Profil

Composite

Profile

Profile

Composite profile

14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n



Functional Roles

are related to

jobs

Menu containing

transactions

15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























5




OrderMgmt

Non SAP ampLegacy







Service Composition

SOA Management

Content Management




Data Management

User Productivity



Business C

ontent






Security


SECURITY FRAMEWORK



IDENTITY FEDERATION






BUSINESS PROCESSES



ABAP Development


Java Development








applications

SAML 11

PKI-based

authentication

(X509 certificates)

SP Nego (Kerberos)

Header variables

SAP Logon Tickets

Identity Federation

SAML 20

JAAS Login Module

Single Sign-On

Options

SS

O

6







SA

P N

etW

eaver

Ap

pli

cati

on

s


Interactive user


PKI-based

authentication




ndash CRL support 1

External

authentication

SPNego 1


Header variables 1

SSO via trusted

application system




Identity Federation

interoperable SSO

and Single Log-out

SAML 2 2





Custom

authentication

JAAS Login Module 1


mechanisms

Web

Bro

wser



SAP NetWeaver

Portal

SAML 11

PKI-based

authentication

(X509 certificates)

SP Nego (Kerberos)

Header variables

SAP Logon Tickets

Identity Federation

SAML 20

JAAS Login Module

Single Sign-On

Options

SAML 2 Identity

Provider (IDP) amp

Security Token

Service (STS)

NET

SS

O

Non-

SAP

7




SA

ML

Identity

Provider (IDP)

SA

ML

Company A


AM

L

Identity

Provider (IDP)

Lo

go

n

Tic

ke

t

Business Partner

SAML




Trust

Relationship


applications

SSO

Federation

SSO

Federation


Management






identity management

trust management




(SPs)




8



Intermediary




SAML

WS-Security

Point-to-Point

Security

Message Security




Outer DMZ Inner DMZ

Firewall


Application

server farm

R3

R3

Application

server farm

ERP

ERP

DIR

Application

Gateways

Pre-scan user


and known exploits

Preprocessing and

validation of user

input and output


Web service request

WebAS Portal

or other

Web service

Firewall Firewall

9



On-Demand Solutions

Backend Networks

Company B

R3

R3

Application

server farm

ERP

ERP

DIR

Backend Networks

Company A

R3

R3

Application

server farm

ERP

ERP

DIR

On-

Demand

On-

Demand

Company A

Identity

Provider

Company B

Identity

Provider

On-

Demand

SAML SAML

SAML SAML

SAP

Logon

Tickets

SAP

Logon

Tickets

SAML




Configuration and

results of Security

Audit Log in ABAP

Transactions

SM 18 SM19 SM20

Results of Log

Viewer in Java

10




Audit planning

Work program

- System audit

- Business audit

Exp

ort

in

terf

ace

Online controls on

the SAP database

System information

Reconciliation

BS PampL

Account balances

Documents

Data export

Account balances

Line items


Work

paper

prep

Report

Analysis software

( ACL IDEA hellip )

Reporting software

Line items

Balances

Accounts

Customers

Vendors

Assets

Material

Orders

Invoices

hellip









- Collection

- Structure and

- Default setup



of the auditor

in SAP environment

11



Functional Overview



SAP application




Tables trees lists

etc


logged











Dynpro Processor

Control Framework

Request

Response

Database layer


Observed

data traffic

Temporary Log

(Asynchronous)

Call of

log service

Log Storage




Modification

Development

12




Credit card data

encrypted in

database

Application

Decryption

Authorized

administrator

Data is

displayed

unencrypted

SSF

API






hellip how to

create

users in a

systemhellipwho may

execute which

actions

especially

how to


defines rules on

hellip restrict

display and

change of data

depending

on user roles

This enhances

the security of

the system

hellip show

users only those

actions which are

relevant for their

roles

This simplifies

system usage

13




Sammelrolle

RolleRole

Composite role

Felder

Werte


Berechtigung

Profil

Fields

Values

Authorization

Profile

User

Rolle

Data Model

Felder

Werte


Berechtigungsdaten

Assignment

Generation

Authorization data

Fields

Values

RoleSammelprofil

Sammel-

profil

Profil

Composite

Profile

Profile

Composite profile

14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n



Functional Roles

are related to

jobs

Menu containing

transactions

15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























6







SA

P N

etW

eaver

Ap

pli

cati

on

s


Interactive user


PKI-based

authentication




ndash CRL support 1

External

authentication

SPNego 1


Header variables 1

SSO via trusted

application system




Identity Federation

interoperable SSO

and Single Log-out

SAML 2 2





Custom

authentication

JAAS Login Module 1


mechanisms

Web

Bro

wser



SAP NetWeaver

Portal

SAML 11

PKI-based

authentication

(X509 certificates)

