Upload
phunganh
View
221
Download
2
Embed Size (px)
Citation preview
1
SCI100
SAP Security Overview Presentation
Gerlinde Zibulski Product Management
SAP NetWeaver Identity Management amp Security
October 2010
copy 2010 SAP AG All rights reserved Page 2
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision This presentation is not subject to your license agreement or any other
agreement with SAP SAP has no obligation to pursue any course of business outlined in this
presentation or to develop or release any functionality mentioned in this presentation This
presentation and SAPs strategy and possible future developments are subject to change and
may be changed by SAP at any time for any reason without notice This document is provided
without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement SAP
assumes no responsibility for errors or omissions in this document except if such damages
were caused by SAP intentionally or grossly negligent
2
copy 2010 SAP AG All rights reserved Page 3
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 4
Security for Business Processes
Security Functionality
Provide functionality that allows customers to efficiently control and manage access
to business data and applications
Software Security and Quality Assurance
Deliver highest quality of software that prevents hackers from gaining unauthorized
access to business data and business applications
Information amp Services
Provide up-to-date information services and support to help customers and partners
implement use and manage their SAP systems securely
SAP enables its customers to protect their business processes
through a comprehensive security portfolio
3
copy 2010 SAP AG All rights reserved Page 5
Security Features Offerings and Services
SAP
Security
Software Security
Assurance and Quality
Internal and External Security Assessments
Security Response Process
Security Product Standard and Validation
Security
Functionality
SAP NetWeaver Identity
Management
Web Services Security
Single Sign-On
Compliance
Security Services and
Information
Best practices and security
configuration guides on SDN
Documentation in the SAP
Online Help
Security Optimization Service
copy 2010 SAP AG All rights reserved Page 6
The SAP Ecosystem Advantage
Strong Security Partner Network
The SAP ecosystem responds to a growing need for a more collaborative business
approach ndash an approach designed specifically to deliver unparalleled customer value
The SAP ecosystem puts customers in the center of a dynamic universe that includes SAP
other customers partners and individuals
For security and identity management SAP collaborates with numerous partners offering
specialized solutions and services to fulfill even the most specific requirements of SAP
customers Software partners include
4
copy 2010 SAP AG All rights reserved Page 7
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 8
SAP NetWeaver Technology Capabilities
Service Bus Based IntegrationRepository Based Modeling and Design
Service-enabledApplications
SAP Business Suite 7 Customer amp PartnerApplications
OrderMgmt
Non SAP ampLegacy
TechnologyCapabilities
Heterogeneous Landscapes
ABAP Development
Security and Identity ManagementApplication Life-cycle Management
Java Development
Portal amp Collaboration Search
Content Management
Business Intelligence
Information
Composition
Service Composition
User Interface Composition
Mobile User Interface Technology
Application Foundation
Process Integration for networked applications
Data Management
User Productivity
Business Process Management
Information Management
Composition
Bu
sin
ess C
on
te
nt
Master Data Management
Data Management And Integration
Business Process Monitoring
Human Interaction Management
Business Process Modeling
Business Rules Management
5
copy 2010 SAP AG All rights reserved Page 9
Service-enabledApplications
SAP Business Suite 7 Customer amp PartnerApplications
OrderMgmt
Non SAP ampLegacy
Service Bus Based IntegrationRepository Based Modeling and Design
TechnologyCapabilities
Master Data Management
Data Management And Integration
Portal amp Collaboration Search
Information Composition
Service Composition
SOA Management
Content Management
Business Intelligence
User Interface Composition
Mobile User Interface Technology
Data Management
User Productivity
Business Process ManagementComposition
Integration (Service Oriented Architecture (SOA) Middleware)
Business C
ontent
Information Management
Business Process Monitoring
Human Interaction Management
Business Process Modeling
Business Rules Management
Security
Ensure integrated and easy to configure
SECURITY FRAMEWORK
Enhance security and reduce TCO via
standards based SINGLE SIGN-ON amp
IDENTITY FEDERATION
MANAGE IDENTITIES across processes to lower costs and security risks
Enable a common security concept via
STANDARDIZED SECURITY services
Efficient and comprehensive feature set to
configure administrate and run SECURE
BUSINESS PROCESSES
SAP NetWeaver provides a comprehensive and efficient security
infrastructure for secure and compliant business processes
ABAP Development
Security and Identity ManagementApplication Life-cycle Management
Java Development
Application Foundation
SAP NetWeaver Technology Capabilities
Security and Identity Management
copy 2010 SAP AG All rights reserved Page 10
Single Sign-On Within the Enterprise
SAP NetWeaver Portal
SAP applications3rd Party
applications
SAML 11
PKI-based
authentication
(X509 certificates)
SP Nego (Kerberos)
Header variables
SAP Logon Tickets
Identity Federation
SAML 20
JAAS Login Module
Single Sign-On
Options
SS
O
6
copy 2010 SAP AG All rights reserved Page 11
Secure User Access Web User Authentication
and Single Sign-On to SAP Applications
1 Requires Portal or AS Java
2 IDP capability available with SAP NetWeaver Identity Management 71
SP capability available with SAP Business Suite 702e SAP NetWeaver CE 72 and AS Java 72 Web applications
SA
P N
etW
eaver
Ap
pli
cati
on
s
Anonymous access Named anonymous users with SAP NetWeaver Portal
Interactive user
authentication SAP user ID password
PKI-based
authentication
X509 client certificatesndash Rule based client authentication 1
ndash Certificate filtering 1
ndash Automated certificate mapping 1
ndash CRL support 1
External
authentication
SPNego 1
ndash user authentication against a Kerberos infrastructure
Header variables 1
SSO via trusted
application system
SSO Logon ticketsndash Principal solution for SSO in SAP landscapes
SAML 11 Browser Artifact 1
ndash Interoperable SSO from trusted non-SAP token issuers
Identity Federation
interoperable SSO
and Single Log-out
SAML 2 2
ndash Identity Provider (IDP) for centralized user authentication and
SAML 2 SSO token issuing authority
ndash Service Provider (SP) for accepting SAML 2 SSO token to grant
user access to Web enabled content
Custom
authentication
JAAS Login Module 1
ndash Standardized extensions to out-of-the-box authentication
mechanisms
Web
Bro
wser
copy 2010 SAP AG All rights reserved Page 12
Single Sign-On Strategy
SAP NetWeaver
Portal
SAML 11
PKI-based
authentication
(X509 certificates)
SP Nego (Kerberos)
Header variables
SAP Logon Tickets
Identity Federation
SAML 20
JAAS Login Module
Single Sign-On
Options
SAML 2 Identity
Provider (IDP) amp
Security Token
Service (STS)
NET
SS
O
Non-
SAP
7
copy 2010 SAP AG All rights reserved Page 13
Cross-Domain Single Sign-On
SAP NetWeaver Portal
SA
ML
Identity
Provider (IDP)
SA
ML
Company A
SAP NetWeaver PortalS
AM
L
Identity
Provider (IDP)
Lo
go
n
Tic
ke
t
Business Partner
SAML
copy 2010 SAP AG All rights reserved Page 14
Secure Collaboration Support for Web User
SSO and Identity Federation
Trust
Relationship
SAP applications3rd Party
applications
SSO
Federation
SSO
Federation
SAP NetWeaver Identity
Management
with SAML 2 Identity Provider (IDP) and
Security Token Service (STS)
Standardized SAML 2 SSO and Single Log-out
Shared infrastructure in user interactive and
service applications on the Web
identity management
trust management
Efficient user productivity enablement of secure
cross-business scenarios
Application Service Providers
(SPs)
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
8
copy 2010 SAP AG All rights reserved Page 15
Message-Level and Transport-Level Security
Intermediary
Business Server Business Server
Transport level security is not sufficient
Standardization related to transport level security is in progress
SAML
WS-Security
Point-to-Point
Security
Message Security
copy 2010 SAP AG All rights reserved Page 16
Secure Network Topology
On-Premise Solutions
Outer DMZ Inner DMZ
Firewall
End User Backend Networks
Application
server farm
R3
R3
Application
server farm
ERP
ERP
DIR
Application
Gateways
Pre-scan user
request for validity
and known exploits
Preprocessing and
validation of user
input and output
Process business logic or
Web service request
WebAS Portal
or other
Web service
Firewall Firewall
9
copy 2010 SAP AG All rights reserved Page 17
Secure Communication and Interaction
On-Demand Solutions
Backend Networks
Company B
R3
R3
Application
server farm
ERP
ERP
DIR
Backend Networks
Company A
R3
R3
Application
server farm
ERP
ERP
DIR
On-
Demand
On-
Demand
Company A
Identity
Provider
Company B
Identity
Provider
On-
Demand
SAML SAML
SAML SAML
SAP
Logon
Tickets
SAP
Logon
Tickets
SAML
copy 2010 SAP AG All rights reserved Page 18
Monitoring and Auditing in
ABAP- and Java-Based SAP Solutions
Configuration and
results of Security
Audit Log in ABAP
Transactions
SM 18 SM19 SM20
Results of Log
Viewer in Java
10
copy 2010 SAP AG All rights reserved Page 19
Monitoring and Auditing
The SAP Audit Information System (AIS)
Audit planning
Work program
- System audit
- Business audit
Exp
ort
in
terf
ace
Online controls on
the SAP database
System information
Reconciliation
BS PampL
Account balances
Documents
Data export
Account balances
Line items
Non-SAP Environment SAP Environment
Work
paper
prep
Report
Analysis software
( ACL IDEA hellip )
Reporting software
Line items
Balances
Accounts
Customers
Vendors
Assets
Material
Orders
Invoices
hellip
copy 2010 SAP AG All rights reserved Page 20
Monitoring and Auditing The SAP Audit
Information System (AIS)
The Audit Information
System facilitates smoother
and better quality audits
It consists of a number of
single roles and is a
- Collection
- Structure and
- Default setup
of SAP standard programs
The AIS is the Toolbox
of the auditor
in SAP environment
11
copy 2010 SAP AG All rights reserved Page 21
SAP Security Monitor Logging Solution
Functional Overview
The SAP Security Monitor Logging Solution
provides logging of all data a user views in an
SAP application
Captured data includes
All inputoutput fields
Field labels titles headings
Tables trees lists
etc
Implicitly also database access operations are
logged
Search and retrieval
Storing and updating
Logging is fully transparent to the user The
application behavior and performance is not
affected For an end-user a solution appears
identical whether logging is enabled or not
copy 2010 SAP AG All rights reserved Page 22
SAP Security Monitor Logging Solution
Architecture Overview
SAP UI RepositorySAP Backend System
Dynpro Processor
Control Framework
Request
Response
Database layer
Legend Logging functionality
Observed
data traffic
Temporary Log
(Asynchronous)
Call of
log service
Log Storage
Straightforward high-performance solution tailored to SAP applications
Server-side logging - log entry is written with each client-server roundtrip
Log records are written to provided log service
Modification
Development
12
copy 2010 SAP AG All rights reserved Page 23
Data Encryption Using
Secure Store and Forward (SSF)
Credit card data
encrypted in
database
Application
Decryption
Authorized
administrator
Data is
displayed
unencrypted
SSF
API
PCI-DSS-compliant encryption
Use of SAP Cryptographic Library
Available as of release 46 C
copy 2010 SAP AG All rights reserved Page 24
The SAP Authorization Concept
hellip how to
create
users in a
systemhellipwho may
execute which
actions
especially
how to
The SAP authorization concept
defines rules on
hellip restrict
display and
change of data
depending
on user roles
This enhances
the security of
the system
hellip show
users only those
actions which are
relevant for their
roles
This simplifies
system usage
13
copy 2010 SAP AG All rights reserved Page 25
The SAP Authorization Concept
copy 2010 SAP AG All rights reserved Page 26
Sammelrolle
RolleRole
Composite role
Felder
Werte
Authorization object
Berechtigung
Profil
Fields
Values
Authorization
Profile
User
Rolle
Data Model
Felder
Werte
Authorization object
Berechtigungsdaten
Assignment
Generation
Authorization data
Fields
Values
RoleSammelprofil
Sammel-
profil
Profil
Composite
Profile
Profile
Composite profile
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
2
copy 2010 SAP AG All rights reserved Page 3
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 4
Security for Business Processes
Security Functionality
Provide functionality that allows customers to efficiently control and manage access
to business data and applications
Software Security and Quality Assurance
Deliver highest quality of software that prevents hackers from gaining unauthorized
access to business data and business applications
Information amp Services
Provide up-to-date information services and support to help customers and partners
implement use and manage their SAP systems securely
SAP enables its customers to protect their business processes
through a comprehensive security portfolio
3
