SAP Secure Operations Map
SAP Active Global Support, Security Services
May 2015
SAP Secure Operations Map (overview)
- Security Compliance: Security Governance, Audit, Cloud Security, Emergency Concept
- Secure Operation: Users and Authorizations, Authentication and Single Sign-On, Support Security, Security Review and Monitoring
- Secure Setup: Secure Configuration, Communication Security, Data Security
- Secure Code: Security Maintenance of SAP Code, Custom Code Security
- Infrastructure Security: Network Security, Operating System and Database Security, Frontend Security
2015 SAP SE. All rights reserved.
SAP Secure Operations Map: the 16 Secure Operation Tracks cover the following topics
- Security Governance: Adopt security policies for your SAP landscape, create and implement an SAP Security Baseline
- Audit: Ensure and verify the compliance of a company's IT infrastructure and operation with internal and external guidelines
- Cloud Security: Ensure secure operation in cloud and outsourcing scenarios
- Emergency Concept: Prepare for and react to emergency situations
- Users and Authorizations: Manage IT users and authorizations, including special users like administrators
- Authentication and Single Sign-On: Authenticate users properly, but only as often as really required
- Support Security: Resolve software incidents in a secure manner
- Security Review and Monitoring: Review and monitor the security of your SAP systems on a regular basis
- Secure Configuration: Establish and maintain a secure configuration of standard and custom business applications
- Communication Security: Utilize the communication security measures available in your SAP software
- Data Security: Secure critical data beyond pure authorization protection
- Security Maintenance of SAP Code: Establish an effective process to maintain the security of SAP-delivered code
- Custom Code Security: Develop secure custom code and maintain its security
- Network Security: Ensure a secure network environment covering SAP requirements
- Operating System and Database Security: Cover SAP requirements towards the OS and DB level
- Frontend Security: Establish proper security on the frontend, including workstations and mobile devices
Security Governance
- Create and implement an SAP Security Baseline containing the governing SAP-specific regulations to be applied to all SAP systems in the customer's landscapes.
- Define and implement an operational model with clearly defined roles and responsibilities, as well as the operational process that turns the requirements into real action in the different system landscapes. The goal is a common understanding of the responsibilities of the parties involved, comparable results when implementing measures, and regular reporting.
- To ensure full transparency on the implemented IT security level, each area has to implement and operate an appropriate Risk Management and IT Risk and Security Lifecycle.
- Identify systems or landscapes for which, on a first informal assessment, the standard SAP Security Baseline may not be sufficient. This may be the case if specific security requirements or restrictions apply to a certain system. For such systems, a detailed risk analysis is required after the SAP Security Baseline requirements have been covered. Measures required beyond the Baseline then need to be included in the rule set, operations and risk management for those systems.
Audit
- Prepare for internal and external audits
  - Identify relevant regulations like ITIL, BASEL II, SOX, FDA, Data Protection or ISO 27000 and derive required measures and controls from there.
  - Ensure the auditability of systems by enforcing appropriate and effective security, e.g. no unrestricted authorizations (e.g. SAP_ALL) or debug/change authorizations on production systems.
  - Define logs and traces to be collected (consider data protection laws, put limits on the production environment, define clipping levels, etc.). Restrict access to log data and logging facilities.
- Assess your systems on a regular basis
  - Analyze logs with appropriate tools (Audit Information System, Security Audit Log, User Information System (SUIM), SAP Solution Manager, etc.)
  - Perform security assessments (Security Optimization Services, penetration tests)
  - Audit the different Secure Operations Tracks, e.g. infrastructure settings and communication interfaces (firewall, RFC destinations, ALE, ICF, WS, etc.), users and authorizations (spot checks, GRC access control, etc.)
- Respond to audit results
  - Resolve audit complaints appropriately
  - Improve operations and rule sets to avoid similar findings in future
Cloud Security
- Define minimum security requirements for Service Level Agreements (SLAs)
  - Definition of roles and responsibilities (e.g. basis administration by the outsourcing partner, application administration by the company itself)
  - Definition of interfaces, communication and controls between the parties
  - Regulations for security maintenance, secure configuration and secure operation of systems
- For those parts that remain in the customer's responsibility (e.g. application operations for HEC systems), the standard recommendations and the Secure Operation Tracks recommendations remain unchanged
- Establish suitable infrastructures (Identity Management, Single Sign-On) and secure connections to integrate the cloud service into your landscape and to connect hybrid scenarios.
Emergency Concept
- Prepare for incidents
  - Define processes and responsibilities
  - Create and maintain emergency users for relevant systems
  - Collect required logs and data
- Define rules and triggers for incident identification and classification
- Define processes for incident response, impact containment and remediation, and incident recovery
- Prepare for technical and non-technical (e.g. legal) follow-up and improvements
- Ensure a suitable backup and recovery concept (which targets availability; not part of the Security standard)
Users & Authorizations
- Define a User Authorization Concept, including:
  - Define appropriate authorizations for business users and roles
  - Ensure cross-system and landscape consistency of authorizations
  - Segregate basis authorizations from application-level authorizations
  - Define appropriate roles and authorizations for all administration topics (security administrator, IT administrator, data custodian, auditor, etc.)
  - Define and maintain support and emergency users with appropriate roles and authorizations, as well as activation/deactivation rules and documentation requirements.
- Clarify the overall identity and authorization provisioning architecture
  - Define and implement processes for the proper creation, modification and removal of users and authorizations (led by HCM)
  - Implement Identity Management or integrate with an existing Identity Management infrastructure. Integrate with any existing corporate directory.
  - Check replication and synchronization among user stores (IdM, LDAP, UME, CUA, etc.)
- Implement proper Segregation of Duties (SoD) rules, controls and mechanisms
Authentication and Single Sign-On
- Establish appropriate single- or multi-factor authentication mechanisms
- Decide on and implement central authentication and Single Sign-On to connected systems, or integrate with existing Single Sign-On infrastructures. This may include:
  - Maintenance and operation of the corresponding Public Key Infrastructures
  - Management of certificates (maintenance of key stores, revocation lists, certification requests, etc.)
  - Operation of initial authentication points and Identity Provider / Identity Consumer services
- Prepare for authenticator (password, certificate, token) renewal and revocation.
Support Security
- Address the needs for getting support in a secure manner on the different levels:
  - Secure internal support by the internal support group of the respective company or organization
  - Secure external support from third parties
  - Secure support from SAP as the vendor
  - Advanced Secure Support offering from SAP for companies and organizations with enhanced security needs, like cleared support personnel or secure support rooms
- Define requirements for support connections and select accordingly (NetViewer, opening of remote connections, etc.)
- Manage support user accounts and authorizations (password policies, validity period, etc.)
- Allow reproduction of errors on development and test systems (TDMS)
- Develop guidelines for message handling (interaction between employee and support, etc.)
Security Review and Monitoring
- Monitor and review security settings; this includes external or internal assessments as well as tools and services like the EarlyWatch Alert Security chapter or the Security Optimization Self or Remote Service
- Monitor and review activity logs (including the security audit logs)
- Periodically review security-relevant configuration settings of all systems and installed software components, e.g. via Configuration Validation and Security Dashboards.
- Integrate security monitoring with Alerting (e.g. SAP Solution Manager Monitoring and Alerting Infrastructure), Operation Control Centers (OCC) or Risk Management and Mitigation (e.g. GRC Process Control)
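An added example (not from this deck or any SAP tool) of the kind of periodic check the Configuration Validation bullet describes: a small baseline of rules over SAP profile parameter names is evaluated against per-system snapshots, reporting every deviation and every parameter that is not set at all. The parameter names are real profile parameters, but the baseline values and the two system snapshots are constructed for illustration and are not the values of the SAP Security Baseline Template.

```python
# Constructed baseline rules: (parameter, comparison, expected value).
# "eq" exact match, "in" accepted set, "min"/"max" numeric bounds,
# "range" inclusive (low, high). Values are illustrative, not SAP's template.
BASELINE = [
    ("login/min_password_lng", "min", 8),
    ("login/fails_to_user_lock", "max", 5),
    ("login/password_expiration_time", "max", 90),
    ("auth/rfc_authority_check", "in", (1, 2, 6, 9)),
    ("rdisp/gui_auto_logout", "range", (1, 3600)),
]

def _compliant(actual, op, expected):
    """Evaluate one rule; a non-numeric value in a numeric rule is a failure."""
    if op == "eq":
        return str(actual) == str(expected)
    if op == "in":
        return str(actual) in {str(v) for v in expected}
    try:
        value = int(actual)
    except (TypeError, ValueError):
        return False
    if op == "min":
        return value >= expected
    if op == "max":
        return value <= expected
    return expected[0] <= value <= expected[1]   # "range"

def validate(system_id, snapshot, baseline=BASELINE):
    """Findings for one system as (system, parameter, actual, rule) tuples.
    A parameter absent from the snapshot is reported as 'not set': the kernel
    default then applies, which may be weaker than what the baseline demands."""
    findings = []
    for param, op, expected in baseline:
        actual = snapshot.get(param, "not set")
        if actual == "not set" or not _compliant(actual, op, expected):
            findings.append((system_id, param, actual, f"{op} {expected}"))
    return findings

def validate_landscape(snapshots, baseline=BASELINE):
    """Run the baseline over every system snapshot; findings sorted by system."""
    return sorted(f for sid, snap in snapshots.items() for f in validate(sid, snap, baseline))

# Constructed snapshots (profile parameter name -> value as read from the system).
SNAPSHOTS = {
    "PRD": {"login/min_password_lng": "6", "login/fails_to_user_lock": "12",
            "login/password_expiration_time": "90", "auth/rfc_authority_check": "1"},
    "DEV": {"login/min_password_lng": "8", "login/fails_to_user_lock": "5",
            "login/password_expiration_time": "60", "auth/rfc_authority_check": "1",
            "rdisp/gui_auto_logout": "900"},
}

if __name__ == "__main__":
    for finding in validate_landscape(SNAPSHOTS):
        print("%s  %-32s actual=%-8s expected %s" % finding)
```

Running it lists three findings for PRD (password length too short, lock threshold too high, auto-logout not set) and none for DEV.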
Security in Operations: The Big Picture
- Management Dashboards
  - Provide an overview of the system landscape status
  - For security, could also include the progress of get-clean projects
  - Mainly used for a quick status overview as required by management and operations
- Incident Management: Guided Procedures (Immediate Resolution)
  - Inbox of work items used as trigger for action
  - For security, may contain snapshot spot checks (issues identified at the time of the check) and security-critical events (independent of the time of the check)
- Change Management (Change Projects)
- Risk Management (Remediation/Exception Handling)
Secure Configuration
- Maintain security configuration settings and changes
- In particular, refer to the SAP Security Guides and to the SAP Security Baseline Template
- Set up and maintain the transport management system for ABAP and Java (protect the transport directory)
Communication Security
- Secure data in transit via communication encryption, e.g. via SSL/TLS or SNC
- Maintain and operate the corresponding Public Key Infrastructure
- Secure RFC communication by respecting the system security hierarchy and setting up connections appropriately:
  - restricting RFC access, e.g. via UCON
  - assigning proper network / RFC authorizations
  - using RFC Gateway security mechanisms to secure the usage of started or registered RFC servers
- Limit ICF / Web services to the required minimum
Data Security
- Message-level security, including data encryption (e.g. of credit card numbers) and digital signatures, e.g. via the Secure Store and Forward (SSF) framework.
- Anti-virus scanning of files and documents, e.g. via the Virus Scan Interface (VSI)
Security Maintenance of SAP Code
- Security Maintenance approach for handling Security Notes published on the SAP Patch Days:
  - Note risk evaluation and Note implementation
  - Kernel updates
- General software maintenance (Support Packages (SP), new versions, new patch levels), including planning of the corresponding Security Notes
- Implementation and use of corresponding tools like Maintenance Optimizer, System Recommendations and Configuration Validation
Custom Code Security
- Custom Code Lifecycle Management and Custom Code Clean-Up
- Custom Code Secure Development Lifecycle
  - Knowledge & Awareness: Introduce security in the software development organizations and processes
  - Procedures & Guidelines: Define and implement a Secure Software Development Lifecycle; provide guidelines, best practices, etc.; develop a test concept for in-house and 3rd-party development
  - Tool Support: Implement code security scanners such as the Code Vulnerability Analyzer (CVA)
Network Security
- Maintain an appropriate network topology, network segregation and domain concept
- Limit network services and protocols
- Implement and secure SAP network components like SAProuter and SAP Web Dispatcher
- Cover key SAP requirements towards the network layer, e.g. introduce at least a separation between server and client networks.
Operating System and Database Security
- Operating Systems (OS)
  - Verify OS hardening, update and test systems, maintain and perform anti-virus checks, ensure the integrity of critical system files and configurations, keep the user base up to date
  - Cover SAP security needs, e.g. OS-level protection of critical directories like the transport directory
- Databases (DB)
  - Restrict use of the database, proprietary database tools and database-specific functions by proper authorization management at the database level
  - Log and analyze database security events
  - Cover SAP security needs, e.g. avoid database usage that bypasses the SAP DB abstraction layer (if not required, e.g. for direct access to a HANA database)
Frontend Security
- Manage devices and applications, especially mobile devices
  - Manage secure software distribution and configuration
  - Monitor usage of licenses and installations of unauthorized software
- Maintain secure communication channels.
- Configure, distribute and activate SAPGUI security mechanisms, including the SAPGUI Access Control Lists.
Thank You!
Contact information: SAP Active Global Support, Security Services
securitycheck@sap.com