SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT



Similar documents
Security and Risk Management

SAP Secure Operations Map. SAP Active Global Support Security Services May 2015

SAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams.

SAP WEB DISPATCHER Helps you to make decisions on Web Dispatcher implementation

Master Data Governance Security Guide

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

PortWise Access Management Suite

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

SAP Single Sign-On 2.0 Overview Presentation

PortWise Access Management Suite

SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH

Session ID: B410 A Secure Future Today with SAP NetWeaver

SECURING SAP NETWEAVER DEPLOYMENTS WITH SAFE-T RSACCESS

Application Gateway with Apache

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

Introduction to Cyber Security / Information Security

Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)?

Angel Dichev RIG, SAP Labs

Cisco ASA. Administrators

Contents at a Glance. 1 Introduction Basic Principles of IT Security Authentication and Authorization in

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Achieving PCI-Compliance through Cyberoam

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Interwise Connect. Working with Reverse Proxy Version 7.x

Table of Contents. Page 1 of 6 (Last updated 30 July 2015)

Extranet Access Management Web Access Control for New Business Services

API-Security Gateway Dirk Krafzig

LBSEC.

Gateway Apps - Security Summary SECURITY SUMMARY

Hardening of SAP HTTP- and Webservices

KEMP LoadMaster. Enabling Hybrid Cloud Solutions in Microsoft Azure

Hardening of SAP HTTP- and Webservices

SAP SECURITY OPTIMIZATION

Oracle Identity Management for SAP in Heterogeneous IT Environments. An Oracle White Paper January 2007

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Using SAP Logon Tickets for Single Sign on to Microsoft based web applications

How To Secure Your Data Center From Hackers

GlassFish Security. open source community experience distilled. security measures. Secure your GlassFish installation, Web applications,

"Charting the Course... Implementing Citrix NetScaler 11 for App and Desktop Solutions CNS-207 Course Summary

SSO Methods Supported by Winshuttle Applications

Spirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

An Introduction to Entrust PKI. Last updated: September 14, 2004

Agenda. How to configure

Hybrid for SharePoint Server Search Reference Architecture

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

FileCloud Security FAQ

Enterprise Security Architecture Concepts and Practice

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

March

SonicWALL PCI 1.1 Implementation Guide

A viable alternative to TMG / UAG Web Application security, acceleration and authentication with DenyAll s DA-WAF

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

Security Overview Enterprise-Class Secure Mobile File Sharing

SAP NetWeaver 04 Security Guide. Security Guide for SAP Mobile Infrastructure

Security for Cloud- and On Premise Deployment. Mendix App Platform Technical Whitepaper

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

Ensuring the Security of Your Company s Data & Identities. a best practices guide

Configuration Guide BES12. Version 12.3

Compliance & SAP Security. Secure SAP applications based on state-of-the-art user & system concepts. Driving value with IT

Controlling Web Access with BMC Web Access Manager WHITE PAPER

Continuous Audit and Case Management For SAP: Prevent Errors and Fraud in your most important Business Processes

CNS-207 Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation

Chapter 1 The Principles of Auditing 1

TIME SCHEDULE. 1 Introduction to Computer Security & Cryptography 13

Configuration Guide BES12. Version 12.2

TIBCO Spotfire Platform IT Brief

SCUR204 Strong Infrastructure and Network Security for Heterogeneous Applications

NETASQ ACTIVE DIRECTORY INTEGRATION

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

ATTACKS TO SAP WEB APPLICATIONS

Mobilizing Business Processes Security Issues and Advantages of Using Sap Mobile Infrastructure In The Development of Mobile Applications

Copyright Giritech A/S. Secure Mobile Access

Entrust IdentityGuard Comprehensive

Introduction. Connection security

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Single Sign-on (SSO) technologies for the Domino Web Server