copy 2010 SAP AG All rights reserved Page 5
Security Features Offerings and Services
SAP
Security
Software Security
Assurance and Quality
Internal and External Security Assessments
Security Response Process
Security Product Standard and Validation
Security
Functionality
SAP NetWeaver Identity
Management
Web Services Security
Single Sign-On
Compliance
Security Services and
Information
Best practices and security
configuration guides on SDN
Documentation in the SAP
Online Help
Security Optimization Service
copy 2010 SAP AG All rights reserved Page 6
The SAP Ecosystem Advantage
Strong Security Partner Network
The SAP ecosystem responds to a growing need for a more collaborative business
approach ndash an approach designed specifically to deliver unparalleled customer value
The SAP ecosystem puts customers in the center of a dynamic universe that includes SAP
other customers partners and individuals
For security and identity management SAP collaborates with numerous partners offering
specialized solutions and services to fulfill even the most specific requirements of SAP
customers Software partners include
4
copy 2010 SAP AG All rights reserved Page 7
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 8
SAP NetWeaver Technology Capabilities
Service Bus Based IntegrationRepository Based Modeling and Design
Service-enabledApplications
SAP Business Suite 7 Customer amp PartnerApplications
OrderMgmt
Non SAP ampLegacy
TechnologyCapabilities
Heterogeneous Landscapes
ABAP Development
Security and Identity ManagementApplication Life-cycle Management
Java Development
Portal amp Collaboration Search
Content Management
Business Intelligence
Information
Composition
Service Composition
User Interface Composition
Mobile User Interface Technology
Application Foundation
Process Integration for networked applications
Data Management
User Productivity
Business Process Management
Information Management
Composition
Bu
sin
ess C
on
te
nt
Master Data Management
Data Management And Integration
Business Process Monitoring
Human Interaction Management
Business Process Modeling
Business Rules Management
5
copy 2010 SAP AG All rights reserved Page 9
Service-enabledApplications
SAP Business Suite 7 Customer amp PartnerApplications
OrderMgmt
Non SAP ampLegacy
Service Bus Based IntegrationRepository Based Modeling and Design
TechnologyCapabilities
Master Data Management
Data Management And Integration
Portal amp Collaboration Search
Information Composition
Service Composition
SOA Management
Content Management
Business Intelligence
User Interface Composition
Mobile User Interface Technology
Data Management
User Productivity
Business Process ManagementComposition
Integration (Service Oriented Architecture (SOA) Middleware)
Business C
ontent
Information Management
Business Process Monitoring
Human Interaction Management
Business Process Modeling
Business Rules Management
Security
Ensure integrated and easy to configure
SECURITY FRAMEWORK
Enhance security and reduce TCO via
standards based SINGLE SIGN-ON amp
IDENTITY FEDERATION
MANAGE IDENTITIES across processes to lower costs and security risks
Enable a common security concept via
STANDARDIZED SECURITY services
Efficient and comprehensive feature set to
configure administrate and run SECURE
BUSINESS PROCESSES
SAP NetWeaver provides a comprehensive and efficient security
infrastructure for secure and compliant business processes
ABAP Development
Security and Identity ManagementApplication Life-cycle Management
Java Development
Application Foundation
SAP NetWeaver Technology Capabilities
Security and Identity Management
copy 2010 SAP AG All rights reserved Page 10
Single Sign-On Within the Enterprise
SAP NetWeaver Portal
SAP applications3rd Party
applications
SAML 11
PKI-based
authentication
(X509 certificates)
SP Nego (Kerberos)
Header variables
SAP Logon Tickets
Identity Federation
SAML 20
JAAS Login Module
Single Sign-On
Options
SS
O
6
copy 2010 SAP AG All rights reserved Page 11
Secure User Access Web User Authentication
and Single Sign-On to SAP Applications
1 Requires Portal or AS Java
2 IDP capability available with SAP NetWeaver Identity Management 71
SP capability available with SAP Business Suite 702e SAP NetWeaver CE 72 and AS Java 72 Web applications
SA
P N
etW
eaver
Ap
pli
cati
on
s
Anonymous access Named anonymous users with SAP NetWeaver Portal
Interactive user
authentication SAP user ID password
PKI-based
authentication
X509 client certificatesndash Rule based client authentication 1
ndash Certificate filtering 1
ndash Automated certificate mapping 1
ndash CRL support 1
External
authentication
SPNego 1
ndash user authentication against a Kerberos infrastructure
Header variables 1
SSO via trusted
application system
SSO Logon ticketsndash Principal solution for SSO in SAP landscapes
SAML 11 Browser Artifact 1
ndash Interoperable SSO from trusted non-SAP token issuers
Identity Federation
interoperable SSO
and Single Log-out
SAML 2 2
ndash Identity Provider (IDP) for centralized user authentication and
SAML 2 SSO token issuing authority
ndash Service Provider (SP) for accepting SAML 2 SSO token to grant
user access to Web enabled content
Custom
authentication
JAAS Login Module 1
ndash Standardized extensions to out-of-the-box authentication
mechanisms
Web
Bro
wser
copy 2010 SAP AG All rights reserved Page 12
Single Sign-On Strategy
SAP NetWeaver
Portal
SAML 11
PKI-based
authentication
(X509 certificates)
SP Nego (Kerberos)
Header variables
SAP Logon Tickets
Identity Federation
SAML 20
JAAS Login Module
Single Sign-On
Options
SAML 2 Identity
Provider (IDP) amp
Security Token
Service (STS)
NET
SS
O
Non-
SAP
7
copy 2010 SAP AG All rights reserved Page 13
Cross-Domain Single Sign-On
SAP NetWeaver Portal
SA
ML
Identity
Provider (IDP)
SA
ML
Company A
SAP NetWeaver PortalS
AM
L
Identity
Provider (IDP)
Lo
go
n
Tic
ke
t
Business Partner
SAML
copy 2010 SAP AG All rights reserved Page 14
Secure Collaboration Support for Web User
SSO and Identity Federation
Trust
Relationship
SAP applications3rd Party
applications
SSO
Federation
SSO
Federation
SAP NetWeaver Identity
Management
with SAML 2 Identity Provider (IDP) and
Security Token Service (STS)
Standardized SAML 2 SSO and Single Log-out
Shared infrastructure in user interactive and
service applications on the Web
identity management
trust management
Efficient user productivity enablement of secure
cross-business scenarios
Application Service Providers
(SPs)
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
8
copy 2010 SAP AG All rights reserved Page 15
Message-Level and Transport-Level Security
Intermediary
Business Server Business Server
Transport level security is not sufficient
Standardization related to transport level security is in progress
SAML
WS-Security
Point-to-Point
Security
Message Security
copy 2010 SAP AG All rights reserved Page 16
Secure Network Topology
On-Premise Solutions
Outer DMZ Inner DMZ
Firewall
End User Backend Networks
Application
server farm
R3
R3
Application
server farm
ERP
ERP
DIR
Application
Gateways
Pre-scan user
request for validity
and known exploits
Preprocessing and
validation of user
input and output
Process business logic or
Web service request
WebAS Portal
or other
Web service
Firewall Firewall
9
copy 2010 SAP AG All rights reserved Page 17
Secure Communication and Interaction
On-Demand Solutions
Backend Networks
Company B
R3
R3
Application
server farm
ERP
ERP
DIR
Backend Networks
Company A
R3
R3
Application
server farm
ERP
ERP
DIR
On-
Demand
On-
Demand
Company A
Identity
Provider
Company B
Identity
Provider
On-
Demand
SAML SAML
SAML SAML
SAP
Logon
Tickets
SAP
Logon
Tickets
SAML
copy 2010 SAP AG All rights reserved Page 18
Monitoring and Auditing in
ABAP- and Java-Based SAP Solutions
Configuration and
results of Security
Audit Log in ABAP
Transactions
SM 18 SM19 SM20
Results of Log
Viewer in Java
10
copy 2010 SAP AG All rights reserved Page 19
Monitoring and Auditing
The SAP Audit Information System (AIS)
Audit planning
Work program
- System audit
- Business audit
Exp
ort
in
terf
ace
Online controls on
the SAP database
System information
Reconciliation
BS PampL
Account balances
Documents
Data export
Account balances
Line items
Non-SAP Environment SAP Environment
Work
paper
prep
Report
Analysis software
( ACL IDEA hellip )
Reporting software
Line items
Balances
Accounts
Customers
Vendors
Assets
Material
Orders
Invoices
hellip
copy 2010 SAP AG All rights reserved Page 20
Monitoring and Auditing The SAP Audit
Information System (AIS)
The Audit Information
System facilitates smoother
and better quality audits
It consists of a number of
single roles and is a
- Collection
- Structure and
- Default setup
of SAP standard programs
The AIS is the Toolbox
of the auditor
in SAP environment
11
copy 2010 SAP AG All rights reserved Page 21
SAP Security Monitor Logging Solution
Functional Overview
The SAP Security Monitor Logging Solution
provides logging of all data a user views in an
SAP application
Captured data includes
All inputoutput fields
Field labels titles headings
Tables trees lists
etc
Implicitly also database access operations are
logged
Search and retrieval
Storing and updating
Logging is fully transparent to the user The
application behavior and performance is not
affected For an end-user a solution appears
identical whether logging is enabled or not
copy 2010 SAP AG All rights reserved Page 22
SAP Security Monitor Logging Solution
Architecture Overview
SAP UI RepositorySAP Backend System
Dynpro Processor
Control Framework
Request
Response
Database layer
Legend Logging functionality
Observed
data traffic
Temporary Log
(Asynchronous)
Call of
log service
Log Storage
Straightforward high-performance solution tailored to SAP applications
Server-side logging - log entry is written with each client-server roundtrip
Log records are written to provided log service
Modification
Development
12
copy 2010 SAP AG All rights reserved Page 23
Data Encryption Using
Secure Store and Forward (SSF)
Credit card data
encrypted in
database
Application
Decryption
Authorized
administrator
Data is
displayed
unencrypted
SSF
API
PCI-DSS-compliant encryption
Use of SAP Cryptographic Library
Available as of release 46 C
copy 2010 SAP AG All rights reserved Page 24
The SAP Authorization Concept
hellip how to
create
users in a
systemhellipwho may
execute which
actions
especially
how to
The SAP authorization concept
defines rules on
hellip restrict
display and
change of data
depending
on user roles
This enhances
the security of
the system
hellip show
users only those
actions which are
relevant for their
roles
This simplifies
system usage
13
copy 2010 SAP AG All rights reserved Page 25
The SAP Authorization Concept
copy 2010 SAP AG All rights reserved Page 26
Sammelrolle
RolleRole
Composite role
Felder
Werte
Authorization object
Berechtigung
Profil
Fields
Values
Authorization
Profile
User
Rolle
Data Model
Felder
Werte
Authorization object
Berechtigungsdaten
Assignment
Generation
Authorization data
Fields
Values
RoleSammelprofil
Sammel-
profil
Profil
Composite
Profile
Profile
Composite profile
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
3
copy 2010 SAP AG All rights reserved Page 5
Security Features Offerings and Services
SAP
Security
Software Security
Assurance and Quality
Internal and External Security Assessments
Security Response Process
Security Product Standard and Validation
Security
Functionality
SAP NetWeaver Identity
Management
Web Services Security
Single Sign-On
Compliance
Security Services and
Information
Best practices and security
configuration guides on SDN
Documentation in the SAP
Online Help
Security Optimization Service
copy 2010 SAP AG All rights reserved Page 6
The SAP Ecosystem Advantage
Strong Security Partner Network
The SAP ecosystem responds to a growing need for a more collaborative business
approach ndash an approach designed specifically to deliver unparalleled customer value
The SAP ecosystem puts customers in the center of a dynamic universe that includes SAP
other customers partners and individuals
For security and identity management SAP collaborates with numerous partners offering
specialized solutions and services to fulfill even the most specific requirements of SAP
customers Software partners include
4
copy 2010 SAP AG All rights reserved Page 7
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 8
SAP NetWeaver Technology Capabilities
Service Bus Based IntegrationRepository Based Modeling and Design
Service-enabledApplications
SAP Business Suite 7 Customer amp PartnerApplications
OrderMgmt
Non SAP ampLegacy
TechnologyCapabilities
Heterogeneous Landscapes
ABAP Development
Security and Identity ManagementApplication Life-cycle Management
Java Development
Portal amp Collaboration Search
Content Management
Business Intelligence
Information
Composition
Service Composition
User Interface Composition
Mobile User Interface Technology
Application Foundation
Process Integration for networked applications
Data Management
User Productivity
Business Process Management
Information Management
Composition
Bu
sin
ess C
on
te
nt
Master Data Management
Data Management And Integration
Business Process Monitoring
Human Interaction Management
Business Process Modeling
Business Rules Management
5
copy 2010 SAP AG All rights reserved Page 9
Service-enabledApplications
SAP Business Suite 7 Customer amp PartnerApplications
OrderMgmt
Non SAP ampLegacy
Service Bus Based IntegrationRepository Based Modeling and Design
TechnologyCapabilities
Master Data Management
Data Management And Integration
