SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT

Transcription

1 SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT Foreword by Prof. Wolfgang Lassmann Foreword by Dr. Sachar Paulus Introduction Background Contents How to Read This Book Acknowledgements Part 1 Basic Principles of Risk Management and IT Security 2 Risk and Control Management Security Objectives Company Assets Types of Company Assets Classification of Company Assets Risks Types of Risks Classification of Risks Controls Types of Controls Classification of Controls Security Strategy Status Quo Components General Framework Strategy Methods Best Practices Documentation Best Practices of an SAP Security Strategy Procedure Principle of Information Ownership Identity Management Requirements Legal Requirements Sarbanes-Oxley Act Basel II GoBS Internal Requirements Summary Security Standards International Security Standards International Security Standard ISO International Security Standard CoBIT COSO - Integrated Framework for Company Risk Management Country-Specific Security Standards American Standard NIST Special Publications

2 German Security Standard IT Baseline Protection of the BSI Basic Principles of Technical Security Cryptography Symmetric Encryption Procedure Asymmetric Encryption Procedure Hybrid Encryption Procedure Hash Procedures Digital Signature Public Key Infrastructure Authentication Procedures User Name and Password Challenge Response Kerberos Secure Token Digital Certificate Biometrics Basic Principles of Networks OSI Reference Model Important Network Protocols Overview of Firewall Technologies Secure Sockets Layer Encryption Part 2 Security in SAP NetWeaver and Application Security 7 SAP Applications and Technology Global Security Positioning System SAP Applications SAP NetWeaver Security Technologies Authorizations, Risk and Change Management, and Auditing Identity Management Secure Authentication and Single Sign-On (SSO) Technical Security Influencing Factors SAP Web Application Server Introduction and Functions Overview Technical Architecture Risks and Controls Application Security Technical Authorization Concept for Administrators Authorization Concept for Java Applications Restricting Authorizations for RFC Calls Technical Security Introducing a Single Sign-On Authentication Mechanism Connecting the SAP Web AS to a Central LDAP Directory Changing the Default Passwords for Default Users Configuring Security on the SAP Gateway Restricting Operating System Access Configuring Important Security System Parameters Configuring Encrypted Communication Connections (SSL and SNC)

3 Restricting Superfluous Internet Services Secure Network Architecture for Using the SAP Web AS with the Internet Introducing an Application-Level Gateway to Make Internet Applications Secure Introducing Hardening Measures on the Operating System Level Introducing a Quality Assurance Process for Software Development SAP ERP Central Component Introduction and Functions Risks and Controls Application Security Authentication Authorizations Other Authorization Concepts Best-Practice Solutions Technical Security mysap ERP Human Capital Management Introduction and Functions Risks and Controls Application Security HCM Master Data Authorizations HCM Applicant Authorizations HCM Personnel Planning Authorizations HCM Reporting Authorizations Structural Authorizations Authorizations for Personnel Development Tolerated Authorizations Authorizations for Inspection Procedures Customized Authorization Checks Indirect Role Assignment Through the Organizational Structure Additional Transactions Relevant to Internal Controls Technical Security SAP Industry Solutions Introduction and Functions Risks and Controls Application Security SAP Max Secure SAP Role Manager Technical Security SAP NetWeaver Business Intelligence Introduction and Functions Risks and Controls Application Security Authorizations Other Concepts Technical Security SAP NetWeaver Master Data Management Introduction and Functions

4 Risks and Controls Application Security Identity Management and Authorizations Revision Security Technical Security Communications Security Important Additional GSPS Components mysap Customer Relationship Management Introduction and Functions Risks and Controls Application Security Technical Security Technical Protection of the Mobile Application Additional Important GSPS Components mysap Supplier Relationship Management Introduction and Functions Risks and Controls Application Security Important Authorizations Rules-Based Security Checks Using Business Partner Attributes User Management Technical Security mysap Supply Chain Management Introduction and Functions Risks and Controls Application Security Authorizations for the ippe Workbench Authorizations for Supply Chain Planning Authorizations for Event Management Technical Security SAP Strategic Enterprise Management Introduction and Functions Risks and Controls Application Security Technical Security SAP Solution Manager Introduction and Functions Risks and Controls Application Security Technical Security System Monitoring Function RFC Communication Security Important Additional GSPS Components SAP Enterprise Portal Introduction and Functions Technical architecture Description of the User Management Engine Risks and Controls