SP Nego (Kerberos)

Header variables

SAP Logon Tickets

Identity Federation

SAML 20

JAAS Login Module

Single Sign-On

Options

SAML 2 Identity

Provider (IDP) amp

Security Token

Service (STS)

NET

SS

O

Non-

SAP

7




SA

ML

Identity

Provider (IDP)

SA

ML

Company A


AM

L

Identity

Provider (IDP)

Lo

go

n

Tic

ke

t

Business Partner

SAML




Trust

Relationship


applications

SSO

Federation

SSO

Federation


Management






identity management

trust management




(SPs)




8



Intermediary




SAML

WS-Security

Point-to-Point

Security

Message Security




Outer DMZ Inner DMZ

Firewall


Application

server farm

R3

R3

Application

server farm

ERP

ERP

DIR

Application

Gateways

Pre-scan user


and known exploits

Preprocessing and

validation of user

input and output


Web service request

WebAS Portal

or other

Web service

Firewall Firewall

9



On-Demand Solutions

Backend Networks

Company B

R3

R3

Application

server farm

ERP

ERP

DIR

Backend Networks

Company A

R3

R3

Application

server farm

ERP

ERP

DIR

On-

Demand

On-

Demand

Company A

Identity

Provider

Company B

Identity

Provider

On-

Demand

SAML SAML

SAML SAML

SAP

Logon

Tickets

SAP

Logon

Tickets

SAML




Configuration and

results of Security

Audit Log in ABAP

Transactions

SM 18 SM19 SM20

Results of Log

Viewer in Java

10




Audit planning

Work program

- System audit

- Business audit

Exp

ort

in

terf

ace

Online controls on

the SAP database

System information

Reconciliation

BS PampL

Account balances

Documents

Data export

Account balances

Line items


Work

paper

prep

Report

Analysis software

( ACL IDEA hellip )

Reporting software

Line items

Balances

Accounts

Customers

Vendors

Assets

Material

Orders

Invoices

hellip









- Collection

- Structure and

- Default setup



of the auditor

in SAP environment

11



Functional Overview



SAP application




Tables trees lists

etc


logged











Dynpro Processor

Control Framework

Request

Response

Database layer


Observed

data traffic

Temporary Log

(Asynchronous)

Call of

log service

Log Storage




Modification

Development

12




Credit card data

encrypted in

database

Application

Decryption

Authorized

administrator

Data is

displayed

unencrypted

SSF

API






hellip how to

create

users in a

systemhellipwho may

execute which

actions

especially

how to


defines rules on

hellip restrict

display and

change of data

depending

on user roles

This enhances

the security of

the system

hellip show

users only those

actions which are

relevant for their

roles

This simplifies

system usage

13




Sammelrolle

RolleRole

Composite role

Felder

Werte


Berechtigung

Profil

Fields

Values

Authorization

Profile

User

Rolle

Data Model

Felder

Werte


Berechtigungsdaten

Assignment

Generation

Authorization data

Fields

Values

RoleSammelprofil

Sammel-

profil

Profil

Composite

Profile

Profile

Composite profile

14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n



Functional Roles

are related to

jobs

Menu containing

transactions

15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























7




SA

ML

Identity

Provider (IDP)

SA

ML

Company A


AM

L

Identity

Provider (IDP)

Lo

go

n

Tic

ke

t

Business Partner

SAML




Trust

Relationship


applications

SSO

Federation

SSO

Federation


Management






identity management

trust management




(SPs)




