M. Linkies / F. Off

Gebundenes Buch

SAP Security and Authorizations

Risk Management and Compliance with Legal Regulations in the SAP Environment

This book gives technical consultants, IT managers, and authorization administrators an in-depth look at all aspects of IT security in the SAP NetWeaver environment.

An introduction to the overall subject matter helps you get up to speed quickly on topics like risk evaluation, creating control options, designing security measures – and teaches you the appropriate procedures for implementing the supporting processes. The second part of the book is dedicated to the technical implementation of these security measures. This book uses examples to describe the potential risks as well as specific application and system security concepts for individual SAP components and solutions.

Table of contents:
Foreword by Prof. Wolfgang Lassmann ... 15
Foreword by Dr. Sachar Paulus ... 17

1 Introduction ... 21
1.1 Background ... 21
1.2 Contents ... 23
1.3 How to Read This Book ... 23
1.4 Acknowledgements ... 24

Part 1 Basic Principles of Risk Management and IT Security

2 Risk and Control Management ... 27
2.1 Security Objectives ... 27
2.2 Company Assets ... 29
2.2.1 Types of Company Assets ... 31
2.2.2 Classification of Company Assets ... 32
2.3 Risks ... 33
2.3.1 Types of Risks ... 34
2.3.2 Classification of Risks ... 36
2.4 Controls ... 37
2.4.1 Types of Controls ... 37
2.4.2 Classification of Controls ... 38

3 Security Strategy ... 41
3.1 Status Quo ... 41
3.2 Components ... 43
3.2.1 General Framework ... 44
3.2.2 Strategy ... 44
3.2.3 Methods ... 45
3.2.4 Best Practices ... 46
3.2.5 Documentation ... 47
3.3 Best Practices of an SAP Security Strategy ... 47
3.3.1 Procedure ... 47
3.3.2 Principle of Information Ownership ... 56
3.3.3 Identity Management ... 61

4 Requirements ... 67
4.1 Legal Requirements ... 67
4.1.1 Sarbanes-Oxley Act ... 68
4.1.2 Basel II ... 76
4.1.3 GoBS ... 79
4.2 Internal Requirements ... 81
4.3 Summary ... 82

5 Security Standards 83
5.1 International Security Standards ... 83
5.1.1 International Security Standard ISO 17799 ... 83
5.1.2 International Security Standard CoBIT ... 87
5.1.3 COSO-Integrated Framework for Company Risk Management ... 90
5.2 Country-Specific Security Standards ... 94
5.2.1 American Standard NIST Special Publications 800–12 ... 94
5.2.2 German Security Standard IT Baseline Protection of the BSI ... 96

6 Basic Principles of Technical Security ... 101
6.1 Cryptography ... 101
6.1.1 Symmetric Encryption Procedure ... 102
6.1.2 Asymmetric Encryption Procedure ... 103
6.1.3 Hybrid Encryption Procedure ... 104
6.1.4 Hash Procedures ... 106
6.1.5 Digital Signature ... 107
6.2 Public Key Infrastructure ... 109
6.3 Authentication Procedures ... 111
6.3.1 User Name and Password ... 111
6.3.2 Challenge Response ... 111
6.3.3 Kerberos ... 112
6.3.4 Secure Token ... 113
6.3.5 Digital Certificate ... 113
6.3.6 Biometrics ... 113
6.4 Basic Principles of Networks ... 114
6.4.1 OSI Reference Model ... 114
6.4.2 Important Network Protocols ... 117
6.4.3 Overview of Firewall Technologies ... 118
6.4.4 Secure Sockets Layer Encryption ... 120

Part 2 Security in SAP NetWeaver and Application Security

7 SAP Applications and Technology ... 123
7.1 Global Security Positioning System ... 123
7.2 SAP Applications ... 123
7.3 SAP NetWeaver ... 125
7.4 Security Technologies ... 127
7.4.1 Authorizations, Risk and Change Management, and Auditing ... 127
7.4.2 Identity Management ... 128
7.4.3 Secure Authentication and Single Sign-On (SSO) ... 129
7.4.4 Technical Security ... 130
7.4.5 Influencing Factors ... 131