Architecture Guidelines Application Security

Enabling SSL and Client Certificates on the SAP J2EE Engine

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

Network Security Guidelines. e-governance

Integrating Single Sign-on Across the Cloud By David Strom

Cornerstones of Security

Security and Your SAP System When Working with Winshuttle Products

Using etoken for SSL Web Authentication. SSL V3.0 Overview

SEC100 Secure Authentication and Data Transfer with SAP Single Sign-On. Public

Perceptive Experience Single Sign-On Solutions

Directory and File Transfer Services. Chapter 7

NETASQ MIGRATING FROM V8 TO V9

SAP HANA Security Guide

Security. TestOut Modules

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

Business-Driven, Compliant Identity Management

Lync SHIELD Product Suite

Secure web transactions system

Eleventh Hour Security+

Transcription:

SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT Foreword by Prof. Wolfgang Lassmann... 15 Foreword by Dr. Sachar Paulus... 17 1 Introduction... 21... 1.1 Background... 21... 1.2 Contents... 23... 1.3 How to Read This Book... 23... 1.4 Acknowledgements... 24 Part 1 Basic Principles of Risk Management and IT Security 2 Risk and Control Management... 27... 2.1 Security Objectives... 27... 2.2 Company Assets... 29... 2.2.1 Types of Company Assets... 31... 2.2.2 Classification of Company Assets... 32... 2.3 Risks... 33... 2.3.1 Types of Risks... 34... 2.3.2 Classification of Risks... 36... 2.4 Controls... 37... 2.4.1 Types of Controls... 37... 2.4.2 Classification of Controls... 38 3 Security Strategy... 41... 3.1 Status Quo... 41... 3.2 Components... 43... 3.2.1 General Framework... 44... 3.2.2 Strategy... 44... 3.2.3 Methods... 45... 3.2.4 Best Practices... 46... 3.2.5 Documentation... 47... 3.3 Best Practices of an SAP Security Strategy... 47... 3.3.1 Procedure... 47... 3.3.2 Principle of Information Ownership... 56... 3.3.3 Identity Management... 61 4 Requirements... 67... 4.1 Legal Requirements... 67... 4.1.1 Sarbanes-Oxley Act... 68... 4.1.2 Basel II... 76... 4.1.3 GoBS... 79... 4.2 Internal Requirements... 81... 4.3 Summary... 82 5 Security Standards 83... 5.1 International Security Standards... 83... 5.1.1 International Security Standard ISO 17799... 83... 5.1.2 International Security Standard CoBIT... 87... 5.1.3 COSO - Integrated Framework for Company Risk Management... 90... 5.2 Country-Specific Security Standards... 94... 5.2.1 American Standard NIST Special Publications 800 12... 94

... 5.2.2 German Security Standard IT Baseline Protection of the BSI... 96 6 Basic Principles of Technical Security... 101... 6.1 Cryptography... 101... 6.1.1 Symmetric Encryption Procedure... 102... 6.1.2 Asymmetric Encryption Procedure... 103... 6.1.3 Hybrid Encryption Procedure... 104... 6.1.4 Hash Procedures... 106... 6.1.5 Digital Signature... 107... 6.2 Public Key Infrastructure... 109... 6.3 Authentication Procedures... 111... 6.3.1 User Name and Password... 111... 6.3.2 Challenge Response... 111... 6.3.3 Kerberos... 112... 6.3.4 Secure Token... 113... 6.3.5 Digital Certificate... 113... 6.3.6 Biometrics... 113... 6.4 Basic Principles of Networks... 114... 6.4.1 OSI Reference Model... 114... 6.4.2 Important Network Protocols... 117... 6.4.3 Overview of Firewall Technologies... 118... 6.4.4 Secure Sockets Layer Encryption... 120 Part 2 Security in SAP NetWeaver and Application Security 7 SAP Applications and Technology... 123... 7.1 Global Security Positioning System... 123... 7.2 SAP Applications... 123... 7.3 SAP NetWeaver... 125... 7.4 Security Technologies... 127... 7.4.1 Authorizations, Risk and Change Management, and Auditing... 127... 7.4.2 Identity Management... 128... 7.4.3 Secure Authentication and Single Sign-On (SSO)... 129... 7.4.4 Technical Security... 130... 7.4.5 Influencing Factors... 131 8 SAP Web Application Server... 135... 8.1 Introduction and Functions... 135... 8.1.1 Overview... 135... 8.1.2 Technical Architecture... 136... 8.2 Risks and Controls... 137... 8.3 Application Security... 145... 8.3.1 Technical Authorization Concept for Administrators... 145... 8.3.2 Authorization Concept for Java Applications... 152... 8.3.3 Restricting Authorizations for RFC Calls... 157... 8.4 Technical Security... 161... 8.4.1 Introducing a Single Sign-On Authentication Mechanism... 161... 8.4.2 Connecting the SAP Web AS to a Central LDAP Directory... 163... 8.4.3 Changing the Default Passwords for Default Users... 165... 8.4.4 Configuring Security on the SAP Gateway... 165... 8.4.5 Restricting Operating System Access... 167... 8.4.6 Configuring Important Security System Parameters... 168... 8.4.7 Configuring Encrypted Communication Connections (SSL and SNC)... 170

