SAP Security Infrastructure SAP BASIS

As indicated previously, SAP systems security is often seen only as the implementation of the authorization/role concept. However, SAP solutions, based on an open, multitiered client/server and Web-based architecture, include many components that exchange, or are used for exchanging, data and information with other components, applications, or systems. Each of the elements needed for this communication and exchange of information is a layer of the SAP security infrastructure, also known as a security service. Security must be addressed at all of these layers. Here is an introduction to each of them; they are covered in more detail in the following sections:

  • The presentation level is represented by all forms of front ends used for accessing SAP systems. This is typically the SAP GUI for Windows, although other options are available, such as the SAP GUI for HTML, SAP Enterprise Portals, SAP GUI Shortcuts, and other front ends that can be programmed with SAP Automation and other utilities. At the presentation level the main security service is user authentication.
  • The application level includes the application logic that is run by the ABAP programs. The role-based authorization concept is the main security service located at this level.
  • The SAP databases are the containers of all the business information as well as the metadata, data models, and object repository. SAP databases must be protected against unauthorized accesses, which can come from direct or remote accesses. It is very important to recognize and protect the most critical system tables. This is the level of data access protection.
  • The network is the de facto backbone of computing, and there is no business or collaborative application that can work without it. SAP solutions and systems are a complex set of networked servers and applications both inside and outside the companies and as such the network is the enabler that must be protected. Since SAP R/3 release 3.1G the system includes the SNC interface that can be complemented with third-party security products to further enhance and protect the SAP network communications. The network is located at the access security level.
  • Remote communications. The natural openness of SAP systems and the endless possibilities for communicating and exchanging data between them and other systems require a security analysis from the point of view of external or remote communications, mainly in the areas of the RFC and CPIC protocols, which are also used in other interfacing techniques such as the BAPIs.
  • Internet. The Internet represents the biggest opportunity and natural marketplace for e-business and, at the same time, the riskiest place if security measures are not in place. More and more SAP solutions are extensively based on Web technology and are Internet enabled. Internet security is a very extensive subject and would require a book of its own. In the case of SAP systems, care must be taken to use firewalls; to protect ITS, SAP WAS, or SAP Enterprise Portal servers; and to use SNC and other cryptographic technologies.
  • Operating system. SAP solutions naturally include a large collection of software applications. Access protection for SAP files and directories, as well as for operating system commands, must also be in place.

Security must also address the overall system landscape: development system, quality assurance system, productive system, and any connected complementary system, whether it belongs to the SAP Business Framework architecture or not. Security also covers the Change and Transport System.

All security aspects on SAP systems components are based on restricting the access to each of the system's layers to authorized users or authorized external systems only. A security infrastructure must also include all the logging and auditing possibilities because these mechanisms are required for monitoring and enforcing the security policy.

What Type of Security Is Standard on SAP Systems?

SAP NetWeaver and the mySAP Business Suite systems include many security features, the majority of which are not applied in most customers' installations. On one hand, it is easy to think that in order to reach SAP systems you must first break into the network, the operating system, or the database. While this is true to some extent, it is also true that once internal threats are considered, standard security measures will certainly not be enough.

The SAP Basis Middleware (R/3) as well as the SAP Web Application Server include basic and generic security measures, based mostly on passwords for user authentication and on the authorization concept for user access to business data and transactions. SAP Basis comes with other powerful security features, such as support for Secure Network Communications (SNC), Secure Store and Forward (SSF), and digital signatures, and allows the use of external security products, Single Sign-On solutions, smart cards, and many other options to suit the needs of the most demanding businesses and chief security officers.

How Can SAP Security Be Improved?

If you understand the security components and infrastructure, there is a lot you can do to improve SAP systems security without compromising normal users' operation. You can improve security by

  • Designing and implementing a secure systems infrastructure by means of firewalls and setting password policies and parameters
  • Setting the most appropriate values for security-related instance profile parameters
  • Using external security products
  • Establishing a security policy and efficiently communicating it
  • Creating a security checklist that can be periodically tested either manually or automatically so you can evaluate the efficiency of your security policy
  • Enforcing the security policy by means of logging and auditing
  • Monitoring security alerts and locating threats
  • Establishing a procedure for constant update of the security policies

The Multilayer SAP Security Infrastructure

Layers of the SAP security infrastructure must interoperate to form a cohesive security strategy. This interoperation cannot happen unless you understand what each layer is supposed to do. We explore these functions in the following sections.

Security at the Presentation Level

Presentation-level security addresses all forms of front ends used for accessing SAP systems. This is typically the SAP GUI, though other options are available, such as SAP GUI for HTML, SAP GUI for Java, SAP GUI shortcuts, the SAP Enterprise Portal, and other front ends or logon programs that can be programmed with SAP Automation and other utilities. The primary security service at the presentation level is user authentication. When security fails at this level it is typically because

  • The security policy is weak, not well communicated or enforced, or not existing at all.
  • The profile parameters that enforce basic security measures are not set.
  • You have not changed the passwords of standard users.
  • Basic protection measures at the workstation are not taken.
  • You have not implemented advanced security methods such as SNC, Single Sign-On, client certificates that allow encryption, or smart login devices.
  • Security auditing and monitoring are scarce.

As a result you see unauthorized users logging in with privileged user accounts, many unsuccessful logon attempts, or users using other people's accounts. Once I was starting a security analysis for a customer and he gave me access to a PC. I asked him for a username and password to enter the SAP systems (they had many systems) and he went out for a few minutes to ask someone else for a username.

When he came back I had successfully logged into every SAP system using the well-known privileged user and password. I said, "What SAP instance do you want me to stop?" It is mainly the job of the Basis administrators and User administrators together with the IT department and the security manager to define a clear authentication policy, to set in place all the standard SAP security measures, and if needed to add any advanced measures to protect the system at the presentation level.
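The profile-parameter and standard-user points in the list above (and the "security-related instance profile parameters" item in the earlier improvement list) can be checked mechanically. The Go program below is an added example written for this page, not SAP's own tooling: it parses the "name = value" lines of an instance profile (the embedded sample is constructed, with deliberately weak values) and compares a handful of login/* and rdisp/* parameters that exist in SAP NetWeaver ABAP systems against an assumed hardening baseline. The baseline ranges are this example's policy choice, not SAP defaults, and should be replaced by your own; a parameter that is absent from the profile is reported too, because the kernel default then applies.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of an SAP instance profile; the values are deliberately weak.
const sampleProfile = `
# constructed instance profile
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
login/min_password_lng = 4
login/fails_to_user_lock = 12
login/fails_to_session_end = 3
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 0
`

// rule is an assumed hardening range [Lo, Hi] for one parameter; it is a
// policy choice made for this example, not an SAP default.
type rule struct{ Lo, Hi int }

var baseline = map[string]rule{
	"login/min_password_lng":          {8, 40},   // minimum password length
	"login/fails_to_user_lock":        {1, 5},    // failed logons before the user is locked
	"login/fails_to_session_end":      {1, 3},    // failed logons before the session ends
	"login/password_expiration_time":  {1, 90},   // days; 0 means passwords never expire
	"login/no_automatic_user_sapstar": {1, 1},    // 1 disables the hard-coded SAP* fallback
	"rdisp/gui_auto_logout":           {1, 1800}, // seconds of inactivity; 0 disables the logout
}

// Finding is one parameter that is unset, non-numeric, or outside the baseline.
type Finding struct {
	Param, Actual, Expected string // Actual is "" when the parameter is not set
}

// ParseProfile reads the "name = value" lines of a profile, ignoring blanks and # comments.
func ParseProfile(text string) map[string]string {
	params := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.SplitN(line, "=", 2)
		if len(parts) != 2 {
			continue // not a parameter assignment
		}
		params[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
	}
	return params
}

// CheckProfile compares the parsed parameters against the baseline; a parameter
// that is absent is reported too, because the kernel then falls back to its default.
func CheckProfile(params map[string]string) []Finding {
	var findings []Finding
	names := make([]string, 0, len(baseline))
	for name := range baseline {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic report order
	for _, name := range names {
		r := baseline[name]
		expected := fmt.Sprintf("%d..%d", r.Lo, r.Hi)
		actual, set := params[name]
		if !set {
			findings = append(findings, Finding{name, "", expected})
			continue
		}
		n, err := strconv.Atoi(actual)
		if err != nil || n < r.Lo || n > r.Hi {
			findings = append(findings, Finding{name, actual, expected})
		}
	}
	return findings
}

func main() {
	for _, f := range CheckProfile(ParseProfile(sampleProfile)) {
		fmt.Printf("%-34s actual=%-6q expected=%s\n", f.Param, f.Actual, f.Expected)
	}
}
```

Run against a real profile by reading the file into `ParseProfile`; the same check belongs in the periodic security checklist, since profile values drift after kernel upgrades and support sessions.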

Application-Level Security

Security at this level addresses the application logic that is run by the ABAP programs. Here the main security service is the User Authorization concept, which grants or denies access to business objects and transactions based upon a user's authorization profiles. When security fails at this level it is typically because

  • The authorization system has been poorly implemented.
  • Critical authorizations have not been defined.
  • Local development did not include appropriate authority checks.
  • Administration of authorizations and profiles is not properly distributed and protected.
  • The user and authorization information system is rarely used.

As a result you see unintentional transaction executions by unauthorized users, performance problems, display or modification of confidential information by unauthorized users, or even deletion of important data. Several times it happened to me that a user who was not supposed to have such an authorization had unintentionally deleted or changed parts of the number range table (NRIV) and due to the legal implications of this we had to make a point-in-time recovery of the whole system.

It is the Application administrators' job to define which users have access to what data and transactions. These definitions must later be technically implemented by the User and Authorization administrators. It is also very important that every developer follows a programming methodology that includes security checks.

Security at the Database Level

The SAP systems databases are the container for all the business information as well as the metadata, data models, and object repository. These databases must be protected against unauthorized accesses. At this level security services must grant access protection to SAP systems data. When security fails at this level it is typically because

  • Standard passwords have not been changed.
  • Access to the operating system is not properly protected.
  • Remote access to the database is not secure.
  • Auditing has not been activated on critical tables.
  • The authorization system at SAP level is poorly implemented.

As a result you see modifications at the database level that compromise systems integrity and consistency, uncontrolled access to confidential information below the application level, or systems unavailability. In one of my customer installations the operator (who additionally did not understand English very well) started a tablespace reorganization instead of adding a new data file to a tablespace. The system was stopped for some hours. It is the job of the Database administrators together with the OS system managers and the Basis administrators to take appropriate security measures at this level. Some of the measures are changing the passwords of privileged DB users, protecting SAPDBA with expert mode, restricting external remote access to read-only mode, auditing critical tables, and setting the S_TABU_DIS authorization object correctly.
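To make the authorization concept from the application-level section and the S_TABU_DIS measure just mentioned concrete, here is an added Go model written for this page; it is illustrative code, not SAP's implementation. It uses the real object and field names S_TCODE/TCD and S_TABU_DIS/DICBERCLS/ACTVT, but the users, their authorizations and the table authorization group names ZFIN and SS are constructed, and SAP's interval (FROM-TO) values are left out of the matching for brevity. The point it demonstrates is the one developers most often get wrong: AUTHORITY-CHECK succeeds only if one single authorization satisfies every requested field, so display access to one table group plus change access to another never adds up to change access to both. The last function reports the "change access to every table group" combination that should be limited to a few administrators.

```go
package main

import (
	"fmt"
	"strings"
)

// Authorization is one instance of an authorization object with its field values,
// as it would sit in a profile or role. Values may be exact, "*" (everything) or
// a pattern ending in "*". Interval values (FROM-TO) exist in SAP but are left
// out of this simplified model.
type Authorization struct {
	Object string
	Fields map[string][]string
}

// User holds the authorizations collected from all of the user's profiles.
type User struct {
	Name  string
	Auths []Authorization
}

// Constructed sample users; the table authorization group names are illustrative.
var (
	Developer = User{"DEVELOPER", []Authorization{
		{"S_TCODE", map[string][]string{"TCD": {"SE16", "SE38"}}},
		{"S_TABU_DIS", map[string][]string{"DICBERCLS": {"ZFIN"}, "ACTVT": {"02", "03"}}},
		{"S_TABU_DIS", map[string][]string{"DICBERCLS": {"SS"}, "ACTVT": {"03"}}},
	}}
	Admin = User{"BASISADM", []Authorization{
		{"S_TABU_DIS", map[string][]string{"DICBERCLS": {"*"}, "ACTVT": {"*"}}},
	}}
)

// matchValue applies the (simplified) SAP value semantics described above.
func matchValue(pattern, value string) bool {
	switch {
	case pattern == "*":
		return true
	case strings.HasSuffix(pattern, "*"):
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	default:
		return pattern == value
	}
}

func anyMatch(patterns []string, value string) bool {
	for _, p := range patterns {
		if matchValue(p, value) {
			return true
		}
	}
	return false
}

// AuthorityCheck models ABAP's AUTHORITY-CHECK OBJECT ... ID ... FIELD ...:
// it succeeds only if a single authorization for the object satisfies every
// requested field. Field values from two different authorizations are never combined.
func AuthorityCheck(u User, object string, required map[string]string) bool {
	for _, a := range u.Auths {
		if a.Object != object {
			continue
		}
		satisfied := true
		for field, want := range required {
			if !anyMatch(a.Fields[field], want) {
				satisfied = false
				break
			}
		}
		if satisfied {
			return true
		}
	}
	return false
}

// OverbroadTableAccess reports S_TABU_DIS authorizations that allow change access
// (ACTVT 02) to every table authorization group (DICBERCLS "*"): a critical
// authorization that should be held by very few administrators.
func OverbroadTableAccess(u User) []string {
	var hits []string
	for _, a := range u.Auths {
		if a.Object == "S_TABU_DIS" && anyMatch(a.Fields["DICBERCLS"], "*") && anyMatch(a.Fields["ACTVT"], "02") {
			hits = append(hits, fmt.Sprintf("%s: S_TABU_DIS DICBERCLS=%v ACTVT=%v", u.Name, a.Fields["DICBERCLS"], a.Fields["ACTVT"]))
		}
	}
	return hits
}

func main() {
	for _, u := range []User{Developer, Admin} {
		fmt.Printf("%s: change SS tables = %v, display SS tables = %v\n", u.Name,
			AuthorityCheck(u, "S_TABU_DIS", map[string]string{"DICBERCLS": "SS", "ACTVT": "02"}),
			AuthorityCheck(u, "S_TABU_DIS", map[string]string{"DICBERCLS": "SS", "ACTVT": "03"}))
		for _, hit := range OverbroadTableAccess(u) {
			fmt.Println("  CRITICAL:", hit)
		}
	}
}
```

In a real system the equivalent of `OverbroadTableAccess` is a query over the user and authorization information system (SUIM) for critical authorization values; the model above only shows why such a combination is critical.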

Operating System-Level Security

Security services must guarantee access protection to SAP files and directories as well as the operating system commands and programs. At this level security services are provided by the operating system features themselves. When security fails at this level it is typically because

  • Permissions on files and directories are not properly set.
  • The password and user policy at the OS level is static and widely known.
  • Logging and monitoring are scarce.

As a result you see deletion of important system and application files, software malfunctions, or system unavailability. I have seen a system operator delete, by mistake, critical system files such as the database files, which were fully unprotected. A restore and recovery was necessary in order to have the system up and running again. It is the job of the Operating System manager to implement security measures at the operating system level and to monitor the main log files of the audit system. Measures include implementing a secure password policy at the user level, taking care not to create unnecessary users or services, monitoring SETUID programs, setting ACLs (Access Control Lists) on critical files and directories, and protecting external commands from being executed from SAP.

Network-Level Security

Networks are the de facto backbones of computing. There is no business or collaborative application that can work without one. SAP systems based on a client/server architecture are no exception. With release 3.1G of SAP Basis (R/3), SAP systems included the SNC interface (Secure Network Communications), which can and in most cases should be complemented with third-party security products to further protect network communications. When security fails at this level it is typically because

  • There are too many unprotected network services.
  • Network topology is poorly designed.
  • There is little or no network monitoring.
  • Routers, filters, or firewalls are not correctly configured.
  • SAP router configuration is not properly set.
  • There is no automatic intrusion detection system.
  • Data are not traveling in encrypted form.

As a result you see users or programs trying to log on to systems they are not authorized for, as an attacker would, users logging on to the wrong servers, unbalanced system loads, or even network sniffing. One example of a security violation in the network environment is when end users log on directly to the database server when this has an administrative instance. Another one I have seen many times is when the rlogin service is completely unprotected and users have logged on through the network and stopped the wrong servers.

It is the Network administrators' responsibility to design and implement a secure network topology that includes an automatic monitoring and intrusion detection system.
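The SAProuter point in the list above can be illustrated with a small evaluator of the route permission table (saprouttab). This is an added Go example, not SAProuter code: the table it embeds is constructed, the model covers only P/S/D entries with "source destination service" fields, matches "*" and CIDR source blocks, and assumes first-match semantics with an implicit deny when nothing matches; passwords on entries and the SNC-specific K* entries are not modelled. The last function flags catch-all permit lines, the misconfiguration that turns the router into an open relay to every host behind it.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample route permission table (saprouttab). The last line is the
// kind of catch-all entry that exposes every host behind the SAProuter.
const sampleTable = `# constructed saprouttab
P 10.10.1.0/24 sapprd01 3200
S 10.10.1.0/24 sapprd01 3300
D * sapdb01 *
P * * *
`

// Entry is one route table line: P = permit, S = permit SAP protocol only, D = deny.
type Entry struct {
	Line               int
	Action             string
	Source, Dest, Port string
}

// Decision records which entry decided a connection request.
type Decision struct {
	Allowed, SAPOnly bool
	Rule             *Entry // nil when no entry matched
}

// ParseTable reads P/S/D lines with "<source> <dest> <service>" fields and
// ignores comments and blanks (passwords and SNC-specific K* lines are not modelled).
func ParseTable(text string) ([]Entry, error) {
	var entries []Entry
	for i, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) < 4 || (f[0] != "P" && f[0] != "S" && f[0] != "D") {
			return nil, fmt.Errorf("line %d: unsupported entry %q", i+1, line)
		}
		entries = append(entries, Entry{i + 1, f[0], f[1], f[2], f[3]})
	}
	return entries, nil
}

// matchHost accepts "*", a CIDR block (when the request carries an IP address),
// or an exact host name / address.
func matchHost(pattern, host string) bool {
	if pattern == "*" {
		return true
	}
	if strings.Contains(pattern, "/") {
		_, block, err := net.ParseCIDR(pattern)
		ip := net.ParseIP(host)
		return err == nil && ip != nil && block.Contains(ip)
	}
	return strings.EqualFold(pattern, host)
}

// Evaluate walks the table top to bottom; the first matching entry decides and
// a request that matches nothing is treated as denied (an assumption of this model).
func Evaluate(entries []Entry, src, dst, port string) Decision {
	for i := range entries {
		e := &entries[i]
		if matchHost(e.Source, src) && matchHost(e.Dest, dst) && (e.Port == "*" || e.Port == port) {
			return Decision{Allowed: e.Action != "D", SAPOnly: e.Action == "S", Rule: e}
		}
	}
	return Decision{}
}

// CatchAllPermits lists permit entries that accept any source to any destination.
func CatchAllPermits(entries []Entry) []Entry {
	var hits []Entry
	for _, e := range entries {
		if e.Action != "D" && e.Source == "*" && e.Dest == "*" {
			hits = append(hits, e)
		}
	}
	return hits
}

func main() {
	entries, err := ParseTable(sampleTable)
	if err != nil {
		panic(err)
	}
	requests := [][3]string{{"10.10.1.25", "sapprd01", "3200"}, {"192.168.5.5", "sapdb01", "1527"}, {"192.168.5.5", "sapprd01", "3300"}}
	for _, req := range requests {
		d := Evaluate(entries, req[0], req[1], req[2])
		fmt.Printf("%v -> allowed=%v sapOnly=%v decided by line %d\n", req, d.Allowed, d.SAPOnly, d.Rule.Line)
	}
	for _, e := range CatchAllPermits(entries) {
		fmt.Printf("WARNING line %d: catch-all permit %s %s %s %s\n", e.Line, e.Action, e.Source, e.Dest, e.Port)
	}
}
```

The third request in `main` shows why order and catch-alls matter: a host outside the permitted subnet is still let through to the application server by the final line, even though the earlier, more specific entries never matched it.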

Transport System-Level Security

SAP has provided the TMS (Transport Management System) as an environment for coordinated customizing and team development that protects the modification of objects and settings across a SAP landscape. Unfortunately the TMS is a facet of the SAP enterprise that is often undersecured.

When security fails at this level it is typically because

  • System landscape settings are not properly configured.
  • Repairs are freely allowed.
  • There are no filters that control which objects are being transported.
  • Authorizations are not completely implemented.
  • Transport monitoring is not a periodic task.

As a result you see software failures, transport of copied programs without security checks, or problems when upgrading your system. It is the task of the Basis administrator together with users in charge of customizing and developers to properly set the system to basic security standards and to define a security policy that makes sure that there is some type of filtering and monitoring within the transport system.

Secure Network Communications (SNC)

SAP's standard Secure Network Communications provides protection for the communication links between the distributed components of a SAP system. SNC is built into the SAP WAS kernel, is based on the standard GSS-API V2, and allows you to raise the level of your SAP security via external security products (e.g., Single Sign-On, smartcard authentication, and encrypted communications). SNC can raise your system to high security standards because it can cover several layers, such as the presentation (authentication and Single Sign-On) layer, the remote communications layer, the network layer, and even the Internet layer.

Remote Communications-Level Security

The natural openness of the SAP systems and the endless possibilities of communicating with and exchanging data between SAP and other systems require stringent security analysis from the point of view of external or remote communications mainly in the areas of the RFC and CPIC protocols, which are used in other interfacing techniques such as ALE or BAPIs.

When security fails at this level it is typically because

  • The authorization system is poorly implemented for remote communications.
  • RFC communications include the passwords in their definitions.
  • There is scarce monitoring at the gateways.
  • OS and network security is also weak.
  • No encryption software has been used.

As a result you see unexpected connections or program executions from other systems, software failures, or access to confidential information. It is the job of Basis administrators together with Network administrators and developers to implement standard security measures to avoid leaving holes at the remote communication level. Some standard measures are as follows: do not create more RFC destinations than those necessary, include AUTHORITY-CHECK within the programs that can be remotely called, protect table RFCDES, use standard interface techniques, provide periodic monitoring of the gateway server, and ensure that the secinfo file exists.

Document Transfer-Level Security

SAP security services must guarantee the integrity, confidentiality, and authenticity of any type of business document, such as electronic files, mail messages, and others. At this level SAP provides Secure Store and Forward (SSF) mechanisms, which include digital signatures and digital envelopes based on public key technology. These mechanisms can be deployed using external security services such as digital certificates and digital envelopes. When security fails at this level it is typically because

  • Certificates and encryption are not used/implemented.
  • Private keys are not properly protected.
  • There is scarce tracing and monitoring.

As a result you see documents intercepted by unauthorized persons or access to confidential information. It is the job of the Basis administrators and expert security consultants with the help of the legal department to define and implement secure mechanisms like encryption methods for protecting the secure transfer of documents.

Introduction to SSF (Secure Store and Forward)

SAP's standard Secure Store and Forward provides the required support to protect SAP systems data and documents as independent data units. You can use the SSF functions to "wrap" SAP systems data in secure formats before the data are transmitted over insecure communications links. These secure formats are based on public and private keys using cryptographic algorithms. While SAP provides a Security Library (SAPSECULIB) as a software solution for digital signatures as well as standard support for SSF in certain application modules such as PDM or ArchiveLink, a high degree of protection is achieved only when private keys are secured using hardware devices such as smart cards.

Even if the communication infrastructure is well protected, it is also necessary to protect the private keys that are used in digital signatures and envelopes, because if this information is intercepted the whole cryptographic strategy becomes useless. This includes SAP components such as the application servers when these act as the senders of the messages and therefore hold the private keys. In addition to the risk that exists if a private key falls into the wrong hands, it must also be considered that criminals may be interested in sabotaging the communications and could modify the public key repository for the partners with whom the company system communicates.

Protecting Private Keys

There are two main ways for storing and protecting private keys:

  • Via hardware. The best solution for protecting SAP users' private keys is the use of an individual smart card for every user. With this there is no way to reveal the private key that the smart card holds. Additionally users must be identified in their smart cards using biometric means (such as a fingerprint, the eyeprint, etc.) or by the use of a secret number such as a PIN, a password, a question that only the user knows, and so on. Users are responsible for securing their cards.

    If this method of protecting private keys is selected, companies should develop a communication campaign so that users are informed of the importance of not sharing or letting others use their smart cards.

    From the point of view of the server and in order to improve performance, the recommendation is the use of a crypto box instead of a smart card.

  • Via software. The software solution is not as safe as when specific hardware is used. If a file holding the keys is used, then it is very important to protect this file from unauthorized accesses.

Protecting Public Keys

If the security products use an address book for holding the public keys, then, just as in the case of private keys, the files must be protected from unauthorized access or modification. An alternative is to use certificates issued by a trusted Certification Authority (CA) to guarantee the authenticity of those public keys. Several countries have regulated the use of cryptography and digital signatures. However, these rules or laws frequently generate a great deal of controversy and change often. Some countries already accept digital signatures as valid proof of obligation, and therefore digital signatures can be used for secure business.
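The SSF idea of "wrapping" a data unit with a signature and the protection of the public key repository described in the last two sections can be shown together. The following Go code is an added example, not SAP's SSF implementation or SAPSECULIB: it signs a document with Ed25519, verifies it, and then shows the attack the text warns about, an intruder who edits the address book and replaces a partner's public key with their own. Plain signature verification accepts the forged document in that case; pinning each partner key's fingerprint when it is registered (the design assumes the fingerprint is confirmed out of band at that moment) is what detects the substitution. All keys and the invoice payload are generated or constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// GenerateKeyPair wraps Ed25519 key generation (panics only on a broken RNG).
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignedDocument is a "wrapped" data unit: the payload travels with a detached
// signature and the name under which the signer's public key is filed.
type SignedDocument struct {
	Signer    string
	Payload   []byte
	Signature []byte
}

// Sign produces the wrapped unit. The private key is used here and nowhere else;
// in production it would live on a smart card or crypto box, not in process memory.
func Sign(signer string, priv ed25519.PrivateKey, payload []byte) SignedDocument {
	return SignedDocument{signer, payload, ed25519.Sign(priv, payload)}
}

// Fingerprint is the SHA-256 of the raw public key: the value you confirm out of
// band (phone call, printed letter) when a partner key is first registered.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Repository is the partner public-key "address book". Keys stands for the file an
// intruder could edit; Fingerprints stands for the separately protected pin list.
type Repository struct {
	Keys         map[string]ed25519.PublicKey
	Fingerprints map[string]string
}

func NewRepository() *Repository {
	return &Repository{map[string]ed25519.PublicKey{}, map[string]string{}}
}

// Register files a partner key and pins its fingerprint at the same time.
func (r *Repository) Register(name string, pub ed25519.PublicKey) {
	r.Keys[name] = pub
	r.Fingerprints[name] = Fingerprint(pub)
}

var (
	ErrUnknownSigner = errors.New("no public key filed for signer")
	ErrTampered      = errors.New("filed public key does not match pinned fingerprint")
	ErrBadSignature  = errors.New("signature does not verify")
)

// Verify checks the repository entry against its pin before trusting it, then
// verifies the signature over the payload.
func (r *Repository) Verify(doc SignedDocument) error {
	pub, ok := r.Keys[doc.Signer]
	if !ok {
		return ErrUnknownSigner
	}
	if Fingerprint(pub) != r.Fingerprints[doc.Signer] {
		return ErrTampered
	}
	if !ed25519.Verify(pub, doc.Payload, doc.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	partnerPub, partnerPriv := GenerateKeyPair()
	repo := NewRepository()
	repo.Register("partner", partnerPub)

	doc := Sign("partner", partnerPriv, []byte("INVOICE 4711 EUR 12500.00")) // constructed payload
	fmt.Println("genuine document:", repo.Verify(doc))

	altered := doc
	altered.Payload = []byte("INVOICE 4711 EUR 125.00")
	fmt.Println("altered payload:  ", repo.Verify(altered))

	// An intruder who can write the address book swaps in their own key and signs
	// with it; without the pinned fingerprint this forgery would verify cleanly.
	intruderPub, intruderPriv := GenerateKeyPair()
	repo.Keys["partner"] = intruderPub
	forged := Sign("partner", intruderPriv, []byte("INVOICE 4712 EUR 99000.00"))
	fmt.Println("swapped key:      ", repo.Verify(forged))
}
```

Digital envelopes (encryption of the payload for the recipient) are the other half of SSF and are not shown here; the repository check applies to them in the same way, because an attacker who can substitute a recipient's public key can read everything enveloped to it.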

Internet-Level Security

A critical component is what I call the "Internet level," which addresses the interactions that take place between a SAP system and browsers, Web servers, SAP Web Application Server, ITS, SAP EP, firewalls, and so on. When security fails at this level it is typically because

  • Secure protocols are not properly set.
  • Encryption and certificates are not used.
  • Remote debugging of ITS is not disabled.
  • Service files are not protected.
  • Firewalls and authentication might not be properly configured.
  • Security measures at Web servers are weak.
  • Monitoring is scarce.

As a result you see many types of attacks on Web servers that might make systems unavailable or compromise critical information. Thousands of Internet security incidents and break-ins are reported; some of them make the CNN headlines. There are dozens of books and hundreds of Web sites covering security, hacking, and protection software. It is the job of the Basis administrator, Network administrator, and Web administrator to put in place a system design that implements the best security measures to protect against attacks on the SAP systems that are tightly connected to the Internet. A comprehensive security strategy limits access at each of these security layers to authorized users and/or authorized external systems only.

It also accounts for the overall system landscape: development systems, quality assurance system, productive system, and the transport system that operates between them as well as any connected complementary systems whether they belong to the SAP NetWeaver infrastructure architecture or not. You want to be sure that certain protective procedures are set in place to guard against insecure programs or Trojan horses that may travel from one system to another.

Logging and Auditing

Last but not least, a security infrastructure must include robust logging and auditing capabilities: the mechanisms you will need to monitor and enforce your security policies. Logging and monitoring address the efficiency of the security measures and the capacity of the system for detecting weaknesses, vulnerabilities, and any other security problem. There are logging and auditing facilities in the SAP security infrastructure at every level. These facilities are implemented mainly in the Security Audit Log, the Audit Info System (AIS), the security alerts within CCMS, and the Users and Authorization Info System (SUIM). These tools are complemented by other logging facilities such as those available at the operating system level, database auditing statements, network and Internet monitoring and management, and others.

The difficulty for monitoring the whole SAP security infrastructure is that there is no single tool for doing that automatically although the evolution of the CCMS and the AIS tools make us think that it might happen. You can find extensive information and checklists for auditing security in the diverse SAP Security Guides at the SAP Service Marketplace.

SAP Trust Center Services

The focus of the SAP Trust Center Service is to provide global one-step authentication and digital signature technology for enabling collaborative business scenarios. The trust infrastructure relies on already existing business relationships between SAP and its customers. The SAP Trust Center provides more trust than other existing trust centers because those do not typically rely on existing business relationships. This service provides a smooth migration from password-based authentication to certificate-based authentication.

The Trust Center Service works with the customer's internal Portal to distribute digital certificates—called SAP Passports—to individual users. The SAP Passport is based on the X.509 certificate standard and enables data to be encrypted and transmitted safely over intranets and open Internet connections. SAP customers using the Trust Center Services can be sure that only authorized partners and employees are accessing information and conducting business in Marketplaces.

If SAP users wish to apply for a SAP Passport when they log on to their Portal, their UID and password are used. The Portal Server transfers the user's as well as the company's identity to the user's Web browser. The Web browser then automatically generates an asymmetric public/private key pair. After receiving and verifying the certificate request containing the user's and the company's identity and the public key from the Web browser, the Portal Server approves the certificate request with its digital signature. The Web browser then sends the approved certificate request to the SAP Trust Center Service. The SAP Trust Center Service verifies the certificate request against the agreed naming convention. Then the Trust Center Service Certification Authority (CA) creates an X.509 certificate and transfers the certificate back to the Web browser. The SAP Passport is now ready for use.
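The enrollment sequence above can be walked through with standard-library X.509 primitives. This is an added Go example, not SAP's Trust Center code: the browser generates an Ed25519 key pair and a CSR naming user and company, the company's portal countersigns the CSR bytes, and the trust center verifies that countersignature and the CSR's own proof of possession, enforces a naming convention, and issues a one-year client certificate that a relying system then validates against the CA root. The company "ACME" and user "jdoe" are constructed, and since the page does not spell out the real SAP Passport naming convention, the check used here (the subject's Organization must equal the company the approving portal is registered for) is an assumption of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TrustCenter models the SAP Trust Center Service CA; portals maps a company name
// to the key of the portal that is allowed to vouch for that company's users.
type TrustCenter struct {
	caKey   ed25519.PrivateKey
	caCert  *x509.Certificate
	portals map[string]ed25519.PublicKey
}

// Portal is the customer's portal; Approval is its countersignature over a CSR.
type Portal struct{ Company string; key ed25519.PrivateKey }
type Approval struct{ Company string; Signature []byte }

func NewTrustCenter() (*TrustCenter, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{ // self-signed root
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Trust Center CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &TrustCenter{key, cert, map[string]ed25519.PublicKey{}}, err
}

// NewPortal registers a company's portal: the existing business relationship the service relies on.
func (tc *TrustCenter) NewPortal(company string) *Portal {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tc.portals[company] = pub
	return &Portal{company, key}
}

// BrowserRequest: the browser generates the key pair and a CSR; the private key never leaves the user's machine.
func BrowserRequest(user, company string) (ed25519.PrivateKey, []byte, error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: user, Organization: []string{company}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// Approve is the portal's step after the user's password logon: it signs the CSR bytes.
func (p *Portal) Approve(csrDER []byte) Approval {
	return Approval{p.Company, ed25519.Sign(p.key, csrDER)}
}

// Issue checks the portal approval, the CSR's proof of possession and the assumed naming
// convention (Organization must equal the approving company), then signs a one-year client certificate.
func (tc *TrustCenter) Issue(csrDER []byte, ap Approval) (*x509.Certificate, error) {
	portalPub, ok := tc.portals[ap.Company]
	if !ok || !ed25519.Verify(portalPub, csrDER, ap.Signature) {
		return nil, fmt.Errorf("no valid portal approval for %q", ap.Company)
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil { err = csr.CheckSignature() } // proof that the requester holds the private key
	if err != nil { return nil, err }
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != ap.Company {
		return nil, fmt.Errorf("subject %v violates naming convention", csr.Subject)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tc.caCert, csr.PublicKey, tc.caKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Validate is what a relying SAP system does with a presented passport.
func (tc *TrustCenter) Validate(c *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(tc.caCert)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	tc, _ := NewTrustCenter()
	_, csr, _ := BrowserRequest("jdoe", "ACME") // constructed user and company
	ap := tc.NewPortal("ACME").Approve(csr)
	cert, err := tc.Issue(csr, ap)
	if err != nil { panic(err) }
	fmt.Println("passport for", cert.Subject.CommonName, "validates:", tc.Validate(cert) == nil)
}
```

Two checks carry the security of the flow: the portal countersignature ties the request to a password logon at a registered company, and `csr.CheckSignature` proves the requester holds the private key that never left the browser. Dropping either would let a certificate be issued for an identity the requester does not control.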

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd