TRANSCRIPT
SCUR202: SAP Security Optimization Service
Larry Justice, SAP America
Matthias Bühl, SAP AG
© SAP AG 2004, SAP TechEd / SCUR202 / 3
Learning Objectives
As a result of this workshop, you will be able to:
Explain how a customer can benefit from the SAP Security Optimization Service
Understand the report of the service
Describe what areas are covered in the SAP Security Optimization Service
What is it all about?
Why do you need this service?
The service in detail
How do you get it?
What Is It All About?
SAP Security Optimization is a remote service comparable to SAP EarlyWatch
SAP EarlyWatch proactively analyzes your operating system, database, and entire SAP system to ensure optimal performance and reliability
SAP Security Optimization proactively analyzes security vulnerabilities within an enterprise’s SAP landscape to ensure optimal protection against intrusions
The service is performed remotely within 1 – 2 days
The service is primarily automated but includes some manual checks
The service checks SAP systems and SAP middleware components
Results are prioritized and delivered with recommendations on how to resolve the identified vulnerabilities
The service should be performed at regular intervals:
To verify that actions derived from earlier service runs lead to the desired results
To verify that recent configuration changes did not introduce new security holes
To include the most up-to-date checks
What Is It All About?
The service runs in four steps. Scan, Rate and Report form the remote security check; Implement is on-site security consulting.
Scan
The customer's SAP landscape is scanned remotely and checked for critical security settings
Only white box checks are executed, no black box checks ("hacking")
Rate
In order to determine the actual risk, the vulnerabilities are ranked using rating logic
The rating is based on the severity and probability of each vulnerability
Report
A report is created containing the identified vulnerabilities
The report is sent to the owner of the analyzed SAP system landscape
The report contains recommendations to eliminate or reduce the vulnerabilities found in the Security Optimization Service
Implement
The implementation of the recommended security measures can be done by the customer or by experienced security consultants from SAP Consulting
Current and Future Scope
Available modules
SAP Web AS ABAP Stack: User Management, Authentication Checks, Access Control, Change Management, Critical Basis Functionality
Internet Transaction Server
Business Connector
SAProuter
Future developments
SAP Enterprise Portal 6.0
J2EE
XI
Applications (HR, FI, CO, …)
CRM
Example: User management
(Slide diagram: user management via SU01, OIBB etc., shown beside table access, malicious transports and call function)
The Service in Detail: Questionnaire & Report
The customer first fills out a questionnaire in which all known "high authorized users" are listed.
The target system is scanned and an SDCC and an ST14 download are created.
Then a report is created in the SAP Service Delivery System.
R/3 Basis: mostly automated
SAProuter: mostly manual
ITS: 50:50 automated and manual
SAP BC: mostly manual
The questionnaire and the report are stored in the SAP Service Marketplace so that the customer can receive the results.
The Service in Detail: How Does it Work?
Procedure for authorization checks:
First, we find all SAP_ALL users and list them at the top of the report.
Then we analyze the authorized users for all other checks and REMOVE the SAP_ALL users. (This is done to keep the overview readable, as a SAP_ALL user would pop up in every further check without adding any value.)
Finally, we remove all users that were mentioned in the questionnaire. (This is done because we are only interested in authorized users the customer does NOT know about; the service is not there to tell the customer that having many highly authorized users is not allowed.)
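The three filtering steps above, written out as an added example (this is not SAP's own service code). The user names, the questionnaire answer and the check definitions are constructed; the authorization model is simplified to "user holds a set of authorization objects, or the SAP_ALL profile which grants everything", whereas real SAP authorization checks also evaluate fields and activities.

```python
"""Authorization-check user filtering as described for the SAP Security Optimization
Service: list SAP_ALL users first, drop them from every further check, then drop the
high-authorized users the customer already declared in the questionnaire.
Added illustration, not SAP's code: users, questionnaire and checks are constructed."""


def has_authorization(auths, objects):
    """SAP_ALL is modelled as a composite profile that grants every authorization."""
    return "SAP_ALL" in auths or bool(auths & objects)


def find_sap_all_users(users):
    """Step 1: every user holding SAP_ALL; these go at the top of the report."""
    return sorted(user for user, auths in users.items() if "SAP_ALL" in auths)


def run_checks(users, checks, questionnaire_users):
    """Run each authorization check and keep only the 'unexpected' users."""
    sap_all = set(find_sap_all_users(users))
    results = {}
    for check_name, objects in checks.items():
        authorized = {u for u, auths in users.items() if has_authorization(auths, objects)}
        # Step 2: remove SAP_ALL users; they would show up in every check without adding value
        authorized -= sap_all
        # Step 3: remove users the customer declared in the questionnaire; the report is
        # only about authorized users the customer does NOT know about
        unexpected = sorted(authorized - set(questionnaire_users))
        results[check_name] = {
            "objects": sorted(objects),
            "count": len(unexpected),
            "unexpected": unexpected,
        }
    return {"sap_all_users": sorted(sap_all), "checks": results}


def render_report(report):
    """Plain-text rendering in the order the slide describes (SAP_ALL users first)."""
    lines = ["SAP_ALL users: " + ", ".join(report["sap_all_users"])]
    for name, r in report["checks"].items():
        line = f"{name} [{', '.join(r['objects'])}]: {r['count']} unexpected user(s)"
        if r["unexpected"]:
            line += ": " + ", ".join(r["unexpected"])
        lines.append(line)
    return "\n".join(lines)


# Constructed sample data (not taken from any real system)
SAMPLE_USERS = {
    "DDIC":     {"SAP_ALL"},
    "BASISADM": {"SAP_ALL"},
    "JSMITH":   {"S_TABU_DIS", "S_TRANSPRT"},
    "MMUELLER": {"S_TABU_DIS"},
    "BATCHUSR": {"S_RFC", "S_DEVELOP"},
    "CONSULT1": {"S_TRANSPRT", "S_DEVELOP"},
    "ENDUSER1": set(),
}
# Highly authorized users the customer listed in the questionnaire (constructed)
QUESTIONNAIRE_USERS = ["BASISADM", "CONSULT1"]
# Checks: report chapter -> authorization objects that make a user "authorized" for it
CHECKS = {
    "Users who can maintain tables":           {"S_TABU_DIS"},
    "Users who can release transports":        {"S_TRANSPRT"},
    "Users who can call RFC function modules": {"S_RFC"},
    "Users with development authorization":    {"S_DEVELOP"},
}

if __name__ == "__main__":
    print(render_report(run_checks(SAMPLE_USERS, CHECKS, QUESTIONNAIRE_USERS)))
```

With the sample data, DDIC and BASISADM appear only in the SAP_ALL line, BASISADM and CONSULT1 never appear as "unexpected" because the customer declared them, and JSMITH, MMUELLER and BATCHUSR are the users the report would flag.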
How is the Rating Done?
The risk is calculated as a function of the severity and the probability of a security incident. The risk score is severity × probability; a score of 0 or 1 is rated LOW, 2 to 4 MED, and 6 to 9 HIGH:

Severity \ Probability   3 HIGH    2 MED     1 LOW     0 NONE
0 Very LOW               0 LOW     0 LOW     0 LOW     0 LOW
1 LOW                    3 MED     2 MED     1 LOW     0 LOW
2 MED                    6 HIGH    4 MED     2 MED     0 LOW
3 HIGH                   9 HIGH    6 HIGH    3 MED     0 LOW
The Service in Detail: Questionnaire
This questionnaire is filled out by the customer to prepare the service.
The questionnaire contains about 25 questions.
It is not necessary that all questions are answered; this depends on the organizational structure of the customer.
Customer Report: Action items
The Action Items at the top of the report give a good overview of the complete system status.
The Action Items are created automatically from all checks rated with high risk. The list can be adapted individually.
We use the red traffic light for "high risk" and the yellow traffic light for "medium risk".
"Green" results are normally skipped in order to reduce the size of the report.
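The rating logic from "How is the Rating Done?" and the action-item selection described above, as an added example (not SAP's service code). The severity and probability scales and the LOW/MED/HIGH bands are read off the rating matrix; the findings are constructed and the `rate`, `build_report` and `rating_matrix` functions are this example's own.

```python
"""Risk rating and action-item selection as described for the Security Optimization
Service report: risk = severity x probability, banded into LOW / MED / HIGH; high-risk
checks become action items and green (low-risk) results are left out of the report body.
Added illustration, not SAP's code: the findings are constructed and the band thresholds
are taken from the rating matrix on the slide."""

SEVERITY = {"VERY LOW": 0, "LOW": 1, "MED": 2, "HIGH": 3}
PROBABILITY = {"NONE": 0, "LOW": 1, "MED": 2, "HIGH": 3}
TRAFFIC_LIGHT = {"HIGH": "red", "MED": "yellow", "LOW": "green"}


def risk_class(score):
    """Bands from the slide's matrix: 0-1 LOW, 2-4 MED, 6-9 HIGH."""
    if score >= 6:
        return "HIGH"
    if score >= 2:
        return "MED"
    return "LOW"


def rate(severity, probability):
    """Return (score, class) for one finding."""
    score = SEVERITY[severity] * PROBABILITY[probability]
    return score, risk_class(score)


def rating_matrix():
    """Recompute the full 4x4 matrix so it can be compared with the slide."""
    return {(sev, prob): rate(sev, prob) for sev in SEVERITY for prob in PROBABILITY}


def build_report(findings, include_green=False):
    """Rate every finding, pick the action items, and drop green results from the body."""
    rated = []
    for finding in findings:
        score, cls = rate(finding["severity"], finding["probability"])
        rated.append({**finding, "score": score, "risk": cls, "light": TRAFFIC_LIGHT[cls]})
    # Action items come automatically from every high-risk check; the customer may still
    # adapt the list by hand, so they are kept as plain check names here.
    action_items = [r["check"] for r in rated if r["risk"] == "HIGH"]
    # Green results are normally skipped to keep the report short.
    body = [r for r in rated if include_green or r["risk"] != "LOW"]
    # Highest score first, so the body reads as a prioritised list.
    body.sort(key=lambda r: r["score"], reverse=True)
    return {"action_items": action_items, "body": body}


# Constructed findings (check name, severity, probability); not real service results
SAMPLE_FINDINGS = [
    {"check": "Standard user still has its default password", "severity": "HIGH", "probability": "HIGH"},
    {"check": "Unexpected users can maintain tables", "severity": "HIGH", "probability": "MED"},
    {"check": "Production client is open for changes", "severity": "HIGH", "probability": "LOW"},
    {"check": "Password length parameter below recommendation", "severity": "MED", "probability": "MED"},
    {"check": "Batch input sessions run under a dialog user", "severity": "MED", "probability": "LOW"},
    {"check": "System log retention shorter than recommended", "severity": "LOW", "probability": "LOW"},
    {"check": "Unused test RFC destination present", "severity": "VERY LOW", "probability": "HIGH"},
]

if __name__ == "__main__":
    report = build_report(SAMPLE_FINDINGS)
    print("Action items:", report["action_items"])
    for r in report["body"]:
        print(f"{r['light']:6} {r['score']} {r['risk']:4} {r['check']}")
```

Note the two corners of the matrix that the multiplication reproduces: a finding with probability NONE is always LOW regardless of severity, and a "VERY LOW" severity finding is LOW even at HIGH probability. Both are what the slide shows, and both are why a severity 3 finding at probability LOW (score 3) ends up MED rather than in the action items.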
The Service in Detail: Customer Report
The report is divided into chapters by sub topics.
Examples are:
Password Checks
Basis Administration Checks
Batch Input Checks
Change Control Checks
…
Customer Report: Example of an Authorization Check
Info for authorization checks:
"Unexpected" users with this authorization.
The number of unexpected users.
A recommendation on how to handle this situation.
All checked authorization objects.
Every customer should be able to implement the results of the report (additional consulting is possible)
How Can I get it?
The service can be ordered via the “SAP Service Catalog”
The Service Catalog can be found in the SAP Service Marketplace: www.service.sap.com > SAP Support Portal > Maintenance & Services > Service Catalog
Select “SAP Solution Management Optimization”
Demo
SAP TV
Summary
Enterprise IT landscapes are increasingly vulnerable to security breaches due to more open and complex landscapes
The SAP Security Optimization Service is a remote service to check your SAP system landscape for critical security settings to minimize your risk
Further Information
Public Web: www.sap.com
SAP Developer Network: www.sdn.sap.com > SAP NetWeaver Platform > Security
SAP Customer Services Network: www.sap.com/services/
Related Workshops/Lectures at SAP TechEd 2004:
SCUR101, Security Basics, Lecture
SCUR102, User Management and Authorizations: Overview, Lecture
SCUR351, User Management and Authorizations: The Details, Hands-on
Related SAP Education Training Opportunities: http://www.sap.com/education/
ADM960, Security in SAP System Environment
Consulting Contact: Matthias Bühl, Project Leader SAP Security Optimization Service, email: [email protected] or [email protected]
SAP Developer Network
Look for SAP TechEd ’04 presentations and videos on the SAP Developer Network.
Coming in December.
http://www.sdn.sap.com/
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Copyright 2004 SAP AG. All Rights Reserved