SAP Product Management Security
Finding the Leak –Access Logging for Sensitive Data
© 2013 SAP AG or an SAP affiliate company. All rights reserved. 2
Disclaimer
This document does not constitute a legally binding proposal, offer, quotation or bid on the part of SAP. SAP assumes that the parties negotiate legally binding contracts relating to the subject of this document in a later phase. Any and all information contained in this document is preliminary and subject to change and shall not at any time be considered as binding. Especially preliminary is the described solution, the scope and the pricing. SAP expressly reserves the right to make subsequent alterations to the content of this document. This document is exclusively based on the information provided to SAP by the customer and SAP's understanding of the customer's requirements. Changing these requirements might also cause a change in system architecture or functionality. The contents of this document represent business secrets of SAP and must be handled in confidence by the customer. In particular, forwarding information to third parties is prohibited. This document and information included in it must be used exclusively for the purposes of evaluating the possibility of future business cooperation between SAP and customer. Any other use requires prior written consent from SAP. If the underlying proposal is not accepted, all documents and all copies of these documents must be returned to SAP immediately on demand or, if no request is made, destroyed within one month after rejection or non-acceptance of our proposal. All brands, trademarks etc. used in this document, including the SAP signature and logo, are the property of SAP and may not be used without its express written consent in advance.
Agenda
Why Use Read Access Logging?
The Way it Works
Read Access Logging in Detail
Summary
Customer Challenges with Data Access
Compliance with data privacy regulations
Compliance with industry standards (e.g. Basel suite for the banking industry)
Monitor the access to classified data or other sensitive data (such as information about company assets or salary data)
Monitor user actions on a need-to-know basis only, deleting the logs thereafter
SAP provides a solution that allows you to log read access to sensitive data:
Read Access Logging
Use Cases for Read Access Logging (RAL)
John is a data security officer in a bank. Recent analysis of stock transactions indicates malicious orders placed with insider information about bank customers. John was asked to investigate the issue and identify the information leak.
Chelsea is a compliance manager at a big retailer. A customer of the retailer has complained that his account details were used by an employee of the retailer to contact him about private matters. Chelsea now has to check who had accessed the customer's person-related data.
Read Access Logging Application
The Read Access Logging Application can be accessed via transaction SRALMANAGER, which provides access to:
• Read Access Logging Configuration
• Data logged with Read Access Logging
• Administrative Log
In addition, Read Access Logging is integrated into the archiving framework to allow automated archiving of older log entries.
Read Access Logging is integrated in the Transport Framework of the AS ABAP.
Read Access Logging with SRALMANAGER
Using transaction SRALMANAGER, you start a Web Dynpro-based application shown in a browser window. With SRALMANAGER, you can access both administration and monitoring functions of Read Access Logging.
The Way it Works
The Read Access Logging framework (RAL) allows customers to trace which data was sent out of the system, by enabling remote communication and user interface infrastructures to log access to sensitive data.
When an application/transaction is started, the Read Access Logging configuration is read. It indicates whether the current remote-enabled function module, Web service operation, Dynpro or Web Dynpro UI element is log-relevant.
The RAL configuration defines which fields and elements should be logged. Knowing this, the requested field and element values are set for logging.
Finally, the log data is written to the database. It can then be viewed via the Log Monitor.
The Way it Works
Diagram: Read Access Logging Framework (Configurations, Log conditions, Log writer, Log data in database, Log monitor), fed by UI Channels (Dynpro, Web Dynpro) and API Channels (Web Service, Remote Function Call).
Features
Read Access Logging (RAL) allows you to track data access:
• Who had access to the data
• Which data was accessed
• When the data was accessed
• How the data was accessed (transaction or user interface)
The amount of detail to be logged is customizable based on:
• User interfaces used to access the data
• Operations executed on remote APIs
• Users using the remote APIs / user interfaces
• Entities and their content
Supported Channels
Read Access Logging supports the following channels:
Web Dynpro: You can log context-bound UI elements of Web Dynpro-based user interfaces.
Dynpro: You can log Dynpro UI elements and ALV grid-based user interfaces.
Remote Function Calls (RFC): You can log the server and client side of RFC-based communication.
Web service calls: You can log the consumer and provider side of Web services-based communication.
Entities Used During Configuration
Log purpose: Each RAL configuration requires a logging purpose. It groups the log events you want to record by use case and reason for recording.
Log domain: Log domains define the semantic meaning of the data elements that will be captured during the log recording. This helps auditors understand the data recorded in the log results.
Log context: The log context is the key field that other visible fields are related to within the logging session.
Log group: A log group is a collection of fields that are displayed in the same log entry (based on the logging purpose).
Log condition: Conditions are the rules you can define to decide when the fields in the log group are logged.
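As an added example (not SAP code and not the RAL implementation itself), the Python model below shows how the entities above work together with the logging flow, the who/which/when/how features and the user exclusion list described on the other slides: a configuration binds a logging purpose to a channel and element, each log group carries log domains, a log context and a log condition, and one access event is turned into a log entry. The data structures, the RFC module Z_GET_CUSTOMER, the users and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed model (not SAP's): a config binds a purpose to a channel + element and holds log groups.
@dataclass
class LogGroup:
    context_field: str      # log context: key field the other fields relate to
    domain_by_field: dict   # field name -> log domain (semantic meaning)
    condition: object       # log condition: callable(values) -> bool

@dataclass
class RalConfig:
    purpose: str    # logging purpose: use case / reason for recording
    channel: str    # "RFC", "WebService", "Dynpro" or "WebDynpro"
    element: str    # function module, WS operation or UI element it applies to
    groups: list

def evaluate_access(configs, event, excluded_users=()):
    """Read config, check log relevance, apply conditions, return log entries."""
    if event["user"] in excluded_users:        # user exclusion list
        return []
    entries = []
    for cfg in configs:
        if (cfg.channel, cfg.element) != (event["channel"], event["element"]):
            continue                           # element is not log-relevant
        for grp in cfg.groups:
            if not grp.condition(event["values"]):
                continue                       # condition not met: nothing logged
            entries.append({
                "who": event["user"], "when": datetime.now(timezone.utc).isoformat(),
                "how": f"{cfg.channel}:{cfg.element}", "purpose": cfg.purpose,
                "context": {grp.context_field: event["values"].get(grp.context_field)},
                "fields": {f: {"domain": d, "value": event["values"].get(f)}
                           for f, d in grp.domain_by_field.items()}})
    return entries

# Constructed configuration for the retailer use case: record which employee read a
# customer's person-related contact data through a hypothetical RFC module Z_GET_CUSTOMER.
CONTACT_GROUP = LogGroup("CUSTOMER_ID",
    {"CUSTOMER_ID": "Customer", "PHONE": "Private phone", "EMAIL": "Private e-mail"},
    lambda v: v.get("PARTNER_TYPE") == "PERSON")   # log natural persons only
CONFIGS = [RalConfig("Data privacy", "RFC", "Z_GET_CUSTOMER", [CONTACT_GROUP])]
EXCLUDED = ("BATCH_SVC",)   # technical user on the exclusion list

def demo(user="EMP01", partner_type="PERSON", channel="RFC"):
    """Simulate one read of customer 4711 and return what RAL would log."""
    event = {"user": user, "channel": channel, "element": "Z_GET_CUSTOMER",
             "values": {"CUSTOMER_ID": "4711", "PARTNER_TYPE": partner_type,
                        "PHONE": "+49 30 000000", "EMAIL": "alice@example.org"}}
    return evaluate_access(CONFIGS, event, EXCLUDED)
```

Calling demo() yields one entry naming EMP01, the RFC channel and the customer context; an excluded user, a non-person partner or a call on a channel without a configuration yields no entry at all.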
Transport Integration
Read Access Logging entities can be transported to other systems and clients:
• Logging purposes
• Log domains
• Configurations
• User interface recordings
• User exclusion list
• Parameter for activation
Authorization – Template Roles to Work with Read Access Logging
Template role: SAP_BC_RAL_ADMIN_BIZ
Description: A template role for business administrators doing the configuration and monitoring
Assigned authorization objects: S_RAL_BLKL (user exclusion list), S_RAL_CLIS (enabling/disabling client), S_SRAL_CFG (configuration), S_RAL_LDOM (log domains), S_RAL_PURP (logging purposes), S_RAL_REC (recording), S_RAL_ELOG (administrative log), S_RAL_LOG (log data)

Template role: SAP_BC_RAL_ADMIN_TEC
Description: For technical administrators responsible for archiving, maintaining the user exclusion list, enabling and disabling the client, and monitoring the administrative log
Assigned authorization objects: (S_ARCHIVE) (archiving), S_RAL_BLKL (user exclusion list), S_RAL_CLIS (enabling/disabling client), S_RAL_ELOG (administrative log)

Template role: SAP_BC_RAL_ANALYZER
Description: A template role for the Read Access Logging analyzer
Assigned authorization objects: S_RAL_LOG (log data)

Template role: SAP_BC_RAL_SUPPORTER
Description: A template role for the Read Access Logging support engineer
Assigned authorization objects: See the authorization objects assigned to SAP_BC_RAL_ADMIN_BIZ, with display activity specification
Availability I
NW 7.40 SP0: First shipment of framework and Web service channel
NW 7.40 SP2: Shipment of connection to archiving / ILM, RFC channel, Web Dynpro channel
NW 7.40 SP3: Automatic transport of configurations
NW 7.40 SP4: Shipment of Web Dynpro query logging, Dynpro + ALV grid channel
NW 7.31 SP9: Same as NW 7.40 SP4
Availability II
NW 7.30 SP11: Available as of 28.02.2014
NW 7.11 SP13: Available as of 07.02.2014
NW 7.02 SP15: Available as of 07.02.2014
NW 7.01 SP15: Available as of 31.01.2014
For legacy releases, you can use the UI logging solution from SAP Custom Development services
Key Take-Aways!
• Read Access Logging supports you in staying compliant with data privacy regulations
• Logging access to sensitive data is made easy with the Read Access Logging solution
• Read Access Logging is deeply integrated into SAP NetWeaver
Further Information
Read Access Logging on SAP Community Network
http://scn.sap.com/docs/DOC-53843
SAP Insider Article about Read Access Logging
http://scn.sap.com/docs/DOC-44006
Documentation on SAP Help Portal
http://help.sap.com/saphelp_nw74/helpdata/en/54/69bbeab2e94c93b9031584711d989d/content.htm?frameset=/en/54/69BBEAB2E94C93B9031584711D989D/frameset.htm
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.