... 8.4.8 Restricting Superfluous Internet Services... 174... 8.4.9 Secure Network Architecture for Using the SAP Web AS with the Internet... 176... 8.4.10 Introducing an Application-Level Gateway to Make Internet Applications Secure... 176... 8.4.11 Introducing Hardening Measures on the Operating System Level... 177... 8.4.12 Introducing a Quality Assurance Process for Software Development... 177 9 SAP ERP Central Component... 181... 9.1 Introduction and Functions... 181... 9.2 Risks and Controls... 181... 9.3 Application Security... 187... 9.3.1 Authentication... 187... 9.3.2 Authorizations... 188... 9.3.3 Other Authorization Concepts... 202... 9.3.4 Best-Practice Solutions... 213... 9.4 Technical Security... 221 10 mysap ERP Human Capital Management... 223... 10.1 Introduction and Functions... 223... 10.2 Risks and Controls... 223... 10.3 Application Security... 229... 10.3.1 HCM Master Data Authorizations... 231... 10.3.2 HCM Applicant Authorizations... 232... 10.3.3 HCM Personnel Planning Authorizations... 233... 10.3.4 HCM Reporting Authorizations... 233... 10.3.5 Structural Authorizations... 233... 10.3.6 Authorizations for Personnel Development... 234... 10.3.7 Tolerated Authorizations... 234... 10.3.8 Authorizations for Inspection Procedures... 234... 10.3.9 Customized Authorization Checks... 235... 10.3.10 Indirect Role Assignment Through the Organizational Structure... 235... 10.3.11 Additional Transactions Relevant to Internal Controls... 236... 10.4 Technical Security... 236 11 SAP Industry Solutions... 237... 11.1 Introduction and Functions... 237... 11.2 Risks and Controls... 238... 11.3 Application Security... 240... 11.3.1 SAP Max Secure... 240... 11.3.2 SAP Role Manager... 241... 11.4 Technical Security... 244 12 SAP NetWeaver Business Intelligence... 245... 12.1 Introduction and Functions... 245... 12.2 Risks and Controls... 247... 12.3 Application Security... 249... 12.3.1 Authorizations... 249... 12.3.2 Other Concepts... 254... 12.4 Technical Security... 258 13 SAP NetWeaver Master Data Management... 261... 13.1 Introduction and Functions... 261

