Dr. Christoph Wall, electronic Administration and Services
IT-Security: Governance and Technology
HERUG, 23.04.2013
After computers got started …
IT-Security @ FU Berlin, HERUG 2013
… and went beyond their predicted numbers …
'I think there is a world market for about five computers'
Remark attributed to Thomas J. Watson (Chairman of the Board of IBM), 1943
… to connect people around the globe …
… I had a dream.
'Can you picture what will be so limitless and free'
Jim Morrison
But then I woke up…
… to find myself faced with the need for: IT-Security!
Europe needs it
Germany needs it
The Freie Universität Berlin needs it (IT Strategy)
- Comprehensive Offer of Information
- Mobile Information
- Smart Processes
- Secure Data
- Sustainable Use of Resources
- Content Users
- Quality and Flexibility for Information and Processes
What is IT-Security?
Fundamental Values of IT-Security
- Confidentiality: information that is confidential must be protected against unauthorized disclosure
- Availability: services, IT system functions, data and information must be available to users as required
- Integrity: data must be complete and unaltered
Elements of an IT-Security-Management-System
Governance
- Risk assessment or analysis: a risk analysis provides information on the probability of the occurrence of a damaging event and what negative consequences the damage would have.
- Security policy: in a security policy the security objectives and general security safeguards are formulated in the sense of the official regulations of a company or a public authority. Detailed security safeguards are contained in a more comprehensive security concept.
Technical
- Authentication: when a person logs in on a system, the system runs a check in an authentication process to verify the identity of the person. The term is also used when the identity of IT components or applications is tested.
- Authorisation: authorisation is the process of checking whether a person, an IT component or an application is authorised to perform a specific action.
- Data protection: data protection refers to the protection of personal data against misuse by third parties.
- Data backup: data backup involves making copies of existing data to prevent its loss.
Governance: Risk assessment for FU IT-Systems
Governance: Guidelines and Directives
“Essentially, procedures or policies are implemented to tell people (administrators, users and operators) how to use products to ensure information security within the organization.” (Wikipedia)
Stakeholders of the IT-Organization
- Central IT Providers
- IT Security Officer
- Data Privacy Commissioner
- Co-determination council
- Faculties / Departments
IT Security 2010
Directive for handling security incidents
Alarm chain
Technology: SAP Functionality to support IT-Security
- Identity Management
  - Event-based onboarding
- Authentication
  - SSO with User Name/Password
- Role based Authorization
  - Design of User-Roles
  - Workflow for role allocation
- Layers of security for Web-Portal-Access to SAP backend
- Security Optimization Self-Service (SOS Report)
  - e.g. Segregation of duties
- Action log for intrusion detection
- Identity Management
  - Automatic user deactivation
- Backup and Restore Support
Identity Management @ FU Berlin, June 2011
Identity Management
User Lifecycle Management Stage 1: Create/modify (Onboarding & Authorization)
[Diagram; components shown: IdM; SLcM; HR; HIS; FUDIS (FU Account); Student; Staff; Business Partner; Student User; Faculty User; Personnel Data; ERP user; SAP Web user; roles; Student Administration; Department]
Cascading role design
IdM role provisioning workflow [diagram; step 1: Request]
Single Sign On
Security layers for SAP access
DSAG-Technologietage 2013
[Diagram: Internet -> DMZ -> Internal Domain. In the DMZ a Web-dispatcher with URL filter receives https://elsa.fu-berlin.de; Shibboleth-based authentication is performed against the ZEDAT SSO. In the internal domain sit a second Web-dispatcher, the NW 7.3 Portal (ume.logon.security.relax_domain.level = 0) and the ERP 604 backend (ABAP WebDynpro at dnsname2.elsa.fu-berlin.de), with a trusted relationship between portal and backend and data access behind it. The numbers in the diagram refer to the layers below.]
1. URL filtering to restrict access exclusively to elsa-portal traffic
2. Shibboleth-based single sign-on
3. Smart design of DNS name
4. Authorization check
5. Certificate-based trusted relationship between portal and backend
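Layers 1 and 3 above are policy that can be checked offline. The following Python is an added example written for this page, not code from the slides or from FU Berlin. It models the DMZ URL filter as a first-match permit/deny table with default deny (the idea of the ICM/Web Dispatcher permission file; the paths in the table are assumptions), and it computes which hosts the SAP logon-ticket cookie would be sent to for a given ume.logon.security.relax_domain.level, assuming the portal sets the cookie with an explicit Domain attribute equal to the relaxed host name so that RFC 6265 domain matching applies. The host names are the ones on the slide; that the portal itself answers as elsa.fu-berlin.de is an assumption.

```python
"""Added example: two of the 'Security layers for SAP access' as checkable policy.

Layer 1: the DMZ dispatcher forwards only portal paths (first matching rule wins,
default deny). Layer 3 / relax_domain.level: the parameter gives the number of
leading labels stripped from the portal host name to form the Domain attribute
of the logon-ticket cookie; this module works out which hosts then receive it.
Rule table, paths and host names are assumptions/constructed for this example.
"""
from fnmatch import fnmatchcase
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

# Constructed permission table (action, path pattern). Order matters: first match wins.
PERMISSION_TABLE: List[Tuple[str, str]] = [
    ("P", "/irj/portal*"),         # portal entry point
    ("P", "/irj/servlet/prt/*"),   # portal runtime resources
    ("P", "/Shibboleth.sso/*"),    # SAML handler used by the SSO layer
    ("D", "/sap/bc/*"),            # ABAP services are never reachable from the Internet
    ("D", "*"),                    # default deny
]


def normalise_path(path: str) -> str:
    """Decode %XX escapes and collapse '.'/'..' so a permit rule for /irj/portal
    cannot be satisfied by /irj/portal/../sap/bc/... (a real dispatcher
    normalises before matching; a checker must do the same)."""
    parts: List[str] = []
    for seg in unquote(path).split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)


def url_filter_allows(url: str, table=PERMISSION_TABLE) -> bool:
    """True if the DMZ dispatcher would forward this request to the portal."""
    path = normalise_path(urlsplit(url).path or "/")
    for action, pattern in table:
        if fnmatchcase(path, pattern):
            return action == "P"
    return False  # no rule matched: deny


def ticket_cookie_domain(portal_host: str, relax_level: int) -> str:
    """Domain attribute of the logon-ticket cookie for a relax_domain.level value.
    Level 0 keeps the full host name; level n strips n leading labels."""
    labels = portal_host.lower().split(".")
    if relax_level < 0 or relax_level > len(labels) - 2:
        raise ValueError("relax level would leave less than a registrable domain")
    return ".".join(labels[relax_level:])


def cookie_sent_to(cookie_domain: str, target_host: str) -> bool:
    """RFC 6265 domain matching: the host itself or any host below the domain."""
    target = target_host.lower()
    return target == cookie_domain or target.endswith("." + cookie_domain)


def ticket_exposure(portal_host: str, relax_level: int, hosts: List[str]) -> List[str]:
    """Hosts from `hosts` that a browser would send the portal's ticket cookie to."""
    domain = ticket_cookie_domain(portal_host, relax_level)
    return [h for h in hosts if cookie_sent_to(domain, h)]


if __name__ == "__main__":
    for url in ("https://elsa.fu-berlin.de/irj/portal",
                "https://elsa.fu-berlin.de/irj/portal/../../sap/bc/ping"):
        print(url, "->", "forwarded" if url_filter_allows(url) else "blocked")
    hosts = ["dnsname2.elsa.fu-berlin.de", "www.fu-berlin.de"]
    for level in (1, 0):
        print("relax level", level, "->", ticket_exposure("elsa.fu-berlin.de", level, hosts))
```

With relaxation level 1 the cookie domain becomes fu-berlin.de and every host of the university receives the ticket; level 0 keeps it to elsa.fu-berlin.de and the hosts below it, which is exactly where the backend's "smart" DNS name dnsname2.elsa.fu-berlin.de sits. The path normalisation is the part of the filter most often forgotten in such checkers.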
Future Potential: Strong Authentication
Security Audit Log: Configuration (SM19)
Security Audit Log: Analysis (SM20)
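SM20 lists the audit records; what an operator needs is a first pass over them. The following Python is an added example, not from the slides or from FU Berlin, run on a constructed sample log in a simplified "date time user terminal message-id" layout (not the audit file format). The message IDs AU1 (logon successful), AU2 (logon failed) and AUM (user locked after failed password checks) are the Security Audit Log logon events as I know them; verify them against the message list in SM19 on your release. The pass flags a burst of failed logons inside a time window, a successful logon right after such a burst, lock events, and further attempts against an account that is already locked.

```python
"""Added example: a first analysis pass over Security Audit Log records.

Records are a constructed, simplified rendering of what SM20 displays.
Message IDs are assumed: AU1 logon successful, AU2 logon failed,
AUM user locked after erroneous password checks.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple, Tuple


class SalRecord(NamedTuple):
    time: datetime
    user: str
    terminal: str
    msg_id: str


# Constructed sample: "date time user terminal message-id"
SAMPLE_LOG = """\
2013-04-23 08:00:01 STUDENT1  pc-lib-12    AU1
2013-04-23 08:01:10 ADMIN     ws-admin-01  AU1
2013-04-23 08:05:00 ERPUSER1  10.20.30.40  AU2
2013-04-23 08:05:03 ERPUSER1  10.20.30.40  AU2
2013-04-23 08:05:07 ERPUSER1  10.20.30.40  AU2
2013-04-23 08:05:09 ERPUSER1  10.20.30.40  AU2
2013-04-23 08:05:12 ERPUSER1  10.20.30.40  AU2
2013-04-23 08:05:15 ERPUSER1  10.20.30.40  AU1
2013-04-23 09:30:00 STAFF7    ws-dep-03    AU2
2013-04-23 09:31:00 STAFF7    ws-dep-03    AU2
2013-04-23 09:32:00 STAFF7    ws-dep-03    AUM
2013-04-23 11:00:00 STAFF7    ws-dep-03    AU2
"""

Alert = Tuple[str, str, str, datetime]  # (kind, user, terminal, time)


def parse_log(text: str) -> List[SalRecord]:
    """Parse the simplified record layout; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, user, terminal, msg_id = line.split()
        records.append(SalRecord(datetime.fromisoformat(f"{date} {clock}"), user, terminal, msg_id))
    return records


def find_alerts(records: Iterable[SalRecord], max_failures: int = 3,
                window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Sliding-window analysis per user, processed in time order."""
    alerts: List[Alert] = []
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    locked = set()
    for r in sorted(records, key=lambda rec: rec.time):
        q = recent_failures[r.user]
        while q and r.time - q[0] > window:  # drop failures outside the window
            q.popleft()
        if r.msg_id == "AU2":
            if r.user in locked:  # someone keeps trying a locked account
                alerts.append(("attempt_on_locked_user", r.user, r.terminal, r.time))
            q.append(r.time)
            if len(q) == max_failures:  # report the burst once, when the threshold is reached
                alerts.append(("burst_failed_logon", r.user, r.terminal, r.time))
        elif r.msg_id == "AU1":
            if len(q) >= max_failures:  # password found after guessing?
                alerts.append(("success_after_failures", r.user, r.terminal, r.time))
            q.clear()
            locked.discard(r.user)  # a successful logon means the lock was lifted
        elif r.msg_id == "AUM":
            locked.add(r.user)
            alerts.append(("user_locked", r.user, r.terminal, r.time))
    return alerts


if __name__ == "__main__":
    for kind, user, terminal, when in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{when:%H:%M:%S} {kind:24} {user:10} {terminal}")
```

Thresholds and window are parameters because the right values depend on the lock policy in the profile (login/fails_to_user_lock) and on how many users share a terminal; the sample shows both a burst that ends in a successful logon and an account that is still being tried after the lock.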
The SOS Report
The SAP Security Optimization Service is a comprehensive support service that identifies security risks for your SAP system and helps you to determine the appropriate measures to protect it from these risks.
The security checks of SAP Security Optimization are performed for the following security aspects:
- Availability: ensuring that a system is operational and functional at any given moment
- Integrity: ensuring that data is valid and cannot be compromised
- Authenticity: ensuring that users are the persons they claim to be
- Confidentiality: ensuring that information is not accessed by unauthorized persons
- Compliance: ensuring that the system security set-up is in accordance with established guidelines
SOS
Risks are pointed out
Examples of Authentication Alerts
User Lifecycle Management: Deactivation of Users
[Diagram; components shown: IdM; SLcM; HR; FUDIS (FU Account); Students; Staff; Business Partner; Student User; Faculty User; Personnel Data; ERP user; SAP Web user; trigger: Exmatriculation]
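The two lifecycle diagrams, create/modify on onboarding and deactivation on exmatriculation, reduce to one rule set. The Python below is an added example for this page, not FU Berlin's IdM code: HR reports the staff affiliation and SLcM the student one; each affiliation grants a role bundle (the Z_ role names are placeholders); the FU account and the ERP and SAP Web users stay active while any affiliation is active and are deactivated when the last one ends. That last rule is my assumption about the intended behaviour, and it is the edge case worth testing: a person who is both student and staff must not lose the account on exmatriculation, but must lose the student roles.

```python
"""Added example: event-driven user lifecycle (onboarding and deactivation).

Assumptions, not FU Berlin's actual rules: HR is authoritative for the staff
affiliation, SLcM for the student affiliation; roles are derived from
affiliations; accounts are active while at least one affiliation is active.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# Hypothetical role bundles per affiliation (role names are placeholders).
ROLE_BUNDLES: Dict[str, Set[str]] = {
    "student": {"Z_STUDENT_SELF_SERVICE"},
    "staff": {"Z_EMPLOYEE_SELF_SERVICE", "Z_DEPARTMENT_USER"},
}

# Which source system reports which affiliation.
SOURCE_AFFILIATION = {"HR": "staff", "SLcM": "student"}

ONBOARD_EVENTS = {"hire", "enrol"}               # create/modify
OFFBOARD_EVENTS = {"leave", "exmatriculation"}   # deactivation triggers


@dataclass
class Identity:
    person_id: str
    affiliations: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)
    fu_account_active: bool = False   # FUDIS (FU Account)
    erp_user_active: bool = False     # ERP backend user
    web_user_active: bool = False     # SAP Web (portal) user


class Idm:
    """Applies source-system events and re-derives accounts and roles."""

    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}

    def handle(self, event: str, source: str, person_id: str) -> Identity:
        ident = self.identities.setdefault(person_id, Identity(person_id))
        affiliation = SOURCE_AFFILIATION[source]
        if event in ONBOARD_EVENTS:
            ident.affiliations.add(affiliation)
        elif event in OFFBOARD_EVENTS:
            ident.affiliations.discard(affiliation)
        else:
            raise ValueError(f"unknown lifecycle event {event!r}")
        self._sync(ident)
        return ident

    @staticmethod
    def _sync(ident: Identity) -> None:
        # Roles follow affiliations: a former student keeps no student role.
        roles: Set[str] = set()
        for affiliation in ident.affiliations:
            roles |= ROLE_BUNDLES[affiliation]
        ident.roles = roles
        # Accounts cascade: active only while some affiliation remains.
        active = bool(ident.affiliations)
        ident.fu_account_active = active
        ident.erp_user_active = active
        ident.web_user_active = active


if __name__ == "__main__":
    idm = Idm()
    for step in (("enrol", "SLcM", "p1"), ("hire", "HR", "p1"),
                 ("exmatriculation", "SLcM", "p1"), ("leave", "HR", "p1")):
        ident = idm.handle(*step)
        print(step[0], "->", "active" if ident.fu_account_active else "inactive", sorted(ident.roles))
```

Two properties are checked by the sequence in the main block: after exmatriculation the staff member keeps the account but has no student role left, and after the last affiliation ends every downstream account is deactivated in the same step, which is what "automatic user deactivation" on the SAP functionality slide amounts to.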
Business continuity: Backup and restore support
IT-Security-Management-System reloaded
Governance: risk assessment or analysis; security policy (definitions as on the slide "Elements of an IT-Security-Management-System" above)
Technical: authentication; authorisation; data protection; data backup
Information policy
Big job to do?
Get on with it!
Dr. Christoph Wall
Boltzmannstr. 18
14195 Berlin
Germany
[email protected]
+49 30 838 58000