Portal amp Collaboration Search
Information Composition
Service Composition
SOA Management
Content Management
Business Intelligence
User Interface Composition
Mobile User Interface Technology
Data Management
User Productivity
Business Process ManagementComposition
Integration (Service Oriented Architecture (SOA) Middleware)
Business C
ontent
Information Management
Business Process Monitoring
Human Interaction Management
Business Process Modeling
Business Rules Management
Security
Ensure integrated and easy to configure
SECURITY FRAMEWORK
Enhance security and reduce TCO via
standards based SINGLE SIGN-ON amp
IDENTITY FEDERATION
MANAGE IDENTITIES across processes to lower costs and security risks
Enable a common security concept via
STANDARDIZED SECURITY services
Efficient and comprehensive feature set to
configure administrate and run SECURE
BUSINESS PROCESSES
SAP NetWeaver provides a comprehensive and efficient security
infrastructure for secure and compliant business processes
ABAP Development
Security and Identity ManagementApplication Life-cycle Management
Java Development
Application Foundation
SAP NetWeaver Technology Capabilities
Security and Identity Management
copy 2010 SAP AG All rights reserved Page 10
Single Sign-On Within the Enterprise
SAP NetWeaver Portal
SAP applications3rd Party
applications
SAML 11
PKI-based
authentication
(X509 certificates)
SP Nego (Kerberos)
Header variables
SAP Logon Tickets
Identity Federation
SAML 20
JAAS Login Module
Single Sign-On
Options
SS
O
6
copy 2010 SAP AG All rights reserved Page 11
Secure User Access Web User Authentication
and Single Sign-On to SAP Applications
1 Requires Portal or AS Java
2 IDP capability available with SAP NetWeaver Identity Management 71
SP capability available with SAP Business Suite 702e SAP NetWeaver CE 72 and AS Java 72 Web applications
SA
P N
etW
eaver
Ap
pli
cati
on
s
Anonymous access Named anonymous users with SAP NetWeaver Portal
Interactive user
authentication SAP user ID password
PKI-based
authentication
X509 client certificatesndash Rule based client authentication 1
ndash Certificate filtering 1
ndash Automated certificate mapping 1
ndash CRL support 1
External
authentication
SPNego 1
ndash user authentication against a Kerberos infrastructure
Header variables 1
SSO via trusted
application system
SSO Logon ticketsndash Principal solution for SSO in SAP landscapes
SAML 11 Browser Artifact 1
ndash Interoperable SSO from trusted non-SAP token issuers
Identity Federation
interoperable SSO
and Single Log-out
SAML 2 2
ndash Identity Provider (IDP) for centralized user authentication and
SAML 2 SSO token issuing authority
ndash Service Provider (SP) for accepting SAML 2 SSO token to grant
user access to Web enabled content
Custom
authentication
JAAS Login Module 1
ndash Standardized extensions to out-of-the-box authentication
mechanisms
Web
Bro
wser
copy 2010 SAP AG All rights reserved Page 12
Single Sign-On Strategy
SAP NetWeaver
Portal
SAML 11
PKI-based
authentication
(X509 certificates)
SP Nego (Kerberos)
Header variables
SAP Logon Tickets
Identity Federation
SAML 20
JAAS Login Module
Single Sign-On
Options
SAML 2 Identity
Provider (IDP) amp
Security Token
Service (STS)
NET
SS
O
Non-
SAP
7
copy 2010 SAP AG All rights reserved Page 13
Cross-Domain Single Sign-On
SAP NetWeaver Portal
SA
ML
Identity
Provider (IDP)
SA
ML
Company A
SAP NetWeaver PortalS
AM
L
Identity
Provider (IDP)
Lo
go
n
Tic
ke
t
Business Partner
SAML
copy 2010 SAP AG All rights reserved Page 14
Secure Collaboration Support for Web User
SSO and Identity Federation
Trust
Relationship
SAP applications3rd Party
applications
SSO
Federation
SSO
Federation
SAP NetWeaver Identity
Management
with SAML 2 Identity Provider (IDP) and
Security Token Service (STS)
Standardized SAML 2 SSO and Single Log-out
Shared infrastructure in user interactive and
service applications on the Web
identity management
trust management
Efficient user productivity enablement of secure
cross-business scenarios
Application Service Providers
(SPs)
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
8
copy 2010 SAP AG All rights reserved Page 15
Message-Level and Transport-Level Security
Intermediary
Business Server Business Server
Transport level security is not sufficient
Standardization related to transport level security is in progress
SAML
WS-Security
Point-to-Point
Security
Message Security
copy 2010 SAP AG All rights reserved Page 16
Secure Network Topology
On-Premise Solutions
Outer DMZ Inner DMZ
Firewall
End User Backend Networks
Application
server farm
R3
R3
Application
server farm
ERP
ERP
DIR
Application
Gateways
Pre-scan user
request for validity
and known exploits
Preprocessing and
validation of user
input and output
Process business logic or
Web service request
WebAS Portal
or other
Web service
Firewall Firewall
9
copy 2010 SAP AG All rights reserved Page 17
Secure Communication and Interaction
On-Demand Solutions
Backend Networks
Company B
R3
R3
Application
server farm
ERP
ERP
DIR
Backend Networks
Company A
R3
R3
Application
server farm
ERP
ERP
DIR
On-
Demand
On-
Demand
Company A
Identity
Provider
Company B
Identity
Provider
On-
Demand
SAML SAML
SAML SAML
SAP
Logon
Tickets
SAP
Logon
Tickets
SAML
copy 2010 SAP AG All rights reserved Page 18
Monitoring and Auditing in
ABAP- and Java-Based SAP Solutions
Configuration and
results of Security
Audit Log in ABAP
Transactions
SM 18 SM19 SM20
Results of Log
Viewer in Java
10
copy 2010 SAP AG All rights reserved Page 19
Monitoring and Auditing
The SAP Audit Information System (AIS)
Audit planning
Work program
- System audit
- Business audit
Exp
ort
in
terf
ace
Online controls on
the SAP database
System information
Reconciliation
BS PampL
Account balances
Documents
Data export
Account balances
Line items
Non-SAP Environment SAP Environment
Work
paper
prep
Report
Analysis software
( ACL IDEA hellip )
Reporting software
Line items
Balances
Accounts
Customers
Vendors
Assets
Material
Orders
Invoices
hellip
copy 2010 SAP AG All rights reserved Page 20
Monitoring and Auditing The SAP Audit
Information System (AIS)
The Audit Information
System facilitates smoother
and better quality audits
It consists of a number of
single roles and is a
- Collection
- Structure and
- Default setup
of SAP standard programs
The AIS is the Toolbox
of the auditor
in SAP environment
11
copy 2010 SAP AG All rights reserved Page 21
SAP Security Monitor Logging Solution
Functional Overview
The SAP Security Monitor Logging Solution
provides logging of all data a user views in an
SAP application
Captured data includes
All inputoutput fields
Field labels titles headings
Tables trees lists
etc
Implicitly also database access operations are
logged
Search and retrieval
Storing and updating
Logging is fully transparent to the user The
application behavior and performance is not
affected For an end-user a solution appears
identical whether logging is enabled or not
copy 2010 SAP AG All rights reserved Page 22
SAP Security Monitor Logging Solution
Architecture Overview
SAP UI RepositorySAP Backend System
Dynpro Processor
Control Framework
Request
Response
Database layer
Legend Logging functionality
Observed
data traffic
Temporary Log
(Asynchronous)
Call of
log service
Log Storage
Straightforward high-performance solution tailored to SAP applications
Server-side logging - log entry is written with each client-server roundtrip
Log records are written to provided log service
Modification
Development
12
copy 2010 SAP AG All rights reserved Page 23
Data Encryption Using
Secure Store and Forward (SSF)
Credit card data
encrypted in
database
Application
Decryption
Authorized
administrator
Data is
displayed
unencrypted
SSF
API
PCI-DSS-compliant encryption
Use of SAP Cryptographic Library
Available as of release 46 C
copy 2010 SAP AG All rights reserved Page 24
The SAP Authorization Concept
hellip how to
create
users in a
systemhellipwho may
execute which
actions
especially
how to
The SAP authorization concept
defines rules on
hellip restrict
display and
change of data
depending
on user roles
This enhances
the security of
the system
hellip show
users only those
actions which are
relevant for their
roles
This simplifies
system usage
13
copy 2010 SAP AG All rights reserved Page 25
The SAP Authorization Concept
copy 2010 SAP AG All rights reserved Page 26
Sammelrolle
RolleRole
Composite role
Felder
Werte
Authorization object
Berechtigung
Profil
Fields
Values
Authorization
Profile
User
Rolle
Data Model
Felder
Werte
Authorization object
Berechtigungsdaten
Assignment
Generation
Authorization data
Fields
Values
RoleSammelprofil
Sammel-
profil
Profil
Composite
Profile
Profile
Composite profile
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
4
copy 2010 SAP AG All rights reserved Page 7
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 8
SAP NetWeaver Technology Capabilities
Service Bus Based IntegrationRepository Based Modeling and Design
Service-enabledApplications
SAP Business Suite 7 Customer amp PartnerApplications
OrderMgmt
Non SAP ampLegacy
TechnologyCapabilities
Heterogeneous Landscapes
ABAP Development
Security and Identity ManagementApplication Life-cycle Management
Java Development
Portal amp Collaboration Search
Content Management
Business Intelligence
Information
Composition
Service Composition
User Interface Composition
Mobile User Interface Technology
Application Foundation
Process Integration for networked applications
Data Management
User Productivity
Business Process Management
Information Management
Composition
Bu
sin
ess C
on
te
nt
Master Data Management
Data Management And Integration
Business Process Monitoring
Human Interaction Management
Business Process Modeling
Business Rules Management
5
copy 2010 SAP AG All rights reserved Page 9
Service-enabledApplications
SAP Business Suite 7 Customer amp PartnerApplications
OrderMgmt
Non SAP ampLegacy
Service Bus Based IntegrationRepository Based Modeling and Design
TechnologyCapabilities
Master Data Management
Data Management And Integration
Portal amp Collaboration Search
Information Composition
Service Composition
SOA Management
Content Management
Business Intelligence
User Interface Composition
Mobile User Interface Technology
Data Management
User Productivity
Business Process ManagementComposition
Integration (Service Oriented Architecture (SOA) Middleware)
Business C
ontent
Information Management
Business Process Monitoring
Human Interaction Management
Business Process Modeling
Business Rules Management
Security
Ensure integrated and easy to configure
SECURITY FRAMEWORK
Enhance security and reduce TCO via
standards based SINGLE SIGN-ON amp
IDENTITY FEDERATION
MANAGE IDENTITIES across processes to lower costs and security risks
Enable a common security concept via
STANDARDIZED SECURITY services
Efficient and comprehensive feature set to
configure administrate and run SECURE
BUSINESS PROCESSES
SAP NetWeaver provides a comprehensive and efficient security
infrastructure for secure and compliant business processes
ABAP Development
Security and Identity ManagementApplication Life-cycle Management
Java Development
Application Foundation
SAP NetWeaver Technology Capabilities
Security and Identity Management
copy 2010 SAP AG All rights reserved Page 10
Single Sign-On Within the Enterprise
SAP NetWeaver Portal
SAP applications3rd Party
applications
SAML 11
PKI-based
authentication
(X509 certificates)
SP Nego (Kerberos)
Header variables
SAP Logon Tickets
Identity Federation
SAML 20
JAAS Login Module
Single Sign-On
Options
SS
O
6
copy 2010 SAP AG All rights reserved Page 11
Secure User Access Web User Authentication
and Single Sign-On to SAP Applications
1 Requires Portal or AS Java
2 IDP capability available with SAP NetWeaver Identity Management 71
SP capability available with SAP Business Suite 702e SAP NetWeaver CE 72 and AS Java 72 Web applications
SA
P N
etW
eaver
Ap
pli
cati
on
s
Anonymous access Named anonymous users with SAP NetWeaver Portal
Interactive user
authentication SAP user ID password
PKI-based
authentication
X509 client certificatesndash Rule based client authentication 1
ndash Certificate filtering 1
ndash Automated certificate mapping 1
ndash CRL support 1
External
authentication
SPNego 1
ndash user authentication against a Kerberos infrastructure
Header variables 1
SSO via trusted
application system
SSO Logon ticketsndash Principal solution for SSO in SAP landscapes
SAML 11 Browser Artifact 1
ndash Interoperable SSO from trusted non-SAP token issuers
Identity Federation
interoperable SSO
and Single Log-out
SAML 2 2
ndash Identity Provider (IDP) for centralized user authentication and
SAML 2 SSO token issuing authority
ndash Service Provider (SP) for accepting SAML 2 SSO token to grant
user access to Web enabled content
Custom
authentication
JAAS Login Module 1
ndash Standardized extensions to out-of-the-box authentication
mechanisms
Web
Bro
wser
copy 2010 SAP AG All rights reserved Page 12
Single Sign-On Strategy
SAP NetWeaver
Portal
SAML 11
PKI-based
authentication
(X509 certificates)
SP Nego (Kerberos)
Header variables
SAP Logon Tickets
Identity Federation
SAML 20
JAAS Login Module
Single Sign-On
Options
SAML 2 Identity
Provider (IDP) amp
Security Token
Service (STS)
NET
SS
O
Non-
SAP
7
copy 2010 SAP AG All rights reserved Page 13
Cross-Domain Single Sign-On
SAP NetWeaver Portal
SA
ML
Identity
Provider (IDP)
SA
ML
Company A
SAP NetWeaver PortalS
AM
L
Identity
Provider (IDP)
Lo
go
n
Tic
ke
t
Business Partner
SAML
copy 2010 SAP AG All rights reserved Page 14
Secure Collaboration Support for Web User