... 13.2 Risks and Controls... 262... 13.3 Application Security... 266... 13.3.1 Identity Management and Authorizations... 267... 13.3.2 Revision Security... 272... 13.4 Technical Security... 273... 13.4.1 Communications Security... 273... 13.4.2 Important Additional GSPS Components... 274 14 mysap Customer Relationship Management... 275... 14.1 Introduction and Functions... 275... 14.2 Risks and Controls... 275... 14.3 Application Security... 277... 14.4 Technical Security... 284... 14.4.1 Technical Protection of the Mobile Application... 285... 14.4.2 Additional Important GSPS Components... 285 15 mysap Supplier Relationship Management... 287... 15.1 Introduction and Functions... 287... 15.2 Risks and Controls... 288... 15.3 Application Security... 289... 15.3.1 Important Authorizations... 289... 15.3.2 Rules-Based Security Checks Using Business Partner Attributes... 297... 15.3.3 User Management... 300... 15.4 Technical Security... 301 16 mysap Supply Chain Management... 303... 16.1 Introduction and Functions... 303... 16.2 Risks and Controls... 303... 16.3 Application Security... 304... 16.3.1 Authorizations for the ippe Workbench... 304... 16.3.2 Authorizations for Supply Chain Planning... 305... 16.3.3 Authorizations for Event Management... 305... 16.4 Technical Security... 306 17 SAP Strategic Enterprise Management... 307... 17.1 Introduction and Functions... 307... 17.2 Risks and Controls... 308... 17.3 Application Security... 309... 17.4 Technical Security... 309 18 SAP Solution Manager... 311... 18.1 Introduction and Functions... 311... 18.2 Risks and Controls... 314... 18.3 Application Security... 316... 18.4 Technical Security... 318... 18.4.1 System Monitoring Function... 318... 18.4.2 RFC Communication Security... 319... 18.4.3 Important Additional GSPS Components... 319 19 SAP Enterprise Portal... 321... 19.1 Introduction and Functions... 321... 19.1.1 Technical architecture... 322... 19.1.2 Description of the User Management Engine... 324... 19.2 Risks and Controls... 328

... 19.3 Application Security... 335... 19.3.1 Structure and Design of Portal Roles... 335... 19.3.2 Delegated User Administration for Portal Roles by Involving the Information Owners... 341... 19.3.3 Synchronization of Portal Roles with the ABAP Roles of SAP Backend Applications... 344... 19.3.4 Change Management Process for New Portal Content... 350... 19.4 Technical Security... 352... 19.4.1 Connecting SAP EP to a Central LDAP Directory or SAP System... 352... 19.4.2 Implementation of a Single Sign-On Mechanism Based on a One-Factor Authentication... 354... 19.4.3 Implementation of a Single Sign-On Mechanism Based on an Integrated Authentication... 357... 19.4.4 Implementation of a Single Sign-On Mechanism Based on Person-Related Certificates... 359... 19.4.5 Configuration for Anonymous Access... 361... 19.4.6 Secure Initial Configuration... 362... 19.4.7 Definition and Implementation of Security Zones... 363... 19.4.8 Secure Network Architecture... 365... 19.4.9 Introducing an Application-Level Gateway to Make Portal Applications Secure... 368... 19.4.10 Configuration of Encrypted Communication Channels... 371... 19.4.11 Implementation of a Virus Scan for Avoiding a Virus Infection... 373 20 SAP Exchange Infrastructure... 375... 20.1 Introduction and Functions... 375... 20.2 Risks and Controls... 379... 20.3 Application Security... 384... 20.3.1 Authorizations for the Integration Builder... 384... 20.3.2 Passwords and Authorizations for Technical Service Users... 385... 20.4 Technical Security... 387... 20.4.1 Definition of Technical Service Users for Communication Channels at Runtime... 387... 20.4.2 Setting Up Encryption for Communication Channels... 388... 20.4.3 Digital Signature for XML-Based Messages... 394... 20.4.4 Encryption of XML-Based Messages... 399... 20.4.5 Network-Side Security for Integration Scenarios... 399... 20.4.6 Audit of the Integration Builder and the SAP XI Communication... 401... 20.4.7 Securing the File Adapter at Operating-System Level... 404 21 SAP Partner Connectivity Kit... 405... 21.1 Introduction and Functions... 405... 21.2 Risks and Controls... 406... 21.3 Application Security... 409... 21.4 Technical Security... 410... 21.4.1 Separate Technical Service User for Every Connected Partner System... 410... 21.4.2 Setting Up Encryption for Communication Channels... 410... 21.4.3 Digital Signature for XML-Based Messages... 410... 21.4.4 Network-Side Security for Integration Scenarios... 410... 21.4.5 Audit of the Message Exchange... 410... 21.4.6 Securing the File Adapter at Operating-System Level... 411 22 SAP Mobile Infrastructure... 413... 22.1 Introduction and Functionality... 413... 22.2 Risks and Controls... 415... 22.3 Application Security... 419... 22.3.1 Authorization Concept for SAP MI Applications... 419... 22.3.2 Authorization Concept for Administration... 422... 22.3.3 Restricting the Authorizations of the RFC User to Backend Applications... 423... 22.4 Technical Security... 424... 22.4.1 Setting Up Encrypted Communications Connections... 424... 22.4.2 Securing the Synchronization Communication... 425

