Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

SAP invests in

Hétpecsét Információvédelem
menedzselése XLIII. Szakmai Fórum
Security@SAP
János Kis, SAP Labs Hungary
17/11/2010
Security Features, Offerings, and Services
Security
Functionality
Security Services and
Information

SAP NetWeaver Identity
Management

Best practices and security
configuration guides on SDN

Web Services Security


Single Sign-On
Documentation in the SAP
Online Help

Compliance

Security Optimization Service
SAP
Security
Software Security
Assurance and Quality
© SAP AG 2009. All rights reserved. / Page 2

Internal and External Security Assessments

Security Response Process

Security Product Standard and Validation
SAP NetWeaver Technology Capabilities
Security and Identity Management
SAP NetWeaver provides a comprehensive and efficient security
infrastructure for secure and compliant business processes
Security
Search
Portal & Collaboration
Mobile
User Interface Technology
User Productivity
User Interface Composition
Information Composition
Service Composition
Business Content
Business Process
Monitoring
Human Interaction
Management
Business Rules
Management
Business Process Management
Composition
Technology
Capabilities
Business Process
Modeling
Data Management And Integration
Business Intelligence
Content Management
Data Management
Repository Based Modeling and Design
Service Bus Based Integration
SOA Management
MANAGE IDENTITIES across processes to
lower costs and security risks
Integration (Service Oriented Architecture (SOA) Middleware)
Application Life-cycle Management
Security and Identity Management
Java Development
ABAP Development
Application Foundation
© SAP AG 2009. All rights reserved. / Page 3
Enhance security and reduce TCO via
standards based SINGLE SIGN-ON &
IDENTITY FEDERATION
Master Data Management
Information Management
Serviceenabled
Applications
Ensure integrated and easy to configure
SECURITY FRAMEWORK
SAP Business Suite 7
Order
Mgmt.
...
Customer & Partner
Applications
Non SAP &
Legacy
Enable a common security concept via
STANDARDIZED SECURITY services
Efficient and comprehensive feature set to
configure, administrate and run SECURE
BUSINESS PROCESSES
Secure Network Topology:
On-Premise Solutions
End User
Outer DMZ
Firewall
Backend Networks
Inner DMZ
Firewall
Firewall
Application
server farm
R/3
ERP
Application
Gateways
Pre-scan user
request for validity
and known exploits
© SAP AG 2009. All rights reserved. / Page 4
WebAS, Portal
or other
Web service
Preprocessing and
validation of user
input and output
R/3
ERP
DIR
Process business logic or
Web service request.
Monitoring and Auditing in
ABAP- and Java-Based SAP Solutions
Configuration and
results of Security
Audit Log in ABAP:
Transactions
SM 18, SM19, SM20
Results of Log
Viewer in Java
© SAP AG 2009. All rights reserved. / Page 5
Data Encryption Using
Secure Store and Forward (SSF)
Data is
displayed
unencrypted
 Use
Authorized
administrator
SSF
API Decryption
Credit card data
encrypted in
database
encryption
of SAP Cryptographic Library
 Available
Application
© SAP AG 2009. All rights reserved. / Page 6
 PCI-DSS-compliant
as of release 4.6 C
The SAP Authorization Concept
The SAP authorization concept
defines rules on:
… how to
create
users in a
system
© SAP AG 2009. All rights reserved. / Page 7
…who may
execute which
actions,
especially
how to:
… restrict
display and
change of data
depending
on user roles.
This enhances
the security of
the system.
… show
users only those
actions which are
relevant for their
roles.
This simplifies
system usage
SAP ABAP Authorization Check
Access type
Business
Object
Authority
check
Area
Additional authorization relevant Attributes,
e.g. record type, …
© SAP AG 2009. All rights reserved. / Page 8
Activity, e.g. create, change,
display, delete, …
Check of a combination of
authorization relevant attributes
of a business object
Organization
Organizational attributes, e.g.
company code, personal area,
…
SAP Security – Building on Industry Standards
Federation
OpenID
Metadata
Authorization
Authentication
WS-Policy
SPML
JAAS
Interoperability
Message Security
Document Security
Transport Security
Status: February 2010
© SAP AG 2009. All rights reserved. / Page 9
WS-Security Policy
XACML
SAML 1.x
WS-Trust
SAML 2.0
Kerberos
WS-I BSP 1.0
WS-Security
XML Sig
LDAP
X.509 Certs
Provisioning
OAuth
WS-I BSP 1.1
S/MIME
WS-Secure
Conversation
WS-Reliable
Messaging
XML Enc
PKCS#7
PCI DSS
SSL/TLS
Supported by SAP
GSS
Future Work
Under Evaluation
SAP Security Services Overview
Support
Customer
Engagement
Service Delivery
Best Practices
Tools
Self-Services
Security in Early Watch
Alert
Security Notes Report
Security Optimization
Self-Service
Security in Config Validation
© SAP AG 2009. All rights reserved. / Page 10
Services
delivered by SAP
Security Optimization
Remote Service
Recommendations
Guidelines
Run SAP
E2E Solution Operations
Standard for Security
Run SAP Methodology: SAP Security Standard
Assessment &
Scoping
Design
Operations
Setup
Operations
Operational
Requirements
Analysis
End User Support
Concept
End User Support
Implementation
Knowledge Transfer
and Certification
End User Support
Scope Definition
Change
Management
Concept
Change
Management
Implementation
Final Testing
Change
Management
Technical
Requirements and
Architecture
SAP Application
Management
Concept
SAP Application
Management
Implementation
Transition into
Production
SAP Application
Management
Project Setup
Business Process
Operations
Concept
Business Process
Operations
Implementation
Handover and SignOff
Business Process
Operations
Governance
Model for
Operations
SAP Technical
Operations
Concept
SAP Technical
Operations
Implementation
SAP Technical
Operations
Technical
Infrastructure
Design
Technical
Infrastructure
Implementation
Technical
Infrastructure
Management
© SAP AG 2009. All rights reserved. / Page 11
Handover into
Production
Operations &
Optimization
Run SAP Methodology: Secure Operations
The 10 secure operation tracks of the Secure Operations Map
cover the following topics:
1. Audit: Ensure and verify the compliance of a company’s IT infrastructure
and operation with internal and external guidelines
2. Outsourcing: Ensure secure operation in IT outsourcing scenarios
3. Emergency Concept: Prepare for and react to emergency situations
4. Secure Process and People Collaboration: Maintain security of
process and people collaboration by security capabilities of
automated business processes or document exchanges
5. User and Authorization Management: Manage IT users, their authorizations and authentication
6. Administration Concept: Securely administer all aspects of solution operations
7. Network, System, Database and Workstation Security: Establish and maintain the security of all infrastructure and base
components
8. Secure Application Lifecycle: Securely develop and maintain the code base of standard and custom business applications
9. Secure Configuration: Establish and maintain a secure configuration of standard and custom business applications
10. Secure Support: Resolve software incidents in a secure manner
© SAP AG 2009. All rights reserved. / Page 12
Key Concept for Secure Programming:
PIL Security Standard
The Product Innovation Lifecycle (PIL) is SAP‘s approach to product quality.
It consists of process and product standards. The product standards define common
requirements for all SAP products.
The PIL Security Standard defines security requirements targeting:
Vulnerability
Prevention
Legal
Compliance
TCO
Reduction
Requirements are
Organization