SSO and Identity Federation
Trust
Relationship
SAP applications3rd Party
applications
SSO
Federation
SSO
Federation
SAP NetWeaver Identity
Management
with SAML 2 Identity Provider (IDP) and
Security Token Service (STS)
Standardized SAML 2 SSO and Single Log-out
Shared infrastructure in user interactive and
service applications on the Web
identity management
trust management
Efficient user productivity enablement of secure
cross-business scenarios
Application Service Providers
(SPs)
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
8
copy 2010 SAP AG All rights reserved Page 15
Message-Level and Transport-Level Security
Intermediary
Business Server Business Server
Transport level security is not sufficient
Standardization related to transport level security is in progress
SAML
WS-Security
Point-to-Point
Security
Message Security
copy 2010 SAP AG All rights reserved Page 16
Secure Network Topology
On-Premise Solutions
Outer DMZ Inner DMZ
Firewall
End User Backend Networks
Application
server farm
R3
R3
Application
server farm
ERP
ERP
DIR
Application
Gateways
Pre-scan user
request for validity
and known exploits
Preprocessing and
validation of user
input and output
Process business logic or
Web service request
WebAS Portal
or other
Web service
Firewall Firewall
9
copy 2010 SAP AG All rights reserved Page 17
Secure Communication and Interaction
On-Demand Solutions
Backend Networks
Company B
R3
R3
Application
server farm
ERP
ERP
DIR
Backend Networks
Company A
R3
R3
Application
server farm
ERP
ERP
DIR
On-
Demand
On-
Demand
Company A
Identity
Provider
Company B
Identity
Provider
On-
Demand
SAML SAML
SAML SAML
SAP
Logon
Tickets
SAP
Logon
Tickets
SAML
copy 2010 SAP AG All rights reserved Page 18
Monitoring and Auditing in
ABAP- and Java-Based SAP Solutions
Configuration and
results of Security
Audit Log in ABAP
Transactions
SM 18 SM19 SM20
Results of Log
Viewer in Java
10
copy 2010 SAP AG All rights reserved Page 19
Monitoring and Auditing
The SAP Audit Information System (AIS)
Audit planning
Work program
- System audit
- Business audit
Exp
ort
in
terf
ace
Online controls on
the SAP database
System information
Reconciliation
BS PampL
Account balances
Documents
Data export
Account balances
Line items
Non-SAP Environment SAP Environment
Work
paper
prep
Report
Analysis software
( ACL IDEA hellip )
Reporting software
Line items
Balances
Accounts
Customers
Vendors
Assets
Material
Orders
Invoices
hellip
copy 2010 SAP AG All rights reserved Page 20
Monitoring and Auditing The SAP Audit
Information System (AIS)
The Audit Information
System facilitates smoother
and better quality audits
It consists of a number of
single roles and is a
- Collection
- Structure and
- Default setup
of SAP standard programs
The AIS is the Toolbox
of the auditor
in SAP environment
11
copy 2010 SAP AG All rights reserved Page 21
SAP Security Monitor Logging Solution
Functional Overview
The SAP Security Monitor Logging Solution
provides logging of all data a user views in an
SAP application
Captured data includes
All inputoutput fields
Field labels titles headings
Tables trees lists
etc
Implicitly also database access operations are
logged
Search and retrieval
Storing and updating
Logging is fully transparent to the user The
application behavior and performance is not
affected For an end-user a solution appears
identical whether logging is enabled or not
copy 2010 SAP AG All rights reserved Page 22
SAP Security Monitor Logging Solution
Architecture Overview
SAP UI RepositorySAP Backend System
Dynpro Processor
Control Framework
Request
Response
Database layer
Legend Logging functionality
Observed
data traffic
Temporary Log
(Asynchronous)
Call of
log service
Log Storage
Straightforward high-performance solution tailored to SAP applications
Server-side logging - log entry is written with each client-server roundtrip
Log records are written to provided log service
Modification
Development
12
copy 2010 SAP AG All rights reserved Page 23
Data Encryption Using
Secure Store and Forward (SSF)
Credit card data
encrypted in
database
Application
Decryption
Authorized
administrator
Data is
displayed
unencrypted
SSF
API
PCI-DSS-compliant encryption
Use of SAP Cryptographic Library
Available as of release 46 C
copy 2010 SAP AG All rights reserved Page 24
The SAP Authorization Concept
hellip how to
create
users in a
systemhellipwho may
execute which
actions
especially
how to
The SAP authorization concept
defines rules on
hellip restrict
display and
change of data
depending
on user roles
This enhances
the security of
the system
hellip show
users only those
actions which are
relevant for their
roles
This simplifies
system usage
13
copy 2010 SAP AG All rights reserved Page 25
The SAP Authorization Concept
copy 2010 SAP AG All rights reserved Page 26
Sammelrolle
RolleRole
Composite role
Felder
Werte
Authorization object
Berechtigung
Profil
Fields
Values
Authorization
Profile
User
Rolle
Data Model
Felder
Werte
Authorization object
Berechtigungsdaten
Assignment
Generation
Authorization data
Fields
Values
RoleSammelprofil
Sammel-
profil
Profil
Composite
Profile
Profile
Composite profile
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
5
copy 2010 SAP AG All rights reserved Page 9
Service-enabledApplications
SAP Business Suite 7 Customer amp PartnerApplications
OrderMgmt
Non SAP ampLegacy
Service Bus Based IntegrationRepository Based Modeling and Design
TechnologyCapabilities
Master Data Management
Data Management And Integration
Portal amp Collaboration Search
Information Composition
Service Composition
SOA Management
Content Management
Business Intelligence
User Interface Composition
Mobile User Interface Technology
Data Management
User Productivity
Business Process ManagementComposition
Integration (Service Oriented Architecture (SOA) Middleware)
Business C
ontent
Information Management
Business Process Monitoring
Human Interaction Management
Business Process Modeling
Business Rules Management
Security
Ensure integrated and easy to configure
SECURITY FRAMEWORK
Enhance security and reduce TCO via
standards based SINGLE SIGN-ON amp
IDENTITY FEDERATION
MANAGE IDENTITIES across processes to lower costs and security risks
Enable a common security concept via
STANDARDIZED SECURITY services
Efficient and comprehensive feature set to
configure administrate and run SECURE
BUSINESS PROCESSES
SAP NetWeaver provides a comprehensive and efficient security
infrastructure for secure and compliant business processes
ABAP Development
Security and Identity ManagementApplication Life-cycle Management
Java Development
Application Foundation
SAP NetWeaver Technology Capabilities
Security and Identity Management
copy 2010 SAP AG All rights reserved Page 10
Single Sign-On Within the Enterprise
SAP NetWeaver Portal
SAP applications3rd Party
applications
SAML 11
PKI-based
authentication
(X509 certificates)
SP Nego (Kerberos)
Header variables
SAP Logon Tickets
Identity Federation
SAML 20
JAAS Login Module
Single Sign-On
Options
SS
O
6
copy 2010 SAP AG All rights reserved Page 11
Secure User Access Web User Authentication
and Single Sign-On to SAP Applications
1 Requires Portal or AS Java
2 IDP capability available with SAP NetWeaver Identity Management 71
SP capability available with SAP Business Suite 702e SAP NetWeaver CE 72 and AS Java 72 Web applications
SA
P N
etW
eaver
Ap
pli
cati
on
s
Anonymous access Named anonymous users with SAP NetWeaver Portal
Interactive user
authentication SAP user ID password
PKI-based
authentication
X509 client certificatesndash Rule based client authentication 1
ndash Certificate filtering 1
ndash Automated certificate mapping 1
ndash CRL support 1
External
authentication
SPNego 1
ndash user authentication against a Kerberos infrastructure
Header variables 1
SSO via trusted
application system
SSO Logon ticketsndash Principal solution for SSO in SAP landscapes
SAML 11 Browser Artifact 1
ndash Interoperable SSO from trusted non-SAP token issuers
Identity Federation
interoperable SSO
and Single Log-out
SAML 2 2
ndash Identity Provider (IDP) for centralized user authentication and
SAML 2 SSO token issuing authority
ndash Service Provider (SP) for accepting SAML 2 SSO token to grant
user access to Web enabled content
Custom
authentication
JAAS Login Module 1
ndash Standardized extensions to out-of-the-box authentication
mechanisms
Web
Bro
wser
copy 2010 SAP AG All rights reserved Page 12
Single Sign-On Strategy
SAP NetWeaver
Portal
SAML 11
PKI-based
authentication
(X509 certificates)
SP Nego (Kerberos)
Header variables
SAP Logon Tickets
Identity Federation
SAML 20
JAAS Login Module
Single Sign-On
Options
SAML 2 Identity
Provider (IDP) amp
Security Token
Service (STS)
NET
SS
O
Non-
SAP
7
copy 2010 SAP AG All rights reserved Page 13
Cross-Domain Single Sign-On
SAP NetWeaver Portal
SA
ML
Identity
Provider (IDP)
SA
ML
Company A
SAP NetWeaver PortalS
AM
L
Identity
Provider (IDP)
Lo
go
n
Tic
ke
t
Business Partner
SAML
copy 2010 SAP AG All rights reserved Page 14
Secure Collaboration Support for Web User
SSO and Identity Federation
Trust
Relationship
SAP applications3rd Party
applications
SSO
Federation
SSO
Federation
SAP NetWeaver Identity
Management
with SAML 2 Identity Provider (IDP) and
Security Token Service (STS)
Standardized SAML 2 SSO and Single Log-out
Shared infrastructure in user interactive and
service applications on the Web
identity management
trust management
Efficient user productivity enablement of secure
cross-business scenarios
Application Service Providers
(SPs)
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
8
copy 2010 SAP AG All rights reserved Page 15
Message-Level and Transport-Level Security
Intermediary
Business Server Business Server
Transport level security is not sufficient
Standardization related to transport level security is in progress
SAML
WS-Security
Point-to-Point
Security
Message Security
copy 2010 SAP AG All rights reserved Page 16
Secure Network Topology
On-Premise Solutions
Outer DMZ Inner DMZ
Firewall
End User Backend Networks
Application
server farm
R3
R3
Application
server farm
ERP
ERP
DIR
Application
Gateways
Pre-scan user
request for validity
and known exploits
Preprocessing and
validation of user
input and output
Process business logic or
Web service request
WebAS Portal
or other
Web service
Firewall Firewall
9
copy 2010 SAP AG All rights reserved Page 17
Secure Communication and Interaction
On-Demand Solutions
Backend Networks
Company B
R3
R3
Application
server farm
ERP
ERP
DIR
Backend Networks
Company A
R3
R3
Application
server farm
ERP
ERP
DIR
On-
Demand
On-
Demand
Company A
Identity
Provider
Company B
Identity
Provider
On-
Demand
SAML SAML
SAML SAML
SAP
Logon
Tickets
SAP
Logon
Tickets
SAML
copy 2010 SAP AG All rights reserved Page 18
Monitoring and Auditing in
ABAP- and Java-Based SAP Solutions
Configuration and
results of Security
Audit Log in ABAP
Transactions
SM 18 SM19 SM20
Results of Log
Viewer in Java
10
copy 2010 SAP AG All rights reserved Page 19
Monitoring and Auditing
The SAP Audit Information System (AIS)
Audit planning
Work program
- System audit
- Business audit
Exp
ort
in
terf
ace
Online controls on
the SAP database
System information
Reconciliation
BS PampL
Account balances
Documents
Data export
Account balances
Line items
Non-SAP Environment SAP Environment
Work
paper
prep
Report
Analysis software
( ACL IDEA hellip )
Reporting software
Line items
Balances
Accounts
Customers
Vendors
Assets
Material
Orders
Invoices
hellip
copy 2010 SAP AG All rights reserved Page 20
Monitoring and Auditing The SAP Audit
Information System (AIS)
The Audit Information
System facilitates smoother
and better quality audits
It consists of a number of
single roles and is a
- Collection
- Structure and
- Default setup
of SAP standard programs
The AIS is the Toolbox
of the auditor
in SAP environment
11
copy 2010 SAP AG All rights reserved Page 21
SAP Security Monitor Logging Solution
Functional Overview
The SAP Security Monitor Logging Solution
provides logging of all data a user views in an
SAP application
Captured data includes
All inputoutput fields
Field labels titles headings
Tables trees lists
etc
Implicitly also database access operations are
logged
Search and retrieval
Storing and updating
Logging is fully transparent to the user The
application behavior and performance is not
affected For an end-user a solution appears
identical whether logging is enabled or not
copy 2010 SAP AG All rights reserved Page 22
SAP Security Monitor Logging Solution
Architecture Overview
SAP UI RepositorySAP Backend System
Dynpro Processor
Control Framework
Request
Response
Database layer
Legend Logging functionality
Observed
data traffic
Temporary Log
(Asynchronous)
Call of
log service
Log Storage
Straightforward high-performance solution tailored to SAP applications
Server-side logging - log entry is written with each client-server roundtrip
Log records are written to provided log service
Modification
Development
12
copy 2010 SAP AG All rights reserved Page 23
Data Encryption Using
Secure Store and Forward (SSF)
Credit card data
encrypted in
database
Application
Decryption
Authorized
administrator
Data is
displayed
unencrypted
SSF
API
PCI-DSS-compliant encryption
Use of SAP Cryptographic Library
Available as of release 46 C
copy 2010 SAP AG All rights reserved Page 24
The SAP Authorization Concept
hellip how to
create
users in a
systemhellipwho may
execute which
actions
especially
how to
The SAP authorization concept
defines rules on
hellip restrict
display and
change of data
depending