5 Application Security Structure and Design of Portal Roles Delegated User Administration for Portal Roles by Involving the Information Owners Synchronization of Portal Roles with the ABAP Roles of SAP Backend Applications Change Management Process for New Portal Content Technical Security Connecting SAP EP to a Central LDAP Directory or SAP System Implementation of a Single Sign-On Mechanism Based on a One-Factor Authentication Implementation of a Single Sign-On Mechanism Based on an Integrated Authentication Implementation of a Single Sign-On Mechanism Based on Person-Related Certificates Configuration for Anonymous Access Secure Initial Configuration Definition and Implementation of Security Zones Secure Network Architecture Introducing an Application-Level Gateway to Make Portal Applications Secure Configuration of Encrypted Communication Channels Implementation of a Virus Scan for Avoiding a Virus Infection SAP Exchange Infrastructure Introduction and Functions Risks and Controls Application Security Authorizations for the Integration Builder Passwords and Authorizations for Technical Service Users Technical Security Definition of Technical Service Users for Communication Channels at Runtime Setting Up Encryption for Communication Channels Digital Signature for XML-Based Messages Encryption of XML-Based Messages Network-Side Security for Integration Scenarios Audit of the Integration Builder and the SAP XI Communication Securing the File Adapter at Operating-System Level SAP Partner Connectivity Kit Introduction and Functions Risks and Controls Application Security Technical Security Separate Technical Service User for Every Connected Partner System Setting Up Encryption for Communication Channels Digital Signature for XML-Based Messages Network-Side Security for Integration Scenarios Audit of the Message Exchange Securing the File Adapter at Operating-System Level SAP Mobile Infrastructure Introduction and Functionality Risks and Controls Application Security Authorization Concept for SAP MI Applications Authorization Concept for Administration Restricting the Authorizations of the RFC User to Backend Applications Technical Security Setting Up Encrypted Communications Connections Securing the Synchronization Communication

6 Deactivating Superfluous Services on the SAP MI Server Secure Network Architecture Monitoring Database Server Introduction and Functions Risks and Controls Application Security Technical Security Changing Default Passwords Removing Unnecessary Database Users Limiting Database Access Design and Implementation of a Database Backup Concept Design and Implementation of an Upgrade Concept SAP Web Dispatcher Introduction and Functions Risks and Controls Application Security Technical Security Use of SAP Web Dispatcher as a Reverse Proxy Configuration of SAP Web Dispatcher as a URL Filter SSL Configuration Monitoring SAProuter Introduction and Functions Risks and Controls Application Security Technical Security SAP Internet Transaction Server Introduction and Functions Risks and Controls Application Security Defining Access Rights for Service Files Administration Concept Technical Security Installing a DMZ Network Segmentation Encrypting Communications Connections Setting Up a Certificate-Based Authentication Process Setting Up a Pluggable Authentication Service SAP GUI Introduction and Functions Risks and Controls Application Security Types of Signatures Supported Electronic Document Formats Technical Implementation of the SSF Functions Saving Digitally Signed Documents Installing the SSF Functions Technical Security SSO for the WebGUI by Integration into the OS Authentication Process

7 SSO for the WebGUI by Using Digital Certificates Restricting Access to an SAP Web AS Using SAProuter Web Browser Introduction and Functions Risks and Controls Application Security Technical Security Anti-Virus Software and Its Update for the Desktop PC Using a Personal Firewall on the Desktop PC Security Settings for the Web Browser Mobile Devices Introduction and Functions Risks and Controls Application Security Technical Security Using Mobile Devices with Authentication Mechanism Implementing an Encryption Method for Storage Media Implementing Anti-Virus Protection Installing a Personal Firewall Implementing a Backup Concept Setting Up Access Rights for Important System Files Fostering a User's Security Awareness The Authors 499 Index 501