8



Intermediary




SAML

WS-Security

Point-to-Point

Security

Message Security




Outer DMZ Inner DMZ

Firewall


Application

server farm

R3

R3

Application

server farm

ERP

ERP

DIR

Application

Gateways

Pre-scan user


and known exploits

Preprocessing and

validation of user

input and output


Web service request

WebAS Portal

or other

Web service

Firewall Firewall

9



On-Demand Solutions

Backend Networks

Company B

R3

R3

Application

server farm

ERP

ERP

DIR

Backend Networks

Company A

R3

R3

Application

server farm

ERP

ERP

DIR

On-

Demand

On-

Demand

Company A

Identity

Provider

Company B

Identity

Provider

On-

Demand

SAML SAML

SAML SAML

SAP

Logon

Tickets

SAP

Logon

Tickets

SAML




Configuration and

results of Security

Audit Log in ABAP

Transactions

SM 18 SM19 SM20

Results of Log

Viewer in Java

10




Audit planning

Work program

- System audit

- Business audit

Exp

ort

in

terf

ace

Online controls on

the SAP database

System information

Reconciliation

BS PampL

Account balances

Documents

Data export

Account balances

Line items


Work

paper

prep

Report

Analysis software

( ACL IDEA hellip )

Reporting software

Line items

Balances

Accounts

Customers

Vendors

Assets

Material

Orders

Invoices

hellip









- Collection

- Structure and

- Default setup



of the auditor

in SAP environment

11



Functional Overview



SAP application




Tables trees lists

etc


logged











Dynpro Processor

Control Framework

Request

Response

Database layer


Observed

data traffic

Temporary Log

(Asynchronous)

Call of

log service

Log Storage




Modification

Development

12




Credit card data

encrypted in

database

Application

Decryption

Authorized

administrator

Data is

displayed

unencrypted

SSF

API






hellip how to

create

users in a

systemhellipwho may

execute which

actions

especially

how to


defines rules on

hellip restrict

display and

change of data

depending

on user roles

This enhances

the security of

the system

hellip show

users only those

actions which are

relevant for their

roles

This simplifies

system usage

13




Sammelrolle

RolleRole

Composite role

Felder

Werte


Berechtigung

Profil

Fields

Values

Authorization

Profile

User

Rolle

Data Model

Felder

Werte


Berechtigungsdaten

Assignment

Generation

Authorization data

Fields

Values

RoleSammelprofil

Sammel-

profil

Profil

Composite

Profile

Profile

Composite profile

14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n



Functional Roles

are related to

jobs

Menu containing

transactions

15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























8



Intermediary




SAML

WS-Security

Point-to-Point

Security

Message Security




Outer DMZ Inner DMZ

Firewall


Application

server farm

R3

R3

Application

server farm

ERP

ERP

DIR

Application

Gateways

Pre-scan user


and known exploits

Preprocessing and

validation of user

input and output


Web service request

WebAS Portal

or other

Web service

Firewall Firewall

9



On-Demand Solutions

Backend Networks

Company B

R3

R3

Application

server farm

ERP

ERP

DIR

Backend Networks

Company A

R3

R3

Application

server farm

ERP

ERP

DIR

On-

Demand

On-

Demand

Company A

Identity

Provider

Company B

Identity

Provider

On-

Demand

SAML SAML

SAML SAML

SAP

Logon

Tickets

SAP

Logon

Tickets

SAML




Configuration and

results of Security

Audit Log in ABAP

Transactions

SM 18 SM19 SM20

Results of Log

Viewer in Java

10




Audit planning

Work program

- System audit

- Business audit

Exp

ort

in

terf

ace

Online controls on

the SAP database

System information

Reconciliation

BS PampL

Account balances

Documents

Data export

Account balances

Line items


Work

paper

prep

Report

Analysis software

( ACL IDEA hellip )

Reporting software

Line items

Balances

Accounts

Customers

Vendors

Assets

Material

Orders

Invoices

hellip









- Collection

- Structure and

- Default setup



of the auditor

in SAP environment

11



Functional Overview



SAP application




Tables trees lists

etc


logged











Dynpro Processor

Control Framework

Request

Response

Database layer


Observed

data traffic

Temporary Log

(Asynchronous)

