Page 1

Hétpecsét Information Protection Management, 43rd Professional Forum
Security@SAP

János Kis, SAP Labs Hungary, 17/11/2010

Page 2

© SAP AG 2009. All rights reserved. / Page 2

Security Features, Offerings, and Services

SAP Security covers three areas:

Software Security Assurance and Quality
- Internal and external security assessments
- Security Response Process
- Security Product Standard and validation

Security Functionality
- SAP NetWeaver Identity Management
- Web services security
- Single Sign-On
- Compliance

Security Services and Information
- Best practices and security configuration guides on SDN
- Documentation in the SAP Online Help
- Security Optimization Service

Page 3

SAP NetWeaver Technology Capabilities: Security and Identity Management

[Diagram: SAP NetWeaver capability map. Service-enabled applications (SAP Business Suite 7, customer and partner applications such as order management, non-SAP and legacy systems) are connected through service-bus-based integration and repository-based modeling and design (SOA middleware). Technology capabilities shown: Master Data Management, Data Management and Integration, Portal and Collaboration, Search, Information Composition, Service Composition, SOA Management, Content Management, Business Intelligence, User Interface Composition, Mobile User Interface Technology, User Productivity, Business Process Management and Composition, Business Content, Information Management, Business Process Monitoring, Human Interaction Management, Business Process Modeling, Business Rules Management, ABAP Development, Java Development, Application Foundation, Application Life-cycle Management, and Security and Identity Management.]

Security:
- Ensure an integrated and easy-to-configure SECURITY FRAMEWORK
- Enhance security and reduce TCO via standards-based SINGLE SIGN-ON & IDENTITY FEDERATION
- MANAGE IDENTITIES across processes to lower costs and security risks
- Enable a common security concept via STANDARDIZED SECURITY services
- Efficient and comprehensive feature set to configure, administrate and run SECURE BUSINESS PROCESSES

SAP NetWeaver provides a comprehensive and efficient security infrastructure for secure and compliant business processes.

Page 4

Secure Network Topology: On-Premise Solutions

[Diagram: request path from the end user through three firewalls.]

- Outer DMZ: application gateways pre-scan the user request for validity and known exploits.
- Inner DMZ: application server farm (WebAS, Portal or other Web service) performs preprocessing and validation of user input and output.
- Backend networks: application server farms (R/3, ERP, DIR) process the business logic or Web service request.

Page 5

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

Configuration and results of the Security Audit Log in ABAP: transactions SM18, SM19, SM20

Results of Log Viewer in Java

Page 6

Data Encryption Using Secure Store and Forward (SSF)

[Diagram: credit card data is stored encrypted in the database; the application decrypts it through the SSF API, and only an authorized administrator sees the data displayed unencrypted.]

- PCI-DSS-compliant encryption
- Use of the SAP Cryptographic Library
- Available as of release 4.6C

Page 7

The SAP Authorization Concept

The SAP authorization concept defines rules on:
- how to create users in a system
- who may execute which actions, especially how to:
  - restrict display and change of data depending on user roles; this enhances the security of the system
  - show users only those actions which are relevant for their roles; this simplifies system usage

Page 8

SAP ABAP Authorization Check

[Diagram: authority check on a business object, combining access type, area and organization.]

Check of a combination of authorization-relevant attributes of a business object:
- Activity, e.g. create, change, display, delete, …
- Additional authorization-relevant attributes, e.g. record type, …
- Organizational attributes, e.g. company code, personnel area, …
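As an added illustration (not from the presentation), an explicit ABAP AUTHORITY-CHECK that combines the attribute kinds listed above: the activity and an organizational attribute (company code). The standard FI authorization object F_BKPF_BUK with fields BUKRS and ACTVT is assumed; the report name and the handling around the check are illustrative.

```abap
*&---------------------------------------------------------------------*
* Added example (not part of the presentation): an explicit
* authorization check on a business object, combining the activity
* (ACTVT) with an organizational attribute (company code, BUKRS).
* Assumption: standard FI authorization object F_BKPF_BUK exists with
* these fields; report name and messages are illustrative.
*&---------------------------------------------------------------------*
REPORT zsec_authcheck_demo.

PARAMETERS: p_bukrs TYPE bukrs OBLIGATORY,      " company code to access
            p_chg   TYPE abap_bool AS CHECKBOX. " change instead of display

DATA lv_actvt TYPE activ_auth.

" Map the requested action to the activity value of the object:
" '03' = display, '02' = change (standard ACTVT values).
IF p_chg = abap_true.
  lv_actvt = '02'.
ELSE.
  lv_actvt = '03'.
ENDIF.

" The check succeeds only if the user's profiles contain an authorization
" for F_BKPF_BUK whose field values cover BOTH the company code and the
" activity. Checking ACTVT alone would let a user with display rights in
" one company code read documents of every other company code.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD lv_actvt.

CASE sy-subrc.
  WHEN 0.
    " Authorized: continue with the business logic for p_bukrs.
    WRITE: / 'Access granted for company code', p_bukrs.
  WHEN 4.
    " User has the object, but not with these field values: deny.
    MESSAGE e001(00) WITH 'Not authorized for company code' p_bukrs.
  WHEN OTHERS.
    " Any other return code (object missing from the user master, wrong
    " field names, profile not loaded) must also be treated as a denial,
    " never as "no restriction applies".
    MESSAGE e001(00) WITH 'Authorization check failed, rc' sy-subrc.
ENDCASE.
```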

Page 9

SAP Security – Building on Industry Standards

[Diagram: standards map, colour-coded in the original as Supported by SAP, Under Evaluation or Future Work. Status: February 2010.]

- Federation: SAML 2.0
- Message security: WS-Security, WS-Security Policy, WS-Trust, WS-SecureConversation, WS-Policy, WS-ReliableMessaging
- Document security: XML Signature, XML Encryption, PKCS#7, S/MIME
- Transport security: SSL/TLS, GSS
- Authentication: X.509 certificates, Kerberos, SAML 1.x, JAAS
- Authorization and provisioning: XACML, SPML, LDAP
- Interoperability: WS-I BSP 1.0, WS-I BSP 1.1
- Also on the map: Metadata, OpenID, OAuth, PCI DSS

Page 10

SAP Security Services Overview

[Diagram: services arranged from best practices (recommendations, guidelines) through tools and self-services to services delivered by SAP, supported by customer engagement and service delivery.]

- Security in EarlyWatch Alert
- Security Notes Report
- Security Optimization Self-Service
- Security in Config Validation
- Security Optimization Remote Service
- Run SAP E2E Solution Operations Standard for Security

Page 11

Run SAP Methodology: SAP Security Standard

[Diagram: Run SAP roadmap; the security standard applies across the five phases and their operations tracks.]

Assessment & Scoping
- Operational Requirements Analysis
- Governance Model for Operations
- Scope Definition
- Technical Requirements and Architecture
- Project Setup

Design Operations
- End User Support Concept
- SAP Technical Operations Concept
- Change Management Concept
- Technical Infrastructure Design
- SAP Application Management Concept
- Business Process Operations Concept

Setup Operations
- End User Support Implementation
- SAP Technical Operations Implementation
- Change Management Implementation
- Technical Infrastructure Implementation
- SAP Application Management Implementation
- Business Process Operations Implementation

Handover into Production
- Knowledge Transfer and Certification
- Final Testing
- Transition into Production
- Handover and Sign-Off

Operations & Optimization
- End User Support
- SAP Technical Operations
- Change Management
- Technical Infrastructure Management
- SAP Application Management
- Business Process Operations

Page 12

Run SAP Methodology: Secure Operations

The 10 secure operation tracks of the Secure Operations Map cover the following topics:

1. Audit: Ensure and verify the compliance of a company's IT infrastructure and operation with internal and external guidelines

2. Outsourcing: Ensure secure operation in IT outsourcing scenarios

3. Emergency Concept: Prepare for and react to emergency situations

4. Secure Process and People Collaboration: Maintain security of process and people collaboration through the security capabilities of automated business processes or document exchanges

5. User and Authorization Management: Manage IT users, their authorizations and authentication

6. Administration Concept: Securely administer all aspects of solution operations

7. Network, System, Database and Workstation Security: Establish and maintain the security of all infrastructure and base components

8. Secure Application Lifecycle: Securely develop and maintain the code base of standard and custom business applications

9. Secure Configuration: Establish and maintain a secure configuration of standard and custom business applications

10. Secure Support: Resolve software incidents in a secure manner

Page 13

Key Concept for Secure Programming: PIL Security Standard

The Product Innovation Lifecycle (PIL) is SAP's approach to product quality. It consists of process and product standards. The product standards define common requirements for all SAP products.

The PIL Security Standard defines security requirements targeting:
- Vulnerability prevention
- TCO reduction
- Legal compliance

Requirements are included in the planning phase, implemented during the development phase, and checked in the test phase.

Organization:
- Standard Owner
- Expert Network: multiplication and reporting across all development units and SAP labs
- Production Unit: enforces compliance of SAP product development

Page 14

SAP Investments in Software Security and Quality Assurance

Security is embedded in all stages of the software development lifecycle:
- Software design and architecture is reviewed for conformity to security requirements.
- Development fulfills secure programming requirements through the Product Innovation Lifecycle (PIL) Security Standard. What we do:
  - Train developers
  - Provide guidelines on how to fulfill the requirements
  - Provide test cases and test services on how to check source code and software behavior
- Security of the software is checked before delivery:
  - Source code and runtime testing by internal and contracted external security specialists
  - Separate validation unit, acting as a "first customer"
- Capabilities for reaction to security issues discovered after delivery: the Security Response process
  - Handles and solves security issues
  - Provides customers with information, workarounds, solutions and patches
- Findings are fed back into secure programming requirements and security assessment planning.
- Active communication policy to customers, security specialists and to the public.

SAP invests to achieve the security of all its code.

Page 15

State-of-the-Art Software Lifecycle Security

SAP is certified for:
- ITSEC (Information Technology Security Evaluation Criteria) E2 Medium
- Quality management standard ISO 9001
- Common Criteria certification is currently underway
- FIPS 140-2 certification is planned

SAP offers:
- Applications built according to state-of-the-art industry secure programming practices
- Efficient security response processes
- Security services that cover the entire software lifecycle (Security Optimization Service)
- A highly specialized and experienced SAP security consulting team, as well as a security consultant certification, to offer qualified implementation support

SAP invests in:
- A large internal research division dedicated to security
- Joint industry projects for secure programming practices, such as SAFECode and Secologic

Security is a quality characteristic of SAP solutions.

Page 16

Further Information

SAP Public Web:

- SAP Developer Network (SDN) – Security: www.sdn.sap.com/irj/sdn/security
- SAP Developer Network (SDN) – Identity Management: http://www.sdn.sap.com/irj/sdn/nw-identitymanagement
- SAP Public Web – Security: www.sap.com/security
- SAP Public Web – Identity Management: www.sap.com/platform/netweaver/components/IDM/index.epx
- SAP Service Marketplace – Security: http://service.sap.com/security
- SAP Support Portal – Security Notes: http://service.sap.com/securitynotes