SIS100 – Overview About Product Security, Identity Management, and Single Sign-On
SAP Product Management, SAP TechEd 2013
Disclaimer This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
Security – What is the problem realm?
Slide word cloud of the topics the deck touches: IT Security; Security Management; Budget restrictions; Lower cost; Raise efficiency; Secure Software Development Lifecycle; Secure Programming; Secure by Default; Security Services; Security Optimization Self Service; Vulnerability Analysis and Testing; Confidentiality; Integrity; Authentication; Authorization; Non-repudiation; Digital Signature/e-Signature; Read Access Logging; Security, Logging, Monitoring; SIEM; Data Privacy; Cloud Security; Mobile Security; Social identities; OpenID Connect; SCIM; LDAP; Kerberos; SNC; SSL/TLS; Web Services Security; SAP NetWeaver Identity Management; SAP NetWeaver Single Sign-On; SAP ID Service; SAP GRC; HANA
SAP offers a holistic suite of security products, features and services to ensure secure customer systems
Security Products:
– SAP NetWeaver Identity Management
– SAP NetWeaver Single Sign-On
– SAP GRC Access Control
– SAP NetWeaver 7.40: secure basis for SAP HANA, OAuth for mobile scenarios
– SAP NetWeaver Cloud and SAP ID Service: security features for cloud applications; authentication, single sign-on and identity federation for cloud applications
– Virus Scan Interface 2.0
– Read Access Logging
Security Services and Information: best practices and security configuration guides on SCN, SAP Online Help, Security Optimization (self-) Service, Configuration Validation
Software Security Assurance: internal and external security assessments; Security Response Process; security policies; Security Product Standard and validation; Common Criteria certification
The SAP Ecosystem Advantage: Strong Security Partner Network
The SAP ecosystem responds to a growing need for a more collaborative business approach – an approach designed specifically to deliver unparalleled customer value. The SAP ecosystem puts customers in the center of a dynamic universe that includes SAP, other customers, partners, and individuals.
For security and compliant identity management, SAP collaborates with numerous partners, offering specialized solutions and services to fulfill even the most specific requirements of SAP customers.
Agenda
SAP Solutions for Security, Identity Management, and Single Sign-On
SAP NetWeaver Security Solutions
– Authentication and Single Sign-On
– Authorization and Role Management
– SAP HANA Security
– Mobile Security / Cloud Security
– Logging and Monitoring
– Encryption of Data at Rest and in Transit
– Secure Software Development, Standards and Certifications
– Security Services and Support Offerings
SAP NetWeaver Single Sign-On
– Single Sign-On / Enterprise Single Sign-On
– Identity Federation
SAP NetWeaver Identity Management
SAP GRC Access Control
SAP NetWeaver Security Features – Authentication and Single Sign-On
Secure access to applications: improve corporate security, decrease operational costs. Scope: SAP Business Suite, SAP cloud applications, SAP mobile applications, 3rd party systems
– Authentication and single sign-on: make it easy for your users to do what they're allowed to do
– Security governance and compliance: ensure corporate compliance to regulatory requirements
– Identity management: making sure you know your users and what they can do
Figures quoted on the slide: 70% faster onboarding of new hires; 70% reduction of password related help desk calls
SAP NetWeaver Authentication and Single Sign-On Functionalities
SAP GUI: User-ID + Password; X.509 Client Certificates; SAP NetWeaver Single Sign-On (Kerberos, 2-Factor Authentication); 3rd party SNC provider
Web Based: User-ID + Password; X.509 Authentication; SAML2; SAP Logon Tickets; Kerberos / SPNego*; OAuth*
* For Kerberos / SPNego on SAP NetWeaver AS ABAP, the SAP NetWeaver Single Sign-On product is required
Security Policies
Security policies control how users may access a system*:
– the permitted mechanisms to authenticate
– settings for password strength and expiration
– settings on how combinations of mechanisms work together
– privileges that allow authentication while the system is in maintenance mode
* Availability of features is dependent on the application server version used
SAP NetWeaver Security Features – Authorization and Role Management
The SAP NetWeaver AS ABAP Authorization Concept: the ABAP role-based authorization concept allows enforcing best practices (segregation of duties, least privilege, etc.) and enables meeting the required level of system protection. (Slide figure: example users Karen, John and Susan.)
SAP ABAP Authorization Concept
Authorization Objects are the key pillar of the ABAP Authorization Concept: they provide the meta-level on top of which authorization checks are defined. An authorization object X carries up to ten authorization fields (Field1 ... Field10).
Slide figure, assignment chain: User (user master record) – assigned to – Role – instantiated and assigned – Authorization Profile – Authorizations. Each authorization is an instance of one authorization object with concrete field values, e.g.:
  Authorization Object X: Field1 = ValuesX1 ... Field10 = ValuesX10
  Authorization Object Y: Field1 = ValuesY1 ... Field10 = ValuesY10
  Authorization Object Z: Field1 = ValuesZ1 ... Field10 = ValuesZ10
Runtime check: each field named in the check is compared against the specific values in the user's authorizations. In transaction T / program P:
  ...
  AUTHORITY-CHECK OBJECT 'X'
    ID 'FIELD1'  FIELD lv_valuex1
    ...
    ID 'FIELD10' FIELD lv_valuex10.
  IF sy-subrc <> 0.
    MESSAGE 'Bad authz.' TYPE 'E'.
  ENDIF.
  ...
HR Organizational Management – Org Structure in HR
Slide figure: Org Unit (O) Market GER has the child org units Finance and HR (1:n). Org units hold positions (S, 1:n); each position is held by one employee (P, 1:1); each employee is linked to one SAP user (US, 1:1) via Infotype 105. Example: Position 70008501 – Employee John Smith – SAP User SMITHJ; Position 70008502 – Employee Eva Scott – SAP User SCOTTE.
HR Organizational Management – Role Assignment
Slide figure: roles (AG) GEN_FIN and HR_ADM are assigned to objects of the org structure (Org Unit Market GER and a subordinate org unit) rather than to users directly. A role attached to an org unit is inherited down the hierarchy to the positions below it, and from the position via the employee (Infotype 105) to the SAP user. Same chain as above: Org Units (1:n) Positions (1:1) Employees (1:1) Users; Position 70008501 – John Smith – SMITHJ, Position 70008502 – Eva Scott – SCOTTE.
Result: User SMITHJ inherits roles GEN_FIN and HR_ADM.
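The two mechanisms described on the last slides, indirect role assignment through the org structure and the field-by-field AUTHORITY-CHECK against the resulting authorizations, as an added Python model. This is example code written for this page, not SAP code: the org tree, the placement of the roles (GEN_FIN on Market GER, HR_ADM on org unit HR is an assumed reading of the figure) and all authorization values are constructed; the object and field names F_BKPF_BUK, BUKRS, ACTVT, P_ORGIN, INFTY, PERSA, AUTHC are real ABAP names used with made-up values.

```python
"""Model of indirect role assignment through the HR org structure and of the
ABAP AUTHORITY-CHECK, added to illustrate the two slides above. It is not SAP
code. Object types follow the slide: O = org unit, S = position, P = person,
US = SAP user linked via infotype 105. The tree, the placement of the roles and
all authorization values are constructed sample data; the reading that GEN_FIN
hangs on Market GER and HR_ADM on org unit HR is an assumption."""

ORG_PARENT = {"Market GER": None, "Finance": "Market GER", "HR": "Market GER"}  # O -> parent O
POSITION_ORG = {"70008501": "HR", "70008502": "Finance"}                          # S -> O
EMPLOYEE_POSITION = {"John Smith": "70008501", "Eva Scott": "70008502"}          # P -> S
USER_EMPLOYEE = {"SMITHJ": "John Smith", "SCOTTE": "Eva Scott"}                  # US -> P (infotype 105)
ROLE_ASSIGNMENT = {"Market GER": ["GEN_FIN"], "HR": ["HR_ADM"]}                  # AG attached to O (or S)

# Authorizations generated from the roles' profiles: object -> field -> permitted
# values. A value is an exact string, "*" (any), "PREFIX*" or a (low, high) range.
# Object/field names are real ABAP ones; the values are constructed.
ROLE_PROFILES = {
    "GEN_FIN": [("F_BKPF_BUK", {"BUKRS": [("1000", "1999")], "ACTVT": ["03"]})],
    "HR_ADM": [("P_ORGIN", {"INFTY": ["0002", "0105"], "PERSA": ["DE*"], "AUTHC": ["R", "W"]}),
               ("F_BKPF_BUK", {"BUKRS": ["1000"], "ACTVT": ["01", "02", "03"]})],
}


def roles_for_user(user):
    """Walk US -> P -> S -> O -> ... -> root and collect every role on the path:
    a role attached to an org unit is inherited by all positions below it."""
    position = EMPLOYEE_POSITION[USER_EMPLOYEE[user]]
    roles = list(ROLE_ASSIGNMENT.get(position, []))
    org = POSITION_ORG[position]
    while org is not None:
        roles.extend(ROLE_ASSIGNMENT.get(org, []))
        org = ORG_PARENT[org]
    return sorted(set(roles))


def value_permitted(permitted, actual):
    """One authorization field: exact value, full or trailing wildcard, or range."""
    for p in permitted:
        if isinstance(p, tuple):
            if p[0] <= actual <= p[1]:
                return True
        elif p == "*" or p == actual or (p.endswith("*") and actual.startswith(p[:-1])):
            return True
    return False


def authority_check(user, obj, **fields):
    """AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ... expressed as sy-subrc:
    0 granted; 4 the user holds authorizations for the object but none fits;
    12 no authorization for the object at all. Fields not named are not checked.
    Every requested field must be satisfied by ONE authorization; values from two
    different authorizations are never combined."""
    auths = [values for role in roles_for_user(user)
             for (o, values) in ROLE_PROFILES.get(role, []) if o == obj]
    if not auths:
        return 12
    for values in auths:
        if all(value_permitted(values.get(f, []), v) for f, v in fields.items()):
            return 0
    return 4


if __name__ == "__main__":
    print(roles_for_user("SMITHJ"))   # GEN_FIN inherited from Market GER, HR_ADM from HR
    print(roles_for_user("SCOTTE"))   # only GEN_FIN
    # no single authorization grants company code 1500 together with ACTVT 02
    print(authority_check("SMITHJ", "F_BKPF_BUK", BUKRS="1500", ACTVT="02"))
```

The last call is the point practitioners most often get wrong when reading PFCG profiles: SMITHJ may display company codes 1000 to 1999 (GEN_FIN) and may change company code 1000 (HR_ADM), but the check for changing company code 1500 fails, because the runtime evaluates each authorization on its own and does not merge field values across authorizations.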
SAP NetWeaver Security Solutions – SAP HANA Security
SAP HANA – overview of security functions
Slide figure: clients reach SAP HANA over three paths – SAP HANA Studio (administration, SQL), SQL/MDX clients, and an application server or application talking HTTP(S) to SAP HANA XS. Inside SAP HANA the security functions shown are Authentication/SSO, Authorization, Identity Store, Audit Logging and Encryption (this box is repeated on the following SAP HANA slides).
SAP HANA – authentication and single sign-on
SQL access: user name and password (incl. password policy); Kerberos; SAML
HTTP access (SAP HANA XS): user name and password (basic authentication, form-based login; incl. password policy); SAML; X.509; SAP logon tickets
SAP HANA – user and role management
– For logon, users must exist in the identity store of the SAP HANA database; roles (and privileges) can be assigned to users
– Roles are used to bundle and structure privileges: create roles for specific groups of users; role hierarchies are supported
– Role lifecycle: design-time roles are exported to the production system and activated there as runtime roles
SAP HANA – authorization: privilege types
– System privileges: authorize execution of administrative actions for the entire SAP HANA database
– SQL privileges: authorize access to data and operations on database objects
– Analytic privileges: authorize read access on analytic views at run time and provide row-level access control based on dimensions of the respective view
– Package privileges: authorize access in the repository (modeling environment) at design time
– Application privileges: authorize access to SAP HANA XS application functions
SAP HANA – communication and data encryption
– Communication encryption: SSL
– Data encryption: data volumes on disk
SAP HANA – audit logging
– Logging of critical events for security and compliance, e.g. user, role and privilege changes; configuration changes
– User-defined policies for audit logging
– Data access logging: read and write access (tables, views), execution of procedures
– Audit trail written to Linux syslog
SAP HANA – security administration
– SAP HANA Studio (administration)
– SQL interface (command line tool hdbsql available)
SAP NetWeaver Security Solutions – Mobile Security / Cloud Security
Mobile app security – a strong foundation makes mobile successful
Slide figure: SAP Mobile Security covers the layers Device, Application, Content and Communications through Mobile Device Management, Mobile App Security (Mobile Enterprise App Store, Secure e-Mail Container), Mobile Content Management, Telecom Expense Management and Systems Management, combined in an Enterprise Mobility Management System that can run on-premise, hybrid or in the cloud.
Introducing SAP Mobile Documents
SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content are critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use, native mobile app.
– My Files – Any Device: access personal business documents instantly on your laptop or any mobile device
– Mobilize Enterprise Content: discover and access content from corporate document management systems
– Share My Files: share files with teams, colleagues, and business partners from anywhere
Session MOB118: Secure Mobile Content Management with SAP Mobile Documents
SAP ID Service – One Login for Cloud Applications
SAP ID service bridges the gap between the customer's on-premise applications, SAP on-demand applications, SAP websites and 3rd party on-demand applications with one SAP identity:
– Authentication: verifying user identities and granting authentication
– User Management: managing identities and their lifecycle within the SAP Cloud
– Single Sign-On: leverage SSO to SAP web sites and on-demand applications
Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications
Enterprise Cloud: Two Identity "Camps" – Handled With Industry Standards
Slide figure, standards listed per camp:
– Enterprise (on-premise): SAML, WS-*, Kerberos, SOAP, Liberty ID-WSF
– Internet/Cloud (on-demand): OAuth, OpenID, REST, XRDS
SAP bridges the gap between these two "camps"
Support of Industry Standards
– REST is the preferred choice for UI consumption scenarios in the cloud; SOAP/WS-* is the preferred choice for process integration in the enterprise. Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
– Integration between on-demand and on-premise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
– The "Web SSO" profile of SAML is a commonly deployed protocol in the enterprise and is broadly supported for browser-based access to applications hosted in the (public) cloud
On-Premise Authentication via IdP Proxying – Integrating the Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service
Slide figure: a user in the customer's on-premise network authenticates (X.509 is shown) at the on-premise IdP, which issues a SAML assertion to SAP ID service in the SAP on-demand network. SAP ID service acts as IdP proxy and issues SAML assertions to SAP Business ByDesign, SAP HANA Cloud and 3rd party applications; a social IdP can be attached to SAP ID service in the same way. Benefit: simple trust configuration between on-premise (OP) and on-demand (OD) instead of point-to-point connections.
OnDemand and OnPremise Integration – SAP NetWeaver Identity Management
SAP NetWeaver Identity Management supports integration with on-demand, on-premise and on-device SAP solutions. The solution offers secure connectivity, authentication, and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.
Secure Communication and Interaction: OnDemand Solutions
Slide figure: two companies (A and B), each with its own identity provider and backend networks (an application server farm with ERP/R/3 systems and a directory, DIR). Users authenticate at their company's identity provider; SAML assertions carry the identity to the on-demand solution and back into the backend networks, where SAP logon tickets provide single sign-on to the ERP systems.
SAP NetWeaver Security Solutions – Logging and Monitoring
Monitoring and Auditing in ABAP- and Java-Based SAP Solutions
Slide figure: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20) and results of the Log Viewer in Java.
Logging and Monitoring – AS ABAP Tools Overview
– Audit Information System: used to ensure secure and compliant operation of business functions. Target audience: auditor
– Read Access Log: used to ensure compliant access to sensitive or classified data; allows tracking who accessed which data, when and via which interface. Target audience: data protection officer
– Security Audit Log: monitoring of security-relevant events in the system such as logons, access control violations and more. Target audience: security administrator
Monitoring and Auditing: The SAP Audit Information System (AIS)
Slide figure: in the SAP environment, AIS provides online controls on the SAP database (system information; reconciliation of B/S and P&L; account balances; documents; accounts, customers, vendors, assets, material, orders, invoices, ...) and an export interface for account balances and line items. In the non-SAP environment, audit planning and the work program (system audit, business audit) feed analysis software (ACL / IDEA / ...) and reporting software, followed by work paper preparation and the report; balances and line items reach these tools through the data export.
Monitoring and Auditing: The SAP Audit Information System (AIS)
The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a structured default collection of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.
Read Access Logging Features
Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
– Who accessed the data
– Which data was accessed
– When the data was accessed
– How the data access took place, via which transaction or user interface
The amount of detail to be logged is customizable based on the user interfaces used to access the data, the operations executed on remote APIs, the users using the remote APIs / user interfaces, and the entities and their content.
Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data
SAP NetWeaver AS ABAP Read Access Logging Framework
Users accessing applications via a configured channel (Web Dynpro ABAP, SAP GUI, Web Service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration. (Slide figure: Web Dynpro – Application – Read Access Log, all inside the ABAP server.)
Read Access Logging Framework Features
Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters, you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
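The who / what / when / how record and the filtering described on the RAL slides, as an added Python model. This is example code written for this page, not SAP's Read Access Logging implementation: the rule model (per-field "log the fact of access only", "log a salted hash", "log the value"; user exclusion; a condition on the record), the channel and transaction names, and the business partner records are all constructed for the example.

```python
"""Toy read-access-logging framework, added as an illustration of the
who / what / when / how record and of filters that keep private data out of
the log. It is not SAP's Read Access Logging implementation; the rule model,
names and sample data below are constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set
import hashlib


@dataclass
class FieldRule:
    """How one classified field is written to the log."""
    with_value: bool = False      # False: record only that the field was shown
    pseudonymize: bool = False    # True: store a salted hash instead of the value


@dataclass
class Recording:
    """Logging configuration for one entity on one channel."""
    channel: str                                    # "SAP GUI", "Web Dynpro", "RFC", ...
    entity: str                                     # e.g. "BusinessPartner"
    fields: Dict[str, FieldRule]                    # only classified fields are listed
    exclude_users: Set[str] = field(default_factory=set)       # e.g. batch users
    condition: Optional[Callable[[dict], bool]] = None         # log only matching records


class ReadAccessLog:
    def __init__(self, salt: bytes = b"constructed-salt"):
        self.salt = salt
        self.recordings: List[Recording] = []
        self.entries: List[dict] = []

    def configure(self, recording: Recording) -> None:
        self.recordings.append(recording)

    def _render(self, rule: FieldRule, value) -> str:
        if not rule.with_value:
            return "<accessed>"
        if rule.pseudonymize:
            return hashlib.sha256(self.salt + str(value).encode()).hexdigest()[:16]
        return str(value)

    def record(self, user: str, channel: str, transaction: str, entity: str,
               data: dict, now: Optional[datetime] = None) -> bool:
        """Called by the channel when `data` is presented to `user`.
        Returns True if at least one entry was written."""
        now = now or datetime.now(timezone.utc)
        written = False
        for rec in self.recordings:
            if rec.channel != channel or rec.entity != entity:
                continue                                   # channel/entity not configured
            if user in rec.exclude_users:
                continue                                   # filtered out by user
            if rec.condition is not None and not rec.condition(data):
                continue                                   # filtered out by record content
            logged = {f: self._render(rule, data[f]) for f, rule in rec.fields.items() if f in data}
            if not logged:
                continue                                   # no classified field was shown
            self.entries.append({"who": user, "when": now.isoformat(),
                                 "how": f"{channel}/{transaction}",
                                 "what": f"{entity} {data.get('ID', '?')}",
                                 "fields": logged})
            written = True
        return written

    def accesses_by(self, user: str) -> List[dict]:
        """Evaluation: which data did a user access, when and through which UI."""
        return [e for e in self.entries if e["who"] == user]


def build_demo_log() -> ReadAccessLog:
    """Constructed scenario: business partner display via transaction BP."""
    log = ReadAccessLog()
    log.configure(Recording(
        channel="SAP GUI", entity="BusinessPartner",
        fields={"SSN": FieldRule(),                                     # fact of access only
                "IBAN": FieldRule(with_value=True, pseudonymize=True),   # hashed
                "COUNTRY": FieldRule(with_value=True)},                  # plain
        exclude_users={"BATCH_USER"},
        condition=lambda d: d.get("PERSON") is True))   # only natural persons are classified
    person = {"ID": "4711", "PERSON": True, "SSN": "123-45-6789",
              "IBAN": "DE89370400440532013000", "COUNTRY": "DE"}
    company = {"ID": "4712", "PERSON": False, "IBAN": "DE02120300000000202051", "COUNTRY": "DE"}
    t = datetime(2013, 11, 5, 9, 30, tzinfo=timezone.utc)
    log.record("SMITHJ", "SAP GUI", "BP", "BusinessPartner", person, t)        # written
    log.record("BATCH_USER", "SAP GUI", "BP", "BusinessPartner", person, t)    # user excluded
    log.record("SCOTTE", "RFC", "Z_BP_READ", "BusinessPartner", person, t)     # channel not configured
    log.record("SCOTTE", "SAP GUI", "BP", "BusinessPartner", company, t)       # condition false
    return log


if __name__ == "__main__":
    for entry in build_demo_log().entries:
        print(entry)
```

Only the first access is written, and the single entry proves who (SMITHJ), what (BusinessPartner 4711), when and how (SAP GUI/BP) without the log itself containing the social security number: the SSN field is recorded as accessed, the IBAN as a salted hash, and only the country in clear. That is the trade-off the next slide on legal regulations is about.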
SAP Custom Development – User Interface (UI) Logging
In addition to the Read Access Logging framework, you can use the SAP Custom Development UI Logging solution for releases before NW 7.40. UI Logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.
Slide figure (sample implementation, SAP GUI for Windows): the request from SAP GUI reaches the Dynpro processor of the SAP backend system and is passed on to the application logic; the response is delivered back to the client. The observed data traffic is written to a temporary log and, through an asynchronous call of the log service, to the permanent log storage; a repository is shown alongside the backend system.
UI Logging: Log Record Example I – Transaction BP (Business Partner); Log Record Example II – Transaction SE16 (Table Viewer). (Slide figures: screenshot of the transaction next to the resulting log record.)
Access Logging with Business Warehouse
SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution). LOPD was first available with the BW 7.0 release. Within the solution you can configure the information to be logged per InfoProvider. The LOPD logging mechanism first performs a simple relevance check for the InfoProvider underlying a query. For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection
Read Access Logging versus UI Logging
Read Access Logging is a framework to enable compliant logging of data access by SAP systems; it is developed and available as of SAP NetWeaver AS ABAP 7.40. The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.
Supported channels per solution:
  Channel                       Read Access Logging   UI Logging
  SAP GUI                       No                    7.00…7.31
  Web Dynpro ABAP               7.40 SP02             On Req.
  CRM Web Client UI             No                    7.00…7.31
  Business Warehouse            No                    7.00…7.31 / BW 7.0
  Web Services                  7.40                  On Req.
  SAP RFC                       7.40 SP02             On Req.
  Business Server Pages (BSP)   No                    On Req.
Read Access Logging – Compliance to Legal Regulations
Please note that often there are different regulations in place, which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.
When recorded data contains information about individuals, it may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.
In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the works constitution legislation of certain countries. In this case an approval of the works council might be mandatory.
SAP NetWeaver Security Solutions – Encryption of Data at Rest and in Transit
Digital Signatures via SSF API and Secure Login Library – digital signatures for legally binding contracts
Slide figure: SAP Business Suite applications (CRM, SRM, SCM, PLM, ERP) integrate with the Secure Store and Forward (SSF) API; the SAP NetWeaver SSF library is provided by SAPCRYPTOLIB or the Secure Login Library.
– Out-of-the-box support for a set of SAP transactions
– Consistent with SAP Single Sign-On mechanisms
– Easy and flexible to implement
– Generation of X.509 certificates and smart card support
– PCI-DSS-compliant encryption
Digital Signatures – Step By Step
Slide figure (SAP client and application):
1. A transaction triggers the digital signature
2. The user authenticates and the digital certificate is received
3. The user information is transferred
4. The application digitally signs the documents and stores the data
Supported out-of-the-box for a set of SAP transactions. Programming/integration is necessary in case of: ABAP programming for other transactions not yet supporting SSF; integration of the Secure Login Library with client actions; hardware support needed.
SNC Client Encryption – Secure Network Communications
A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel (compliance, integrity, confidentiality). SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides encryption between SAP GUI for Windows clients and SAP application servers, included in SAP NetWeaver.
SNC Client and Server Encryption – Overview
Slide figure: clients (SAP NetWeaver Business Client, SAP GUI for Windows, Business Explorer Browser (BEx Browser), RFC client) connect via SNC to the SAP application server; SNC also secures the connection between SAP application servers.
– Encryption between SAP client and application server, based on SNC and Kerberos
– Included in the SAP NetWeaver license
– No single sign-on included
– No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
SAP NetWeaver Security Solutions – Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings
Protecting Your SAP Systems
Slide figure, responsibilities split between SAP and customers: SAP – secure software development and security services; customers – secure software development and security management. (This figure is repeated as a divider before each of the following sections.)
SAP Product Innovation Lifecycle
Phases: INVENT – DEFINE – Quality Gate (Planning to Development) – DEVELOP – Quality Gate (Development to Production) – DEPLOY – Quality Gate (Production to Ramp Up) – OPTIMIZE
Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state of the art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services
SAP Security Services Overview (1/2)
– SAP Security Patch Day: SAP security notes on the second Tuesday of every month
– SAP Active Global Support security tools and services: SAP Solution Manager System Recommendations; SAP EarlyWatch Alert (EWA) with security section; SAP Solution Manager Configuration Validation; SAP Security Optimization Service (SOS)
– SAP security consulting services
SAP Security Services Overview (2/2)
– SAP Security Training: secure operation trainings by SAP; secure development trainings by partners
– SAP Security Documentation: security notes published on Service Marketplace; SAP security guides for every product; SAP security recommendations on some patch days; secure programming guides; RunSAP end-to-end solution operations; books published by SAP Press
SAP Security Management for Your Systems – Are you ready?
– Do you have management support for SAP security?
– Do you have defined responsibilities for SAP security?
– Do you have a security contact maintained in SMP?
– Do you have standards and guidelines for SAP security?
– Do you have know-how in security operations?
– Do you have know-how in secure development?
– Do you have know-how in authorizations and SoD?
– Do you monitor compliance with standards and guidelines?
SAP security is more than roles and profiles. Examples: secure system configuration, patch management
Secure System Configuration – SAP NetWeaver AS ABAP (from the security recommendations discussed later)
– Network filtering
– SAP GUI for Windows
– Password management: password policy, password hashes, default passwords
– SAP Gateway and SAP Message Server security
– Secure Network Communication (SNC) and HTTPS
– Limit web-enabled content
– ABAP RFC connectivity
– Secure session handling
Patch Management and Security Monitoring
– Evaluate SAP security notes every patch day! The most important notes that can be applied automatically are checked and the result is presented
– Manage SAP security notes for all systems connected to Solution Manager
– Check the security of your systems onsite, remotely or as a self service via SAP Solution Manager
– Verify release information and configuration parameters against targets for all systems connected to Solution Manager
Session SIS103 – Security Control Center by SAP Active Global Support
LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems
The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks. Easy-to-use, lightweight tool: short startup time, small memory footprint.
Configuration tasks provided with LM Automation Standalone 1.0 SP00 – each task available in two flavors, one for ABAP and one for Java application servers:
– SSL Validation: validates configuration settings (such as the SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs the configuration and describes the required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)
For more information, see SAP Note 1532674
Secure Custom Development – Secure Design
Secure design: authentication and identity propagation; secure session handling; communication protocols; authorization concept; logging and audit trace
Resources: SAP security recommendations; SAP security guides
How to verify: design review, architectural risk analysis
Secure Custom Development – Secure Programming
Secure programming – avoid security bugs: cross-site scripting (XSS); cross-site request forgery (XSRF); SQL injection; directory traversal; ABAP code injection
Resources: SAP Secure Programming Guides; SAP Security Recommendations
How to verify: source code scanning – automate it!
Overview of SAP Code Check Tools (Topic: Source Code Scan)
SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see SAP Note 1697494).
– ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
– Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
– Extended Program Check (SLIN): extended program check which analyzes the source code
– SAP NetWeaver Application Server, add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input
Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze, and Fix Your Programs
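What a security code scan of custom ABAP actually looks for, tied to the bug classes of the Secure Programming slide (SQL injection, directory traversal, ABAP code injection, and an AUTHORITY-CHECK whose result is never evaluated), as an added Python example. This is not the Code Inspector, ATC or the code vulnerability analysis add-on and does no data-flow analysis; it is a statement-level pattern check written for this page, and the ABAP program it scans is constructed so that each rule fires once and one correctly checked AUTHORITY-CHECK stays clean.

```python
"""Minimal static check over ABAP source, added to illustrate the kind of
pattern a security code scan looks for. It is a heuristic demonstration, not
the Code Inspector, ATC or the code vulnerability analysis add-on; the rules
and the sample program are constructed for this example."""
import re

# Constructed sample program: one finding per rule plus one clean AUTHORITY-CHECK.
ABAP_SAMPLE = r"""
REPORT z_demo_scan.
PARAMETERS: p_bukrs TYPE bukrs, p_path TYPE string.
DATA lv_where TYPE string.
* display documents of the selected company code
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '03'.
" the result is never evaluated: IF sy-subrc <> 0 ... is missing
lv_where = |BUKRS = '{ p_bukrs }'|.
SELECT * FROM bkpf INTO TABLE @DATA(lt_bkpf) WHERE (lv_where).
AUTHORITY-CHECK OBJECT 'S_DATASET'
  ID 'FILENAME' FIELD p_path
  ID 'ACTVT' FIELD '33'.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized.' TYPE 'E'.
ENDIF.
OPEN DATASET p_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
GENERATE SUBROUTINE POOL lt_code NAME lv_prog.
"""

RULES = [
    ("DYN_WHERE", re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I),
     "dynamic WHERE clause from a variable: SQL injection unless built with cl_abap_dyn_prg"),
    ("CODE_INJ", re.compile(r"\b(GENERATE SUBROUTINE POOL|INSERT REPORT)\b", re.I),
     "dynamic program generation: ABAP code injection sink, review where the code comes from"),
    ("FILE_PATH", re.compile(r"\bOPEN DATASET\s+(?!['`])\w+", re.I),
     "OPEN DATASET with a variable path: directory traversal unless the path is validated"),
]


def statements(source):
    """Drop comments (asterisk in column 1, double quote to end of line) and
    split the source at '.', honouring the ' ` | string delimiters so that a
    period inside a literal does not end the statement."""
    out, cur, quote = [], [], None
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        for ch in line:
            if quote:
                cur.append(ch)
                if ch == quote:
                    quote = None
            elif ch in "'`|":
                quote = ch
                cur.append(ch)
            elif ch == '"':
                break
            elif ch == ".":
                stmt = " ".join("".join(cur).split())
                if stmt:
                    out.append(stmt)
                cur = []
            else:
                cur.append(ch)
        cur.append(" ")
    return out


def scan(source):
    """Return (rule_id, statement_number, message) findings, in source order."""
    stmts = statements(source)
    findings = []
    for n, stmt in enumerate(stmts):
        for rule_id, pattern, message in RULES:
            if pattern.search(stmt):
                findings.append((rule_id, n, message))
        # An AUTHORITY-CHECK only protects anything if sy-subrc is inspected right after it.
        if re.match(r"AUTHORITY-CHECK\b", stmt, re.I):
            following = stmts[n + 1] if n + 1 < len(stmts) else ""
            if "SY-SUBRC" not in following.upper():
                findings.append(("AUTH_NO_SUBRC", n,
                                 "AUTHORITY-CHECK result (sy-subrc) is not evaluated by the next statement"))
    return findings


if __name__ == "__main__":
    for rule_id, n, message in scan(ABAP_SAMPLE):
        print(f"{rule_id:14} statement {n:2}: {message}")
```

Stripping comments before matching matters: the constructed program carries the text "IF sy-subrc <> 0" only in a comment, which a naive grep would accept as a check. The real tools go further and follow the data from the PARAMETERS statement into the dynamic WHERE clause and the file path; this example stops at the sink.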
Application Security Testing
Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.
– DAST – find vulnerabilities in the running application: manual application penetration testing; automated application vulnerability scanning
– SAST – find vulnerabilities by analyzing the sources: manual source code review; automated source code analysis
Code Vulnerability Analysis – Scan, Analyze, and Fix Your Programs
Same DAST/SAST quadrants as on the previous slide (manual application penetration testing and automated application vulnerability scanning; manual source code review and automated source code analysis). The SAP NetWeaver Application Server add-on for code vulnerability analysis covers automated source code analysis. Finding security issues at design time is easier and less expensive!
Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze, and Fix Your Programs
Stay Informed and Report Issues
Security-related news from SAP (patches, whitepapers, etc.): subscribe to the SAP Support Portal newsletter (Spotlight News, My SAP HotNews, My SAP Security Notes). Maintain a security contact in SAP Service Marketplace who receives ad-hoc SAP Product Security Notifications, which are sent out for very important security-related news.
Reporting product security issues: create a customer ticket in the support system. If you do not have SAP support, send an email to [email protected] – please use PGP for email encryption; the public PGP key is linked at https://service.sap.com/securitynotes
Security Response @ SAP
You have found a security vulnerability in an SAP product? What to do? Open a customer message.
How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).
You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for:
• Spotlight news
• Check of the security notes released on the Security Patch Days
• Subscription to the SAP support portal newsletter
• Maintenance of a security contact in your organization
You will find all links and more information on security response using the quick link ‘securitynotes’ on the SAP Service Marketplace.
Security Topics in SAP Education
Courses
Topic | Course ID
Authorizations AS ABAP | ADM940
Authorizations AS Java, Portal | ADM200, EP200, ADM800
Authorizations BW | BW365
SAP NetWeaver Identity Management | ADM920
Security Auditing | ADM950
Technical Security (RFC, SSL, SNC, …) | ADM960
Curricula: SAP System Administration – User and Security; SAP Governance, Risk & Compliance
Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
The Security Consultant Certification test:
• Verifies the participant’s profound knowledge in the area of SAP NetWeaver™ Security
• Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
Booking code: P_ADM_SEC_70
Common Criteria
Certification for Information Technology Security Evaluation (ISO 15408)
• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product, and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs):
EAL 1 – Functionally tested
EAL 2 – Structurally tested
EAL 3 – Methodically tested and checked
EAL 4 – Methodically designed, tested and reviewed (EAL 4 is the highest internationally accepted level)
EAL 5 – Semiformally designed and tested
EAL 6 – Semiformally verified, designed, and tested
EAL 7 – Formally verified, designed, and tested
Common Criteria Certified SAP Products
https://service.sap.com/commoncriteria
The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.
Certified products:
• SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)
Markets where the Common Criteria Certificate is accepted: Australia, Canada, US, Austria, France, UK, Turkey, Singapore, The Netherlands, Pakistan, Spain, Czech Republic, Malaysia, Germany, Finland, Italy, Greece, Hungary, Israel, Sweden, Denmark, Japan, India, Norway, Rep. of Korea, New Zealand
SAP NetWeaver Single Sign-On
Single Sign-On / Password Manager
Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture 1hr.)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (H/O 2hr.)
Compliant Identity Management and Single Sign-On
SAP offers a complete suite of compliance, governance, identity management, and single sign-on solutions:
• Compliance and Governance – SAP GRC Access Control
• Authentication and Single Sign-On – SAP NetWeaver Single Sign-On
• Identity Management – SAP NetWeaver Identity Management
Compliant Identity Management and Single Sign-On
• Single sign-on: SAP GUI for Windows, SAP GUI for Java, Web applications
• Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
• Advanced SNC encryption: strong encryption of communication
• Enterprise Single Sign-On for legacy systems
• Support of additional authentication methods: smart cards, Radius
SAP NetWeaver Identity Management and Single Sign-On
SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP systems and non-SAP
• Identity Center, Virtual Directory Server, Identity Services
• Integration with SAP GRC Access Control
SAP NetWeaver Single Sign-On
• Identity federation
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (Radius, smart cards)
• RSA Certification
SNC Client Encryption
• Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)
Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for Crypto Library
SAP NetWeaver Single Sign-On and Solution Components
SAP NetWeaver Single Sign-On (Partner API, SAP NetWeaver)
Secure Login
• Single sign-on for Web-based and Web service-based applications
• Standards-based single sign-on for SAP GUI (Kerberos, X.509)
• Digital signature for integrity and re-authentication for critical applications
Enterprise Single Sign-On
• Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet)
• Secured and automated login via user and password
Identity Federation
• Web-based and Web service-based authentication
• Single sign-on and identity federation via SAML 2.0
• Cross-company domain single sign-on
Web Access Management
• Endorsed Business Solution (EBS) with CA SiteMinder product
• Policy-based authentication and authorization to Web applications
• XACML-based and policy-enforced access
SNC Client Encryption
• Basic encryption between SAP Windows clients and SAP application servers
• No single sign-on
EBS CA SiteMinder® – Web Access Management
Endorsed Business Solution with CA: CA SiteMinder®
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross application and cross domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User to application security for a heterogeneous app environment
• No client deployed to desktop
The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments, to create a common web access management layer for customers in a heterogeneous environment.
What is Enterprise Single Sign-On?
(Diagram: primary authentication of user jack_jones to E-SSO; E-SSO Monitor; Local Management Console; target applications: Web: Form, Web: Basic, Terminal Emulator, Java application, Windows application.)
Secure Login – Solution Architecture
(Diagram: client system with SAP Frontend – NWBC, SAP GUI, Web Browser, SLWC (Applet) – plus Secure Login Client, Secure Login Lib, Key Store and PSE Service; connections via HTTP(S) and DIAG, SNC to the backend systems (ABAP Stack with Secure Login Library; Java Stack with SAP or Java Crypto Library) and to the Secure Login Server on NetWeaver CE 7.2 with Config Data; Authentication Server (e.g. SAP User Management).)
SAP NetWeaver Single Sign-On – Identity Federation
Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation
Why Identity Federation?
• Different companies (Company A, Company B)
• One business process
• Separated IT infrastructure (Datacenter A, Datacenter B, Cloud), each with its own ERP, CRM, SCM, …
Identity Federation – Solution
• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard
(Diagram: Company A and Company B each run an Identity Provider; the ERP, CRM and SCM systems in Datacenter A and Datacenter B are enabled as Service Providers (SP).)
Identity Provider – Web Browser-Based Single Sign-On
• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML): SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP, each with its own user account
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
(Diagram: web browser log on/log off at the Service Provider; SAML token issued by the Identity Provider and consumed by the SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP Service Providers, each mapping it to a local user account.)
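The redirect-and-assert flow above, as an added simplified model in Python (not SAP code and not a SAML implementation): an HMAC stands in for the assertion's XML signature, and the entity ids, user accounts and signing key are constructed. It shows the single interactive login, audience, validity and replay checks at each Service Provider, and the mapping of the asserted subject to a local account.

```python
# Added illustration, not SAP code: simplified SAML web-browser SSO; HMAC replaces XML-DSig.
import hashlib, hmac, json, secrets, time

class IdentityProvider:
    def __init__(self, entity_id, users, key):
        self.entity_id, self.users, self.key = entity_id, users, key
        self.sessions = {}        # IdP session cookie -> user id
        self.trusted_sps = set()  # entity ids of registered Service Providers

    def login(self, user, password):
        # Constructed credential check; a real IdP uses a user store, Kerberos or X.509.
        if self.users.get(user) != password:
            return None
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        return cookie

    def issue_assertion(self, cookie, sp_entity_id):
        """Answer an SP's AuthnRequest; no password prompt if an IdP session exists."""
        user = self.sessions.get(cookie)
        if user is None or sp_entity_id not in self.trusted_sps:
            return None
        now = int(time.time())
        body = {"id": secrets.token_hex(8), "issuer": self.entity_id, "subject": user,
                "audience": sp_entity_id, "not_before": now, "not_on_or_after": now + 300}
        return {**body, "signature": _mac(self.key, body)}

def _mac(key, body):  # HMAC over the canonical fields; stands in for the XML signature
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class ServiceProvider:
    """Trusts one IdP and maps the asserted subject to a local user account."""
    def __init__(self, entity_id, idp_key, accounts):
        self.entity_id, self.idp_key, self.accounts = entity_id, idp_key, accounts
        self.seen_ids = set()     # assertion ids already consumed (replay protection)

    def consume(self, assertion):
        """Return (local account, reason); account is None when the assertion is rejected."""
        body = {k: v for k, v in assertion.items() if k != "signature"}
        if not hmac.compare_digest(_mac(self.idp_key, body), assertion["signature"]):
            return None, "bad signature"
        if body["audience"] != self.entity_id:
            return None, "wrong audience"   # issued for a different Service Provider
        if not body["not_before"] <= int(time.time()) < body["not_on_or_after"]:
            return None, "expired"
        if body["id"] in self.seen_ids:
            return None, "replayed"
        self.seen_ids.add(body["id"])
        account = self.accounts.get(body["subject"])
        return (account, "ok") if account else (None, "no local account")

def demo():  # one interactive login at the IdP, then SSO to two Service Providers
    key = b"constructed-demo-idp-signing-key"
    idp = IdentityProvider("idp.company-a.example", {"jack_jones": "pw"}, key)
    erp = ServiceProvider("erp.datacenter-a.example", key, {"jack_jones": "JJONES"})
    crm = ServiceProvider("crm.datacenter-b.example", key, {"jack_jones": "jack.jones"})
    idp.trusted_sps.update({erp.entity_id, crm.entity_id})
    cookie = idp.login("jack_jones", "pw")              # the only password prompt
    a_erp = idp.issue_assertion(cookie, erp.entity_id)
    a_crm = idp.issue_assertion(cookie, crm.entity_id)  # no re-authentication
    tampered = {**a_crm, "subject": "admin"}            # signature no longer matches
    return {"erp": erp.consume(a_erp), "crm": crm.consume(a_crm),
            "crm_with_erp_assertion": crm.consume(a_erp),  # audience check fails
            "erp_replay": erp.consume(a_erp),              # id already seen
            "tampered": crm.consume(tampered)}
```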
SAP NetWeaver Identity Management
Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture 1hr.)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr.)
Session SIS203 – SAP NetWeaver Identity Management 7.2 Mobility REST UI5 (Lecture 1hr.)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (H/O 2hr.)
Session SIS263 – Advanced features of SAP NW IdM Context Based Role Assignments (H/O 2hr.)
SAP NetWeaver Identity Management
• SAP Business Suite Integration, e.g. on-boarding
• Compliance checks through GRC (SAP Access Control (GRC))
• Identity virtualization and identity as service
• Identity mgmt. monitoring & audit
• Rule-based assignment of business roles
• Password management
• Approval workflows
• Central Identity Store
• Provisioning to SAP and non-SAP systems
Architecture of SAP NetWeaver Identity Management 7.2
(Diagram: external repositories – LDAP, Active Directory, etc.; ABAP, SAP HR, etc.; SiteMinder, WebServices, app specific – and external applications (Java, LDAP/WebServices, HTTP/S) connect to the Virtual Directory Server (VDS, Java VM) and to the Identity Center. Identity Center components: User Interface (AS Java Web Dynpro, ID Mgmt UI abstraction), Management Console (MMC, soon to be Eclipse), DSE Dispatcher (VB), Runtime (VB), Runtime (Java), Event Agent, JMX, stored procedures, Logs, Audit, Identity Services (IdS); IC database: either MS-SQL, Oracle-DB, soon IBM-DB2.)
Compliant Identity Management with SAP GRC Access Control
Session SIS205 – Strategies for closing the gap between access control and identity management processes
Compliant Identity Management – interplay of SAP NetWeaver Identity Management and SAP GRC Access Control:
1. User: request for role, privileges, user account, …
2. Request sent for approval to manager, delegate, role owner, application owner, … (Approver)
3. Approval granted from manager, delegate, role owner, application owner, …
4. Send for risk analysis to SAP GRC Access Control
5. Risk analysis and remediation by the Compliance Team: reject, approve, mitigate, modify request, …
6. Provision to business applications, non-SAP systems, … and send approval mail to user
Result: Compliant Identity Management
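The six steps above as an added Python state machine (not SAP code, and not how SAP NetWeaver Identity Management or SAP GRC Access Control implement it): the request, approval, risk analysis, remediation decisions and provisioning are each a function, and provisioning refuses any request whose segregation-of-duties risks are not mitigated. Role names, approvers, target systems and the SoD rule set are constructed.

```python
# Added illustration, not SAP code: the six-step flow above as a small state machine.
# Roles, users and the SoD rule set below are constructed demo data, not GRC rule content.
from dataclasses import dataclass, field

# Constructed segregation-of-duties rules: role pairs one identity must not hold together.
SOD_RULES = {("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"): "enter and pay own invoices",
             ("HR_MASTER_DATA", "PAYROLL_RUN"): "change own pay data and run payroll"}

@dataclass
class AccessRequest:
    user: str
    requested_roles: list
    existing_roles: list      # already provisioned roles count in the risk analysis
    approver: str             # manager, delegate, role owner or application owner
    status: str = "REQUESTED"                 # step 1
    risks: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)   # (role, role) -> mitigating control id
    log: list = field(default_factory=list)

def approve(req, approver):                   # steps 2 and 3
    if approver != req.approver:
        raise PermissionError("approval must come from the designated approver")
    req.status = "APPROVED"
    req.log.append(f"approved by {approver}")

def risk_analysis(req):                       # step 4: SoD check over existing + requested
    held = set(req.existing_roles) | set(req.requested_roles)
    req.risks = [(a, b, why) for (a, b), why in SOD_RULES.items() if a in held and b in held]
    req.status = "RISK_ANALYZED"
    req.log.append(f"{len(req.risks)} SoD risk(s) found")
    return req.risks

def remediate(req, decision, detail=None):    # step 5 by the compliance team
    """decision: 'approve' (only without risks), 'mitigate' (control id),
    'modify' (new role list, re-analyzed) or 'reject'. Returns the new status."""
    if req.status != "RISK_ANALYZED":
        raise RuntimeError(f"remediation needs a risk analysis, status is {req.status}")
    if decision not in {"approve", "mitigate", "modify", "reject"}:
        raise ValueError(f"unknown decision {decision!r}")
    if decision == "reject":
        req.status = "REJECTED"
        return req.status
    if decision == "approve" and req.risks:
        raise ValueError("cannot approve a request with unmitigated risks")
    if decision == "mitigate":
        req.mitigations = {(a, b): detail for a, b, _ in req.risks}
    if decision == "modify":
        req.requested_roles = list(detail)
        if risk_analysis(req):
            raise ValueError("modified request still violates SoD rules")
    req.status = "REMEDIATED"
    req.log.append(f"remediation: {decision}")
    return req.status

def provision(req, target_systems):           # step 6
    """Push the final role set to each target system; refuse if any risk is unmitigated."""
    if req.status != "REMEDIATED":
        raise RuntimeError(f"cannot provision in status {req.status}")
    if any((a, b) not in req.mitigations for a, b, _ in req.risks):
        raise RuntimeError("unmitigated SoD risk")
    req.status = "PROVISIONED"
    req.log.append(f"provisioned to {', '.join(target_systems)}; approval mail sent to {req.user}")
    roles = sorted(set(req.existing_roles) | set(req.requested_roles))
    return {system: roles for system in target_systems}
```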
What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?
SAP GRC Access Control
• Access Risk Identification – define and understand access risks
• Access Analysis and Response – analyze and mitigate access risks
• Access Reviews – periodic reviews of assignments, risk violations, and controls
• Centralized, Compliant Role Repository – define and manage compliant roles
Together: compliant identity management for the entire system landscape
SAP NetWeaver Identity Management
• Centralized user management – centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data – manage user privileges centrally
• Single Sign-On – automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity – simplifies integration with standards-supported Identity Federation
SAP GRC Access Control 10.0 – Architecture
(Diagram: Front-End Client – SAP Crystal Reports Adapter*, Adobe Flash Player, Web Browser (http), SAP GUI 7.10 (DIAG); optional SAP NW Portal 7.02 with GRC Portal Content (http); SAP GRC 10.0 on AS ABAP 7.02: AC, PC & RM (Software Component: GRCFND_A), Web services; optional SAP NW JAVA 7.02 with Adobe Document Services and Content Lifecycle Management (CLM) (RFC); optional SAP NW BW 7.02 with GRC BI Content (RFC); connected via RFC: SAP ERP (4.6C – 7.1) with NW Function Modules (Plug-in: GRCPINW) and HR Function Modules, PC Automated Ctrls (Plug-in: GRCPIERP); SAP NetWeaver Identity Management Solutions (SAP or Non-SAP) and Non-SAP Business Applications via Adapter.)
* SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports
Compliant Identity Management – Example Customer Scenario
(Flow diagram with lanes HR Application, Identity Management, SAP GRC Access Control, Line Manager and Heterogeneous Landscape; steps: New Hire / Change Position; Create User, Assign Roles based on position; Calculate Entitlements; Compliance Check (Yes/No); Remediation; Approve Assignments; Create User, Assign Privileges.)
• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration
Moving Security to the Next Level – Planned Features and Developments
Centralized SAP Attack Monitoring Infrastructure, UCONN
Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure*
• Inputs: logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, alerts from SAP SolMan, logs of database, logs of infrastructure, network IDS logs
• Connectivity, filtering, extraction, then aggregation and normalization, feeding the SAP Attack Monitoring Infrastructure
• Attack pattern updates by SAP; information back channel to SAP
• Desktop frontend, mobile frontend; API to other SIEM tools
* Limited analysis possibilities on local SAP NetWeaver systems have to be discussed
Summary – Key Take-Away
• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today’s business networks
Further Information
SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations “Secure Configuration SAP NetWeaver Application Server ABAP”: http://scn.sap.com/docs/DOC-17149
SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online
Continue your SAP TechEd education after the event!
SAP TechEd Virtual Hands-on Workshops: access hands-on workshops post-event; available January – March 2014; complimentary with your SAP TechEd registration. http://saptechedhandson.sap.com/
SAP TechEd Online: access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions, and more! View content only available online. http://sapteched.com/online
Feedback
Please complete your session evaluation for SIS100.
Thanks for attending this SAP TechEd session.
© 2013 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.