on user roles
This enhances
the security of
the system
hellip show
users only those
actions which are
relevant for their
roles
This simplifies
system usage
13
copy 2010 SAP AG All rights reserved Page 25
The SAP Authorization Concept
copy 2010 SAP AG All rights reserved Page 26
Sammelrolle
RolleRole
Composite role
Felder
Werte
Authorization object
Berechtigung
Profil
Fields
Values
Authorization
Profile
User
Rolle
Data Model
Felder
Werte
Authorization object
Berechtigungsdaten
Assignment
Generation
Authorization data
Fields
Values
RoleSammelprofil
Sammel-
profil
Profil
Composite
Profile
Profile
Composite profile
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
6
copy 2010 SAP AG All rights reserved Page 11
Secure User Access Web User Authentication
and Single Sign-On to SAP Applications
1 Requires Portal or AS Java
2 IDP capability available with SAP NetWeaver Identity Management 71
SP capability available with SAP Business Suite 702e SAP NetWeaver CE 72 and AS Java 72 Web applications
SA
P N
etW
eaver
Ap
pli
cati
on
s
Anonymous access Named anonymous users with SAP NetWeaver Portal
Interactive user
authentication SAP user ID password
PKI-based
authentication
X509 client certificatesndash Rule based client authentication 1
ndash Certificate filtering 1
ndash Automated certificate mapping 1
ndash CRL support 1
External
authentication
SPNego 1
ndash user authentication against a Kerberos infrastructure
Header variables 1
SSO via trusted
application system
SSO Logon ticketsndash Principal solution for SSO in SAP landscapes
SAML 11 Browser Artifact 1
ndash Interoperable SSO from trusted non-SAP token issuers
Identity Federation
interoperable SSO
and Single Log-out
SAML 2 2
ndash Identity Provider (IDP) for centralized user authentication and
SAML 2 SSO token issuing authority
ndash Service Provider (SP) for accepting SAML 2 SSO token to grant
user access to Web enabled content
Custom
authentication
JAAS Login Module 1
ndash Standardized extensions to out-of-the-box authentication
mechanisms
Web
Bro
wser
copy 2010 SAP AG All rights reserved Page 12
Single Sign-On Strategy
SAP NetWeaver
Portal
SAML 11
PKI-based
authentication
(X509 certificates)
SP Nego (Kerberos)
Header variables
SAP Logon Tickets
Identity Federation
SAML 20
JAAS Login Module
Single Sign-On
Options
SAML 2 Identity
Provider (IDP) amp
Security Token
Service (STS)
NET
SS
O
Non-
SAP
7
copy 2010 SAP AG All rights reserved Page 13
Cross-Domain Single Sign-On
SAP NetWeaver Portal
SA
ML
Identity
Provider (IDP)
SA
ML
Company A
SAP NetWeaver PortalS
AM
L
Identity
Provider (IDP)
Lo
go
n
Tic
ke
t
Business Partner
SAML
copy 2010 SAP AG All rights reserved Page 14
Secure Collaboration Support for Web User
SSO and Identity Federation
Trust
Relationship
SAP applications3rd Party
applications
SSO
Federation
SSO
Federation
SAP NetWeaver Identity
Management
with SAML 2 Identity Provider (IDP) and
Security Token Service (STS)
Standardized SAML 2 SSO and Single Log-out
Shared infrastructure in user interactive and
service applications on the Web
identity management
trust management
Efficient user productivity enablement of secure
cross-business scenarios
Application Service Providers
(SPs)
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
8
copy 2010 SAP AG All rights reserved Page 15
Message-Level and Transport-Level Security
Intermediary
Business Server Business Server
Transport level security is not sufficient
Standardization related to transport level security is in progress
SAML
WS-Security
Point-to-Point
Security
Message Security
copy 2010 SAP AG All rights reserved Page 16
Secure Network Topology
On-Premise Solutions
Outer DMZ Inner DMZ
Firewall
End User Backend Networks
Application
server farm
R3
R3
Application
server farm
ERP
ERP
DIR
Application
Gateways
Pre-scan user
request for validity
and known exploits
Preprocessing and
validation of user
input and output
Process business logic or
Web service request
WebAS Portal
or other
Web service
Firewall Firewall
9
copy 2010 SAP AG All rights reserved Page 17
Secure Communication and Interaction
On-Demand Solutions
Backend Networks
Company B
R3
R3
Application
server farm
ERP
ERP
DIR
Backend Networks
Company A
R3
R3
Application
server farm
ERP
ERP
DIR
On-
Demand
On-
Demand
Company A
Identity
Provider
Company B
Identity
Provider
On-
Demand
SAML SAML
SAML SAML
SAP
Logon
Tickets
SAP
Logon
Tickets
SAML
copy 2010 SAP AG All rights reserved Page 18
Monitoring and Auditing in
ABAP- and Java-Based SAP Solutions
Configuration and
results of Security
Audit Log in ABAP
Transactions
SM 18 SM19 SM20
Results of Log
Viewer in Java
10
copy 2010 SAP AG All rights reserved Page 19
Monitoring and Auditing
The SAP Audit Information System (AIS)
Audit planning
Work program
- System audit
- Business audit
Exp
ort
in
terf
ace
Online controls on
the SAP database
System information
Reconciliation
BS PampL
Account balances
Documents
Data export
Account balances
Line items
Non-SAP Environment SAP Environment
Work
paper
prep
Report
Analysis software
( ACL IDEA hellip )
Reporting software
Line items
Balances
Accounts
Customers
Vendors
Assets
Material
Orders
Invoices
hellip
copy 2010 SAP AG All rights reserved Page 20
Monitoring and Auditing The SAP Audit
Information System (AIS)
The Audit Information
System facilitates smoother
and better quality audits
It consists of a number of
single roles and is a
- Collection
- Structure and
- Default setup
of SAP standard programs
The AIS is the Toolbox
of the auditor
in SAP environment
11
copy 2010 SAP AG All rights reserved Page 21
SAP Security Monitor Logging Solution
Functional Overview
The SAP Security Monitor Logging Solution
provides logging of all data a user views in an
SAP application
Captured data includes
All inputoutput fields
Field labels titles headings
Tables trees lists
etc
Implicitly also database access operations are
logged
Search and retrieval
Storing and updating
Logging is fully transparent to the user The
application behavior and performance is not
affected For an end-user a solution appears
identical whether logging is enabled or not
copy 2010 SAP AG All rights reserved Page 22
SAP Security Monitor Logging Solution
Architecture Overview
SAP UI RepositorySAP Backend System
Dynpro Processor
Control Framework
Request
Response
Database layer
Legend Logging functionality
Observed
data traffic
Temporary Log
(Asynchronous)
Call of
log service
Log Storage
Straightforward high-performance solution tailored to SAP applications
Server-side logging - log entry is written with each client-server roundtrip
Log records are written to provided log service
Modification
Development
12
copy 2010 SAP AG All rights reserved Page 23
Data Encryption Using
Secure Store and Forward (SSF)
Credit card data
encrypted in
database
Application
Decryption
Authorized
administrator
Data is
displayed
unencrypted
SSF
API
PCI-DSS-compliant encryption
Use of SAP Cryptographic Library
Available as of release 46 C
copy 2010 SAP AG All rights reserved Page 24
The SAP Authorization Concept
hellip how to
create
users in a
systemhellipwho may
execute which
actions
especially
how to
The SAP authorization concept
defines rules on
hellip restrict
display and
change of data
depending
on user roles
This enhances
the security of
the system
hellip show
users only those
actions which are
relevant for their
roles
This simplifies
system usage
13
copy 2010 SAP AG All rights reserved Page 25
The SAP Authorization Concept
copy 2010 SAP AG All rights reserved Page 26
Sammelrolle
RolleRole
Composite role
Felder
Werte
Authorization object
Berechtigung
Profil
Fields
Values
Authorization
Profile
User
Rolle
Data Model
Felder
Werte
Authorization object
Berechtigungsdaten
Assignment
Generation
Authorization data
Fields
Values
RoleSammelprofil
Sammel-
profil
Profil
Composite
Profile
Profile
Composite profile
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
7
copy 2010 SAP AG All rights reserved Page 13
Cross-Domain Single Sign-On
SAP NetWeaver Portal
SA
ML
Identity
Provider (IDP)
SA
ML
Company A
SAP NetWeaver PortalS
AM
L
Identity
Provider (IDP)
Lo
go
n
Tic
ke
t
Business Partner
SAML
copy 2010 SAP AG All rights reserved Page 14
Secure Collaboration Support for Web User
SSO and Identity Federation
Trust
Relationship
SAP applications3rd Party
applications
SSO
Federation
SSO
Federation
SAP NetWeaver Identity
Management
with SAML 2 Identity Provider (IDP) and
Security Token Service (STS)
Standardized SAML 2 SSO and Single Log-out
Shared infrastructure in user interactive and
service applications on the Web
identity management
trust management
Efficient user productivity enablement of secure
cross-business scenarios
Application Service Providers
(SPs)
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
8
copy 2010 SAP AG All rights reserved Page 15
Message-Level and Transport-Level Security
Intermediary
Business Server Business Server
Transport level security is not sufficient
Standardization related to transport level security is in progress
SAML
WS-Security
Point-to-Point
Security
Message Security
copy 2010 SAP AG All rights reserved Page 16
Secure Network Topology
On-Premise Solutions
Outer DMZ Inner DMZ
Firewall
End User Backend Networks
Application
server farm
R3
R3
Application
server farm
ERP
ERP
DIR
Application
Gateways
Pre-scan user
request for validity
and known exploits
Preprocessing and
validation of user
input and output
Process business logic or
Web service request
WebAS Portal
or other
Web service
Firewall Firewall
9
copy 2010 SAP AG All rights reserved Page 17
Secure Communication and Interaction
On-Demand Solutions
Backend Networks
Company B
R3
R3
Application
server farm
ERP
ERP
DIR
Backend Networks
Company A
R3
R3
Application
server farm
ERP
ERP
DIR
On-
Demand
On-
Demand
Company A
Identity
Provider
Company B
Identity
Provider
On-
Demand
SAML SAML
SAML SAML
SAP
Logon
Tickets
SAP
Logon
Tickets
SAML
copy 2010 SAP AG All rights reserved Page 18
Monitoring and Auditing in
ABAP- and Java-Based SAP Solutions
Configuration and
results of Security
Audit Log in ABAP
Transactions
SM 18 SM19 SM20
Results of Log
Viewer in Java
10
copy 2010 SAP AG All rights reserved Page 19
Monitoring and Auditing
The SAP Audit Information System (AIS)
Audit planning
Work program
- System audit
- Business audit
Exp
ort
in
terf
ace
Online controls on
the SAP database
System information
Reconciliation
BS PampL
Account balances
Documents
Data export
Account balances
Line items
Non-SAP Environment SAP Environment
Work
paper
prep
Report
Analysis software
( ACL IDEA hellip )
Reporting software
Line items
Balances
Accounts
Customers
Vendors
Assets
Material
Orders
Invoices
hellip
copy 2010 SAP AG All rights reserved Page 20
Monitoring and Auditing The SAP Audit
Information System (AIS)
The Audit Information
System facilitates smoother
and better quality audits
It consists of a number of
single roles and is a
- Collection
- Structure and
- Default setup
of SAP standard programs
The AIS is the Toolbox
of the auditor
in SAP environment
11
copy 2010 SAP AG All rights reserved Page 21
SAP Security Monitor Logging Solution
Functional Overview
The SAP Security Monitor Logging Solution
provides logging of all data a user views in an
SAP application
Captured data includes
All inputoutput fields
Field labels titles headings
Tables trees lists
etc
Implicitly also database access operations are
logged
Search and retrieval
Storing and updating
Logging is fully transparent to the user The
application behavior and performance is not
affected For an end-user a solution appears
identical whether logging is enabled or not
copy 2010 SAP AG All rights reserved Page 22
SAP Security Monitor Logging Solution
Architecture Overview
SAP UI RepositorySAP Backend System
Dynpro Processor
Control Framework
Request
Response
Database layer
Legend Logging functionality
Observed
data traffic
Temporary Log
(Asynchronous)
Call of
log service
Log Storage
Straightforward high-performance solution tailored to SAP applications
Server-side logging - log entry is written with each client-server roundtrip
Log records are written to provided log service
Modification
Development
12
copy 2010 SAP AG All rights reserved Page 23
Data Encryption Using
Secure Store and Forward (SSF)
Credit card data
encrypted in
database
Application
Decryption
Authorized
administrator
Data is
displayed
unencrypted
SSF
API
PCI-DSS-compliant encryption
Use of SAP Cryptographic Library
Available as of release 46 C
copy 2010 SAP AG All rights reserved Page 24
The SAP Authorization Concept
hellip how to
create
users in a
systemhellipwho may
execute which
actions
especially
how to
The SAP authorization concept
defines rules on
hellip restrict
display and
change of data
depending
on user roles
This enhances
the security of
the system
hellip show
users only those
actions which are
relevant for their
roles
This simplifies
system usage
13
copy 2010 SAP AG All rights reserved Page 25
The SAP Authorization Concept
copy 2010 SAP AG All rights reserved Page 26
Sammelrolle
RolleRole
Composite role
Felder
Werte
Authorization object
Berechtigung
Profil
Fields
Values
Authorization
Profile
User
Rolle
Data Model
Felder
Werte
Authorization object
Berechtigungsdaten
Assignment
Generation
Authorization data
Fields
Values
RoleSammelprofil
Sammel-
profil
Profil
Composite
Profile
Profile
Composite profile
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
8
copy 2010 SAP AG All rights reserved Page 15
Message-Level and Transport-Level Security
Intermediary
Business Server Business Server
Transport level security is not sufficient