Call of

log service

Log Storage




Modification

Development

12




Credit card data

encrypted in

database

Application

Decryption

Authorized

administrator

Data is

displayed

unencrypted

SSF

API






hellip how to

create

users in a

systemhellipwho may

execute which

actions

especially

how to


defines rules on

hellip restrict

display and

change of data

depending

on user roles

This enhances

the security of

the system

hellip show

users only those

actions which are

relevant for their

roles

This simplifies

system usage

13




Sammelrolle

RolleRole

Composite role

Felder

Werte


Berechtigung

Profil

Fields

Values

Authorization

Profile

User

Rolle

Data Model

Felder

Werte


Berechtigungsdaten

Assignment

Generation

Authorization data

Fields

Values

RoleSammelprofil

Sammel-

profil

Profil

Composite

Profile

Profile

Composite profile

14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n



Functional Roles

are related to

jobs

Menu containing

transactions

15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























9



On-Demand Solutions

Backend Networks

Company B

R3

R3

Application

server farm

ERP

ERP

DIR

Backend Networks

Company A

R3

R3

Application

server farm

ERP

ERP

DIR

On-

Demand

On-

Demand

Company A

Identity

Provider

Company B

Identity

Provider

On-

Demand

SAML SAML

SAML SAML

SAP

Logon

Tickets

SAP

Logon

Tickets

SAML




Configuration and

results of Security

Audit Log in ABAP

Transactions

SM 18 SM19 SM20

Results of Log

Viewer in Java

10




Audit planning

Work program

- System audit

- Business audit

Exp

ort

in

terf

ace

Online controls on

the SAP database

System information

Reconciliation

BS PampL

Account balances

Documents

Data export

Account balances

Line items


Work

paper

prep

Report

Analysis software

( ACL IDEA hellip )

Reporting software

Line items

Balances

Accounts

Customers

Vendors

Assets

Material

Orders

Invoices

hellip









- Collection

- Structure and

- Default setup



of the auditor

in SAP environment

11



Functional Overview



SAP application




Tables trees lists

etc


logged











Dynpro Processor

Control Framework

Request

Response

Database layer


Observed

data traffic

Temporary Log

(Asynchronous)

Call of

log service

Log Storage




Modification

Development

12




Credit card data

encrypted in

database

Application

Decryption

Authorized

administrator

Data is

displayed

unencrypted

SSF

API






hellip how to

create

users in a

systemhellipwho may

execute which

actions

especially

how to


defines rules on

hellip restrict

display and

change of data

depending

on user roles

This enhances

the security of

the system

hellip show

users only those

actions which are

relevant for their

roles

This simplifies

system usage

13




Sammelrolle

RolleRole

Composite role

Felder

Werte


Berechtigung

Profil

Fields

Values

Authorization

Profile

User

Rolle

Data Model

Felder

Werte


Berechtigungsdaten

Assignment

Generation

Authorization data

Fields

Values

RoleSammelprofil

Sammel-

profil

Profil

Composite

Profile

Profile

Composite profile

14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n



Functional Roles

are related to

jobs

Menu containing

transactions

15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























10




Audit planning

Work program

- System audit

- Business audit

Exp

ort

in

terf

ace

Online controls on

the SAP database

System information

Reconciliation

BS PampL

Account balances

Documents

Data export

Account balances

Line items


Work

paper

prep

Report

Analysis software

( ACL IDEA hellip )

Reporting software

Line items

Balances

Accounts

Customers

Vendors

Assets

Material

Orders

Invoices

hellip









- Collection

- Structure and

- Default setup



of the auditor

in SAP environment

11



Functional Overview



SAP application




Tables trees lists

etc


logged











Dynpro Processor

Control Framework

Request

Response

Database layer


Observed

data traffic

Temporary Log

(Asynchronous)

Call of

log service

Log Storage




Modification

Development

12




Credit card data

encrypted in

database

Application

Decryption

Authorized

administrator

Data is

displayed

unencrypted

SSF

API






hellip how to

create

users in a

systemhellipwho may

execute which

actions

especially

how to


defines rules on

hellip restrict

display and

change of data

depending

on user roles

This enhances

the security of

the system

hellip show

users only those

actions which are

relevant for their

roles

This simplifies

system usage

13




Sammelrolle

RolleRole

Composite role

Felder

Werte


Berechtigung

Profil

Fields

Values

Authorization

Profile

User

Rolle

Data Model

Felder

Werte


Berechtigungsdaten

Assignment

Generation

Authorization data

Fields

Values

RoleSammelprofil

Sammel-

profil

Profil

Composite

Profile

Profile

Composite profile

14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n



Functional Roles

are related to

jobs

Menu containing

transactions

15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























11



Functional Overview



SAP application




Tables trees lists

etc


logged











Dynpro Processor

Control Framework

Request

Response

Database layer


Observed

data traffic

Temporary Log

(Asynchronous)