8 SAP Web Application Server ... 135
8.1 Introduction and Functions ... 135
8.1.1 Overview ... 135
8.1.2 Technical Architecture ... 136
8.2 Risks and Controls ... 137
8.3 Application Security ... 145
8.3.1 Technical Authorization Concept for Administrators ... 145
8.3.2 Authorization Concept for Java Applications ... 152
8.3.3 Restricting Authorizations for RFC Calls ... 157
8.4 Technical Security ... 161
8.4.1 Introducing a Single Sign-On Authentication Mechanism ... 161
8.4.2 Connecting the SAP Web AS to a Central LDAP Directory ... 163
8.4.3 Changing the Default Passwords for Default Users ... 165
8.4.4 Configuring Security on the SAP Gateway ... 165
8.4.5 Restricting Operating System Access ... 167
8.4.6 Configuring Important Security System Parameters ... 168
8.4.7 Configuring Encrypted Communication Connections (SSL and SNC) ... 170
8.4.8 Restricting Superfluous Internet Services ... 174
8.4.9 Secure Network Architecture for Using the SAP Web AS with the Internet ... 176
8.4.10 Introducing an Application-Level Gateway to Make Internet Applications Secure ... 176
8.4.11 Introducing Hardening Measures on the Operating System Level ... 177
8.4.12 Introducing a Quality Assurance Process for Software Development ... 177

9 SAP ERP Central Component ... 181
9.1 Introduction and Functions ... 181
9.2 Risks and Controls ... 181
9.3 Application Security ... 187
9.3.1 Authentication ... 187
9.3.2 Authorizations ... 188
9.3.3 Other Authorization Concepts ... 202
9.3.4 Best-Practice Solutions ... 213
9.4 Technical Security ... 221

10 mySAP ERP Human Capital Management ... 223
10.1 Introduction and Functions ... 223
10.2 Risks and Controls ... 223
10.3 Application Security ... 229
10.3.1 HCM Master Data Authorizations ... 231
10.3.2 HCM Applicant Authorizations ... 232
10.3.3 HCM Personnel Planning Authorizations ... 233
10.3.4 HCM Reporting Authorizations ... 233
10.3.5 Structural Authorizations ... 233
10.3.6 Authorizations for Personnel Development ... 234
10.3.7 Tolerated Authorizations ... 234
10.3.8 Authorizations for Inspection Procedures ... 234
10.3.9 Customized Authorization Checks ... 235
10.3.10 Indirect Role Assignment Through the Organizational Structure ... 235
10.3.11 Additional Transactions Relevant to Internal Controls ... 236
10.4 Technical Security ... 236

11 SAP Industry Solutions ... 237
11.1 Introduction and Functions ... 237
11.2 Risks and Controls ... 238
11.3 Application Security ... 240
11.3.1 SAP Max Secure ... 240
11.3.2 SAP Role Manager ... 241
11.4 Technical Security ... 244

12 SAP NetWeaver Business Intelligence ... 245
12.1 Introduction and Functions ... 245
12.2 Risks and Controls ... 247
12.3 Application Security ... 249
12.3.1 Authorizations ... 249
12.3.2 Other Concepts ... 254
12.4 Technical Security ... 258

13 SAP NetWeaver Master Data Management ... 261
13.1 Introduction and Functions ... 261
13.2 Risks and Controls ... 262
13.3 Application Security ... 266
13.3.1 Identity Management and Authorizations ... 267
13.3.2 Revision Security ... 272
13.4 Technical Security ... 273
13.4.1 Communications Security ... 273
13.4.2 Important Additional GSPS Components ... 274

14 mySAP Customer Relationship Management ... 275
14.1 Introduction and Functions ... 275
14.2 Risks and Controls ... 275
14.3 Application Security ... 277
14.4 Technical Security ... 284
14.4.1 Technical Protection of the Mobile Application ... 285
14.4.2 Additional Important GSPS Components ... 285

15 mySAP Supplier Relationship Management ... 287
15.1 Introduction and Functions ... 287
15.2 Risks and Controls ... 288
15.3 Application Security ... 289
15.3.1 Important Authorizations ... 289
15.3.2 Rules-Based Security Checks Using Business Partner Attributes ... 297
15.3.3 User Management ... 300
15.4 Technical Security ... 301

16 mySAP Supply Chain Management ... 303
16.1 Introduction and Functions ... 303
16.2 Risks and Controls ... 303
16.3 Application Security ... 304
16.3.1 Authorizations for the iPPE Workbench ... 304
16.3.2 Authorizations for Supply Chain Planning ... 305
16.3.3 Authorizations for Event Management ... 305
16.4 Technical Security ... 306

