As indicated previously, SAP systems security often is only seen as the implementation of the authorization/role concept. However, SAP solutions based on open, multitiered client/server and Web-based architecture include many components that can exchange or are used for exchanging data and information with other components, applications, or systems. Each of the elements needed for the communication and exchange of information is a layer of the SAP security infrastructure also known as a security service. Security must be addressed at all these layers. Here is an introduction to each of them; those will be further covered in following sections:
All security aspects on SAP systems components are based on restricting the access to each of the system's layers to authorized users or authorized external systems only. A security infrastructure must also include all the logging and auditing possibilities because these mechanisms are required for monitoring and enforcing the security policy.
What Type of Security Is Standard on SAP Systems?
SAP NetWeaver and the mySAP Business Suite systems include many security features, the majority of which are not often applied in most customer's installations. On one hand, it is easy to think that in order to reach SAP systems you must first leak into the network, the operating system, or the database. And whereas somehow this is true it is also true that if internal threats are considered, then standard security measures will certainly not be enough.
The SAP Basis Middleware (R/3) as well as the SAP Web Application Server includes basic and generic security measures based mostly on passwords for user authentication as well as the authorization concept for user access to business data and transactions. SAP Basis comes with other powerful security features, such as support for Secure Network Communications (SNC), Secure Store and Forward (SSF), and digital signatures and allows the use of external security products, Single Sign-On solutions, smart cards, and many other options to suit the needs of the most exigent businesses and chief security officers.
How Can SAP Security Be Improved?
If you understand the security components and infrastructure, there is a lot you can do to improve SAP systems security without compromising normal users' operation. You can improve security by
The Multilayer SAP Security Infrastructure
Layers of the SAP security infrastructure must interoperate to form a cohesive security strategy. This interoperation cannot happen unless you understand what each layer is supposed to do. We explore these functions in the following sections.
Security at the Presentation Level
Presentation-level security addresses all forms of front ends used for accessing SAP systems. This is typically the SAP GUI, though other options are available, such as the SAP GUI for HTML, SAP GUI for Java, the SAP GUI shortcuts, the SAP Enterprise Portal, and other front ends or logon programs that can be programmed with SAP Automation and other utilities. The primary security service at the presentation level is User Authentication. When security fails at this level it is typically because
As a result you see unauthorized users logging in with privileged user accounts, many unsuccessful logon attempts, or users using other persons' accounts. Once I was starting a security analysis for a customer and he gave me access to a PC. I asked him for a username and password to enter the SAP systems (they had many systems) and he went out a few minutes to ask someone else for a username.
When he came back I had successfully logged into every SAP system using the well-known privileged user and password. I said, "What SAP instance do you want me to stop?" It is mainly the job of the Basis administrators and User administrators together with the IT department and the security manager to define a clear authentication policy, to set in place all the standard SAP security measures, and if needed to add any advanced measures to protect the system at the presentation level.
Security at this level addresses the application logic that is run by the ABAP programs. Here the main security service is the User Authorization concept, which grants or denies access to business objects and transactions based upon a user's authorization profiles. When security fails at this level it is typically because
As a result you see unintentional transaction executions by unauthorized users, performance problems, display or modification of confidential information by unauthorized users, or even deletion of important data. Several times it happened to me that a user that was not supposed to have such an authorization had unintentionally deleted or changed parts of the number range table (NRIV) and due to the legal implications of this we had to make a point-in-time recovery of the whole system.
It is the Application administrators' job to define which users have access to what data and transactions. These definitions must later be technically implemented by the User and Authorization administrators. It is also very important that every developer follows a programming methodology that includes security checks.
Security at the Database Level
The SAP systems databases are the container for all the business information as well as the metadata, data models, and object repository. These databases must be protected against unauthorized accesses. At this level security services must grant access protection to SAP systems data. When security fails at this level it is typically because
As a result you see modifications at the database level that compromise systems integrity and consistency, uncontrolled access to confidential information below the application level, or systems unavailability. In one of my customer installations the operator (who additionally did not understand very good English) started a tablespace reorganization instead of adding a new data file to a tablespace. The system was stopped for some hours. It is the job of the Database administrators together with the OS system managers and the Basis administrators to take appropriate security measures at this level. Some of the measures are changing the passwords of privileged DB users, protecting SAPDBA with expert mode, restricting external remote access to read-only mode, auditing critical tables, setting correctly the S_TABU_DIS authorization object.
Operating System-Level Security
Security services must guarantee access protection to SAP files and directories as well as the operating system commands and programs. At this level security services are provided by the operating system features themselves. When security fails at this level it is typically because
As a result you see deletion of important system and application files, software malfunctions, or system unavailability. I have seen a system operator deleting critical system files like the database files by mistake that were fully unprotected. A restore and recovery was necessary in order to have the system up and running again. It is the job of the Operating System manager to implement security measures at the operating system and to monitor the main log files of the audit system. Measures include implementing a security password policy at user level, taking care not to create unnecessary users or services, monitoring SETUID programs, setting ACLs (Access Control Lists) in critical files and directories, and protecting external commands from being executed from SAP.