Standardization related to transport level security is in progress
SAML
WS-Security
Point-to-Point
Security
Message Security
copy 2010 SAP AG All rights reserved Page 16
Secure Network Topology
On-Premise Solutions
Outer DMZ Inner DMZ
Firewall
End User Backend Networks
Application
server farm
R3
R3
Application
server farm
ERP
ERP
DIR
Application
Gateways
Pre-scan user
request for validity
and known exploits
Preprocessing and
validation of user
input and output
Process business logic or
Web service request
WebAS Portal
or other
Web service
Firewall Firewall
9
copy 2010 SAP AG All rights reserved Page 17
Secure Communication and Interaction
On-Demand Solutions
Backend Networks
Company B
R3
R3
Application
server farm
ERP
ERP
DIR
Backend Networks
Company A
R3
R3
Application
server farm
ERP
ERP
DIR
On-
Demand
On-
Demand
Company A
Identity
Provider
Company B
Identity
Provider
On-
Demand
SAML SAML
SAML SAML
SAP
Logon
Tickets
SAP
Logon
Tickets
SAML
copy 2010 SAP AG All rights reserved Page 18
Monitoring and Auditing in
ABAP- and Java-Based SAP Solutions
Configuration and
results of Security
Audit Log in ABAP
Transactions
SM 18 SM19 SM20
Results of Log
Viewer in Java
10
copy 2010 SAP AG All rights reserved Page 19
Monitoring and Auditing
The SAP Audit Information System (AIS)
Audit planning
Work program
- System audit
- Business audit
Exp
ort
in
terf
ace
Online controls on
the SAP database
System information
Reconciliation
BS PampL
Account balances
Documents
Data export
Account balances
Line items
Non-SAP Environment SAP Environment
Work
paper
prep
Report
Analysis software
( ACL IDEA hellip )
Reporting software
Line items
Balances
Accounts
Customers
Vendors
Assets
Material
Orders
Invoices
hellip
copy 2010 SAP AG All rights reserved Page 20
Monitoring and Auditing The SAP Audit
Information System (AIS)
The Audit Information
System facilitates smoother
and better quality audits
It consists of a number of
single roles and is a
- Collection
- Structure and
- Default setup
of SAP standard programs
The AIS is the Toolbox
of the auditor
in SAP environment
11
copy 2010 SAP AG All rights reserved Page 21
SAP Security Monitor Logging Solution
Functional Overview
The SAP Security Monitor Logging Solution
provides logging of all data a user views in an
SAP application
Captured data includes
All inputoutput fields
Field labels titles headings
Tables trees lists
etc
Implicitly also database access operations are
logged
Search and retrieval
Storing and updating
Logging is fully transparent to the user The
application behavior and performance is not
affected For an end-user a solution appears
identical whether logging is enabled or not
copy 2010 SAP AG All rights reserved Page 22
SAP Security Monitor Logging Solution
Architecture Overview
SAP UI RepositorySAP Backend System
Dynpro Processor
Control Framework
Request
Response
Database layer
Legend Logging functionality
Observed
data traffic
Temporary Log
(Asynchronous)
Call of
log service
Log Storage
Straightforward high-performance solution tailored to SAP applications
Server-side logging - log entry is written with each client-server roundtrip
Log records are written to provided log service
Modification
Development
12
copy 2010 SAP AG All rights reserved Page 23
Data Encryption Using
Secure Store and Forward (SSF)
Credit card data
encrypted in
database
Application
Decryption
Authorized
administrator
Data is
displayed
unencrypted
SSF
API
PCI-DSS-compliant encryption
Use of SAP Cryptographic Library
Available as of release 46 C
copy 2010 SAP AG All rights reserved Page 24
The SAP Authorization Concept
hellip how to
create
users in a
systemhellipwho may
execute which
actions
especially
how to
The SAP authorization concept
defines rules on
hellip restrict
display and
change of data
depending
on user roles
This enhances
the security of
the system
hellip show
users only those
actions which are
relevant for their
roles
This simplifies
system usage
13
copy 2010 SAP AG All rights reserved Page 25
The SAP Authorization Concept
copy 2010 SAP AG All rights reserved Page 26
Sammelrolle
RolleRole
Composite role
Felder
Werte
Authorization object
Berechtigung
Profil
Fields
Values
Authorization
Profile
User
Rolle
Data Model
Felder
Werte
Authorization object
Berechtigungsdaten
Assignment
Generation
Authorization data
Fields
Values
RoleSammelprofil
Sammel-
profil
Profil
Composite
Profile
Profile
Composite profile
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
9
copy 2010 SAP AG All rights reserved Page 17
Secure Communication and Interaction
On-Demand Solutions
Backend Networks
Company B
R3
R3
Application
server farm
ERP
ERP
DIR
Backend Networks
Company A
R3
R3
Application
server farm
ERP
ERP
DIR
On-
Demand
On-
Demand
Company A
Identity
Provider
Company B
Identity
Provider
On-
Demand
SAML SAML
SAML SAML
SAP
Logon
Tickets
SAP
Logon
Tickets
SAML
copy 2010 SAP AG All rights reserved Page 18
Monitoring and Auditing in
ABAP- and Java-Based SAP Solutions
Configuration and
results of Security
Audit Log in ABAP
Transactions
SM 18 SM19 SM20
Results of Log
Viewer in Java
10
copy 2010 SAP AG All rights reserved Page 19
Monitoring and Auditing
The SAP Audit Information System (AIS)
Audit planning
Work program
- System audit
- Business audit
Exp
ort
in
terf
ace
Online controls on
the SAP database
System information
Reconciliation
BS PampL
Account balances
Documents
Data export
Account balances
Line items
Non-SAP Environment SAP Environment
Work
paper
prep
Report
Analysis software
( ACL IDEA hellip )
Reporting software
Line items
Balances
Accounts
Customers
Vendors
Assets
Material
Orders
Invoices
hellip
copy 2010 SAP AG All rights reserved Page 20
Monitoring and Auditing The SAP Audit
Information System (AIS)
The Audit Information
System facilitates smoother
and better quality audits
It consists of a number of
single roles and is a
- Collection
- Structure and
- Default setup
of SAP standard programs
The AIS is the Toolbox
of the auditor
in SAP environment
11
copy 2010 SAP AG All rights reserved Page 21
SAP Security Monitor Logging Solution
Functional Overview
The SAP Security Monitor Logging Solution
provides logging of all data a user views in an
SAP application
Captured data includes
All inputoutput fields
Field labels titles headings
Tables trees lists
etc
Implicitly also database access operations are
logged
Search and retrieval
Storing and updating
Logging is fully transparent to the user The
application behavior and performance is not
affected For an end-user a solution appears
identical whether logging is enabled or not
copy 2010 SAP AG All rights reserved Page 22
SAP Security Monitor Logging Solution
Architecture Overview
SAP UI RepositorySAP Backend System
Dynpro Processor
Control Framework
Request
Response
Database layer
Legend Logging functionality
Observed
data traffic
Temporary Log
(Asynchronous)
Call of
log service
Log Storage
Straightforward high-performance solution tailored to SAP applications
Server-side logging - log entry is written with each client-server roundtrip
Log records are written to provided log service
Modification
Development
12
copy 2010 SAP AG All rights reserved Page 23
Data Encryption Using
Secure Store and Forward (SSF)
Credit card data
encrypted in
database
Application
Decryption
Authorized
administrator
Data is
displayed
unencrypted
SSF
API
PCI-DSS-compliant encryption
Use of SAP Cryptographic Library
Available as of release 46 C
copy 2010 SAP AG All rights reserved Page 24
The SAP Authorization Concept
hellip how to
create
users in a
systemhellipwho may
execute which
actions
especially
how to
The SAP authorization concept
defines rules on
hellip restrict
display and
change of data
depending
on user roles
This enhances
the security of
the system
hellip show
users only those
actions which are
relevant for their
roles
This simplifies
system usage
13
copy 2010 SAP AG All rights reserved Page 25
The SAP Authorization Concept
copy 2010 SAP AG All rights reserved Page 26
Sammelrolle
RolleRole
Composite role
Felder
Werte
Authorization object
Berechtigung
Profil
Fields
Values
Authorization
Profile
User
Rolle
Data Model
Felder
Werte
Authorization object
Berechtigungsdaten
Assignment
Generation
Authorization data
Fields
Values
RoleSammelprofil
Sammel-
profil
Profil
Composite
Profile
Profile
Composite profile
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
10
copy 2010 SAP AG All rights reserved Page 19
Monitoring and Auditing
The SAP Audit Information System (AIS)
Audit planning
Work program
- System audit
- Business audit
Exp
ort
in
terf
ace
Online controls on
the SAP database
System information
Reconciliation
BS PampL
Account balances
Documents
Data export
Account balances
Line items
Non-SAP Environment SAP Environment
Work
paper
prep
Report
Analysis software
( ACL IDEA hellip )
Reporting software
Line items
Balances
Accounts
Customers
Vendors
Assets
Material
Orders
Invoices
hellip
copy 2010 SAP AG All rights reserved Page 20
Monitoring and Auditing The SAP Audit
Information System (AIS)
The Audit Information
System facilitates smoother
and better quality audits
It consists of a number of
single roles and is a
- Collection
- Structure and
- Default setup
of SAP standard programs
The AIS is the Toolbox
of the auditor
in SAP environment
11
copy 2010 SAP AG All rights reserved Page 21
SAP Security Monitor Logging Solution
Functional Overview
The SAP Security Monitor Logging Solution
provides logging of all data a user views in an
SAP application
Captured data includes
All inputoutput fields
Field labels titles headings
Tables trees lists
etc
Implicitly also database access operations are
logged
Search and retrieval
Storing and updating
Logging is fully transparent to the user The
application behavior and performance is not
affected For an end-user a solution appears
identical whether logging is enabled or not
copy 2010 SAP AG All rights reserved Page 22
SAP Security Monitor Logging Solution
Architecture Overview
SAP UI RepositorySAP Backend System
Dynpro Processor
Control Framework
Request
Response
Database layer
Legend Logging functionality
Observed
data traffic
Temporary Log
(Asynchronous)
Call of
log service
Log Storage
Straightforward high-performance solution tailored to SAP applications
Server-side logging - log entry is written with each client-server roundtrip
Log records are written to provided log service
Modification
Development
12
copy 2010 SAP AG All rights reserved Page 23
Data Encryption Using
Secure Store and Forward (SSF)
Credit card data
encrypted in
database
Application
Decryption
Authorized
administrator
Data is
displayed
unencrypted
SSF
API
PCI-DSS-compliant encryption
Use of SAP Cryptographic Library
Available as of release 46 C
copy 2010 SAP AG All rights reserved Page 24
The SAP Authorization Concept
hellip how to
create
users in a
systemhellipwho may
execute which
actions
especially
how to
The SAP authorization concept
defines rules on
hellip restrict
display and
change of data
depending
on user roles
This enhances
the security of
the system
hellip show
users only those
actions which are
relevant for their
roles
This simplifies
system usage
13
copy 2010 SAP AG All rights reserved Page 25
The SAP Authorization Concept
copy 2010 SAP AG All rights reserved Page 26
Sammelrolle
RolleRole
Composite role
Felder
Werte
Authorization object
Berechtigung
Profil
Fields
Values
Authorization
Profile
User
Rolle
Data Model
Felder
Werte
Authorization object
Berechtigungsdaten
Assignment
Generation
Authorization data
Fields
Values
RoleSammelprofil
Sammel-
profil
Profil
Composite
Profile
Profile
Composite profile
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
11
copy 2010 SAP AG All rights reserved Page 21
SAP Security Monitor Logging Solution
Functional Overview
The SAP Security Monitor Logging Solution
provides logging of all data a user views in an
SAP application
Captured data includes
All inputoutput fields
Field labels titles headings
Tables trees lists
etc
Implicitly also database access operations are
logged
Search and retrieval
Storing and updating
Logging is fully transparent to the user The
application behavior and performance is not
affected For an end-user a solution appears
identical whether logging is enabled or not
copy 2010 SAP AG All rights reserved Page 22
SAP Security Monitor Logging Solution
Architecture Overview
SAP UI RepositorySAP Backend System
Dynpro Processor
Control Framework
Request
Response
Database layer
Legend Logging functionality
Observed
data traffic
Temporary Log
(Asynchronous)
Call of
log service
Log Storage
Straightforward high-performance solution tailored to SAP applications
Server-side logging - log entry is written with each client-server roundtrip
Log records are written to provided log service
Modification
Development
12
copy 2010 SAP AG All rights reserved Page 23
Data Encryption Using
Secure Store and Forward (SSF)
Credit card data
encrypted in
database
Application
Decryption
Authorized
administrator
Data is
displayed
unencrypted
SSF
API
PCI-DSS-compliant encryption
Use of SAP Cryptographic Library
Available as of release 46 C
copy 2010 SAP AG All rights reserved Page 24
The SAP Authorization Concept
hellip how to
create
users in a
systemhellipwho may
execute which
actions
especially
how to
The SAP authorization concept
defines rules on
hellip restrict
display and
change of data
depending
on user roles
This enhances
the security of
the system
hellip show
users only those
actions which are
relevant for their
roles
This simplifies
system usage
13
copy 2010 SAP AG All rights reserved Page 25
