Compliant User Provisioning Role Factory Controls Management Audit Services
Agenda: Company Presentation wikima4; Interdependencies; Operational Risks; Security Areas; Security Processes; Security Reporting; Security Framework; Compliance/Access Controls; Configuration Controls; Incident Controls; Process Controls; Risk Mitigation; Security Monitoring; Role Mining and Optimisation; Best Practise Template Roles for all areas; rolebee: Smart SAP Mass Role Maintenance; Role Factory; SAP NetWeaver IDM; ComplianceEngine; FireFighter/AuditTicker; Password Self Service; Single Sign-On; GoogleAppsConnector; Enhanced IDM; SAPLoginCracker; SAP Audit Catalogue; SAP Hacking; Fraud Analysis and Detection; Post Audit Support; Audit Services
wikima4 AG. Headquarters: wikima4 AG, Bahnhofstrasse 28, 6304 Zug. Development Center: wikima4 SA, Rue du Torrent 1, 1800 Vevey. Representative: wikima4 AG, Scottsdale AZ/US. wikima4, founded 2001, is one of the leading Swiss software and development companies for security, compliance, IT governance, process optimization and identity management. Special expertise in Identity Access Management (SAP, Siemens, Novell, Omada, ...). Special expertise in Governance, Risk & Compliance (SAP, mesaforte, ...). Member of the SAP Global Security Alliance. Certified for SAP NetWeaver: mesaforte, your SAP control management in a mouse click. Head of IGSAP of the ISACA Switzerland Chapter. Head of SAP Roundtable Switzerland: Chances and Risks in SAP Systems. Head of the IT Governance Interest Group of SwissICT. Various lectureships at Swiss and German institutions in the field of SAP compliance, security and process management.
Recommendations. is one of the pioneers in Switzerland recognizing the importance and the challenges in securing SAP systems. organized and educated the SAP user community in Switzerland and was able to take even influence in the security practice of the vendor. Giampaolo Trenta, Bank Julius Baer. has brought state-of-the-art knowledge and expertise to the table. consulting approach and the best-practices I could gain allowed an accelerated introduction of new concepts and the implementation of a secure and compliant system. Michael Bosshard, Zurich Financial Services. I highly rate for professionalism and excellent technical know-how. not only delivers very good concepts but also implements them on time and within budget against all odds and political difficulties! gave me the confidence to complete a challenging task in a difficult environment. Rudolf Walther, Winterthur Insurances. has a unique combination of SAP-specific audit and security know-how and at the same time management understanding and leadership skills which allows to help SAP shops to tackle the most critical area when it comes to security: responsibility. Sachar Paulus, Chief Security Officer at SAP AG. is both customer and detail-oriented, watches the balance sheet like a hawk, yet without losing sight of the strategic objectives. has a deep and detailed solid knowledge of SAP systems. Usama Abdelamid, Ciba Speciality Chemicals. We are happy that wikima4 provides consulting services to us. is probably the best authority on this field you can find! Jean-Luc Nottaris at OIZ. It's always a pleasure to discuss issues and work with has a solid understanding of (SAP) information and IT-security as well as high professional competence. I have been highly satisfied with the work performed and the way worked with my staff on a joint audit. Rolf-Christian Andersen at Baloise. Deep security expertise in the SAP environment. Martin Frick at AVIS
mesaforte & rolebee Value Chain: Compliance / SoD; Security internal/external; Mining / process optimisation; licence optimisation; Role Designer & Tuner; rule sets (IT controls, SAP FI, SAP SD/MM, GMP, IKS, esox, ...); data protection; authorisation analysis; usage-based distribution; role templates; continuous checks, real-time protection; SLA monitoring; risk mitigation; process assignment; organisational calibration; protection against hacking; portfolio management; compliant contract management; role derivation
Compliance Services for SAP Secure Software Development, Secure Change & Configuration Management Security Reviews, Security Concepts Services Risk Management, Regulatory Compliance, Roles and Authorizations Inter-Company Communication, Digital Signatures Authentication & SSO, Public Key Infrastructure, Trust Centre Services Secure Network Architecture
SFW.Dependencies: Business Continuity Planning; Operation & Maintenance; Non-System Availability; Non-System Recovery; Authentication; Identity; Identity Theft; OpRisks; Network Communication; Unauthorized Access; System Damage; Access Control; Policy Framework; Non-Auditability; Non-Reactability; Software Life Cycle; Inflexibility; Audit Trail; Security Organisation; Incident Monitoring
SFW.Complexity: Developer key; user, password, fixed parameters; emergency processes; emergency concept and roles; perimeter; server centre walk-in; printer, network setup; operating system commands; table logging; client settings; emergency process; server configuration (hardening); backup media; profile parameters; standard users; system hardening; patch level, support packages; SAP Gateway (secinfo, reginfo); basic parameters/architecture; server configuration (with OS, DB, application); network security services; port policy, network architecture, DMZ; segregation of duty conflicts in roles; critical business authorisation in roles; segregation of duty conflicts in users; critical system authorisation in roles; critical system authorisation for user; critical business authorisation for user; data encryption; intrusion from internal/external account; security organization process; credential management; security organisation, communication, reporting; single sign-on techniques; remote policy / access rights allocation technique / authorisation; intrusion detection processes; security framework guidelines; user provisioning process; system hygiene; monitoring of log files; role maintenance process; user management process; standardisation state, custom development rate; process and organisation transparency; role efficiency; concept and process monitoring; logging & monitoring; SAP GUI/WebGUI, portal; development policies; change management; user access rights administration; client; separation of run and build, ITIL conformity; service level agreements, duties of external partners; authority checks; operation guidebook; backup concept; transport management process; support processes, first-, second- and third-level support; code inspection; operation; disaster recovery concept; backup & recovery
SFW.Process Map: Security & Compliance. Identity Access Management: Authentication, User Provisioning, Role Modification. Secure System Management: SAP Support Management, System Sign-Off & Takeover, System Monitoring & Performance Management, System Maintenance, Business Continuity Planning. Secure Lifecycle Management: Requirements Definition, Change Request Management, Test Management, Transport Management, System Replacement, ... Problem & Incident Management: Incident Logging, Incident Categorizing, Incident Handling, Disaster Management (Task Force), System Opening, ... Compliance Management: Risk Management, Attestation, Audit & Review, Forensic Analysis (ex post), ...
MFX.GRC and IT-Information Security Regulation and Targets Business Rules Business Roles Management Dashboard (Configuration, Compliance, Incidents) mesaforte SAP Control Management Authorisation Analysis Automated reaction Attestation Risk Mitigation ITSM (Governance) OpRisk (Risk) IAM (Compliance) SIEM (Incidents)
mesaforte ComplianceEngine: PDCA. mesaforte is based on the PDCA cycle, which is widely known as the underlying concept behind the ISO 9001 quality management standard. PLAN: Establish the objectives and processes necessary to deliver results in accordance with the expected output. In mesaforte, the Plan tab is where the rule sets, rules, filters and planning jobs are prepared. DO: Implement the plan and execute the process. In mesaforte, the job previously defined is executed and data for charting and analysis is collected. CHECK: Study the actual results and compare them against the expected results to ascertain any differences. In mesaforte, the data can be analyzed, reports can be generated and tasks can be assigned. ACT: Act in the PDCA cycle requests corrective actions on significant differences between actual and planned results. In mesaforte, the logged-in user can act upon violations by simply double-clicking the pending tasks on the list.
MFX.Risk Cycle to Process Area
MFX.Risk to Process Area
MFX.Risk to Conflicting Groups
MFX.Risk per User
MFX.Internal Controls: Configuration, Compliance, Incidents. Configuration: system status in respect to security elements (profile parameters, client settings, table logging, SAP standard users, gateway, etc.). Compliance: segregation of duties and user authorisation monitoring per role, per user, per profile, and so on. Incidents: analysis of critical events from the system logs (Security Audit Log, System Log, Transaction Log, etc.).
MFX.mesaforte Control Directory
MFX.Justification Dialog
MFX.Integration Solution Manager
Plan: Define Systems, Rule Sets, Rules, Filters and Jobs
Plan: New Rules, Own Rules. Create new, or copy (and change) existing, rules for ALL categories; wikima4 / client namespace.
Do: Run Jobs, Collect Data. No limit on checking a system against different rule sets SIMULTANEOUSLY.
Check: Analyze and Resolve Violations,... Run reports and export data
Check: Resolve... Resolutions can be defined or taken over for users/roles/servers in rules, rulesets or activations.
...Justify Resolutions... ALL resolutions/ changes need to be justified
...Or Assign Tasks... for all violations that should be corrected in the related system(s).
Check: Inform Responsible Persons A mail will be sent to the responsible person automatically
Act: Work on Tasks Assigned
Audit: Record All Changes and Resolutions
MF2.mesaforte Dashboard
MF3.mesaforte Dashboard
Real-time Dashboard
SFW.Solution Architecture Access rights limitation ( get clean ) wikima4 SecurityFramework rolebee RoleDesigner/ RoleTuner mesaforte ComplianceEngine mesaforte RoleMining Monitoring & Controlling ( stay clean I ) mesaforte Your SAP Control in a Mouse Click Configuration, Compliance and Incident Controls Management Dashboard and Reporting Segregation of Duties ( stay clean II ) Implementation SAP NetWeaver Identity Management (IDM) plus mesaforte ComplianceEngine
RFY.Role Design Project Tasks. Policies: definition of baselines. System Analysis: role mining (transaction & role usage). Role Creation: implementation of role templates, adaptations according to the client's request (e.g. renaming). User Role Matrix: assignment of single to composite roles to users; transport in Q and P. User Provisioning: creation of test users and assignment of roles (IDM). Role Test (automated): test procedures, positive testing, tracing of used authorization objects. Role Derivation: derivation according to the organizational setup (IDM). Role Documentation: short text, description. Role Test (User): test procedures, positive testing of functionality, negative test of SoD conflicts and critical rights. Go-Live Preparation: transport in Q and P, assignment of users to roles. Go-Live Support: role adaptations on request. Continuous Monitoring: monitoring and review of SoD conflicts and critical rights. Supported by wikima4 mesaforte, wikima4 rolebee and SAP NetWeaver IDM.
Policies Policies Definition of Baselines
SFW.Templates/Tools/Reporting Control Framework Identity Access Management Compliance and Governance Management Delivery & Operations Management Life-Cycle & Configuration Management Infrastructure & Perimeter Management mesaforte SAPIDM SAP SolMan SAP TMS Assessment Tool System Owner Internal Audit External Audit Privacy Officer Compliance Officer
System Analysis System Analysis Role Mining (Transactions & Role Usage)
RFY.Limitation to the necessary All Roles/assignments 6700 Reduction/removal of unused roles 1200 Reduction/removal of unused transactions/reports 120
RFY.RoleMining System Usage
RFY.RoleMining Role Usage
RFY.RoleMining Role Usage per user
RFY.RoleMining Independent role usage
RFY.RoleMining Role efficiency
Role Creation Role Creation Implementation of RoleTemplates, Modification acc. Customer needs
User Role Assignment User Role Matrix Assignment of Single to Composite Roles to Users; Transport in Q and P
Test: User Provisioning and Testing. User provisioning: creation of test users and assignment of roles, favourites (IDM). Role test (automated): test procedures, positive test, tracing of used authorization objects.
Role Documentation and Role Derivation. Role documentation: short text, long description, menu structures. Role derivation: derivation according to the organisational model.
Role Test (by Users). Role test (user): test procedures, positive test (functionality), negative test (SoD conflicts, critical rights).
rolebee Supporting Tools. mesaforte.rolemining: analyse usage of transactions and reports; analyse role and role assignment effectiveness; analyse role health; analyse segregation of duties conflicts. rolebee.roledesigner: map used transactions and reports to wikima4 template roles; support role aggregations and assignment to users by pattern recognition; adapt role contents (objects, fields) and default values. rolebee.roletuner: mass derive, document, aggregate, rename, provide, delete, convert, screen and create roles according to customer needs.
RFY.RoleTuner rolebee - Features. When rolebee was created, client requirements, our own research and lessons learnt from daily project work were taken into consideration. rolebee automates mass activities in the areas of role creation and maintenance that are not provided by the SAP standard. rolebee massively reduces the effort, time and resources needed and eliminates sources of potential failures. To ensure all records are created the same way as in manual maintenance, rolebee works like a normal SAP user; this guarantees the mandatory audit trail. OrgSets: define required organisation levels or upload workload from an external file. Derivation: derive single or multiple single or composite roles automatically for one or multiple OrgSets, or upload workload from an external file. Documentation: edit short text and description easily per role and automatically update it in SAP, or upload workload from an external file. Renaming: rename multiple roles automatically, or upload workload from an external file; rolebee automatically corrects assignments of single roles in composite roles. Aggregating: aggregate single roles into composite roles automatically, or upload workload from an external file. Provisioning: create users and assign roles automatically, or upload workload from an external file; this feature has been designed especially for the creation of test users. Deletion: mass deletion of roles that are no longer needed, or upload workload from an external file.
RFY.RoleTuner rolebee
rolebee Interaction Role Mining Role Designer Role Tuner Compliance Engine Transactions & Reports actually used Upload roles in SAP Update transactions to roles SAP Map transactions and reports to w4 template roles Map transactions and reports to SAP process steps Recognise patterns to aggregate roles Upload roles in SAP Synchronise info Synchronise info SAP Adapt wikima4 template roles Create new wikima4 template roles Aggregate composite and IDM roles SAP SAP SAP Check compliance of adapted or newly created wikima4 template roles, of composite and IDM roles of role assignments to users SAP Update OrgSet info Recognise patterns to derive roles Synchronise info Derive single & composite roles SAP
RFY.Challenge of SoD Conflicts. Critical combination within a role: a role containing the transactions ME21N (purchase order), MIGO (goods receipt) and MIRO (invoice release) gives the purchase manager the right to order goods, accept them and release the purchase invoices, so the purchase manager is simultaneously responsible for materials management and the invoice procedure. The same critical combination must be checked across all roles that are given to one user: when ME21N, MIGO and MIRO are spread over several roles that are all assigned to the same user, the allocated critical rights have to be evaluated at user level, not only per role.
RFY.Risk-Mitigation workshops. Steps: evaluation of the SoD risk statement; evaluation of the system situation; evaluation of the involved reports and processes; identification of possible authorization values; establishment of controls via system configuration; logging of user activities. Understand the risk: is there really a risk? Decision sequence: Is there a risk at all? If no: justification of the missing criticality. Could the conflict be split up? If yes: role deletion or replacement, description of the role adjustment. Could critical values be eliminated? If yes: authorization object limitation, description of the value adjustment. Is access to a certain field critical? If yes: definition of key values for the approvers, description of the configuration. Could controls be set via the system? If yes: description of the system configuration. Otherwise: determination of mitigating controls, establishment of user logs / justification.
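The two slides above (SoD conflict inside a role versus across a user's roles, and the "could the conflict be split up?" question of the mitigation workshop) as a worked check. This is an added example, not rolebee or mesaforte code; the rule name, role names and assignments are constructed.

```python
# Added example (not wikima4/rolebee code): evaluate the purchase-to-pay SoD
# conflict from the slide (ME21N order, MIGO goods receipt, MIRO invoice release)
# first inside each role, then across all roles assigned to a user.

# Constructed SoD rule: these transactions must not be held together.
SOD_RULES = {"P2P_ORDER_RECEIVE_RELEASE": {"ME21N", "MIGO", "MIRO"}}

# Constructed sample data: role -> transactions, user -> assigned roles.
ROLES = {
    "Z_PURCHASER":        {"ME21N", "ME22N", "ME23N"},
    "Z_WAREHOUSE":        {"MIGO", "MB51"},
    "Z_AP_CLERK":         {"MIRO", "FB03"},
    "Z_PURCHASE_MANAGER": {"ME21N", "MIGO", "MIRO"},   # conflict inside one role
}
USERS = {
    "ALICE": {"Z_PURCHASER"},
    "BOB":   {"Z_PURCHASER", "Z_WAREHOUSE", "Z_AP_CLERK"},  # conflict only across roles
    "CAROL": {"Z_PURCHASE_MANAGER"},
    "DAVE":  {"Z_WAREHOUSE", "Z_AP_CLERK"},                 # two of three: no conflict
}


def role_conflicts(roles=ROLES, rules=SOD_RULES):
    """Critical combinations fully contained in a single role."""
    return {(role, rule) for role, tcodes in roles.items()
            for rule, combo in rules.items() if combo <= tcodes}


def effective_tcodes(assigned, roles):
    """Union of all transactions a user gets from the assigned roles."""
    return set().union(*(roles.get(r, set()) for r in assigned))


def user_conflicts(users=USERS, roles=ROLES, rules=SOD_RULES):
    """Critical combinations a user holds once all assigned roles are merged.
    The value lists, per transaction, which roles allocate that critical right."""
    result = {}
    for user, assigned in users.items():
        held = effective_tcodes(assigned, roles)
        for rule, combo in rules.items():
            if combo <= held:
                result[(user, rule)] = {
                    t: sorted(r for r in assigned if t in roles.get(r, set()))
                    for t in sorted(combo)
                }
    return result


def resolving_removals(user, users=USERS, roles=ROLES, rules=SOD_RULES):
    """Roles whose removal alone clears every conflict of the user: the
    'could the conflict be split up?' question of the mitigation workshop."""
    assigned = users[user]
    if not user_conflicts({user: assigned}, roles, rules):
        return []
    return [r for r in sorted(assigned)
            if not user_conflicts({user: assigned - {r}}, roles, rules)]


if __name__ == "__main__":
    for key in sorted(role_conflicts()):
        print("role conflict:", key)
    for (user, rule), rights in sorted(user_conflicts().items()):
        print(f"user conflict: {user} {rule} {rights}")
        print("  removing any one of these roles resolves it:", resolving_removals(user))
```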
eidm.concept: Requirements, Organization, Structure, Operations. Creation of roles and authorization concept. Establishment of a support organization for user management. Compliance-conformant execution of the IT audit requirements for user management. Request and approval for new authorizations. Change of existing authorizations. Resetting of passwords. Management of super user authorization. Definition of efficient and effective processes in user management. Definition and communication of a support concept for the operative user. Definition of an embedded approach and a unified methodology for user management / change of non-transparent user access management. (C) wikima4 2007-2016, 2010
eidm.user Provisioning Processes. Use cases: Create user: request new user, create user master data in HCM, import HCM data into SAP IDM (or create the user manually in SAP IDM); then create the user credential in the target system. Access rights provisioning: request user access rights / request rights (group), approval of access rights (line manager); then allocation of rights in the target system / access right allocation (manually) via SAP IDM. De-provisioning: user deprovisioning requirement, approval of deprovisioning (line manager), user deletion in the target system; user deactivation due to elimination of roles. Systems: SAP ABAP, SAP Java, AD, ...
eidm.possible savings Possible savings Increase productivity Administration User Mitigate Risk User Value drivers Create/delete users Add/delete access rights Problems with passwords Information to audit Non-productive time when entering company Non-productive time when changing roles Problems with passwords Abuse Sabotage
eidm.value Driver Calculation. Prerequisites: FTE cost of 130 000 CHF, i.e. 650 CHF/day. 1: Increase 8.5% (600), fluctuation 5% (350), 3 days not productive. 2: Change of roles 5% (350), 1 day not productive. 3: Password problems 5% (350), ½ day not productive. 4: Increase 8.5% (600), fluctuation 5% (350), 0.5 h/system. 5: Change of roles 5% (350), 0.5 h/system (15). 6: Problem with password 5% (350), 1 h. 7: 4 days per audit (2).
eidm.add-ons for IDM solutions Compliance Engine SAP NetWeaver Identity Management Omada, Siemens, Novell, BMC FireFighter AuditTicker Compliant User Provisioning Reporting
eidm.complianceengine IDM Access Rights/role requirement mesaforte Risk Assessment/ Mitigation Role Delivery Role change requirement Control-/ Rule- Definition Change Request Closing Business Role/ technical Role Approval/ Justification Role Design/ maintenance Compliance- Check (SOD) Approval Workflow Compliance- Check (Role) Compliant Provisioning Compliant Auditing Compliant Role Delivery
eidm.complianceengine live
eidm.complianceengine: System Chart. Sources: HCM, PeopleSoft, SAP applications, Active Directory, flat file, Lotus, JD Edwards. IDM system: SAP IDM, Omada, Novell, Siemens, ... Targets: SAP ERP, SAP Portal, SAP CRM. mesaforte Compliance Engine. (1) User ID information; (2) check for conflicts during the provisioning process; (3) creation of user IDs, provisioning of roles; (4) check for conflicts during role creation / continuous monitoring for conflicts.
eidm.firefighter. Code Orange is requested in emergency cases where normal authorizations are insufficient and normal workflows take too long. The role is assigned automatically for a limited period of time.
eidm.firefighter live
eidm.auditticker
1. Request the FireFighter role (here: CodeOrange) for a productive system via IDM standard or eidm.
2. Automatic activation of the Security Audit Log for the system, user and clients related to the requested FireFighter role.
3. Automatic assignment of the FireFighter role (via IDM).
4. Working with the extended access rights.
5. Automatic de-provisioning of the FireFighter role (via IDM).
6. Automatic de-activation of the Security Audit Log.
7. Reading out the data and copying it into a separate database.
8. Auditing who applied when and for which system a FireFighter role and what has been done with it.
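The last step of the AuditTicker sequence, the correlation of FireFighter assignments with what was actually done in the Security Audit Log window, as an added example; it is not eidm or wikima4 code. The assignment records, the audit log lines and their pipe-separated layout are constructed for the example and do not reproduce the real SM20 export format.

```python
# Added example (not wikima4/eidm code): correlate FireFighter (Code Orange)
# assignments from IDM with Security Audit Log entries to answer the AuditTicker
# question: who requested which emergency role, when, on which system, and what
# was done with it. Activity by the same user on that system outside the
# assignment window (or on another client) is listed separately for review.
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed IDM assignment records: (requester, system, client, role, start, end).
ASSIGNMENTS = [
    ("JSMITH", "PRD", "100", "Z_CODE_ORANGE", "2010-03-01 08:00", "2010-03-01 10:00"),
    ("MMEIER", "PRD", "100", "Z_CODE_ORANGE", "2010-03-02 14:00", "2010-03-02 15:00"),
]

# Constructed Security Audit Log lines (assumed layout, not the real SM20 export):
# timestamp | system | client | user | message id | detail
AUDIT_LOG = """\
2010-03-01 08:05|PRD|100|JSMITH|AU3|Transaction SE16 started
2010-03-01 08:20|PRD|100|JSMITH|AU3|Transaction SM30 started
2010-03-01 09:10|PRD|100|JSMITH|AUW|Report RSUSR003 started
2010-03-01 10:30|PRD|100|JSMITH|AU3|Transaction SU01 started
2010-03-02 14:10|PRD|100|MMEIER|AU3|Transaction SE38 started
2010-03-02 14:12|PRD|200|MMEIER|AU3|Transaction SE38 started
"""


def parse_audit_log(text):
    """Parse the constructed log layout into dicts with a datetime timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, client, user, msg_id, detail = line.split("|", 5)
        rows.append({"ts": datetime.strptime(ts, FMT), "system": system,
                     "client": client, "user": user, "msg_id": msg_id,
                     "detail": detail})
    return rows


def audit_ticker(assignments=ASSIGNMENTS, log_text=AUDIT_LOG):
    """One report entry per FireFighter assignment: the actions performed inside
    the assignment window on the requested client, plus actions by the same user
    on that system that fall outside the window or on another client. The latter
    should be empty once the role has been de-provisioned and deserve review."""
    events = parse_audit_log(log_text)
    report = []
    for user, system, client, role, start, end in assignments:
        s, e = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
        inside, outside = [], []
        for ev in events:
            if ev["user"] != user or ev["system"] != system:
                continue
            in_window = s <= ev["ts"] <= e and ev["client"] == client
            (inside if in_window else outside).append(ev)
        report.append({
            "user": user, "system": system, "client": client, "role": role,
            "start": start, "end": end,
            "actions": [ev["detail"] for ev in inside],
            "out_of_window": [f"{ev['ts'].strftime(FMT)} {ev['client']} {ev['detail']}"
                              for ev in outside],
        })
    return report


if __name__ == "__main__":
    for entry in audit_ticker():
        print(f"{entry['user']} {entry['role']} on {entry['system']}/{entry['client']} "
              f"{entry['start']} - {entry['end']}")
        for action in entry["actions"]:
            print("   ", action)
        for odd in entry["out_of_window"]:
            print("    REVIEW (outside window/client):", odd)
```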
eidm.auditticker live
eidm.reporting
SAC.SAPLoginCracker. The SAP Gateway vulnerability has been known for years* but SAP users are still not actively taking steps to close this gap. To demonstrate what can be done if this vulnerability is not properly closed, wikima4 security experts decided to implement the SAPLoginCracker. The SAPLoginCracker lets a user log in without specifying a password. It even works when passwords are disabled for the specified user name. No special knowledge is required to operate the SAPLoginCracker. Its effects can be demonstrated visually. *see for example OSS Note 1394093
Thank You! Priska Altorfer Managing Partner wikima4 AG Bahnhofstrasse 28 / 6304 Zug / Switzerland T: +41 (0)41 711 94 54 / F: +41 (0)41 711 96 54 mail@wikima4.com / www.wikima4.com Jörg Altmeier Managing Partner wikima4 AG Bahnhofstrasse 28 / 6304 Zug / Switzerland T: +41 (0)41 711 94 54 / F: +41 (0)41 711 96 54 mail@wikima4.com / www.wikima4.com