Networks are the de facto backbones of computing. There is no business or collaborative application that can work without one. SAP systems based on a client/server architecture are no exception. With release 3.1G SAP Basis (R/3), SAP systems included the SNC interface (Secure Network Connections), which can and in most cases should be complemented with third-party security products to further protect network communications. When security fails at this level it is typically because
As a result you see users or programs trying to log on to unauthorized systems like hackers, users logging on to the wrong servers, unbalanced system loads, or even sniffing. One example of security violations in the network environment is when end users log on directly to the database server when this has an administrative instance. Another one I have seen many times is when the rlogin service is completely unprotected and users have logged on through the network and stopped the wrong servers.
It is the Network administrators' responsibility to design and implement a security network topology that takes into consideration an automatic monitoring and intrusion detection system.
Transport System-Level Security
SAP has provided the TMS (Transport Management System) as an environment for coordinated customizing and team development that protects the modification of objects and settings across a SAP landscape. Unfortunately the TMS is a facet of the SAP enterprise that is often undersecured.
When security fails at this level it is typically because
As a result you see software failures, transport of copied programs without security checks, or problems when upgrading your system. It is the task of the Basis administrator together with users in charge of customizing and developers to properly set the system to basic security standards and to define a security policy that makes sure that there is some type of filtering and monitoring within the transport system.
Secure Network Communications (SNC)
SAP's standard Secure Network Communications provides protection for the communication links between the distributed components of a SAP system. SNC is built on the SAP WAS kernel based on standard GSS API V2 and allows you to increase the level of your SAP security via external security products (e.g., Single Sign-On, smartcard authentication, and encrypted communications). SNC can raise your system to high security standards because it can cover several layers such as the presentation (authentication and Single Sign-On) layer, the remote communications layer, the network layer, and even the Internet layer.
Remote Communications-Level Security
The natural openness of the SAP systems and the endless possibilities of communicating with and exchanging data between SAP and other systems require stringent security analysis from the point of view of external or remote communications mainly in the areas of the RFC and CPIC protocols, which are used in other interfacing techniques such as ALE or BAPIs.
When security fails at this level it is typically because
As a result you see unexpected connections or program executions from other systems, software failures, or access to confidential information. It is the job of Basis administrators together with Network administrators and developers to implement standard security measures to avoid leaving holes at the remote communication level. Some standard measures are as follows: do not create more RFC destinations than those necessary, include AUTHORITY-CHECK within the programs that can be remotely called, protect table RFCDES, use standard interface techniques, provide periodic monitoring of the gateway server, and ensure that the secinfo file exits.
Document Transfer-Level Security
SAP security services must guarantee the integrity, confidentiality, and authenticity of any type of business documents such as electronic files, mail messages, and others. At this level SAP provides Secure Store and Forward (SSF) mechanisms, which include digital signatures and digital envelopes based on public key technology. And these mechanisms can be deployed using external security services like digital certificates and digital envelopes. When security fails at this level it is typically because
As a result you see documents intercepted by unauthorized persons or access to confidential information. It is the job of the Basis administrators and expert security consultants with the help of the legal department to define and implement secure mechanisms like encryption methods for protecting the secure transfer of documents.
Introduction to SSF (Secure Store and Forward)
SAP's standard Secure Store and Forward provides the required support to protect SAP systems data and documents as independent data units. You can use the SSF functions to "wrap" SAP systems data in secure formats before the data are transmitted over insecure communications links. These secure formats are based on public and private keys using cryptographic algorithms. While SAP provides a Security Library (SAPSECULIB) as a software solution for digital signatures as well as standard support for SSF in certain application modules such as PDM or ArchiveLink, a high degree of protection is achieved only when private keys are secured using hardware devices such as smart cards.
Despite the fact that the communication infrastructure might be well protected, it is also necessary to protect the private keys that are used in digital signatures and envelopes because if this information is intercepted, the cryptographical strategy will be useless. This includes SAP components such as the application servers when these act as the senders of the messages and therefore hold the private keys. In addition to the risk that exists in case the private key falls into the wrong hands, it must also be considered that criminals can be interested in sabotaging the communications and could modify the public keys repository for the partners with whom the company system communicates.
Protecting Private Keys
There are two main ways for storing and protecting private keys:
If this method of protecting private keys is selected, companies should develop a communication campaign so that users are informed of the importance of not sharing or letting others use their smart cards.
From the point of view of the server and in order to improve performance, the recommendation is the use of a crypto box instead of a smart card.