The SAP Authorization Concept
copy 2010 SAP AG All rights reserved Page 26
Sammelrolle
RolleRole
Composite role
Felder
Werte
Authorization object
Berechtigung
Profil
Fields
Values
Authorization
Profile
User
Rolle
Data Model
Felder
Werte
Authorization object
Berechtigungsdaten
Assignment
Generation
Authorization data
Fields
Values
RoleSammelprofil
Sammel-
profil
Profil
Composite
Profile
Profile
Composite profile
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
12
copy 2010 SAP AG All rights reserved Page 23
Data Encryption Using
Secure Store and Forward (SSF)
Credit card data
encrypted in
database
Application
Decryption
Authorized
administrator
Data is
displayed
unencrypted
SSF
API
PCI-DSS-compliant encryption
Use of SAP Cryptographic Library
Available as of release 46 C
copy 2010 SAP AG All rights reserved Page 24
The SAP Authorization Concept
hellip how to
create
users in a
systemhellipwho may
execute which
actions
especially
how to
The SAP authorization concept
defines rules on
hellip restrict
display and
change of data
depending
on user roles
This enhances
the security of
the system
hellip show
users only those
actions which are
relevant for their
roles
This simplifies
system usage
13
copy 2010 SAP AG All rights reserved Page 25
The SAP Authorization Concept
copy 2010 SAP AG All rights reserved Page 26
Sammelrolle
RolleRole
Composite role
Felder
Werte
Authorization object
Berechtigung
Profil
Fields
Values
Authorization
Profile
User
Rolle
Data Model
Felder
Werte
Authorization object
Berechtigungsdaten
Assignment
Generation
Authorization data
Fields
Values
RoleSammelprofil
Sammel-
profil
Profil
Composite
Profile
Profile
Composite profile
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
13
copy 2010 SAP AG All rights reserved Page 25
The SAP Authorization Concept
copy 2010 SAP AG All rights reserved Page 26
Sammelrolle
RolleRole
Composite role
Felder
Werte
Authorization object
Berechtigung
Profil
Fields
Values
Authorization
Profile
User
Rolle
Data Model
Felder
Werte
Authorization object
Berechtigungsdaten
Assignment
Generation
Authorization data
Fields
Values
RoleSammelprofil
Sammel-
profil
Profil
Composite
Profile
Profile
Composite profile
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
14
copy 2010 SAP AG All rights reserved Page 27
P_ORGIN
S_USER_AGR
S_USER_GRP
hellip
PA30
PFCG
RSUSR002
hellip
Menu Transactions
Web links reports
Etc
UserABAP
Role
Authorization
Data
Authorizations
ABAP Roles
1n 1n
copy 2010 SAP AG All rights reserved Page 28
Functional Roles - Menu
Functional Roles
are related to
jobs
Menu containing
transactions
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
15
copy 2010 SAP AG All rights reserved Page 29
Functional Roles - Authorizations
All required authorizations for
transactions and other organization-
independent authorization objects are
maintained
copy 2010 SAP AG All rights reserved Page 30
SAP ABAP Authorization Check
Access type
Area Organization
Authority
check
Business
ObjectCheck of a combination of
authorization relevant attributes
of a business object
Activity eg create change
display delete hellip
Additional authorization relevant Attributes
eg record type hellip
Organizational attributes eg
company code personal area
hellip
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
16
copy 2010 SAP AG All rights reserved Page 31
HR Org Management ndash Org Structure in HR
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
1nOrg Units
S
Position
70008502
S
Position
70008501
1n
Positions
P
Employee
Eva Scott
P
Employee
John Smith
1111
Employees
US
SAP User
SMITHJ
US
SAP User
SCOTTE
11 11Infotype 105
Users
copy 2010 SAP AG All rights reserved Page 32
HR Org Management ndash Role Assignment
O
Org Unit
Market GER
O
Org Unit
Finance
O
Org Unit
HR
S
Position
70008502
S
Position
70008501
US
SAP User
SMITHJ
US
SAP User
SCOTTE
P
Employee
Eva Scott
P
Employee
John Smith
1n
1n
1111
11 11
Org Units
Positions
Employees
Infotype 105
Users
User SMITHJ
inherits roles
GEN_FIN
and HR_ADM
AG
Role
GEN_FIN
AG
Role
HR_ADM
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
17
copy 2010 SAP AG All rights reserved Page 33
HR-Org Driven User Administration
Pros amp Cons
Disadvantages
More complex user mass upload
procedure (pre-go live)
Additional ALE distribution model to
be monitored
Less flexible in terms of individual
assignments of roles to users
No transition period in terms of role
assignments after transfers
Advantages
Org view available for role
assignments
Automated role assignment for all
employee actions such as hire
transfer etc
Role accumulation avoided
Close integration of user
administration processes into HR
Clear separation of user and role
assignment administration
copy 2010 SAP AG All rights reserved Page 34
Authorization Enhancements
With Business Add-Ins (BAdIs)
Business Add-Ins (BAdIs) are the basis
for authorization enhancements in
SAP R3 applications You can access
the BAdI Builder with transaction SE18
If specific authorization check
requirements cannot be met by either the
standard system or by a customer-specific
authorization object you can replace the
authorization checks by using Business
Add-Ins (BAdI)
Example
The BAdI for the master data authorization
check is called HRPAD00AUTH_CHECK
It replaces the standard authorization check
for HR Master Data infotypes
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
18
copy 2010 SAP AG All rights reserved Page 35
Planned enhanced authorization checks
Enhancement SAP Note
Authorization Info System RSUSR100N to replace RSUSR100 completely 1307663
Authorization Info System RSUSR200 ndash Search for unused user IDs 1479062
User Management SU10 is able to generate new initial passwords and deactivate passwords 1469961
User Management Possibility to switch to old passwords for system and communication users 1410831
System Trace (ST01) New additional information in system trace regarding successful authorization checks 1373111
Start authorization checks New authorization check for Web Dynpro ABAP applications1413011
1413012
Additional authorization check for tables tbd
To search for SAP Notes please go to
the SAP Service Marketplace
httpswebsmp108sap-agdenotes
copy 2010 SAP AG All rights reserved Page 36
Federation
Metadata
Transport Security
Document Security
Message Security
SAP Security ndash Building on Industry Standards
WS-Security
Under Evaluation
WS-Policy
WS-Trust
WS-Security Policy
WS-SecureConversation
SAML 20
Future Work
SMIME
Supported by SAPStatus February 2010
Authorization Provisioning
Authentication X509 CertsKerberosSAML 1x JAAS
XACML SPML LDAP
XML Sig PKCS7XML Enc
SSLTLS GSS
OpenID
OAuth
PCI DSS
Interoperability WS-I BSP 11WS-I BSP 10
WS-ReliableMessaging
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
19
copy 2010 SAP AG All rights reserved Page 37
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 38
Global Trends and Impact
Increasing Need for Compliance
Changing Consumption Models (SaaS)
Need for Operational Efficiency
Consumption model
Platforms services software and
security as a service offerings
Changing business environment
connecting on premise with on-
demand applications securely
Identities are on the move
Business and infrastructure
applications get accessed via
mobile devices
Compliance
Increasing regulatory compliance
requirements coupled with lack of
visibility into existing controls
Complex environment and lack of
governance framework result in
audit challenges
Costly labor intensive processes
not aligned with business priorities
Lack of timely access or self-service
capabilities result in productivity loss
and reduced user satisfaction
Operational efficiency
Maintenance of multiple sources of
identity data
Manual user provisioning by help
desk delays onoff-boarding and
change in positions
Labor-intensive approval systems
Users dependent on help desk
response times
Single sign-on in heterogeneous
cross-company environments
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
20
copy 2010 SAP AG All rights reserved Page 39
Overview of SAP Road Map
SAP NetWeaver Identity Management
TODAY PLANNED INNOVATIONS FUTURE DIRECTION
Enhanced SAP Integration
Enterprise Readiness
SAP BW Reporting
Context based Role Management
CUA Replacement recommended
Federation and Web SSO
copy 2010 SAP AG All rights reserved Page 40
SAP NetWeaver Identity Management
Today
TODAY
SAP NetWeaver Identity Management ndash Compliant User
Management across SAP and Non SAP Systems
central management of identities
throughout system landscape
Rule driven workflow and approval
process
Extensive audit trail logging and
reporting capabilities
Governance through centralized
auditable identity data
Compliance through the integration
with analytics applications (SAP
Business Warehouse and SAP
Business Objects)
Compliant and integrated identity
management solution mitigates
segregation-of-duties risks
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
21
copy 2010 SAP AG All rights reserved Page 41
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
SAP NetWeaver
Identity Management 71
Identity Center
Workflow and Monitoring UI
(AS Java)
ManagementConsole
DispatcherRuntime Engine
Event AgentService
Detect changesRead write
SA
P
GR
CW
eb
serv
ices
hellip
Virtu
al D
irecto
ry Serv
er
Identity Center
Database
System
Active
Directory
SAP
Portal
SAP
ERPothers
hellip
copy 2010 SAP AG All rights reserved Page 42
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp
Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
22
copy 2010 SAP AG All rights reserved Page 43
Minimal Time-to-Compliance
Quick effective and comprehensive
access risk identification
Elimination of existing access and
authorization risks is key
Continuous Access Management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with
faster emergency response
Ease compliance and avoid
authorization risk
Effective Management Oversight
Capabilities for management
oversight
Capabilities for internal audit
IT Infrastructure
FIN SCM SRM MFG HR
Cro
ss-P
latf
orm
Cro
ss-F
un
ction
Acce
ss R
isk a
na
lysis
Rem
ed
iatio
n Enterprise role
management
Risk analysis and
remediation
Compliant user provisioning
Au
dit
Ove
rsig
ht
Identity management
Periodic access review and audit
Con
tro
l
En
vir
on
me
nt Cross-enterprise library of best practice
segregation of duties rules
Regulations Rules Corporate Policies
Best Practices
Super user privilege
management
SAP_ALL
SAP BusinessObjects Access Control
Solution Overview
copy 2010 SAP AG All rights reserved Page 44
SAP NetWeaver
Identity Management
SAP NetWeaver Identity Management
Combined
Compliance checks
Business risk controls and
mitigation
Heterogeneous connectivity
SAP Business Suite integration
Powerful business role mapping
Password management
Compliant identity management for
the entire system landscape
SAP NetWeaver
Identity Management
SAP BusinessObjects Access Control (GRC)
SAP BusinessObjects
Access Control (GRC)
SAP BusinessObjects Access Control (GRC) amp
SAP NetWeaver IDM ndash Integration Scenario
SAP BusinessObjects Access Control (GRC)
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
23
copy 2010 SAP AG All rights reserved Page 45
Compliant Identity Management
Process Flow
SAP NetWeaver Identity ManagementSAP BusinessObjects Access
Control (GRC)
Re
qu
est R
ole
Assig
nm
en
t1
Forward request
for risk analysis
3 Manager
approval
2
Risk status6
Provisioning to
target systems
7
Risk
analysis
4
Risk
mitigation
5Notification to
User Manager
8
copy 2010 SAP AG All rights reserved Page 46
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
24
copy 2010 SAP AG All rights reserved Page 47
SAP Security Services Overview
Best Practices
SupportCustomer
EngagementService Delivery
Tools
Self-Services
Services
delivered by SAP
Recommendations
Guidelines
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
Security Optimization
Remote Service
Run SAP
E2E Solution Operations
Standard for Security
copy 2010 SAP AG All rights reserved Page 48
Security in the EarlyWatch Alert (EWA)
Security in the EarlyWatch Alert
The EarlyWatch Alert Report includes selected information on critical security
observations
ndash Security-related SAP Notes
ndash Users with Critical Authorizations
ndash Default Passwords of Standard Users
More detailed and additional information can be found with the help of the security
self-services
SAP EarlyWatch Alert is an important part of making sure that your core business
processes work It is a tool that monitors the essential administrative areas of
SAP components and keeps you up to date on their performance and stability
SAP EarlyWatch Alert runs automatically to keep you informed so you can react to issues proactively before they become critical
httpservicesapcomewa
ldquo
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
25
copy 2010 SAP AG All rights reserved Page 49
SAP Security Optimization Service
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the
security of customerslsquo SAP systems by identifying potential security issues and
giving recommendations on how to improve the security of the system
Keeping the security and availability of SAP solutions at a high level is a tremendous
value to customerslsquo businesses - a value delivered by the SAP Security Optimization
Service Analysis is the key to this value which is necessary to
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information is available in the SAP Service Market Place
httpwwwservicesapcomsos
copy 2010 SAP AG All rights reserved Page 50
