Session 0804: Security Control Center by SAP Active Global Support
Kristian Lehment, Senior Product Manager, SAP AG
Orange County Convention Center, Orlando, Florida, June 3-5, 2014

Abstract
Running secure business systems requires not only a secure configuration during implementation but also regular validation to "stay clean". In this session, you will learn about the self-services and tools available for security, which are centered around the Security section in the SAP EarlyWatch Alert report. Using the Security Optimization Service and the Configuration Validation application within SAP Solution Manager, you can validate whether a system matches your corporate security policy, and you can move from pure reporting to continuous security validation in your "Security Control Center" as proposed by SAP Active Global Support.
2014 SAP AG or an SAP affiliate company. All rights reserved.

IT Risk & Security Lifecycle (for each single IT organization)
Inventory: Collect and document all systems maintained/operated.
Information Classification: All systems have to be assigned to a category of systems according to the criticality of the data/information stored/processed on the system.
IT Security Requirements: The IT security measures based on the system classification have to be aligned with the business requirements. Compromises might have to be made on both sides. Remaining risks have to be identified and addressed with the respective business owners.
Gap analysis: Compare implemented security measures vs. security requirements and identify existing gaps.
Risk Assessment: Evaluate the operational risk resulting from the identified gaps. Report the results of the risk assessment according to the defined operational IT Risk Management process.
Planning / Implementation: Develop an implementation plan covering the missing IT security measures according to the criticality of the related risk to be mitigated. Implement the security measures.
Monitoring: Monitor changes in processes, infrastructure and risk situation.

IT Risk & Security Lifecycle (for each single IT organization)
Authentication: Prove who you are. Passwords, SSO, Federation.
User Management: Maintain accounts. Identity Management and more.
Authorizations: Who's allowed to do what? Privilege management.
Analysis+Reporting: Company-wide consolidation of security settings.
System+Infrastructure Security: Code security, RFC gateway, network and interfaces.
Investment in authorizations and user management ("putting locks on doors") is often endangered by negligent handling of baseline security measures ("leaving open the windows").

IT Risk & Security Lifecycle (for each single IT organization)
Analysis+Reporting: Company-wide consolidation of security settings.
System+Infrastructure Security: Code security, RFC gateway, network and interfaces.
Internal and external auditors are discovering these topics at the moment!

Security in Operations The big picture
Innovation Control Center and Operations Control Center with premium access to Mission Control Center
Innovation Control Center (Build SAP like a factory): Reduce implementation cost; Reduce time to value; Smoothen transition to operations; Avoid unnecessary modifications
Mission Control Center (Enhanced Back Office): Direct access to unmatched expertise from SAP and ecosystem; Fast issue resolution
Operations Control Center (Run SAP like a factory): Improve business continuity; Higher degree of automation; Better business performance; Reduce total cost of operations
[Diagram labels: Customer, SAP Solution Manager, SAP]

Run SAP Like a Factory: Operations Control Center
[Diagram labels: Business Process Operations; Application Operations; IT Infrastructure Operations; Operations Control Center (OCC); Central Monitors/Dashboards; Status Core Business Processes; Status Business Users; Status System Components; Central Alert Inbox; Event Management; Continuous Improvement Process (Plan, Do, Check, Act); Problem Management (re-active / pro-active); Change Management; Incident and Problem Management]

Security in Operations: The Big Picture
Management Dashboards: Provide an overview of the system landscape status. For security, they could also include the progress of "get clean" projects. Mainly used for a quick status overview as required by management and operations.
Incident Management, Guided Procedures (Immediate Resolution): The Alert Inbox with work items is used as the trigger for action. For security, it may contain snapshot spot check events (issues identified at the time of the check) and security-critical events (completely independent of the time of the check).
Change Management (Change Projects)

Management Dashboards: Security View
Views: Monitoring Stay Clean; Monitoring Get Clean Projects; Monitoring Security Alerts Situation
[Dashboard figure: tiles, each charting "Compliance of Systems" for the systems PR1, PR2, PR3, PR4, DEX, DEY, DEZ, ...]
Critical System Parameters (Target: System_Params)
SAP* / SAP_ALL (Target: SAP_Star-SAP_ALL)
Missing Security HotNews (Target: Security_HotNews)
Secure AS Gateway Config (Target: Gateway_Security_Project)
System w. Security Alerts (Target: Security_Alerts)
See "Configuration Validation based Management Dashboards" for examples.

Achievements to be unlocked
Security Reporting: Strong recommendations from SAP; Security Optimization Service; Required notes for Security Patch Process
Operations Control Center: Cross-system security validation; Security dashboards and alerts; Integration of security validation into Operations Control Center

Security Reporting using the SAP Solution Manager
EarlyWatch Alert: Strong recommendations from SAP, including security topics
Security Optimization Service: Extensive analysis about security, including recommendations
System Recommendations: Analysis about missing Security Notes
Configuration Validation & Change Reporting: Cross-system analysis of security configuration
Dashboards: Show summary about Configuration Validation results
Alerting: based on SAP EarlyWatch Alert; based on Security Audit Log; based on Configuration Validation

EarlyWatch Alert Strong recommendations from SAP including security topics
The Role of EarlyWatch Alert (EWA) for Security
SAP EarlyWatch Alert (EWA) (see http://service.sap.com/ewa): SAP EarlyWatch Alert is an important part of making sure that your core business processes work. It is a tool that monitors the essential administrative areas of SAP components and keeps you up to date on their performance and stability. SAP EarlyWatch Alert runs automatically to keep you informed, so you can react to issues proactively, before they become critical.
Security in the EarlyWatch Alert: The EWA report includes selected information on critical security observations:
SAP Security Notes: ABAP and Kernel Software Corrections
Default Passwords of Standard Users
Password Policy
Gateway and Message Server Security
Users with Critical Authorizations
More detailed and additional information can be found with the help of the security self-services.

EarlyWatch Alert in the System Monitoring Work Center: Filter sessions by your solution; Generate HTML report
EWA Summary
EarlyWatch Alert, Chapter Security: Overview
EarlyWatch Alert, Chapter Security: SAP Security Notes
EarlyWatch Alert, Chapter Security: Default Passwords of Standard Users
EarlyWatch Alert, Chapter Security: Password Policy (1/2)
EarlyWatch Alert, Chapter Security: Password Policy (2/2)
EarlyWatch Alert, Chapter Security: Users with Critical Authorizations
Security Optimization Service Extensive analysis about security including recommendations
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the security of customers' SAP systems by identifying potential security issues and giving recommendations on how to improve the security of the system.
Keeping the security and availability of customer SAP solutions high is a tremendous value to customers' businesses, a value delivered by the SAP Security Optimization Service. Analysis is the key to this value, which is necessary to:
Decrease the risk of a system intrusion
Ensure the confidentiality of business data
Ensure the authenticity of users
Substantially reduce the risk of costly downtime due to wrong user interaction
More information can be found under the alias SOS in the SAP Service Marketplace: http://www.service.sap.com/sos

SAP Security Optimization Service: Overview
The SAP Solution Manager offers the possibility to locally execute the SAP Security Optimization Service.
SAP Security Optimization Self Service: All completely automated checks in ABAP systems; No additional costs for this service
SAP Security Optimization Remote Service: Broad range of security checks extending the Self-Service checks; Performed by experienced service engineers; Part of CQC service offering
SAP Security Optimization Onsite Service: Individual range of security checks, e.g. for the SAP Enterprise Portal; Performed by specialists; Additional costs for this service

Security Optimization Service: Scope of Remote Service and Self Service
SAP NetWeaver Application Server ABAP (scope of the SOS Self Service): Basis administration check; User management check; Super users check; Password check; Spool and printer authorization check; Background authorization check; Batch input authorization check; Transport control authorization check; Role management authorization check; Profile parameter check; SAP GUI Single Sign-On (SSO) check; Certificate Single Sign-On (SSO) check; External authentication check
SAProuter: SAProuttab check; OS access check; SNC check
SAP Enterprise Portal: Landscape check; Configuration check; Administration check; SSL check; Authorization check for portal content, user management and administration
SAP NetWeaver Application Server Java: Landscape check; Configuration check; SSL check; Administration check

Guided Self-Service for Security Optimization: Create new Session
Guided Self-Service for Security Optimization: Execute Session
Guided Self-Service for Security Optimization: Maintain Questionnaire
Deriving an Action Plan
Deriving an Action Plan is easy... in theory. The SOS report is designed to already contain everything you need for it:
a general introduction
the findings and explanations
risk ratings
recommendations
technical background information
So just go ahead!

Deriving an Action Plan... is not that easy when the report is huge
When the SOS report is huge, working on it as described on the previous slide takes a lot of time and resources, and may even mean that nothing happens at all. The goal of the SOS, however, is not just to produce a nice report but to have impact and improve the security of the respective system!
Recommended solution:
Identify Systematic Issues (e.g. issues with the authorization concept) and trigger a solution
Identify Top Issues and solve them first!
Identify Quick Wins and implement them
Determine the remaining risk and either address the next set of Top Issues or get agreement that the achieved level of security looks acceptable until the next scheduled run of the SOS

How to Identify Top Issues
Candidate: Standard Users with Default Passwords
Threat: Standard users with default passwords allow anyone who is able to establish a network connection to your system to anonymously enter it and execute code under potentially high authorizations.
In the SOS report, look for section User Authorization -> Standard Users, Check-ID 0041.
Action: Change the password.
Remark: Look for the other checks in this SOS section as well. They also contain valuable recommendations to protect your system from this threat!

How to Identify Top Issues
Candidate: Insufficient Password Policy
Threat: Weak passwords may give unauthorized people access to potentially powerful accounts. This puts the confidentiality, integrity and availability of your data at risk.
In the SOS report, look for section Authentication -> Passwords, Check-ID 0123.
Action: Carefully review the whole Password section of the SOS. Decide on an appropriate password policy (if not already defined) and implement it with the recommended settings as suggested in the SOS report.

How to Identify Top Issues
Candidate: Users with full authorizations for S_RFC
Threat: These users can be used to call any RFC function from outside the system.
In the SOS report, look for section Basis Authorization -> Incoming RFC, Check-ID 0241.
Action: Limit users with authorization S_RFC with RFC_NAME=* to the minimum. Limit the RFC functions for which a specific user is authorized to the required set, or remove the authorization completely where possible.

Further Information and Contact
Contact address: SecurityCheck@sap.com
Public information: SAP Service Marketplace, using alias /SOS: http://service.sap.com/sos
SAP Notes:
Note 696478 - SAP Security Optimization: Preparation & Additional Info
Note 837490 - Execution of the Security Optimization Self-Service
Note 863362 - Security Checks in the SAP EarlyWatch Alert
Related SAP education training opportunities: http://www.sap.com/education (search for ADM960: Security in SAP system environments)

System Recommendations Analysis about missing Security Notes
Where's the Risk of Not Patching?
Without closing the addressed vulnerabilities, it cannot be ensured that business applications are operated in a proper manner, because standard security measures such as
authentication mechanisms
authorization implementations
security settings (parameters)
can potentially be fully circumvented.
This may in turn, negligently, lead to
system / application misuse for various purposes
loss of reputation (see the Sony incident as an example)
falsified financial data and reporting -> issue for financial audits
indirect losses through sabotage, direct losses through theft
and more, like negative impact on the share price etc.

Security Notes in the Service Marketplace
https://service.sap.com/securitynotes (Security Notes Search)
The rightmost column, "Automatic check in EWA", shows which security notes get checked in the EarlyWatch Alert and with the tool RSECNOTE.

System Recommendations
To keep your SAP systems up to date and secure, you have to apply various types of notes and patches. System Recommendations show all relevant notes and patches for the selected systems and help you to easily keep all of your systems up to date.
Note and patch types for an SAP system: Java patches; Legal change notes; Performance-relevant notes; HotNews; Security notes; General SAP notes

System Recommendations: Process Flow (between Customer and SAP)
1. Select system to check & update
2. Retrieve system information (SP level, patch level)
3. Connect to SAP Global Support Backbone
4. Provide information on latest relevant notes (for SP level, patch level)
5. Send information back to the customer's SAP Solution Manager system
6. Retrieve system information (implemented notes)
7. Calculate delta between OSS provided notes and already implemented notes. Show relevant notes of the system(s) via System Recommendations or Configuration Validation

System Recommendations: SAP Solution Manager Work Center Change Management
Quick link for Easy Access Menu: WebDynpro WDC_NOTE_CENTER

System Recommendations: Key Elements
Filter by solution, product system, technical system and date
Filter by application component
Settings
Structured recommendations
BW reporting as of SolMan 7.1 SP 3
Multiple views
Status management and filter
Integration of Change Request Management and Maintenance Optimizer
Export to Excel

Cross-System Check for System Recommendations
Integrated BW Reporting as of SolMan 7.1 SP 3: List SAP notes not yet implemented in the systems of the selected solution, within the specified time period.

Maintenance Optimizer (MopZ), Step 4: Implementation: Show relevant Security Notes
The Maintenance Optimizer shows relevant security notes as well: https://service.sap.com/mopz
Example used here: The planned Support Package upgrade of the ABAP part of a SolMan 7.1 from SP 5 to SP 7 reduces the count of notes by 50 from 373 to 322. (Most of these remaining notes are not software-related.)

Achievements unlocked
Security Reporting (system specific, get clean): Strong recommendations from SAP in the security chapter of the EarlyWatch Alert; Extensive checks in the Guided Self-Service Security Optimization Service; Required notes for Security Patch Process by System Recommendations
Operations Control Center: Cross-system security validation; Security dashboards and alerts; Integration of security validation into Operations Control Center

Configuration Validation & Change Reporting Cross system analysis of security configuration
Consider the Customer's Situation of Today
Typical questions:
Are the OS, DB, software and kernel on a certain / the latest level? On all systems? Please show me.
Have we applied SAP Note xxxxx on all systems? Please report the implementation status for all systems.
Have we imported transport request xxxx (with important performance changes) on all systems? Could I have a list of the systems where it is still missing?
Are all our CRM systems compliant with the new configuration baseline? If not compliant: which systems, and what exactly?
Are security settings applied? On all systems? Could you please confirm and report?
Challenges: A large number of systems; a complex SAP landscape; the need to compare the current configuration status against a defined target or standard configuration baseline with minimum effort and ASAP.

What is Configuration Validation? The Idea behind Configuration Validation
A reporting to understand how homogeneous the configuration of systems is.
[Diagram: a Reference System and the Compared Systems (System 1 ... System N) each hold configuration items (software packages, ABAP notes, kernel level, transports, parameters, ...); Configuration Validation reports the compliance of System 1, System 2, ..., System N with the Reference System.]
Typical questions are:
All systems on a certain OS level or DB level?
Template configuration (SAP or DB parameter) applied on all systems?
No kernel older than 6 months on all systems?
Security policy settings applied? Security defaults in place?
Have certain transports arrived in the systems?

Configuration Validation: Target System Maintenance
Configuration Validation: Drilldown Reporting (Formatting; Drilldown Instance Name)
New with Solution Manager 7.1: Critical User Authorizations: Analysis of user profiles
AUTH_PROFILE_USER: The user profile check store in the target system (reference) defines that no user is allowed to have the SAP_ALL profile.
Validation output: The users which have critical authorizations in the system SI7 (compared system).

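The comparison described on the Configuration Validation slides above (a target system holding rules, compared systems checked against it, users with SAP_ALL listed as output) can be sketched as follows. This is an added example, not SAP's implementation and not code from the presentation; the store name PROFILE_PARAMETERS, the rule operators, the user names and all values are constructed, while AUTH_PROFILE_USER and the system IDs PR1, SI7 and DEX are taken from the slides.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    store: str       # configuration store the item lives in
    item: str        # configuration item: parameter name or profile name
    op: str          # "eq", "ge" or "no_user" (operators are an assumption)
    value: str = ""  # expected value; unused for "no_user"


# Target system (reference): one rule per configuration item.
TARGET = [
    Rule("PROFILE_PARAMETERS", "login/min_password_lng", "ge", "8"),
    Rule("PROFILE_PARAMETERS", "login/no_automatic_user_sapstar", "eq", "1"),
    Rule("AUTH_PROFILE_USER", "SAP_ALL", "no_user"),  # nobody may hold SAP_ALL
]

# Compared systems: constructed snapshots of what was collected per store.
SYSTEMS = {
    "PR1": {
        "PROFILE_PARAMETERS": {"login/min_password_lng": "10",
                               "login/no_automatic_user_sapstar": "1"},
        "AUTH_PROFILE_USER": {"SAP_ALL": []},
    },
    "SI7": {
        "PROFILE_PARAMETERS": {"login/min_password_lng": "6",
                               "login/no_automatic_user_sapstar": "1"},
        "AUTH_PROFILE_USER": {"SAP_ALL": ["JDOE", "BATCH_ADM"]},
    },
    "DEX": {  # one parameter was never collected for this system
        "PROFILE_PARAMETERS": {"login/min_password_lng": "8"},
        "AUTH_PROFILE_USER": {},
    },
}


def check(rule, snapshot):
    """Return the non-compliant items one rule produces for one system."""
    store = snapshot.get(rule.store)
    if store is None:
        return [f"{rule.store}: store not collected"]
    if rule.op == "no_user":
        # One finding per user, matching the per-user validation output.
        return [f"{rule.store}: user {user} holds {rule.item}"
                for user in sorted(store.get(rule.item, []))]
    actual = store.get(rule.item)
    if actual is None:
        # A missing item cannot be shown to be compliant, so it is reported.
        return [f"{rule.item}: not set, expected {rule.op} {rule.value}"]
    if rule.op == "eq":
        ok = actual == rule.value
    elif rule.op == "ge":
        try:
            ok = int(actual) >= int(rule.value)
        except ValueError:
            ok = False  # non-numeric value where a number is required
    else:
        raise ValueError(f"unknown operator {rule.op!r}")
    return [] if ok else [f"{rule.item}: is {actual}, expected {rule.op} {rule.value}"]


def validate(target, systems):
    """Map each system ID to its list of non-compliant items."""
    return {sid: [finding for rule in target for finding in check(rule, snap)]
            for sid, snap in systems.items()}


def non_compliant_counts(target, systems):
    """Number of non-compliant items per system, the figure a dashboard would show."""
    return {sid: len(found) for sid, found in validate(target, systems).items()}


if __name__ == "__main__":
    for sid, found in validate(TARGET, SYSTEMS).items():
        print(sid, "compliant" if not found else found)
```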
New Features of Configuration Validation
Solution Manager release: 7.1 SP09
Config Store with Project Attributes of ABAP Transports
Weighted Security Item Reporting
Documentation for Config Items
Additional House Keeping Features for CCDB (anti-aging)
X-Single Column Reporting for Configuration Validation

Configuration Validation: EGI session
Get in-depth knowledge of the Configuration Validation functionality with the Expert Guided Implementation (EGI) service. The EGI gives the participants the opportunity to set up ready-to-use Configuration Validation reports in their own SAP Solution Manager.
Training, practical experience, remote consulting:
Empowering (Web session, 1-2 h each morning): An SAP expert explains step-by-step configuration using training materials.
Execution (2-3 h on the same day): Participants execute the demonstrated steps within their own project, on their own SAP environment.
Expertise on demand (during execution): Participants have direct access to an SAP expert who supports them remotely, if necessary, during the execution.
More information on available EGI topics and booking information can be found here: https://service.sap.com/esacademy (EGI Registration)

Dashboards Show summary about Configuration Validation results
Big Picture: Reporting / Alerting / Management Dashboard
Configuration Validation target systems can be used in several areas: Configuration Validation Reporting; Management Dashboard; System Monitoring / Alerting

New with Solution Manager 7.1 SP 3: Security Dashboards
Dashboard Management: Define dashboards to be used by others with the WebDynpro ABAP applications DASHBOARD_MANAGEMENT and GENERIC_DASHBOARD_VIEWER.
Proposal: Create individual dashboard blocks for different KPIs and include them in a specific security dashboard.

Alerting
Use Case for Security Alerts
Red Alert: A security alert appears in the Alert Inbox.
Actions & Recommendations: The alert details recommend actions to resolve the alert, e.g. to implement an SAP Note, to change the passwords etc.
Resolution: Follow the recommendation. Assign alerts to a processor for follow-up and issue resolution.
Green Rating: The problem is solved. The next set of alerts in the Inbox is green.

Inbox & Reporting/Drill-Down
Alert Inbox: Unexpected Assignment of SAP_ALL
Reporting / Drill-Down: Unexpected Assignment of SAP_ALL

Alerting based on SAP EarlyWatch Alert
SAP EarlyWatch Alert Integration into Operation
You want to...
Activate different checks for the next SAP EarlyWatch Alert (EWA) report
Get all system alerts in one place
Get access to SAP assistance
Get business process relevant information in your EWA
Continuously improve the system by leveraging EWA results
Why integrate EWA into operation?
Optimize system behavior
Reduce manual effort due to a consolidated overview of critical EWA findings
Start mitigating measures directly out of the reported issue

EWA Results Now Available in Technical Monitoring Alert Inbox
Advantages:
EWA results are in one place, with customizable views
No need to check EWA reports manually every week
Recommendations and guidelines for alert resolution are in the same place
Processing of alerts in the inbox is supported by integration with incident management, alert assignment etc.

Consolidated Alert Overview: Short Introduction
The following information is shown in the Alert Inbox overview screen:
Basic information, e.g. issue area, category, relevant system, current status etc.
History information, e.g. how many alerts have been raised / worst rating in the past / no. of status changes etc.
Processing information, e.g. processor name, current status (automatic confirmation, manual notification, incident etc.)

Alert Details and Metrics
Opening a specific alert displays the individual details of the alert. Mark a line to see how to resolve the issue.

Alert Handling
The handling of alerts is supported by:
Sending mail or SMS notifications
Integration of Issue Management
Assigning a person responsible to an alert

Technical Details
Prerequisites: Solution Manager system and connected managed systems with activated EWA. The Alert Inbox for EarlyWatch Alert is available with Solution Manager 7.1 SP05 onwards.
Activation: EWA integration into the Alert Inbox is activated automatically. No manual configuration steps are required. Currently, updates to the EWA Alert Inbox template are shipped via Support Packages. New template content has to be activated manually. In the future it is planned that new content will be imported and activated dynamically.

Alerting based on Security Audit Log
Overview
Prerequisites:
The Security Audit Log is activated on the managed system using transaction SM19.
The Security monitor within the monitor set SAP CCMS Monitor Template is activated using transaction RZ20.
Monitoring in general: http://sdn.sap.com/irj/sdn/monitoring
Security Monitor: http://help.sap.com/saphelp_nw70/helpdata/en/23/c9833b3bb1780fe10000000a11402f/frameset.htm
Activation:
Activate the corresponding alerts in the SAP Solution Manager.
Defining User Alerts in the SAP Solution Manager: https://help.sap.com/saphelp_sm71_sp08/helpdata/en/3b/a8413599b244b6a03ac9d2a3bdaf2f/frameset.htm

Recommended filter settings for the Security Audit Log, according to blog http://scn.sap.com/message/14404056
1. Filter: Activate everything which is critical for all users '*' in all clients '*'. You may deactivate the messages of class User master record change (32) because you get change documents for users in transaction SUIM anyway. Consider adding messages AUO, AUZ, BU5, BU6, BU7, BU9, BUA, BUB, BUC, BUH, AUP, AUQ. If you maintain logical file names using transaction FILE (see note 1497003), then add messages CUQ, CUR, CUS, CUT.
2. Filter: Activate everything for users 'SAP*' in all clients '*'. This includes the built-in user 'SAP*' as well as all user account names starting with 'SAP', e.g. 'sapsupportx', because of rsau/user_selection = 1. To show log entries for user 'SAP*' only, filter by 'SAP#*' in SM20 or use report RSAU_SELECT_EVENTS instead.
3. Filter: Activate everything for other support and emergency users, e.g. 'FF*' (FireFighter), in all clients '*'.
4. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients. This user should not be used in dialog mode. It is only required for specific activities while applying support packages or while importing transports (however, in this case you can use another background user as well).
5. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted (see http://scn.sap.com/community/security/blog/2013/06/06/how-to-remove-unused-clients-including-client-001-and-066 ).
6. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identify RFC connection problems easily (see http://scn.sap.com/community/security/blog/2010/12/05/how-to-get-rfc-call-traces-to-build-authorizations-for-srfc-for-free ).
7.-10. Filter: free for other project-specific purposes

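To see which of the recommended filters would record a given event, and why the user pattern 'SAP*' differs from 'SAP#*', the filter list above can be modelled over a few sample events. This is an added example, not SAP code and not part of the presentation; the matching model (wildcard '*', escape '#'), the audit class names, the "critical" flag per event, the user names RFC_TEST, JDOE and FF_BASIS01 and all sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional


def compile_user_pattern(pattern):
    """'*' matches any suffix; '#*' is a literal asterisk, as in 'SAP#*'."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern[i] == "#" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped character
            i += 2
        elif pattern[i] == "*":
            parts.append(".*")                       # generic selection
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    client: str
    user: str
    msg: str          # audit message ID
    audit_class: str  # constructed class label: "logon", "transaction", "rfc"
    critical: bool    # constructed criticality flag


@dataclass(frozen=True)
class Filter:
    number: int
    client: str                                # "*" or one client
    user: str                                  # user pattern
    classes: Optional[FrozenSet[str]] = None   # None = all audit classes
    messages: Optional[FrozenSet[str]] = None  # None = all messages
    critical_only: bool = False

    def records(self, ev):
        if self.client != "*" and self.client != ev.client:
            return False
        if not compile_user_pattern(self.user).fullmatch(ev.user):
            return False
        if self.critical_only and not ev.critical:
            return False
        if self.classes is not None and ev.audit_class not in self.classes:
            return False
        if self.messages is not None and ev.msg not in self.messages:
            return False
        return True


# Filters 1-6 from the slide; RFC_TEST stands in for a "selected user".
FILTERS = [
    Filter(1, "*", "*", critical_only=True),
    Filter(2, "*", "SAP*"),
    Filter(3, "*", "FF*"),
    Filter(4, "*", "DDIC", classes=frozenset({"logon", "transaction"})),
    Filter(5, "066", "*"),
    Filter(6, "*", "RFC_TEST", messages=frozenset({"AUL", "AUK", "AU6", "AU5"})),
]

# Constructed sample events.
EVENTS = [
    Event("100", "SAP*", "AU1", "logon", False),
    Event("100", "SAPSUPPORTX", "AU3", "transaction", False),
    Event("100", "DDIC", "AU1", "logon", False),
    Event("100", "DDIC", "AUK", "rfc", False),
    Event("066", "JDOE", "AU3", "transaction", False),
    Event("100", "JDOE", "AU3", "transaction", False),
    Event("100", "JDOE", "AU2", "logon", True),
    Event("100", "FF_BASIS01", "AU3", "transaction", False),
    Event("100", "RFC_TEST", "AUL", "rfc", False),
]


def recorded_by(ev, filters=FILTERS):
    """Numbers of the filters that would write this event to the log."""
    return [f.number for f in filters if f.records(ev)]


def unrecorded(events, filters=FILTERS):
    """Events no filter captures: the blind spots of the filter set."""
    return [ev for ev in events if not recorded_by(ev, filters)]


def select_users(events, pattern):
    """User names in the events that match a selection pattern."""
    rx = compile_user_pattern(pattern)
    return sorted({ev.user for ev in events if rx.fullmatch(ev.user)})


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.client, ev.user, ev.msg, "->", recorded_by(ev) or "not recorded")
    print(select_users(EVENTS, "SAP*"), select_users(EVENTS, "SAP#*"))
```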
Security monitor within the monitor set SAP CCMS Monitor Template
Transaction RZ20

Alert Inbox in System Monitoring
Limitation: No drilldown into details

Alerting based on Configuration Validation
Setup Configuration Validation Target System
Starting with SAP Solution Manager 7.1 SP6, specific alerts are available in the standard template based on target system 0ALERT:
- Alert: Expiring ABAP certificates
- Alert: Failed ABAP transports
- Alert: Global changes allowed
- Alert: Users with critical profiles
In addition, you can add any target system of Configuration Validation:
- Alert: Configuration Validation
  - Password policy settings
  - Other Profile Parameter settings
  - Standard users with known password
  - RFC Gateway ACL
  - etc.

Setup Configuration Validation Target System 0ALERT
You can copy the target system and adjust the rules.

Setup Configuration Validation Target System SAP_ALL (Example)
- Config Store AUTH_PROFILE_USER
- Contains only one rule
- Use 0SECN template to create target system.
- Delete all config stores besides AUTH_PROFILE_USER

Setup Technical Monitoring Step 1-3: Prerequisites
Prerequisites: perform steps 1-3, which are not system specific

Setup Technical Monitoring Step 4: Template Maintenance: Deriving a template and adding a target system
The metric Number of non-compliant items is not active. It is necessary to activate it.
Create a template for the SAP basis version your system is running on:
1. Mark Template
2. Create Custom Template
3. New template appears

Setup Technical Monitoring Step 4: Add target System SAP_ALL to metric number of non-compliant items
On tab Metrics, click on Number of non-compliant items
1. In tab data collection add target system
2. In tab Metrics check Active
3. Save button is at the top

Setup Technical Monitoring Step 5: Define Scope
Choose a system
Next

Setup Technical Monitoring Step 6: Setup Monitoring
1. Assign Template for Technical System
2. Apply and activate it
3. Configuration Managed Object is the next step

Verify Alert Settings using the Alerting Directory Browser
- Alerts from EWA
- Alerts from Template 0ALERT
- Alerts from ConfigVal

Technical Monitoring Alert Inbox
Personalized query for Security Configuration

Technical Monitoring Alert Inbox Detail View
Show report 2 Show Target report Systems

Guided Procedures for regular Tasks
- You can create Guided Procedures for regular tasks
- Option to link Guided Procedures to alerts
- Accessible from Technical Administration Work Center via Guided Procedure Browser

Achievements unlocked:
Security Reporting
Operations Control Center
- Strong recommendations from SAP in the security chapter of the EarlyWatch
- Extensive checks in the Guided self-service Security Optimization Service
- Custom specific cross system security validation using application Configuration Validation
- Use of Configuration Validation for Security dashboards and Alerts
- Required notes for Security Patch Process by System Recommendations
system specific, get clean
- Integration of security validation into Operations Control Center
cross-system, stay clean

SAP Enterprise Support Academy
Learning from Experts to Experts
The SAP Enterprise Support Academy is a dedicated platform for simplified access to and consumption of SAP Enterprise Support offerings
How it can help
- Easily access SAP Enterprise Support services
- Up-skill professionals
- Boost cross-functional collaboration between the business and IT units
What it offers
- A comprehensive learning environment that allows the creation of individual learning plans and provides a personalized learning experience.
- Aggregated views on services and educational elements
Where to find more
- Home page: service.sap.com/esacademy
- News subscription
- Contact: sap_es_academy@sap.com

Monthly ASUG Security Webcast
Hosted by the ASUG Security SIG: http://www.asug.com/special-interest-groups/4267
E.g.: http://www.asug.com/events/detail/sap-security-patch-day-june

THANK YOU FOR PARTICIPATING
Please provide feedback on this session by completing a short survey via the event mobile application.
SESSION CODE: 0804
For ongoing education on this area of focus, visit www.asug.com