75094793 SAP Security Day 1 1st Half Anwar

Confidential © Copyright IBM Corporation 2004

Transcript of 75094793 SAP Security Day 1 1st Half Anwar

Page 1: 75094793 SAP Security Day 1 1st Half Anwar

7/28/2019 75094793 SAP Security Day 1 1st Half Anwar

http://slidepdf.com/reader/full/75094793-sap-security-day-1-1st-half-anwar 1/112


Page 2

Objectives

• What is security?
• Security threats and measures to combat threats
• Types of security

Page 3

A who's who …

Security, Secured System, Threats, Safeguards …

Page 4

What is Security?

Dictionary meaning: freedom from risk or danger; safety.

In other words: the process of ensuring confidentiality, integrity, and availability of computers, their programs, hardware devices, and data.

Page 5

A Secure System and Threat

A secure system: a system which does exactly what we want it to do and nothing that we don't want it to do, even when someone else tries to make it behave differently.

Threat: an act or event that has the potential to cause a failure of security.

Page 6

Why am I here … and how do I achieve it?

Page 7

A security consultant should know:

• Who could attack the system or challenge its security
• What
• Why
• From whom
• What to secure
• Why to secure, i.e. the importance of the data, article, etc.

Page 9

So, do I understand? … I need to implement some safeguards to avoid threats, and that's how I achieve my security goals?

… Let's see the big picture.

Page 10

The BIG Picture ..

Threats, safeguards and goals (slide table):

Threats:
1. Tampering
2. Planting
3. Eavesdropping
4. Penetration
5. Authorization violation
6. O/S cracking

Safeguards: Access control, Firewall, Encryption, Digital certificate, Security monitor, Anti-virus, O/S hardening

Goals: Confidentiality, Integrity, Availability, Obligation

Page 11

Security – Under the Microscope ….

Page 12

Types of Security

Organizational: Policies, Monitoring, Training, Disaster Plan

Physical: Server Facilities, Building, Fire Alarm, Camera

Technical:
• Program level: Patches, O/S Hardening
• O/S level: Authentication, O/S Hardening, Virus Guard, Spam Blocker
• N/W security: Authentication, Firewall, Encryption, Security Monitor
• Database: Authentication, Access Control

Page 13

A known story with an extension

Let's recollect the Rabbit – Tortoise story again. Once the Tortoise has won the race, the Rabbit wants to congratulate the Tortoise, and so the Rabbit wants to gift a memento to the Tortoise. The Rabbit needs to carry the memento to the Tortoise's home.

Our points of focus would be…

1. Is the rabbit secured at its own home?
2. Is the tortoise secured at its own home?
3. Is the memento secured?
4. The road through which the rabbit needs to go, is that secured?

Page 14

…Remember

No computer is secured.

If we correlate the rabbit and the tortoise to our computer world, security can be void if:

• The applications are not secured (consider the hands by which the rabbit carries the gift to the tortoise)
• The O/S is not secured (the house of the rabbit or the tortoise)
• The database and data are not secured (the container from which the rabbit takes the gift)
• The network path is not secured (the path through which the rabbit needs to run)

Page 15

Let's understand these challenges in our known terms, and their safeguards…

Page 16

Let's introduce… Program Security

Page 17

Computer programs are the first line of defense in computer security, since programs provide logical controls. Programs, however, are subject to error, which can affect computer security.

• Correct: a computer program is correct if it meets the requirements for which it was designed.
• Complete: a program is complete if it meets all requirements.
• Exact: finally, a program is exact if it performs only those operations specified by requirements.

Page 18

Application Security – Threat Flow

1. Identify security objectives
2. Application overview
3. Decompose application
4. Identify threats
5. Identify vulnerabilities

Page 19

Application Security (figure: threats mapped across the lifecycle phases Architecture, Design, Implementation, Test)

Threats shown: Path Traversal, Trojan, Denial of Service, Authentication Error, Virus, Spyware, Injection Attacks, Cross-Site Scripting, Web Defacement

Page 20

My program is secured .. but is my O/S secured?

Page 21

How is an operating system built?

A kernelized operating system is designed in layers. The innermost layer provides direct access to the hardware facilities of the computing system and exports very primitive abstract objects to the next layer. Let's visualize that ..

Operating systems structured specifically for security are built in a kernelized manner.

Page 22

Security of operating systems (figure: OS Kernel, O/S Hardening, O/S Patch)

To avoid threats we apply different patches and harden our O/S.

Page 23

The container story …. Database damage threats

Page 24

Database Threats

• Data overwrite
• Data loss
• Scrambled data
• Unauthorized changes
• Improper change/alteration of data
• User conflict

Page 25

Why to Protect a Database – Intelligent Threats

(figure) Database inference – Customer Data: Age, Name

(figure) Aggregation – No. of Customers, Unit Price → Total Market Share
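To make the inference and aggregation threats on this slide concrete, here is an added example in Python (not part of the original deck): a constructed customer table behind an aggregate-only reporting interface, first with no controls, then with a query-set-size restriction and an overlap check against earlier answered queries. The class, field names, thresholds and customer data are assumptions made for illustration.

```python
"""Inference controls for a statistics-only view of customer data.

Added example, not taken from the slides. A reporting interface over a
customer table may answer aggregate questions (totals over a group) but
must not let a user deduce one customer's record from them. Two classic
controls from the statistical-database literature are shown: a
query-set-size restriction and a maximum-overlap check against earlier
answered queries. All data and names below are constructed.
"""
from typing import Any, Callable, Dict, FrozenSet, List

Row = Dict[str, Any]
Predicate = Callable[[Row], bool]

# Constructed sample table. Fields follow the slide (Name, Age, Unit Price);
# each customer's spend is units * unit_price.
CUSTOMERS: List[Row] = [
    {"id": 1, "name": "Asha",   "age": 34, "region": "north", "units": 12, "unit_price": 50.0},
    {"id": 2, "name": "Bharat", "age": 67, "region": "north", "units": 3,  "unit_price": 50.0},
    {"id": 3, "name": "Chen",   "age": 45, "region": "south", "units": 20, "unit_price": 50.0},
    {"id": 4, "name": "Dipa",   "age": 29, "region": "south", "units": 8,  "unit_price": 50.0},
    {"id": 5, "name": "Eli",    "age": 52, "region": "north", "units": 15, "unit_price": 50.0},
    {"id": 6, "name": "Farah",  "age": 41, "region": "south", "units": 6,  "unit_price": 50.0},
    {"id": 7, "name": "Gopal",  "age": 38, "region": "north", "units": 10, "unit_price": 50.0},
    {"id": 8, "name": "Hana",   "age": 58, "region": "south", "units": 9,  "unit_price": 50.0},
]


def spend(row: Row) -> float:
    return row["units"] * row["unit_price"]


def unrestricted_total(rows: List[Row], predicate: Predicate) -> float:
    """Aggregate with no controls. If the predicate matches exactly one row,
    the 'total' is that customer's own spend: an inference leak."""
    return sum(spend(r) for r in rows if predicate(r))


class StatsInterface:
    """Aggregate-only access with two inference controls (assumed design)."""

    def __init__(self, rows: List[Row], min_query_set: int = 2, max_overlap: int = 2):
        self.rows = rows
        self.n = len(rows)
        self.k = min_query_set          # smallest group a total may be reported for
        self.max_overlap = max_overlap  # largest allowed intersection with an earlier query set
        self.answered: List[FrozenSet[int]] = []

    def total_spend(self, predicate: Predicate) -> Dict[str, Any]:
        """Answer SUM(spend) over the rows matching predicate, or refuse.

        Returns {"ok": True, "total": ..., "size": ...} on success and
        {"ok": False, "reason": ...} when a control fires.
        """
        qset = frozenset(r["id"] for r in self.rows if predicate(r))
        size = len(qset)
        # Control 1: query-set-size restriction, k <= |Q| <= N - k.
        # The upper bound matters too: "everyone except X" isolates X just as well.
        lo, hi = self.k, self.n - self.k
        if size < lo or size > hi:
            return {"ok": False, "reason": f"query set size {size} outside [{lo}, {hi}]"}
        # Control 2: maximum overlap with previously answered query sets.
        # Two answered totals whose sets differ by one customer reveal that
        # customer by subtraction (a "tracker"); large overlaps are refused.
        for prev in self.answered:
            if len(qset & prev) > self.max_overlap:
                return {"ok": False, "reason": "overlaps an earlier answered query set too closely"}
        self.answered.append(qset)
        total = sum(spend(r) for r in self.rows if r["id"] in qset)
        return {"ok": True, "total": total, "size": size}


if __name__ == "__main__":
    # Naive interface: a query for customers over 60 matches one row and
    # hands out that customer's spend directly.
    print("unrestricted, age > 60:", unrestricted_total(CUSTOMERS, lambda r: r["age"] > 60))
    stats = StatsInterface(CUSTOMERS)
    print("north total:", stats.total_spend(lambda r: r["region"] == "north"))
    print("age > 60:", stats.total_spend(lambda r: r["age"] > 60))
    print("south total:", stats.total_spend(lambda r: r["region"] == "south"))
    print("south plus one northerner:",
          stats.total_spend(lambda r: r["region"] == "south" or r["id"] == 2))
```

Both controls are classical and are known to be circumventable by carefully chosen query sequences; current practice adds randomised noise (differential privacy) rather than relying on them alone.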

Page 26

Database Vulnerabilities

Basically, database security can be broken down into the following key points of interest.

• Restricting database access: mainly the network access of the system, specifically targeting Internet-based databases, since they have been the most recent targets of attacks.
• Table access control: properly using table access control will require the collaboration of both the system administrator and the database developer.
• Database connections: ensure that every connection uses its own unique user to access the shared data.
• Server security: server security is the process of limiting actual access to the database server itself. The basic idea is this: "You can't access what you can't see".

Page 27

Database Web-Security

For Web security, you must address three primary areas:

• Session security -- ensuring that data is not intercepted as it is broadcast over the Internet or Intranet
• Server security -- ensuring security relating to the actual data or private HTML files stored on the server
• User-authentication security -- ensuring login security that prevents unauthorized access to information

Page 28

Knock .. Knock … can you save my data?

Page 29

Some Database Security Measures

• Vendor-specific security
• Server security
• Public and private key security
• Database connections
• Table access control
• Dynamic page generation
• Kerberos
• User-authentication security
• Secure Sockets Layer (SSL) and S-HTTP
• Session security
• Digital signatures as passwords

Page 30

Huh!!

The rabbit is on the way .. but is it secured enough?

Page 31

Network Security

Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side-effects. Network security includes data integrity.

Page 32

Let's identify the rabbit's dangers on the road ..

Page 33

The Rabbit's gift could have been stolen or destroyed by any other animal / stranger on the road …

To safeguard …

1. The rabbit could hide
2. The rabbit could run faster
3. The rabbit could fool them …… etc.

Let's see in our network world ….

Page 34

Common security attacks and their countermeasures

• Finding a way into the network: Firewalls
• Exploiting software bugs, buffer overflows: Intrusion Detection Systems
• Denial of Service: Ingress filtering, IDS
• TCP hijacking: IPSec
• Packet sniffing: Encryption (SSH, SSL, HTTPS)
• Social problems: Education

Page 35

Attacks on Different Layers

• IP attacks
• ICMP attacks
• Routing attacks
• Session hijacking
• Application layer attacks

Page 36

Visualize … imagine … you realize

Page 37

Web and Network Security Threats (figure: Network Security Threats, Web Security Threats)

Page 38

Is there anyone who can save me?

Page 39

Network Security Safeguards (figure around the Corporate Network)

Firewall, Port Scan, Router, Certificate, Proxy, Spam Blocker, Digital Cert, Encryption, Antivirus, IDS, Access Control, Monitoring

Page 40

SAP world and security

Page 41

Different Layers of Security with the SAP Application

• SAP application security
• Network security
• Workstation security
• Database security
• O/S security

Page 42

Security in an integrated system like SAP tries to achieve the following….

• Authentication - only legitimate users should be able to access the system
• Authorization - users should only be able to perform their designated tasks
• Integrity - data integrity needs to be guaranteed at all times
• Privacy - protection of data against unauthorised access
• Obligation - ensuring liability and legal obligation towards stakeholders and shareholders, including validation

Page 43

SAP Product Overview

Page 44

Objectives

• Introduction to SAP
• NetWeaver – what is it?
• NetWeaver stack – introduction
• NetWeaver breakdown
• SOA

Page 45

SAP Product Introduction - History

The 1970s: A Real-Time Vision

In 1972, five former IBM employees -- Dietmar Hopp, Hans-Werner Hector, Hasso Plattner, Klaus Tschira, and Claus Wellenreuther -- launch a company called Systems, Applications, and Products.

Their vision: to develop standard application software for real-time business processing.

One year later, the first financial accounting software, the "R/1 system", is complete. "R" stands for real-time data processing.

By the end of the decade, intensive examination of SAP's IBM database and dialog control system leads to the birth of SAP R/2.

Page 46

… continued

The 1980s: Rapid Growth

The SAP R/2 system attains a high level of stability.

Keeping in mind its multinational customers, SAP designs SAP R/2 to handle different languages and currencies.

With the founding of subsidiaries in Denmark, Sweden, Italy, and the United States, SAP's international expansion takes a leap forward.

Page 47

… continued

The 1990s: A New Approach to Software and Solutions

SAP R/3 is unleashed on the market.

The client-server concept, uniform appearance of graphical interfaces, consistent use of relational databases, and the ability to run on computers from different vendors meet with overwhelming approval.

With SAP R/3, SAP ushers in a new generation of enterprise software -- from mainframe computing to the three-tier architecture of database, application, and user interface.

Page 48

… continued

The 2000s: Innovation for the New Millennium

With the Internet, the user becomes the focus of software applications. SAP develops mySAP Workplace and paves the way for the idea of an enterprise portal and role-specific access to information.

By 2005:
• 12 million users work each day with SAP solutions
• 100,600 installations worldwide
• more than 1,500 partners
• over 25 industry-specific business solutions
• more than 33,200 customers in 120 countries

SAP NetWeaver is developed based on Services-Oriented Architecture (SOA). Companies can integrate people, information, and processes within the company and beyond.

Page 49

What is SOA?

Page 50

SOA

Software architecture that defines the use of loosely coupled software services to support the requirements of business processes and software users.

Resources on a network in an SOA environment are made available as independent services that can be accessed without knowledge of their underlying platform implementation.

SOA-based systems can therefore be independent of development technologies and platforms (such as Java, .NET, etc.).

Page 51

Now let us take a look at some technical and operational challenges facing a distributed system …

Page 52

SAP NetWeaver

Page 53

How to address the integration challenge?

Page 54

SAP NetWeaver

SAP NetWeaver integrates various different technological concepts and previous platforms in a single solution.

It is an open technology platform which offers a comprehensive set of technologies that are natively integrated.

Page 55

NetWeaver – People Integration (figure: Multi-Channel Access, Portal, Collaboration)

People Integration brings together the right functionality and the right information to the right people.

Page 56

NetWeaver – People Integration – Portal – Sample View (figure)

Page 57

NetWeaver – People Integration -- Portal

The portal is the Web front-end component for SAP NetWeaver.

It is a personalized, interactive gateway, providing employees, partners, suppliers and customers with a single point of access.

The key capabilities of the portal within SAP NetWeaver are as follows:
• Heterogeneous information integration
• Administrator & EUS
• User management & security support
• Personalization
• Ready-to-deploy business packages
• Delegated administration

(figure: Multi-Channel Access, Portal, Collaboration)

Page 58

NetWeaver – People Integration – Multi-Channel Access

With multi-channel access, you can connect to enterprise systems through voice, mobile, or radio-frequency technology.

Multi-channel access is delivered through Mobile Infrastructure.

The key elements of SAP NetWeaver's multi-channel access capabilities are:
• SAP NetWeaver Mobile
• SAP Auto-ID Infrastructure
• SAP NetWeaver Voice
• Message interfaces (SMS, Fax, Email)
• Web-based GUI

(figure: Multi-Channel Access, Portal, Collaboration)

Page 59

NetWeaver – People Integration – Multi-Channel Access

NetWeaver Mobile comprises various technical architectures used for enabling end-to-end mobile business solutions targeting specific user roles and device platforms.

SAP Auto-ID Infrastructure connects RFID data directly from auto-ID data-capture sources, such as RFID readers, and integrates high-volume data directly into enterprise applications in real time.

SAP NetWeaver provides standardized interfaces to link third-party communication management applications with business applications. It enables the integration of fax, SMS or email.

Web-based GUI enables end users to gain access to their enterprise business via a browser or Java user interface.

SAP NetWeaver Voice makes business processes accessible by any telephone, any time. Users can interact with SAP backend systems using speech recognition or touch tones. It is currently not part of a standard SAP NetWeaver shipment.

Page 60

NetWeaver – People Integration – Collaboration

The collaboration capabilities delivered with SAP NetWeaver are designed to enable individuals, teams, and interest groups to work together closely towards a common goal.

The comprehensive set of collaboration tools and services allows users to share relevant information, communicate online in real time, plan with the help of a unified calendar, and provide a single point of access to documents and resources.

(figure: Multi-Channel Access, Portal, Collaboration)

Page 61

NetWeaver – Information Integration (figure: Master Data Management, Business Intelligence, Knowledge Management)

Information Integration makes both structured and unstructured information available in the enterprise in a consistent and accessible manner.

Users demand ubiquitous access to information wherever it resides. That information must be served in a consistent manner and its integrity guaranteed.

Page 62

NetWeaver – Information Integration – Business Intelligence

Business Intelligence in NetWeaver is composed of the following parts:

• Data warehousing, which forms the application-neutral foundation for Business Intelligence. SAP BW supports the complete data warehousing process, from data integration, data transformation, consolidation and cleansing to data provision for analysis.
• A business intelligence platform that serves as the technological infrastructure to support information access and comprehensive analytics.
• A business intelligence suite that transforms data into insightful information and serves a wide variety of users for decision-making.

(figure: Master Data Management, Business Intelligence, Knowledge Management)

Page 63: 75094793 SAP Security Day 1 1st Half Anwar

7/28/2019 75094793 SAP Security Day 1 1st Half Anwar

http://slidepdf.com/reader/full/75094793-sap-security-day-1-1st-half-anwar 63/112

Confidential

© Copyright IBM Corporation 2004|

NetWeaver  – Information Integration – Knowledge

Management

Knowledge Management (KM) is the umbrella term for the management of unstructured information, that is, all kinds of documents.

The Knowledge Management (KM) capabilities of SAP NetWeaver turn unstructured information into organizational knowledge, an essential function in this age of global e-business.

The business challenge is to transform unstructured information into organizational knowledge by structuring and classifying it in such a way that it becomes accessible and relevant to the enterprise's knowledge workers.

There is an urgent need to create a central point of access within the enterprise to manage information and translate it into knowledge for success.


NetWeaver – Information Integration – Master Data Management

Today, companies operating within heterogeneous IT landscapes are commonplace, and the demand for streamlining communication within such an environment is great.

SAP Master Data Management (SAP MDM), a key capability of SAP NetWeaver, enables information integrity across the business network. It enables companies to store, augment, and consolidate master data, while ensuring consistent distribution to all applications and systems within the IT landscape.

It leverages existing IT investments in business-critical data, delivering vastly reduced data maintenance costs through effective data management.

By ensuring cross-system data consistency, SAP MDM accelerates the execution of business processes, greatly improves decision-making and helps companies maintain their competitive advantage.


NetWeaver – Process Integration

Process Integration enables business processes to run seamlessly across heterogeneous IT landscapes.

- Integration broker: this capability enables XML/SOAP-based communication between application components from various sources and vendors. It also enables you to define software components, interfaces, mappings, and content-based routing rules. This capability is delivered through SAP Exchange Infrastructure (XI).
- Business process management: with business process management, you can model and drive processes in a dynamic IT environment. It allows you to combine underlying applications into adaptive, end-to-end processes spanning the entire value chain.


NetWeaver – Process Integration – XI

SAP NetWeaver Exchange Infrastructure:

- Provides a technical infrastructure for XML-based message exchange in order to connect SAP components with each other, as well as with non-SAP components
- Delivers business-process and integration knowledge to the customer, in the form of SAP's predefined integration scenarios
- Provides an integrated toolset for building new integration scenarios by defining and maintaining all integration-relevant information ("shared collaboration knowledge")


NetWeaver – Process Integration – Business Process Management

BPM has three focus areas:

- Collaboration Tasks, which are part of the Enterprise Portal Framework, enable individuals to create light-weight ad hoc processes to optimize their day-to-day tasks and add transparency to what they are doing in relation to their colleagues. This is what delivers the people empowerment.
- SAP Business Workflow, embedded within the SAP Web Application Server, is used to automate the business processes taking place within an SAP component and integrate the SAP users with the business processes. This is what delivers the workflow empowerment within the mySAP components.
- Cross-Component BPM, which is part of SAP Exchange Infrastructure, drives and controls complex business processes across business applications and enterprise boundaries. This delivers the total Business Process Empowerment in a heterogeneous system landscape.


NetWeaver – Application Platform

The application platform of SAP NetWeaver is the SAP Web Application Server 

It provides a complete infrastructure to develop, deploy and run platform-independent, robust and scalable Web Services and business applications.

To allow this flexibility, different technologies have been established:

- Java 2 Platform Enterprise Edition (J2EE)
- ABAP
- DB and OS Abstraction


NetWeaver – Application Platform – SAP WAS

SAP Web Application Server (SAP Web AS) is the application platform of SAP NetWeaver, i.e. it provides the complete infrastructure to develop, deploy and run all SAP NetWeaver applications. The major key capability of SAP Web AS is the full support for both the proven ABAP technology and the innovative open source internet-driven technologies Java, Java 2 Enterprise Edition (J2EE) and Web Services.


NetWeaver – Application Platform – ABAP

ABAP is the SAP® Web Application Server programming language for business applications.

It contains all characteristics of an object-oriented programming language and at the same time provides the benefits of a 4GL language: many functions that are located in libraries in other languages are contained as language elements, which makes it easier to check statistics and is beneficial for program performance.


NetWeaver – Application Platform – DB & OS Abstraction

Using the SAP Web Application Server, you can develop applications regardless of the underlying OS. Using OpenSQL, you can develop applications that run immediately on a given set of databases. With Web Dynpro you can develop user interfaces that run on a given set of web browsers.

With MCOD (multiple components in one database), SAP provides the option to deploy several independent SAP components in one database without compromising flexibility.

With SAP DB, SAP has its own DB platform offering. SAP DB is an enterprise open source database designed for easy and simple administration and providing very low total cost of ownership.


NetWeaver – Application Platform – Composite Application Framework

Composites aim at enabling efficient development of new applications that are easily adopted by customers, and allow flexibility in backend connectivity.

The key characteristics of composite applications are:

- Model-driven architecture

- Reuse of existing assets

- Loose coupling to backend systems

- Adaptive user-centric process flow and user interfaces

Among the main features that SAP CAF provides are:

- Support for the three layers of a composite application (services, user interfaces, and processes)
- Patterns and templates at all three levels to increase development efficiency and application homogeneity
- Model- and code-generation-based methods using tools that store models in a proprietary metamodel repository


Questions?


Introduction to SAP Product Security


Objectives

Why security & implications?

What types of security?

NetWeaver Security


Perfect Security?

- There is no perfect security
- Security needs to evolve with changing technologies & associated risks
- The risk of a security attack can be minimized


Why is Security necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise.

When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information.

User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time.

These demands on security apply likewise to the SAP NetWeaver platform.


What to protect?

There are various aspects to consider in answering this question.

In the SAP environment, we should be able to reduce the risk of a security attack across the entire NetWeaver stack.

Broadly, we are looking at reducing security risks to the following NetWeaver layers:

People Integration

Process Integration

Information Integration

Application Platform


People Integration – Security Risks?


People Integration brings together the right functionality and the right information to the right people. This module of the NetWeaver stack aims at providing a seamless user experience, boundless collaboration functionality, and pervasive access.

The functionality of this module of the NetWeaver stack is further broken down into:

- Portal Infrastructure
- Collaboration
- Multi-Channel Access

We will investigate the security aspects to be considered for the above sub-components in the forthcoming slides.


NetWeaver – Portal Security

The SAP NetWeaver Portal offers users a single point of access to all applications, information, and services needed to accomplish their daily tasks. Links to back-end and legacy applications, self-service applications, company intranet services, and Internet services are all readily available in the user's portal. Because the borders between company intranets and the Internet are blurring, comprehensive security is vital to protect the company's business.

Below are the aspects to consider while aiming to secure the enterprise portal:

- User administration & Authentication

- Authorizations

- Network & Communication Security

- Data Storage Security

- Operating System Security


Portal Security - User Administration & Authentication

This section covers:

- User Management
- Authentication
- Integration into Single Sign-On environments


User Management

The SAP NetWeaver Portal uses the User Management Engine (UME) for user management.

The UME can be configured to work with user management data from multiple data sources, for example, an LDAP directory, the database of the SAP NetWeaver Application Server (AS) Java, or an ABAP system.

The UME is integrated as a service of the Java AS.


User Management Engine (UME)

What is the User Management Engine ?


User Management Engine (UME)

The User Management Engine (UME) provides centralized user management for all Java applications. It can be configured to work with user management data from multiple data sources. It is seamlessly integrated in the SAP NetWeaver Application Server (AS) Java as its default user store and can be administrated using the administration tools of the AS Java.

In the figure, user data is stored in one or more data sources. Each type of data source has its own persistence adapter. The persistence manager consults the persistence adapters when creating, reading, writing, and searching user management data. The application programming interface (API) is a layer on top of the persistence manager.

In the persistence manager, you configure which data is written to or read from which data source, so that the applications using the API do not have to know any details about where user management data is stored.


Portal Security - Authentication

Authentication provides a way of verifying the user's identity before he or she is granted access to the portal.

Several authentication mechanisms exist, some detailed below:

- Basic authentication (user ID & password)
- Client certificates
- Single Sign-On
  - Single Sign-On with logon tickets
  - Single Sign-On with user ID & password


Portal Security – Authentication – Basic Authentication

Basic Authentication is an HTTP standard method for authentication, whereby the user provides a user ID and password.

SAP J2EE Engine uses Basic Authentication for applications that are set up to use basic or form authentication.

When using basic authentication, the user's information is passed to the server over the HTTP connection in a header variable as a base-64 encoded string.

When using form-based authentication, the information is passed in the URL as a URL parameter.

Since neither of the above is secure on its own, the use of SSL is recommended, which converts the HTTP request to HTTPS.
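The point behind the SSL recommendation, as an added Python illustration that is not part of the original slides or of any SAP component: base-64 is an encoding, not encryption, so a request that carries a Basic header or credential parameters in the URL over plain HTTP exposes the password. The record layout, the paths and the j_user/j_password parameter names are assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Constructed user ID and password used in the sample records below.
CREDS = base64.b64encode(b"jdoe:Winter2004").decode("ascii")

# Constructed request records (illustrative only; not logs of any SAP component).
# 'scheme' records what the client used, so it tells us whether SSL protected the request.
SAMPLE_REQUESTS = [
    {"scheme": "http", "url": "/irj/portal",
     "headers": {"Authorization": "Basic " + CREDS}},       # header readable on the wire
    {"scheme": "https", "url": "/irj/portal",
     "headers": {"Authorization": "Basic " + CREDS}},      # same header, SSL protected
    {"scheme": "http", "url": "/logon?j_user=jdoe&j_password=Winter2004",
     "headers": {}},                                       # form logon data in the URL
    {"scheme": "https", "url": "/irj/portal?navigationTarget=home",
     "headers": {}},
]

# Query parameter names that would carry logon data in the form-based case. The names are
# an assumption about what a given logon form submits; extend them for your landscape.
CREDENTIAL_PARAMS = {"j_user", "j_password", "user", "password", "passwd"}


def decode_basic_header(value):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, else None.

    Anyone who can read the header can read the password: base-64 hides nothing."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def find_cleartext_credentials(request):
    """List the findings for one request; an empty list means nothing to report.

    Only the user ID is reported, never the password itself."""
    if request["scheme"].lower() == "https":
        return []                      # SSL in use: header and URL travel encrypted
    findings = []
    creds = decode_basic_header(request["headers"].get("Authorization", ""))
    if creds is not None:
        findings.append(f"basic authentication for user '{creds[0]}' over plain HTTP")
    query = parse_qs(urlsplit(request["url"]).query)
    leaked = sorted(CREDENTIAL_PARAMS & set(query))
    if leaked:
        findings.append("credential parameters in URL over plain HTTP: " + ", ".join(leaked))
    return findings


def audit(requests):
    """Map request index -> findings for every request that exposes credentials."""
    report = {}
    for index, request in enumerate(requests):
        findings = find_cleartext_credentials(request)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in audit(SAMPLE_REQUESTS).items():
        for finding in findings:
            print(f"request {index}: {finding}")
```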


Portal Security – Authentication – Client Certificates

In addition to using SSL for encrypting connections, you can use SSL and X.509 client certificates for authenticating client or user access requests to the J2EE Engine.

When using client certificates, authentication takes place transparently for the user with the underlying SSL security protocol. Therefore, you can use authentication with client certificates to integrate the J2EE Engine in a Single Sign-On environment.

Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI then you can use a Trust Center Service to obtain certificates.


Portal Security – Authentication – Single Sign-On (SSO)

SSO is a key feature of the SAP NetWeaver Portal that eases user interaction with the many component systems available to the user in a portal environment. Once the user is authenticated to the portal, he or she can use the portal to access external applications.

With SSO in the portal, the user can access different systems and applications without having to repeatedly enter his or her user information for authentication.

The portal SSO mechanism is available in the following variants depending on security requirements and the supported external applications:

- SSO with logon tickets
- SSO with user ID and password

Both variants eliminate the need for repeated logons to individual applications after the initial authentication at the portal. Whereas SSO with logon tickets is based on a secure ticketing mechanism, SSO with user ID and password forwards the user's logon data (user ID and password) to the systems that a user wants to call.


Portal Security – Authentication – Single Sign-On (SSO)

Single Sign-On With Login Tickets

Logon tickets represent the user credentials. The portal server issues a logon ticket to a user after successful initial authentication.

The logon ticket itself is stored as a cookie on the client and is sent with each request of that client. It can then be used by external applications such as SAP systems to authenticate the portal user to those external applications without any further user logons being required.

Logon tickets contain information about the authenticated user. They do not contain any passwords. Specifically, logon tickets contain the following items:

- Portal user ID and one mapped user ID for external applications
- Authentication scheme
- Validity period
- Information identifying the issuing system
- Digital signature

When using logon tickets, one system must be the ticket-issuing system. This can either be the portal or another system.
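An added, simplified Python model of the verification an external application performs on a logon ticket (not SAP's ticket format or code): the ticket carries the items listed above, and the verifier checks the signature before trusting the issuer and the validity period. It assumes an HMAC key shared by issuer and verifier in place of the issuing system's digital signature, and constructed user, system and time values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Simplified model of a logon ticket, for illustration only. A real SAP logon ticket is a
# signed binary structure checked against the issuing system's certificate; this model
# signs the same kind of content with an HMAC key shared by issuer and verifier so that it
# runs without a PKI. User names, system IDs and times below are constructed.


def _encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")


def issue_ticket(key, portal_user, mapped_user, auth_scheme, issuer_sid, issuer_client,
                 validity_hours, now=None):
    """Create a ticket after successful initial authentication at the portal.

    The content mirrors the items on the slide: user IDs, authentication scheme,
    validity period and issuing system. No password is ever placed in the ticket."""
    now = int(time.time()) if now is None else now
    payload = {
        "portal_user": portal_user,
        "mapped_user": mapped_user,          # the one mapped ID for external applications
        "auth_scheme": auth_scheme,
        "issued_at": now,
        "expires_at": now + validity_hours * 3600,
        "issuer": {"sid": issuer_sid, "client": issuer_client},
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    signature = hmac.new(key, body, hashlib.sha256).digest()
    return _encode(body) + "." + _encode(signature)   # the value the client sends as a cookie


def verify_ticket(key, ticket, trusted_issuers, now=None):
    """Check a ticket the way an external application must before accepting the user.

    Returns (accepted, reason, payload); payload is None unless accepted. The signature is
    checked first, so nothing inside the ticket is trusted until it is known to be
    unaltered; then the issuer is matched against the systems this application trusts,
    and only then is the validity period read."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, signature_b64 = ticket.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        signature = base64.urlsafe_b64decode(signature_b64)
    except (ValueError, binascii.Error):
        return False, "malformed", None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature", None
    payload = json.loads(body)
    issuer = (payload["issuer"]["sid"], payload["issuer"]["client"])
    if issuer not in trusted_issuers:
        return False, "untrusted issuer", None
    if not payload["issued_at"] <= now < payload["expires_at"]:
        return False, "outside validity period", None
    return True, "ok", payload


def demo():
    """Exercise the verifier on the cases it must handle; returns the reason per case."""
    key = b"constructed-shared-key"             # stand-in for the issuer's signing key
    trusted = {("EP1", "000")}                  # issuing systems this application accepts
    t0 = 1_000_000                              # constructed issue time (epoch seconds)
    ticket = issue_ticket(key, "jdoe", "JDOE", "default", "EP1", "000", 8, now=t0)
    # Alter the mapped user inside a valid ticket but keep the original signature; the
    # verifier must notice that the content no longer matches what was signed.
    body_b64, signature_b64 = ticket.split(".")
    altered = json.loads(base64.urlsafe_b64decode(body_b64))
    altered["mapped_user"] = "ADMIN"
    altered_body = json.dumps(altered, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tampered = _encode(altered_body) + "." + signature_b64
    return {
        "valid": verify_ticket(key, ticket, trusted, now=t0 + 3600)[1],
        "expired": verify_ticket(key, ticket, trusted, now=t0 + 9 * 3600)[1],
        "untrusted issuer": verify_ticket(key, ticket, {("QA1", "100")}, now=t0 + 1)[1],
        "tampered": verify_ticket(key, tampered, trusted, now=t0 + 1)[1],
        "wrong key": verify_ticket(b"another-key", ticket, trusted, now=t0 + 1)[1],
        "malformed": verify_ticket(key, "not-a-ticket", trusted, now=t0 + 1)[1],
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:>17}: {reason}")
```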


Portal Security – Authentication – Single Sign-On

Single Sign-On With Userid & Password

The Single Sign-On (SSO) mechanism with user name and password provides an alternative for applications that cannot accept and verify logon tickets.

With this SSO mechanism the portal server uses user mapping information provided by users or administrators to give the portal user access to external systems.

The portal components connect to the external system with the user's credentials.

Since the system sends the user's logon ID and password across the network, use a secure protocol such as Secure Sockets Layer (SSL) for sending data.


Portal Security - Authorization

Authorizations define which objects users can access and which actions they can perform. The portal has an authorization concept that is implemented using the following concepts:

- Permissions
- Security Zones
- UME Actions
- AuthRequirement property

Portal permissions define portal user access rights to portal objects in the PCD and are based on access control list (ACL) methodology.

Security Zones control which portal components and portal services users can launch, and are defined in the development phase.

UME Actions are the User Management Engine (UME) equivalent of portal permissions. The UME verifies that users have the appropriate UME actions assigned to them before granting them access to UME iViews and functions.

AuthRequirement property: a master iView property used in EP 5.0 that defines which users are authorized to access a master iView or Java iViews derived from a master iView.


Portal Security – Authentication – Portal Roles

In the SAP NetWeaver Portal, roles are only indirectly linked to authorization.

Portal roles group together the portal content required by users with a certain role in the company. In addition, the role structure defines the navigation structure that a user sees in the portal.

Users and groups assigned to a role inherit the permissions of the role. By default this is end user permission.


Portal Security – Network & Communication Security

The portal is dependent on the NetWeaver Application Server for Java for network communication.

SAP systems are implemented as client-server frameworks built in three levels: database server level, application server level and the presentation level (front ends).

The servers are the most vulnerable part of the network infrastructure and special care should be taken to protect them from unauthorized access.


Collaboration Security

SAP Collaboration allows access to company-internal personal data, information, and documents that may not be equally accessible to all portal users. Settings for data security prevent unauthorized access and data manipulation.

Collaboration uses the user management and user authentication mechanisms in the SAP NetWeaver platform, in particular those in the SAP Web Application Server (Java). Therefore, the security recommendations and guidelines for user management and authentication apply as described in the SAP Web Application Server security guide.

Collaboration uses the permissions concept provided by the SAP Web Application Server (Java). Therefore, the security recommendations and guidelines for permissions apply as described in the SAP Web Application Server (Java) security guide.

This permissions concept is based on roles that are valid throughout the portal, which are assigned to the users.


Multi-Channel Access Security

With multi-channel access, you can connect to enterprise systems through voice, mobile, or radio-frequency technology.

Multi-channel access is delivered through Mobile Infrastructure.

The mobile device is threatened by the following potential dangers:

- Loss of the device
- Theft
- Use by an unauthorized person
- Data manipulation in the file system

Authentication & authorization procedures are discussed in the next few slides.


Mobile Infrastructure – Authentication

The user management of the SAP MI Client Component manages user IDs and local logon passwords. The local logon password is used for local user authentication. It is stored in coded form on the mobile device, and not in plain text. The number of possible failed attempts can be restricted.

A second password, called the synchronization password, is used for synchronization with the SAP MI Server Component (SAP NetWeaver AS).

You can change the passwords on the client side at any time. The data can, however, only be synchronized successfully if the user ID and synchronization password for the client have counterparts on the server. Users can change both passwords with the SAP MI Client Component.


Mobile Infrastructure – Authentication

Authentication Using System Logon (Bypassing Local SAP MI Logon)

For mobile devices with only one user you can configure the device in such a way that the user does not have to log on with the local logon password. The start page of the SAP MI Client Component appears immediately as soon as the mobile device is started. Where this is the case, the user must be able to identify him- or herself on the operating system.

The authentication on the operating system is not technically linked to the SAP MI Client Component. It is a conceptual, organizational prerequisite for working with the SAP MI Client Component.

When the user synchronizes with the SAP MI Server Component he or she has to use the synchronization password. You cannot use this bypass option in conjunction with the "local" handling option for the synchronization password; doing so results in a configuration conflict.


Mobile Infrastructure – Authentication

Authentication with Single Sign-On

You can configure the SAP MI Client Component to support single sign-on (SSO) if the device is available with an online connection.

The SSO technology is based on the SAP logon tickets.

The mobile device receives the SAP logon ticket from a system that issues tickets, such as SAP Enterprise Portal.

The mobile device can then be verified at the SAP MI Server Component with the SAP logon ticket without the user having to enter an additional password.


Mobile Infrastructure – Authorization

The security recommendations and guidelines for authorizations described in the SAP NetWeaver Application Server Security Guide therefore also apply to SAP MI.

The authorization concept of the SAP NetWeaver AS is based on the assignment of authorizations to users on the basis of roles. Use the profile generator (transaction PFCG) for role maintenance on SAP NetWeaver AS ABAP and the user administration console from the User Management Engine on SAP NetWeaver AS Java.

Access to data and applications on the SAP MI Client Component is controlled by user-specific data filtering based on the SAP authorization concept.


Mobile Infrastructure  Securing the Communication Channel

There are 2 communication paths to secure:

- From the SAP MI Client Component to the SAP NetWeaver AS ABAP and vice versa

  Protocols: HTTP, SSL or HTTPS

  Data transferred: application data, control data for SAP Mobile Infrastructure, synchronization password

  Data requiring particular protection: the synchronization password, as it is copied from the mobile device to the SAP NetWeaver AS ABAP with each HTTP request. Use of SSL or HTTPS is recommended.

- From SAP NetWeaver AS ABAP to the back-end system and vice versa

  Protocols: RFC

  Data type: application data

Information Integration – Security Risks ?

Information Integration makes both structured and unstructured information available in the enterprise in a consistent and accessible manner.

Users demand ubiquitous access to information wherever it resides. That information must be served in a consistent manner and its integrity guaranteed.

Security risks revolve around ensuring the integrity of data.


Business Information Warehouse Security

Why Is Security Necessary?

SAP NetWeaver BI serves to integrate, transform, and consolidate data from all areas of an enterprise in order to provide it for analysis, interpretation and distribution. This includes confidential corporate data, for example, personal data from Personnel Administration. Decisions are made in all enterprise areas and target-oriented actions are determined on the basis of this data. For this reason, security when accessing data and the ability to guarantee data integrity are of great importance.

The following examples show the dangers to which BI can be exposed:

- Attacks from the Internet or Intranet when using BEx Web functionality and Web Services

- Infringement of data protection guidelines through unauthorized access to personal data

BI Security - Authentication

The authentication process enables the identity of a user to be checked before this user gains access to BI or BI data. SAP NetWeaver supports various authentication mechanisms.

Some of the authentication mechanisms include:

- Single Sign-On (SSO)

- Client Certificates

- SAP Logon Tickets

Single sign-on implies that once a user is authenticated with a username and password, the user then has access to the other SAP systems in the landscape.

As an alternative to user authentication using a user ID and password, users accessing Internet applications via the Internet Transaction Server (ITS) can also provide X.509 client certificates. In this case, user authentication is performed on the Web Server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

BI supports SAP logon tickets. To make Single Sign-On available for several systems, users can be issued an SAP logon ticket after they have logged on to the SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

BI Security - Authorization

An authorization allows a user to perform a certain activity on a certain object in the BI System. There are two different concepts for this, depending on the role and tasks of the user:

Standard Authorizations

- These authorizations are required by all users who work in the Data Warehousing Workbench to model or load data, and also by users who work in the planning workbench or the Analysis Process Designer, and by those who work with the Reporting Agent or the BEx Broadcaster or define queries.

Analysis Authorizations

- All users who want to display transaction data from authorization-relevant characteristics in a query require analysis authorizations for these characteristics.

Knowledge Management (KM) Security

The KM security aspects deal with preventing illegal access to documents and settings, and with preventing them from being manipulated illegally.

Security in KM is achieved by implementing one or more of the following measures:

- Roles

- ACLs

- Security Zones

Roles are of 3 types:

- Content Manager – allows users to structure and manage content

- System Administrator – allows users to perform KM administration

- Content Administrator – allows users to perform KM-specific content administration

Knowledge Management (KM) Security

Restricting access permissions only by using the role concept or worksets is not sufficient. The use of ACLs is recommended.

- Access permissions on the root nodes of security-relevant repositories should be restricted immediately after the installation, or after configuring new repository managers, in order to prevent documents being read illegally by users hacking or guessing document URLs.

- Change the ACLs for subordinate folders if different permissions apply to these folders.

Security zones

- Security zones restrict unauthorized direct access to KM content.

- For initial KM content, the required permissions in the security zones are already assigned during installation of SAP NetWeaver.
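As an added example (not from the slides and not SAP code), a small Go model of the ACL behaviour the bullets describe: a repository whose root node carries no ACL is world-readable, so a guessed document URL resolves; once the root node gets an ACL only the listed principals pass, and a subordinate folder can carry its own ACL. The principal names, the paths, the "read"/"write" permission strings and the world-readable default are constructed assumptions.

```go
package main

import "strings"

// ACL maps a principal (user or role name) to the permissions ("read", "write") it holds
// on one repository node. Constructed model of KM ACLs, not SAP code.
type ACL map[string][]string

// Repository keeps explicit ACLs keyed by folder path. A node without its own ACL
// inherits the nearest ancestor's ACL; an ACL set on a subordinate folder replaces
// the inherited one for everything below it.
type Repository struct{ acls map[string]ACL }

func NewRepository() *Repository { return &Repository{acls: map[string]ACL{}} }

// SetACL assigns an explicit ACL to a node, for example the repository root "/".
func (r *Repository) SetACL(path string, acl ACL) { r.acls[path] = acl }

// effectiveACL walks from the document path up to the nearest node carrying an ACL.
func (r *Repository) effectiveACL(path string) (ACL, bool) {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	for n := len(parts); n >= 0; n-- {
		if acl, ok := r.acls["/"+strings.Join(parts[:n], "/")]; ok {
			return acl, true
		}
	}
	return nil, false
}

// Allowed reports whether principal holds perm on the document at path. A repository
// with no ACL at all is treated as world-readable: a constructed assumption standing
// in for the unrestricted root node the slide warns about right after installation.
func (r *Repository) Allowed(principal, path, perm string) bool {
	acl, ok := r.effectiveACL(path)
	if !ok {
		return perm == "read"
	}
	for _, granted := range acl[principal] {
		if granted == perm {
			return true
		}
	}
	return false
}
```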

KM Security - Communication Channel Security

Various channels of communication and technologies are used between the components and data sources in Knowledge Management.

The following technologies are used for communication:

- HTTP/HTTPS

- WebDAV

- ICE

- JDBC on OpenSQL

- Operating-system-dependent and database-specific technologies

Process Integration – Security Risks ?

Why Is Security Necessary?

As the central infrastructure for exchanging business documents, PI has to make sure that the involved processes can be executed in a secure manner. Particular security requirements have to be considered if business partners communicate over the Internet.

XML messages may contain confidential business data. In order to protect them against eavesdropping and unauthorized access, the communication lines as well as the storage locations of XML messages need to be made secure.

In addition to the business data exchanged using PI, the various components of PI need to communicate with each other on a technical level in order to keep the infrastructure running. Security requirements apply to these technical communications as well, because confidential information such as user names and passwords may have to be sent or stored, or both.

PI Security - Communication

The components of a process integration (PI) landscape communicate with each other for different purposes, such as configuration, administration, monitoring, or the actual messaging.

The primary purpose of a PI landscape is to enable business partners and applications to exchange XML messages (business documents). This includes business communication between business systems, Integration Servers or Adapter Engines.

In addition to proper messaging, technical communication between various PI tools and runtime components is required.

Two different technical protocols are used for these communications: HTTP and RFC.

PI Security - Authentication

Session-based single sign-on is supported for the dialog users of the PI tools.

A dialog user has to log on only once for all PI tools, provided that the same browser session is used for each tool access, and that the tools are started from the same SAP NetWeaver Application Server Java.

Single sign-on is also supported by the Runtime Workbench where access to other PI components is required (for example, for component monitoring).

PI Security – Message Level Security

Message-level security allows you to digitally sign or encrypt documents exchanged between systems or business partners. It improves communication-level security by adding security features that are particularly important for inter-enterprise communication. Message-level security is recommended, and sometimes a prerequisite, for inter-enterprise communication.

Certificate Store

- Message-level security processing is generally done in SAP NetWeaver Application Server Java (AS-Java). If the Integration Server executes security processing, a Web service is called in the J2EE Engine. Therefore, the certificates as well as the certification authority (CA) certificates to be used must be entered into the keystore of the J2EE Engine that executes the security handling at runtime.

Archiving Secured Messages

- For non-repudiation purposes, signed messages are stored in a dedicated archive, the non-repudiation archive. It contains data to prove the validity of the signature. The following data is stored:

  - The raw message

  - The security policy as configured in the Integration Directory

  - The sender certificate
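The archive described above, as an added Go example that is not SAP PI code: each entry keeps the raw message, the policy and the sender certificate, and a later verification uses only those archived fields, so a changed raw message or a certificate that does not belong to the signer fails. The self-signed certificate, Ed25519 signing and the policy label "sign" are assumptions standing in for the J2EE Engine keystore certificate and the Integration Directory configuration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ArchiveEntry models one non-repudiation archive record (constructed, not SAP PI code):
// raw message, Integration Directory security policy, sender certificate and signature.
type ArchiveEntry struct {
	RawMessage []byte
	Policy     string // hypothetical policy label, e.g. "sign"
	SenderCert []byte // DER-encoded X.509 certificate of the sender
	Signature  []byte // Ed25519 signature over RawMessage
}

// NewSender creates a key pair and a self-signed certificate standing in for the CA-issued one.
func NewSender(cn string) (ed25519.PrivateKey, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return priv, der, err
}

// SignAndArchive signs the XML message and keeps everything needed to prove it later.
func SignAndArchive(priv ed25519.PrivateKey, cert []byte, policy string, xml []byte) ArchiveEntry {
	raw := append([]byte(nil), xml...) // the archive keeps its own copy of the raw message
	return ArchiveEntry{RawMessage: raw, Policy: policy, SenderCert: cert, Signature: ed25519.Sign(priv, raw)}
}

// VerifyArchived re-checks the signature using only the archived data.
func VerifyArchived(e ArchiveEntry) bool {
	cert, err := x509.ParseCertificate(e.SenderCert)
	if err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, e.RawMessage, e.Signature)
}
```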


Questions ?