Call of

log service

Log Storage




Modification

Development

12




Credit card data

encrypted in

database

Application

Decryption

Authorized

administrator

Data is

displayed

unencrypted

SSF

API






hellip how to

create

users in a

systemhellipwho may

execute which

actions

especially

how to


defines rules on

hellip restrict

display and

change of data

depending

on user roles

This enhances

the security of

the system

hellip show

users only those

actions which are

relevant for their

roles

This simplifies

system usage

13




Sammelrolle

RolleRole

Composite role

Felder

Werte


Berechtigung

Profil

Fields

Values

Authorization

Profile

User

Rolle

Data Model

Felder

Werte


Berechtigungsdaten

Assignment

Generation

Authorization data

Fields

Values

RoleSammelprofil

Sammel-

profil

Profil

Composite

Profile

Profile

Composite profile

14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n



Functional Roles

are related to

jobs

Menu containing

transactions

15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























12




Credit card data

encrypted in

database

Application

Decryption

Authorized

administrator

Data is

displayed

unencrypted

SSF

API






hellip how to

create

users in a

systemhellipwho may

execute which

actions

especially

how to


defines rules on

hellip restrict

display and

change of data

depending

on user roles

This enhances

the security of

the system

hellip show

users only those

actions which are

relevant for their

roles

This simplifies

system usage

13




Sammelrolle

RolleRole

Composite role

Felder

Werte


Berechtigung

Profil

Fields

Values

Authorization

Profile

User

Rolle

Data Model

Felder

Werte


Berechtigungsdaten

Assignment

Generation

Authorization data

Fields

Values

RoleSammelprofil

Sammel-

profil

Profil

Composite

Profile

Profile

Composite profile

14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n



Functional Roles

are related to

jobs

Menu containing

transactions

15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























13




Sammelrolle

RolleRole

Composite role

Felder

Werte


Berechtigung

Profil

Fields

Values

Authorization

Profile

User

Rolle

Data Model

Felder

Werte


Berechtigungsdaten

Assignment

Generation

Authorization data

Fields

Values

RoleSammelprofil

Sammel-

profil

Profil

Composite

Profile

Profile

Composite profile

14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n



Functional Roles

are related to

jobs

Menu containing

transactions

15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























14


P_ORGIN

S_USER_AGR

S_USER_GRP

hellip

PA30

PFCG

RSUSR002

hellip

Menu Transactions

Web links reports

Etc

UserABAP

Role

Authorization

Data

Authorizations

ABAP Roles

1n 1n



Functional Roles

are related to

jobs

Menu containing

transactions

15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























15






maintained



Access type

Area Organization

Authority

check

Business










hellip

16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























16



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

1nOrg Units

S

Position

70008502

S

Position

70008501

1n

Positions

P

Employee

Eva Scott

P

Employee

John Smith

1111

Employees

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11Infotype 105

Users



O

Org Unit

Market GER

O

Org Unit

Finance

O

Org Unit

HR

S

Position

70008502

S

Position

70008501

US

SAP User

SMITHJ

US

SAP User

SCOTTE

P

Employee

Eva Scott

P

Employee

John Smith

1n

1n

1111

11 11

Org Units

Positions

Employees

Infotype 105

Users

User SMITHJ

inherits roles

GEN_FIN

and HR_ADM

AG

Role

GEN_FIN

AG

Role

HR_ADM

17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























17



Pros amp Cons

Disadvantages




be monitored





Advantages


assignments



transfer etc


















Add-Ins (BAdI)

Example





18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























18










1413012






Federation

Metadata

Transport Security

Document Security

Message Security


WS-Security

Under Evaluation

WS-Policy

WS-Trust

WS-Security Policy


SAML 20

Future Work

SMIME




XACML SPML LDAP


SSLTLS GSS

OpenID

OAuth

PCI DSS



19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























19


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary






Consumption model









mobile devices

Compliance






audit challenges








identity data



change in positions



response times



20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























20







SAP BW Reporting






Today

TODAY






process








Business Objects)




