SAP Security Optimization Service

SCUR202: SAP Security Optimization Service

Transcript of SAP Security Optimization Service

Page 1: SAP Security Optimization Service

SCUR202: SAP Security Optimization Service

Page 2: SAP Security Optimization Service

Larry Justice, SAP America

Matthias Bühl, SAP AG

Page 3: SAP Security Optimization Service

© SAP AG 2004, SAP TechEd / SCUR202 / 3

Learning Objectives

As a result of this workshop, you will be able to:

Explain how a customer can benefit from the SAP Security Optimization Service

Understand the report of the service

Describe what areas are covered in the SAP Security Optimization Service

Page 4: SAP Security Optimization Service

The service in detail

How do you get it?

What is it all about?

Why do you need this service?

Page 5: SAP Security Optimization Service


What Is It All About?

SAP Security Optimization is a remote service comparable to SAP EarlyWatch

SAP EarlyWatch proactively analyzes your operating system, database, and entire SAP system to ensure optimal performance and reliability

SAP Security Optimization proactively analyzes security vulnerabilities within an enterprise’s SAP landscape to ensure optimal protection against intrusions

The service is performed remotely within 1 – 2 days

The service is primarily automated but includes some manual checks

The service checks SAP systems and SAP middleware components

Results are prioritized and delivered with recommendations on how to resolve the identified vulnerabilities

The service should be performed at regular intervals:

To verify that actions derived from earlier service runs lead to the desired results

To verify that recent configuration changes did not introduce new security holes

To include the most up-to-date checks

Page 6: SAP Security Optimization Service


What Is It All About?

(Diagram: Scan → Rate → Report → Implement; the first three phases form the remote security check, implementation is on-site security consulting)

Scan

The customer’s SAP landscape is scanned remotely and checked for critical security settings

Only white box checks are executed, no black box checks (“hacking”)

Rate

In order to determine the actual risk the vulnerabilities are ranked using rating logic

The rating is based on the severity and probability of each vulnerability

Report

A report is created containing the identified vulnerabilities

The report is sent to the owner of the analyzed SAP system landscape

The report contains recommendations to eliminate or reduce the vulnerabilities found in the Security Optimization Service

Implement

The implementation of the recommended security measures can be done by the customer or by experienced security consultants from SAP Consulting

Page 7: SAP Security Optimization Service


Current and Future Scope

Available modules

SAP Web AS ABAP Stack:

User Management

Authentication Checks

Access Control

Change Management

Critical Basis Functionality

Internet Transaction Server

Business Connector

SAProuter

Future developments

SAP Enterprise Portal 6.0

J2EE

XI

Applications (HR, FI, CO, …)

CRM


Page 9: SAP Security Optimization Service


Example: User management

(Diagram labels: SU01; OIBB etc.; Table access; Malicious transports; Call function)


Page 11: SAP Security Optimization Service


The Service in Detail: Questionnaire & Report

The customer first fills out a questionnaire in which all known “high authorized users” are listed.

The target system is scanned and an SDCC and an ST14 download are created.

Then a report is created in the SAP Service Delivery System.

R/3 Basis: mostly automated

SAProuter: mostly manual

ITS: 50:50 automated and manual

SAP BC: mostly manual

The questionnaire and the report are stored in the SAP Service Marketplace so that the customer can receive the results.

Page 12: SAP Security Optimization Service


The Service in Detail: How Does it Work?

Procedure for authorization checks:

First, we identify all SAP_ALL users and list them at the top of the report.

Then we analyze the authorized users for all other checks and REMOVE the SAP_ALL users (this is done to keep the results readable, as an SAP_ALL user would pop up in every further check without adding any value).

Finally, we remove all users that were mentioned in the questionnaire (this is done because we are only interested in authorized users the customer does NOT know about; we do not want to tell the customer that they were not allowed to have many highly authorized users!).
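The three filtering steps above, as an added example that is not part of the presentation or of SAP's own tooling: a small Python model of the procedure run over a constructed user list. SAP_ALL is the profile named on the slide; the user names, the other authorization values and the check names are constructed sample data, and the questionnaire is modelled as a plain set of user IDs.

```python
# Added example (not SAP's code): the three filtering steps for authorization
# checks described on the slide, applied to a constructed user list.
# Everything except the SAP_ALL profile is constructed sample data.

from typing import Dict, Iterable, List, Set

# Constructed sample: user -> authorizations held. SAP_ALL is the profile named on the slide.
USERS: Dict[str, Set[str]] = {
    "DDIC":   {"SAP_ALL"},
    "BASIS1": {"SAP_ALL", "S_TABU_DIS"},
    "FI_CLK": {"S_TABU_DIS", "S_TCODE:SU01"},
    "HR_ADM": {"S_USER_GRP", "S_TCODE:SU01"},
    "DEV01":  {"S_DEVELOP", "S_TABU_DIS"},
}

# Constructed sample: the "high authorized users" the customer declared in the questionnaire.
KNOWN_HIGH_USERS: Set[str] = {"DDIC", "HR_ADM"}

# Constructed sample: check name -> authorizations that make a user "authorized" for that check.
CHECKS: Dict[str, Set[str]] = {
    "User maintenance (SU01)": {"S_TCODE:SU01"},
    "Table access":            {"S_TABU_DIS"},
    "Development":             {"S_DEVELOP"},
}


def sap_all_users(users: Dict[str, Set[str]]) -> List[str]:
    """Step 1: every user holding SAP_ALL; these go to the top of the report."""
    return sorted(u for u, auths in users.items() if "SAP_ALL" in auths)


def users_authorized_for(users: Dict[str, Set[str]], required: Set[str]) -> List[str]:
    """Raw result of one check. SAP_ALL grants everything, so without the
    removal in step 2 an SAP_ALL user would appear in every single check."""
    return sorted(u for u, auths in users.items()
                  if "SAP_ALL" in auths or auths & required)


def unexpected_users(users: Dict[str, Set[str]], required: Set[str],
                     known: Iterable[str]) -> List[str]:
    """Steps 2 and 3: drop the SAP_ALL users (already reported) and the users
    the customer declared; what remains is what the check should report."""
    excluded = set(sap_all_users(users)) | set(known)
    return [u for u in users_authorized_for(users, required) if u not in excluded]


def build_report(users: Dict[str, Set[str]], checks: Dict[str, Set[str]],
                 known: Iterable[str]) -> Dict[str, List[str]]:
    """Report skeleton: SAP_ALL users first, then the unexpected users per check."""
    report = {"SAP_ALL users": sap_all_users(users)}
    for name, required in checks.items():
        report[name] = unexpected_users(users, required, known)
    return report


if __name__ == "__main__":
    for section, names in build_report(USERS, CHECKS, KNOWN_HIGH_USERS).items():
        print(f"{section}: {len(names)} -> {', '.join(names) or '-'}")
```

With this data, BASIS1 and DDIC would otherwise show up in all three checks; after step 2 only the users the customer did not declare remain, which is exactly the "unexpected users" count the report shows per check.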

Page 13: SAP Security Optimization Service


How is the Rating Done?

The risk is calculated as a function of the severity and the probability of a security incident. Each cell of the matrix gives the risk score (severity × probability) and the resulting risk rating:

                    Probability
Severity        3 HIGH    2 MED     1 LOW     0 NONE
0 Very LOW      0 LOW     0 LOW     0 LOW     0 LOW
1 LOW           3 MED     2 MED     1 LOW     0 LOW
2 MED           6 HIGH    4 MED     2 MED     0 LOW
3 HIGH          9 HIGH    6 HIGH    3 MED     0 LOW

Page 14: SAP Security Optimization Service


The Service in Detail: Questionnaire

This questionnaire is filled out by the customer to prepare the service.

The questionnaire contains about 25 questions.

Not all questions need to be answered; this depends on the organizational structure of the customer.

Page 15: SAP Security Optimization Service


Customer Report: Action items

The Action Items at the top of the report give a good overview of the complete system status.

The Action Items are created automatically from all checks rated with high risk. The list can be individually adapted.

We use the red traffic light as “high risk” and the yellow traffic light as “medium risk”.

“Green” results are normally skipped in order to reduce the size of the report.
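The rating matrix from the “How is the Rating Done?” slide together with the traffic-light action items described here, as an added example that is not part of the presentation or of SAP's own tooling. It implements the matrix as severity × probability with the thresholds that reproduce every cell of the slide, then derives the action items (red, high risk) and drops green results from the report body. The findings, their ids and their ratings are constructed; the chapter names are the ones given as examples on the customer-report slide; mapping low risk to a green light is this example's assumption, since the slide names only red and yellow.

```python
# Added example (not SAP's code): the severity x probability matrix from the
# rating slide and the traffic-light action items from the report slide,
# applied to constructed sample findings. LOW -> "green" is an assumption
# made here; the slide itself names only red (high) and yellow (medium).

from typing import Dict, List, Tuple

SEVERITY_LABELS = {0: "Very LOW", 1: "LOW", 2: "MED", 3: "HIGH"}
PROBABILITY_LABELS = {0: "NONE", 1: "LOW", 2: "MED", 3: "HIGH"}


def rate(severity: int, probability: int) -> Tuple[int, str]:
    """Risk score is severity x probability; the thresholds reproduce every
    cell of the slide's matrix (0,1 -> LOW; 2,3,4 -> MED; 6,9 -> HIGH)."""
    if severity not in SEVERITY_LABELS or probability not in PROBABILITY_LABELS:
        raise ValueError("severity and probability must be in 0..3")
    score = severity * probability
    if score >= 6:
        rating = "HIGH"
    elif score >= 2:
        rating = "MED"
    else:
        rating = "LOW"
    return score, rating


def risk_matrix() -> Dict[Tuple[int, int], str]:
    """All 16 cells as 'score RATING' strings keyed by (severity, probability)."""
    return {(s, p): "{} {}".format(*rate(s, p)) for s in range(4) for p in range(4)}


TRAFFIC_LIGHT = {"HIGH": "red", "MED": "yellow", "LOW": "green"}

# Constructed sample findings: (report chapter, check id, severity, probability).
# Chapter names are the examples from the report slide; ids and values are made up.
FINDINGS: List[Tuple[str, str, int, int]] = [
    ("Password Checks", "PW-1", 3, 3),
    ("Password Checks", "PW-2", 1, 2),
    ("Basis Administration Checks", "BA-1", 2, 3),
    ("Batch Input Checks", "BI-1", 2, 1),
    ("Change Control Checks", "CC-1", 1, 1),
    ("Change Control Checks", "CC-2", 3, 0),
]


def rated_findings(findings: List[Tuple[str, str, int, int]]) -> List[Dict[str, object]]:
    """Attach score, rating and traffic light to each finding."""
    out = []
    for chapter, check_id, sev, prob in findings:
        score, rating = rate(sev, prob)
        out.append({"chapter": chapter, "id": check_id, "score": score,
                    "rating": rating, "light": TRAFFIC_LIGHT[rating]})
    return out


def action_items(findings: List[Tuple[str, str, int, int]]) -> List[str]:
    """Action items come from all high-risk (red) checks, highest score first."""
    reds = [f for f in rated_findings(findings) if f["rating"] == "HIGH"]
    return [str(f["id"]) for f in sorted(reds, key=lambda f: -int(f["score"]))]


def report_body(findings: List[Tuple[str, str, int, int]]) -> Dict[str, List[str]]:
    """Chapters with their non-green findings; green results are skipped to
    keep the report short, so a chapter with only green results disappears."""
    body: Dict[str, List[str]] = {}
    for f in rated_findings(findings):
        if f["light"] == "green":
            continue
        body.setdefault(str(f["chapter"]), []).append(
            f"{f['id']} ({f['light']}, {f['score']} {f['rating']})")
    return body


if __name__ == "__main__":
    print("Action items:", action_items(FINDINGS))
    for chapter, items in report_body(FINDINGS).items():
        print(chapter, "->", items)
```

Note that a probability of NONE zeroes out even the highest severity, which is why CC-2 above never reaches the report: the matrix rates exposure, not the worst case in isolation.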


Page 16: SAP Security Optimization Service


The Service in Detail: Customer Report

The report is divided into chapters by sub topics.

Examples are:

Password Checks

Basis Administration Checks

Batch Input Checks

Change Control Checks

Page 17: SAP Security Optimization Service


Customer Report: Example of an Authorization Check

Info for authorization checks:

“Unexpected” users with this authorization.

The number of unexpected users.

A recommendation on how to handle this situation.

All checked authorization objects.

Every customer should be able to implement the results of the report (additional consulting is possible)



Page 19: SAP Security Optimization Service


How Can I get it?

The service can be ordered via the “SAP Service Catalog”

The Service Catalog can be found in the SAP Service Marketplace: www.service.sap.com → SAP Support Portal → Maintenance & Services → Service Catalog

Select “SAP Solution Management Optimization”

Page 20: SAP Security Optimization Service


Demo

SAP TV

Page 21: SAP Security Optimization Service


Summary

Enterprise IT landscapes are increasingly vulnerable to security breaches due to more open and complex landscapes

The SAP Security Optimization Service is a remote service to check your SAP system landscape for critical security settings to minimize your risk

Page 22: SAP Security Optimization Service


Further Information

Public Web: www.sap.com

SAP Developer Network: www.sdn.sap.com → SAP NetWeaver Platform → Security

SAP Customer Services Network: www.sap.com/services/

Related Workshops/Lectures at SAP TechEd 2004:

SCUR101, Security Basics, Lecture

SCUR102, User Management and Authorizations: Overview, Lecture

SCUR351, User Management and Authorizations: The Details, Hands-on

Related SAP Education Training Opportunities: http://www.sap.com/education/

ADM960, Security in SAP System Environment

Consulting Contact: Matthias Bühl, Project Leader SAP Security Optimization Service, email: [email protected] or [email protected]

Page 23: SAP Security Optimization Service


SAP Developer Network

Look for SAP TechEd ’04 presentations and videos on the SAP Developer Network.

Coming in December.

http://www.sdn.sap.com/

Page 24: SAP Security Optimization Service


Q&A

Questions?

Page 25: SAP Security Optimization Service


Please complete your session evaluation.

Be courteous — deposit your trash, and do not take the handouts for the following session.

Feedback

Thank You !

Page 26: SAP Security Optimization Service


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Copyright 2004 SAP AG. All Rights Reserved