17 SAP Strategic Enterprise Management ... 307
17.1 Introduction and Functions ... 307
17.2 Risks and Controls ... 308
17.3 Application Security ... 309
17.4 Technical Security ... 309

18 SAP Solution Manager ... 311
18.1 Introduction and Functions ... 311
18.2 Risks and Controls ... 314
18.3 Application Security ... 316
18.4 Technical Security ... 318
18.4.1 System Monitoring Function ... 318
18.4.2 RFC Communication Security ... 319
18.4.3 Important Additional GSPS Components ... 319

19 SAP Enterprise Portal ... 321
19.1 Introduction and Functions ... 321
19.1.1 Technical architecture ... 322
19.1.2 Description of the User Management Engine ... 324
19.2 Risks and Controls ... 328
19.3 Application Security ... 335
19.3.1 Structure and Design of Portal Roles ... 335
19.3.2 Delegated User Administration for Portal Roles by Involving the Information Owners ... 341
19.3.3 Synchronization of Portal Roles with the ABAP Roles of SAP Backend Applications ... 344
19.3.4 Change Management Process for New Portal Content ... 350
19.4 Technical Security ... 352
19.4.1 Connecting SAP EP to a Central LDAP Directory or SAP System ... 352
19.4.2 Implementation of a Single Sign-On Mechanism Based on a One-Factor Authentication ... 354
19.4.3 Implementation of a Single Sign-On Mechanism Based on an Integrated Authentication ... 357
19.4.4 Implementation of a Single Sign-On Mechanism Based on Person-Related Certificates ... 359
19.4.5 Configuration for Anonymous Access ... 361
19.4.6 Secure Initial Configuration ... 362
19.4.7 Definition and Implementation of Security Zones ... 363
19.4.8 Secure Network Architecture ... 365
19.4.9 Introducing an Application-Level Gateway to Make Portal Applications Secure ... 368
19.4.10 Configuration of Encrypted Communication Channels ... 371
19.4.11 Implementation of a Virus Scan for Avoiding a Virus Infection ... 373

20 SAP Exchange Infrastructure ... 375
20.1 Introduction and Functions ... 375
20.2 Risks and Controls ... 379
20.3 Application Security ... 384
20.3.1 Authorizations for the Integration Builder ... 384
20.3.2 Passwords and Authorizations for Technical Service Users ... 385
20.4 Technical Security ... 387
20.4.1 Definition of Technical Service Users for Communication Channels at Runtime ... 387
20.4.2 Setting Up Encryption for Communication Channels ... 388
20.4.3 Digital Signature for XML-Based Messages ... 394
20.4.4 Encryption of XML-Based Messages ... 399
20.4.5 Network-Side Security for Integration Scenarios ... 399
20.4.6 Audit of the Integration Builder and the SAP XI Communication ... 401
20.4.7 Securing the File Adapter at Operating-System Level ... 404

21 SAP Partner Connectivity Kit ... 405
21.1 Introduction and Functions ... 405
21.2 Risks and Controls ... 406
21.3 Application Security ... 409
21.4 Technical Security ... 410
21.4.1 Separate Technical Service User for Every Connected Partner System ... 410
21.4.2 Setting Up Encryption for Communication Channels ... 410
21.4.3 Digital Signature for XML-Based Messages ... 410
21.4.4 Network-Side Security for Integration Scenarios ... 410
21.4.5 Audit of the Message Exchange ... 410
21.4.6 Securing the File Adapter at Operating-System Level ... 411

22 SAP Mobile Infrastructure ... 413
22.1 Introduction and Functionality ... 413
22.2 Risks and Controls ... 415
22.3 Application Security ... 419
22.3.1 Authorization Concept for SAP MI Applications ... 419
22.3.2 Authorization Concept for Administration ... 422
22.3.3 Restricting the Authorizations of the RFC User to Backend Applications ... 423
22.4 Technical Security ... 424
22.4.1 Setting Up Encrypted Communications Connections ... 424
22.4.2 Securing the Synchronization Communication ... 425
22.4.3 Deactivating Superfluous Services on the SAP MI Server ... 427
22.4.4 Secure Network Architecture ... 427
22.4.5 Monitoring ... 428