21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























21




Identity store

Configuration

Processing logic





Management Console





Event Agent





SAP NetWeaver


Identity Center


(AS Java)

ManagementConsole


Event AgentService


SA

P

GR

CW

eb

serv

ices

hellip

Virtu

al D

irecto

ry Serv

er

Identity Center

Database

E-Mail

System

Active

Directory

SAP

Portal

SAP

ERPothers

hellip


Agenda

1 Introduction


Compliance





Security Services

Support Security


Secure Programming


5 Summary

22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























22













authorization risk



oversight


IT Infrastructure

FIN SCM SRM MFG HR

Cro

ss-P

latf

orm

Cro

ss-F

un

ction

Acce

ss R

isk a

na

lysis

Rem

ed

iatio

n Enterprise role

management

Risk analysis and

remediation


Au

dit

Ove

rsig

ht

Identity management


Con

tro

l

En

vir

on

me




Best Practices


management

SAP_ALL


Solution Overview


SAP NetWeaver

Identity Management


Combined

Compliance checks


mitigation




Password management



SAP NetWeaver

Identity Management


SAP BusinessObjects





23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























23



Process Flow


Control (GRC)

Re

qu

est R

ole

Assig

nm

en

t1

Forward request

for risk analysis

3 Manager

approval

2

Risk status6

Provisioning to

target systems

7

Risk

analysis

4

Risk

mitigation

5Notification to

User Manager

8


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























24



Best Practices

SupportCustomer


Tools

Self-Services

Services

delivered by SAP

Recommendations

Guidelines


Alert



Self-Service



Remote Service

Run SAP







observations





self-services






ldquo

25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























25



Value Proposition















Overview




Self Service





in ABAP systems


this service



self-service checks


service engineers

Part of CQC service

offering


Onsite Service

Individual range of


the SAP Enterprise

Portal



service

26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























26



Assessment amp

Scoping

Operational

Requirements

Analysis

Governance

Model for

Operations

Scope Definition

Technical

Requirements and

Architecture

Project Setup

Operations amp

Optimization

End User Support

SAP Technical

Operations

Change

Management

Technical

Infrastructure

Management

SAP Application

Management

Business Process

Operations

Design

Operations

End User Support

Concept

SAP Technical

Operations

Concept

Change

Management

Concept

Technical

Infrastructure

Design

SAP Application

Management

Concept

Business Process

Operations

Concept

Setup

Operations

End User Support

Implementation

SAP Technical

Operations

Implementation

Change

Management

Implementation

Technical

Infrastructure

Implementation

SAP Application

Management

Implementation

Business Process

Operations

Implementation

Handover into

Production

Knowledge Transfer

and Certification

Final Testing

Transition into

Production

Handover and Sign-

Off














components





27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























27


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary



Infrastructure













28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























28


Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary






Requirements are



phase and


Organization

Standard Owner

Expert Network


units and SAP labs

Production Unit


Vulnerability

Prevention

TCO

Reduction

Legal

Compliance



29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























29








What we do

Train developers
















Certificates


SMPAssembly

Trust Center






30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























30








SAP offers






SAP invests in



SAFECODE

Secologic



Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























31








E2 Medium

ISO 9001




















32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























32









Audit




Assurance Class

EAL4+




Why 702





0909 09100310 0511

Phase 1

Phase 2 and 3

Java amp Kernel


EAL4 certificate

Phase 4

Java amp Kernel

ABAP


33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























33


2009 2010




ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


Ralsquoanana

Sofia

Bangalore

Moscow


ATE_IND2 AVA_VAN3

ETRtoday


CERTIFICATE


2010





ASE Security Target

ADV_FSP4

AGD_OPE1


ADV_TDS3

ADV_IMP1

ADV_ARC1

AGD_PRE1


ATE_IND2 AVA_VAN3

ETR

today

2011

CERTIFICATE


34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























34


















Agenda

1 Introduction






Security Services

Support Security


Secure Programming


5 Summary

35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























35


Summary

Key Take-Away















Further Information

SAP Public Web







36


Further Information



Further Information


37


Further Information


ContactFeedback




38























36


Further Information



Further Information


37


Further Information


ContactFeedback




38























37


Further Information


ContactFeedback




38























38





