Included in planning phase,

Standard Owner

Implemented during development
phase, and


Checked in test phase
Expert Network:
Multiplication and reporting across all development
units and SAP labs

Production Unit:
Enforces compliance of SAP product development
© SAP AG 2009. All rights reserved. / Page 13
SAP Investments in Software Security
and Quality Assurance
SAP invests to achieve the security of all its code
Security is embedded in all stages of the software development lifecycle

Software design and architecture is reviewed for conformity to security requirements
 Development fulfills secure programming requirements through the Product Innovation
Lifecycle (PIL) Security Standard
 What we do:




Security of the software is checked before delivery:



Train developers
Provide guidelines on how to fulfill the requirements
Provide test cases and test services on how to check source code and software behavior
Source code and runtime testing by internal and contracted external security specialists
Separate validation unit, acting as a “first customer”
Capabilities for reaction to security issues discovered after delivery:

Security Response process
–
–


Handles and solves security issues
Provides customers with information, workarounds, solutions and patches
Findings are fed back into secure programming requirements and security assessment planning
Active communication policy to customers, security specialists and to the public
© SAP AG 2009. All rights reserved. / Page 14
State-of-the-Art Software Lifecycle Security
Security is a quality characteristic of SAP solutions.
SAP is certified for:

ITSEC (Information Technology Security Evaluation Criteria ) E2 Medium
 Quality management standard ISO9001
 Common Criteria certification is currently underway
 FIPS 140-2 certification is planned
SAP offers:




Applications built according to state-of-the-art industry secure programming practices
Efficient security response processes
Security services that cover the entire software lifecycle (Security Optimization Service)
A highly specialized and experienced SAP security consulting team, as well as a security
consultant certification, to offer qualified implementation support
SAP invests in:


A large internal research division dedicated to security
Joint industry projects for secure programming practices, such as


SAFECODE
Secologic
© SAP AG 2009. All rights reserved. / Page 15
Further Information
SAP Public Web:
SAP Developer Network (SDN) - Security: www.sdn.sap.com/irj/sdn/security
SAP Developer Network (SDN) – Identity Management:
http://www.sdn.sap.com/irj/sdn/nw-identitymanagement
SAP Public Web – Security: www.sap.com/security
SAP Public Web – Identity Management:
www.sap.com/platform/netweaver/components/IDM/index.epx
SAP Service Marketplace – Security:
http://service.sap.com/security
SAP Support Portal – Security Notes:
http://service.sap.com/securitynotes
© SAP AG 2009. All rights reserved. / Page 16
Related documents
Sample Parent / Teacher Conference Form
Sample Parent / Teacher Conference Form
Delphi
Delphi
Terms of Reference
Terms of Reference
Creating a Message on the SAP Service Marketplace (SMP)
Creating a Message on the SAP Service Marketplace (SMP)
Case Study I - Concept Software & Services Inc.
Case Study I - Concept Software & Services Inc.
Download