23 Database Server ... 431
23.1 Introduction and Functions ... 431
23.2 Risks and Controls ... 431
23.3 Application Security ... 434
23.4 Technical Security ... 435
23.4.1 Changing Default Passwords ... 435
23.4.2 Removing Unnecessary Database Users ... 438
23.4.3 Limiting Database Access ... 438
23.4.4 Design and Implementation of a Database Backup Concept ... 439
23.4.5 Design and Implementation of an Upgrade Concept ... 440

24 SAP Web Dispatcher ... 441
24.1 Introduction and Functions ... 441
24.2 Risks and Controls ... 441
24.3 Application Security ... 443
24.4 Technical Security ... 443
24.4.1 Use of SAP Web Dispatcher as a Reverse Proxy ... 443
24.4.2 Configuration of SAP Web Dispatcher as a URL Filter ... 445
24.4.3 SSL Configuration ... 447
24.4.4 Monitoring ... 449

25 SAProuter ... 451
25.1 Introduction and Functions ... 451
25.2 Risks and Controls ... 451
25.3 Application Security ... 452
25.4 Technical Security ... 452

26 SAP Internet Transaction Server ... 455
26.1 Introduction and Functions ... 455
26.2 Risks and Controls ... 457
26.3 Application Security ... 460
26.3.1 Defining Access Rights for Service Files ... 460
26.3.2 Administration Concept ... 461
26.4 Technical Security ... 462
26.4.1 Installing a DMZ Network Segmentation ... 462
26.4.2 Encrypting Communications Connections ... 463
26.4.3 Setting Up a Certificate-Based Authentication Process ... 466
26.4.4 Setting Up a Pluggable Authentication Service ... 467

27 SAP GUI ... 471
27.1 Introduction and Functions ... 471
27.2 Risks and Controls ... 471
27.3 Application Security ... 474
27.3.1 Types of Signatures ... 474
27.3.2 Supported Electronic Document Formats ... 476
27.3.3 Technical Implementation of the SSF Functions ... 476
27.3.4 Saving Digitally Signed Documents ... 479
27.3.5 Installing the SSF Functions ... 480
27.4 Technical Security ... 481
27.4.1 SSO for the WebGUI by Integration into the OS Authentication Process ... 481
27.4.2 SSO for the WebGUI by Using Digital Certificates ... 481
27.4.3 Restricting Access to an SAP Web AS Using SAProuter ... 483

28 Web Browser ... 485
28.1 Introduction and Functions ... 485
28.2 Risks and Controls ... 486
28.3 Application Security ... 487
28.4 Technical Security ... 487
28.4.1 Anti-Virus Software and Its Update for the Desktop PC ... 487
28.4.2 Using a Personal Firewall on the Desktop PC ... 488
28.4.3 Security Settings for the Web Browser ... 488

29 Mobile Devices ... 491
29.1 Introduction and Functions ... 491
29.2 Risks and Controls ... 491
29.3 Application Security ... 494
29.4 Technical Security ... 495
29.4.1 Using Mobile Devices with Authentication Mechanism ... 495
29.4.2 Implementing an Encryption Method for Storage Media ... 496
29.4.3 Implementing Anti-Virus Protection ... 496
29.4.4 Installing a Personal Firewall ... 496
29.4.5 Implementing a Backup Concept ... 497
29.4.6 Setting Up Access Rights for Important System Files ... 497
29.4.7 Fostering a User's Security Awareness ... 497

The Authors 499
Index 501

Mario Linkies works as a consultant whose primary focus is IT security, in particular, providing comprehensive strategic consulting with regard to risk and control management, authorization concepts, change management, data protection, and legal compliance. Mario has over 15 years' experience in the areas of SAP and security. As the Director of the Security Department for both SAP Systems Integration (SAP SI) and SAP Global Focus Group Risk Management & IT Security at SAP Consulting, he provides internal SAP consulting services, supports national and international clients in different industries, and continuously fosters awareness for security topics in numerous initiatives. Mario is one of the initiators of the SAP Global Security Alliance.

Dr. Frank Off is Assistant Director of SAP Global Focus Group Risk Management & IT Security at SAP Consulting. The focus group is a virtual global consulting group that sets the directives for best-practices solutions within the SAP consulting organization. His consulting activities focus on the definition and implementation of a comprehensive SAP security strategy. Dr. Off's responsibilities also include designing technical solutions for identity and access management and trust management, and finding secure authentication solutions based on SAP NetWeaver and partner products.

• Verlag: Galileo Press
• Englisch
• ISBN-13: 9781592290628
• ISBN-10: 1592290620
• Artikelnr.: 21442394