... 22.4.3 Deactivating Superfluous Services on the SAP MI Server... 427... 22.4.4 Secure Network Architecture... 427... 22.4.5 Monitoring... 428 23 Database Server... 431... 23.1 Introduction and Functions... 431... 23.2 Risks and Controls... 431... 23.3 Application Security... 434... 23.4 Technical Security... 435... 23.4.1 Changing Default Passwords... 435... 23.4.2 Removing Unnecessary Database Users... 438... 23.4.3 Limiting Database Access... 438... 23.4.4 Design and Implementation of a Database Backup Concept... 439... 23.4.5 Design and Implementation of an Upgrade Concept... 440 24 SAP Web Dispatcher... 441... 24.1 Introduction and Functions... 441... 24.2 Risks and Controls... 441... 24.3 Application Security... 443... 24.4 Technical Security... 443... 24.4.1 Use of SAP Web Dispatcher as a Reverse Proxy... 443... 24.4.2 Configuration of SAP Web Dispatcher as a URL Filter... 445... 24.4.3 SSL Configuration... 447... 24.4.4 Monitoring... 449 25 SAProuter... 451... 25.1 Introduction and Functions... 451... 25.2 Risks and Controls... 451... 25.3 Application Security... 452... 25.4 Technical Security... 452 26 SAP Internet Transaction Server... 455... 26.1 Introduction and Functions... 455... 26.2 Risks and Controls... 457... 26.3 Application Security... 460... 26.3.1 Defining Access Rights for Service Files... 460... 26.3.2 Administration Concept... 461... 26.4 Technical Security... 462... 26.4.1 Installing a DMZ Network Segmentation... 462... 26.4.2 Encrypting Communications Connections... 463... 26.4.3 Setting Up a Certificate-Based Authentication Process... 466... 26.4.4 Setting Up a Pluggable Authentication Service... 467 27 SAP GUI... 471... 27.1 Introduction and Functions... 471... 27.2 Risks and Controls... 471... 27.3 Application Security... 474... 27.3.1 Types of Signatures... 474... 27.3.2 Supported Electronic Document Formats... 476... 27.3.3 Technical Implementation of the SSF Functions... 476... 27.3.4 Saving Digitally Signed Documents... 479... 27.3.5 Installing the SSF Functions... 480... 27.4 Technical Security... 481... 27.4.1 SSO for the WebGUI by Integration into the OS Authentication Process... 481

... 27.4.2 SSO for the WebGUI by Using Digital Certificates... 481... 27.4.3 Restricting Access to an SAP Web AS Using SAProuter... 483 28 Web Browser... 485... 28.1 Introduction and Functions... 485... 28.2 Risks and Controls... 486... 28.3 Application Security... 487... 28.4 Technical Security... 487... 28.4.1 Anti-Virus Software and Its Update for the Desktop PC... 487... 28.4.2 Using a Personal Firewall on the Desktop PC... 488... 28.4.3 Security Settings for the Web Browser... 488 29 Mobile Devices... 491... 29.1 Introduction and Functions... 491... 29.2 Risks and Controls... 491... 29.3 Application Security... 494... 29.4 Technical Security... 495... 29.4.1 Using Mobile Devices with Authentication Mechanism... 495... 29.4.2 Implementing an Encryption Method for Storage Media... 496... 29.4.3 Implementing Anti-Virus Protection... 496... 29.4.4 Installing a Personal Firewall... 496... 29.4.5 Implementing a Backup Concept... 497... 29.4.6 Setting Up Access Rights for Important System Files... 497... 29.4.7 Fostering a User's Security Awareness... 497 The Authors 499 Index 501

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information