Protecting Public Keys
If the security products use an address book for holding the public keys just in the case of the private keys, then the files must be protected from unauthorized access or modifications. An alternative is to use certificates that are issued by a trusted Certification Authority (CA) to grant the authenticity of those certificates. There are several countries that have regulated the use of cryptography and digital signatures. However, these rules or laws frequently generate a big amount of controversy and even change. Some countries already accept the digital signatures as a valid proof of obligation and therefore digital signatures can be used for secure business.
A critical component is what I call the "Internet level," which addresses the interactions that take place between a SAP system and browsers, Web servers, SAP Web Application Server, ITS, SAP EP, firewalls, and so on When security fails at this level it is typically because
As a result you see many types of attacks on Web servers that might make systems unavailable or compromise critical information. There are thousands of Internet security incidents and break-ins reported; some of them make the CNN headlines. There are dozens of books and hundreds of Web sites covering security, hacking, and protection software. It is the job of the Basis administrator, Network administrator, and Web administrator to set in place a system design for implementing the best security measures that protect against attacks to the SAP systems that are tightly connected to the Internet. A comprehensive security strategy limits access at each of these security layers to only authorized users and/or authorized external systems.
It also accounts for the overall system landscape: development systems, quality assurance system, productive system, and the transport system that operates between them as well as any connected complementary systems whether they belong to the SAP NetWeaver infrastructure architecture or not. You want to be sure that certain protective procedures are set in place to guard against insecure programs or Trojan horses that may travel from one system to another.
Logging and Auditing
Last but not least, a security infrastructure must include robust logging and auditing capabilities; the mechanisms you will need to monitor and enforce your security policies. Logging and monitoring address the efficiency of the security measures and the capacities of the system for detecting weaknesses, vulnerabilities, and any other security problem. There are logging and auditing facilities in the SAP security infrastructure at every level. These facilities are implemented mainly in the Security Audit Log, the Audit Info System (AIS), the security alerts within CCMS, and the Users and Authorization Info System (SUIM). These tools are complemented by other logging facilities such as those available at operating system level, database auditing statements, network and Internet monitoring and management, and others.
The difficulty for monitoring the whole SAP security infrastructure is that there is no single tool for doing that automatically although the evolution of the CCMS and the AIS tools make us think that it might happen. You can find extensive information and checklists for auditing security in the diverse SAP Security Guides at the SAP Service Marketplace.
SAP Trust Center Services
The focus of the SAP Trust Center Service is to provide global one-step authentication and digital signature technology for enabling collaborative business scenarios. The trust infrastructure relies on already existing business relationships between SAP and its customers. The SAP Trust Center provides more trust than any other existing trust center because these do not typically rely on existing business relationships. This service provides a smooth migration from password-based authentication to certificate-based authentication.
The Trust Center Service works with the customer's internal Portal to distribute digital certificates—called SAP Passports—to individual users. The SAP Passport is based on the X.509 certificate standard and enables data to be encrypted and transmitted safely over intranets and open Internet connections. SAP customers using the Trust Center Services can be sure that only authorized partners and employees are accessing information and conducting business in Marketplaces.
If SAP users wish to apply for a SAP Passport when they log on to their Portal, their UID and password is used. The Portal Server transfers the user as well as the company's identity to the Web browser of the user. The Web browser then automatically generates an asymmetric public/private key pair. After receiving and verifying the certificate request containing the user's and the company's identity and the public key from the Web browser, the Portal Server approves the certificate request with its digital signature. The Web browser then sends the approved certificate request to the SAP Trust Center Service. The SAP Trust Center Service verifies the certificate request against the agreed naming convention. Then the Trust Center Service Certification Authority (CA) creates a X.509 certificate and transfers the certificate back to the Web browser. The SAP Passport is now ready for use.
SAP BASIS Related Interview Questions
|SAP CRM Interview Questions||SAP HR Interview Questions|
|SAP ABAP Interview Questions||SAP HANA Interview Questions|
|SAP Crystal Reports Interview Questions||SAP SOLMAN Interview Questions|
|SAP Security Interview Questions||SAP BPC Interview Questions|
|SAP Netweaver Interview Questions||SAP UI5 Interview Questions|
|SAP Smart Forms Interview Questions|
Sap Basis Tutorial
Sap: From Sap R/3 To Sap Netweaver
The Architecture Of The Sap Web Application Server
Sap Netweaver: An Overview
Using Sap Systems
Upgrading To Sap R/3 Enterprise: The First Step Into Sap Netweaver
The Change And Transport System
Development Options With Sap Solutions: Abap Engine
User Management And Security In Sap Environments
Web Application Server System Management
Performance And Troubleshooting With Sap Solutions
Sap For It Managers: Implementation, Planning, Operation, And Support Of Sap Systems
All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd
Wisdomjobs.com is one of the best job search sites in India.