SAP Security Optimization Service
Overview
SAP Security Optimization
SAP Security Optimization
Remote ServiceSAP Security Optimization
Self Service
The SAP Solution Manager offers the
possibility to execute the SAP Security
Optimization Service locally
Fully automated checks
in ABAP systems
No additional cost for
this service
Broad range of security
checks extending the
self-service checks
Performed by experienced
service engineers
Part of CQC service
offering
SAP Security Optimization
Onsite Service
Individual range of
security checks eg for
the SAP Enterprise
Portal
Performed by specialists
Additional cost for this
service
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
26
copy 2010 SAP AG All rights reserved Page 51
Run SAP Methodology SAP Security Standard
Assessment amp
Scoping
Operational
Requirements
Analysis
Governance
Model for
Operations
Scope Definition
Technical
Requirements and
Architecture
Project Setup
Operations amp
Optimization
End User Support
SAP Technical
Operations
Change
Management
Technical
Infrastructure
Management
SAP Application
Management
Business Process
Operations
Design
Operations
End User Support
Concept
SAP Technical
Operations
Concept
Change
Management
Concept
Technical
Infrastructure
Design
SAP Application
Management
Concept
Business Process
Operations
Concept
Setup
Operations
End User Support
Implementation
SAP Technical
Operations
Implementation
Change
Management
Implementation
Technical
Infrastructure
Implementation
SAP Application
Management
Implementation
Business Process
Operations
Implementation
Handover into
Production
Knowledge Transfer
and Certification
Final Testing
Transition into
Production
Handover and Sign-
Off
copy 2010 SAP AG All rights reserved Page 52
The 10 secure operation tracks of the Secure Operations Map
cover the following topics
1 Audit Ensure and verify the compliance of a companylsquos IT infrastructure
and operation with internal and external guidelines
2 Outsourcing Ensure secure operation in IT outsourcing scenarios
3 Emergency Concept Prepare for and react to emergency situations
4 Secure Process and People Collaboration Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5 User and Authorization Management Manage IT users their authorizations and authentication
6 Administration Concept Securely administer all aspects of solution operations
7 Network System Database and Workstation Security Establish and maintain the security of all infrastructure and base
components
8 Secure Application Lifecycle Securely develop and maintain the code base of standard and custom business applications
9 Secure Configuration Establish and maintain a secure configuration of standard and custom business applications
10 Secure Support Resolve software incidents in a secure manner
Run SAP Methodology Secure Operations
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
27
copy 2010 SAP AG All rights reserved Page 53
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 54
Security of the SAP Remote Support
Infrastructure
The remote support infrastructure is established for nearly all SAP customers
with valid support agreements
The key to success of the remote-support infrastructure is a strong focus on
security based on two major safeguards
Every customer has full control of the established connections and opens the
connection upon request
Every remote connection to a customer system is logged
In addition various encryption mechanisms are available including
Software encryption with secure network communications (SNC)
Hardware encryption with virtual private network (VPN)
SAP has set up a remote support infrastructure that enables efficient support
processes and effective customer problem resolution
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
28
copy 2010 SAP AG All rights reserved Page 55
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
copy 2010 SAP AG All rights reserved Page 56
The Product Innovation Lifecycle (PIL) is SAPs approach to product quality
It consists of process and product standards The product standards define common
requirements for all SAP products
The PIL Security Standard defines security requirements targeting
Requirements are
Included in planning phase
Implemented during development
phase and
Checked in test phase
Organization
Standard Owner
Expert Network
Multiplication and reporting across all development
units and SAP labs
Production Unit
Enforces compliance of SAP product development
Vulnerability
Prevention
TCO
Reduction
Legal
Compliance
Key Concept for Secure Programming
PIL Security Standard
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
29
copy 2010 SAP AG All rights reserved Page 57
SAP Investments in Software Security
and Quality Assurance
Security is embedded in all stages of the software development lifecycle
Software design and architecture is reviewed for conformity to security requirements
Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
What we do
Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Security of the software is checked before delivery
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit acting as a ―first customer
Capabilities for reaction to security issues discovered after delivery
Security Response process
ndash Handles and solves security issues
ndash Provides customers with information workarounds solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers security specialists and to the public
SAP invests to achieve the security of all its code
copy 2010 SAP AG All rights reserved Page 58
Digital Signatures for SAP Software Delivery
Digital Signing Instance
Certificates
Private KeysFirewallSigning Services (Hardware Token)
SMPAssembly
Trust Center
Non-ABAP SP ABAP SP Release
Authenticity and Integrity of SAP Software
Digital signatures for SAP software packages planned for end of 2010
Validation of signatures planned for mid-2011
Enablement of signatures and verification for additional SAP solutions and partner products planned for 20112012
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
30
copy 2010 SAP AG All rights reserved Page 59
State-of-the-Art Software Lifecycle Security
SAP is certified for
ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
Quality management standard ISO9001
Common Criteria certification is currently underway
FIPS 140-2 certification is planned
SAP offers
Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team as well as a security
consultant certification to offer qualified implementation support
SAP invests in
A large internal research division dedicated to security
Joint industry projects for secure programming practices such as
SAFECODE
Secologic
Security is a quality characteristic of SAP solutions
copy 2010 SAP AG All rights reserved Page 60
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
31
copy 2010 SAP AG All rights reserved Page 61
SAP is certified according to the ITSEC standard for information technology security
ITSEC evaluates security within software products and systems
SAP is certified according to the ISO 9001 standard for quality management systems
Security Certifications for SAP Software
Current Certifications
ITSEC (Information Technology Security Evaluation Criteria )
E2 Medium
ISO 9001
copy 2010 SAP AG All rights reserved Page 62
SAP is currently undergoing a security certification according to the Common Criteria (CC) for
Information Technology Security evaluation assurance level 4 CC is an international standard (ISO
15408) for computer security certification
Originated out of three standards (ITSEC (Europe) CTCPEC (Canada) TCSEC (US))
Mutual recognition arrangement (CCRA)
Each party thereto recognizes evaluations against the CC standard done by other parties
Currently 26 countries recognize the CC
Certification target is SAP NetWeaver Application Server Java 702
Certification body is the German Federal Office for Information Security (BSI)
An overview of products currently in certification at BSI is available here
FIPS 140-2 is a US government computer security standard that specifies requirements for
cryptography modules
SAP is planning a certification of its cryptographic library in cooperation with its partner Secude
Additional security certifications are planned
Security Certifications for SAP Software
Certifications Planned and Underway
Federal Information Processing Standardization 140-2 (FIPS)
Common Criteria for Information Technology Security (CC)
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
32
copy 2010 SAP AG All rights reserved Page 63
Common Criteria Certification
Certification Target
Approach in three phases
SAP NetWeaver Application Server Java 702
SAP NetWeaver Application Server ABAP 702
SAP NetWeaver Application Server ABAP amp Java 702 combined certificate
Security Functionalities
Audit
Users and authorizations
Identification and authentication
Security management (administration of security functionality)
Assurance Class
EAL4+
Why Application Server and not business application
The application server is the underlying infrastructure providing the basic security functionality and
frameworks The business application on top ―inherits the security qualities
Why 702
Main release for next Business Suite
copy 2010 SAP AG All rights reserved Page 64
Common Criteria Certification
Project Plan Phases High-Level
0909 09100310 0511
Phase 1
Phase 2 and 3
Java amp Kernel
ABAPABAP Prep amp Implementation
EAL4 certificate
Phase 4
Java amp Kernel
ABAP
Certificate for double stack EAL4
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
33
copy 2010 SAP AG All rights reserved Page 65
2009 2010
A S O N D J F M A M J J A S O N D J
Common Criteria Certification Project Phase 1
SAP NW AS Java 702 Plan and Status
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
Dev Site Audits (WDFRot)
Ralsquoanana
Sofia
Bangalore
Moscow
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETRtoday
Legend Duration Milestone
CERTIFICATE
copy 2010 SAP AG All rights reserved Page 66
2010
J F M A M J J A S O N D J F M A M J
Common Criteria Certification Project Phase 2
SAP NW AS ABAP 702 Plan and Status
ABAP Prep and Implementation
ASE Security Target
ADV_FSP4
AGD_OPE1
ALC Lifecycle support (inc site visit)
ADV_TDS3
ADV_IMP1
ADV_ARC1
AGD_PRE1
ATE_COV2 _DPT2 _FUN1
ATE_IND2 AVA_VAN3
ETR
today
2011
CERTIFICATE
Legend Duration Milestone
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
34
copy 2010 SAP AG All rights reserved Page 67
The Security Consultant Certification test
Verifies the participantlsquos profound knowledge in the area of SAP NetWeavertrade Security
Proves that the candidate has an advanced understanding of this topic and is able to apply
these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70
SAP courses for certification preparation
Course ADM200 Administration AS Java
Course ADM940 Authorization Concept AS ABAP
Course ADM950 Secure SAP System Management
Course ADM960 Security in SAP System Environment
Course TZNWIM SAP NetWeaver Identity Management
Software components covered
SAP NetWeavertrade 70
SAP Security Consultant Certification
SAP Certified Technology Professional ndash Security with SAP NetWeaver 70
copy 2010 SAP AG All rights reserved Page 68
Agenda
1 Introduction
2 SAP Solutions for Security Identity Management and Governance Risk amp Compliance
SAP NetWeaver Security Solutions
SAP NetWeaver Identity Management
SAP BusinessObjects Access Control
3 SAP Security Services and Secure Support Offerings
Security Services
Support Security
4 Secure Software Development Standards and Security Certifications
Secure Programming
Security Certifications for SAP Software
5 Summary
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
35
copy 2010 SAP AG All rights reserved Page 69
Summary
Key Take-Away
SAP NetWeaver TODAY is the favored technology platform for
SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions identity
management and integrated security management offering will allow
customers to implement secure business processes
Planned support for SAML 20 for Identity Federation will provide
international standards support and heterogeneity mandatory for
composite business applications and networked solutions
SAP will lead the industry in helping our customers to
thrive in today`s business networks
This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any
reason without notice This document is provided without a warranty of any kind either express or implied including but not limited to the implied
warranties of merchantability fitness for a particular purpose or non-infringement
copy 2010 SAP AG All rights reserved Page 70
Further Information
SAP Public Web
SAP Developer Network (SDN) - Security wwwsdnsapcomirjsdnsecurity
SAP Developer Network (SDN) ndash Identity Management
httpwwwsdnsapcomirjsdnnw-identitymanagement
SAP Public Web ndash Security wwwsapcomsecurity
SAP Public Web ndash Identity Management
wwwsapcomplatformnetweavercomponentsIDMindexepx
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
36
copy 2010 SAP AG All rights reserved Page 71
Further Information
Related WorkshopsLectures at SAP TechEd 2010
copy 2010 SAP AG All rights reserved Page 72
Further Information
Related WorkshopsLectures at SAP TechEd 2010
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
37
copy 2010 SAP AG All rights reserved Page 73
Further Information
Related WorkshopsLectures at SAP TechEd 2010
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
38
copy 2010 SAP AG All rights reserved Page 75
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved