Excerpt from SIM200: SAP Security Services, Run SAP Methodology, SAP Security Standard. Frank Buchholz, Fritz Bauspiess, Active Global Support – Security Services, October 2009
Transcript
Page 1: SIM200_RunSAP

Excerpt from SIM200

SAP Security Services
Run SAP Methodology
SAP Security Standard

Frank Buchholz, Fritz Bauspiess
Active Global Support – Security Services
October 2009

Page 2: SIM200_RunSAP

© SAP AG 2009. All rights reserved. / Page 2

Disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and/or platform directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or by gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

Page 3: SIM200_RunSAP


Run SAP Methodology: SAP Security Standard

Security Standard
Introduce the reader to the activities that are important for the secure operation of SAP solutions. The focus on activities (instead of technologies) is meant to give a pragmatic answer to the question

“I am in charge of operations … what shall I do to manage security?”

The activities are grouped according to the main areas of the Security Solution Map, as follows:

Security Solution Map Area > Topic > Activity

Where possible, activities are assigned to typical security and administrative roles.

Methodology
Provide hands-on help for each activity introduced in the standard, for each Run SAP phase.

Page 4: SIM200_RunSAP


Run SAP Methodology: SAP Security Standard

Run SAP roadmap diagram: phases and the work streams in each phase.

Assessment & Scoping: Operational Requirements Analysis; Governance Model for Operations; Scope Definition; Technical Requirements and Architecture; Project Setup

Design Operations: End User Support Concept; SAP Technical Operations Concept; Change Management Concept; Technical Infrastructure Design; SAP Application Management Concept; Business Process Operations Concept

Setup Operations: End User Support Implementation; SAP Technical Operations Implementation; Change Management Implementation; Technical Infrastructure Implementation; SAP Application Management Implementation; Business Process Operations Implementation

Handover into Production: Knowledge Transfer and Certification; Final Testing; Transition into Production; Handover and Sign-Off

Operations & Optimization: End User Support; SAP Technical Operations; Change Management; Technical Infrastructure Management; SAP Application Management; Business Process Operations

Page 5: SIM200_RunSAP


Run SAP: Related E2E Solution Operation Standards

Roadmap diagram as on the previous slide (Assessment & Scoping with Operational Requirements Analysis, Governance Model for Operations, Scope Definition, Technical Requirements and Architecture, Project Setup; then Design Operations, Setup Operations, Handover into Production, Operations & Optimization), with the E2E Solution Operation Standards placed next to the work stream they belong to:

End User Support: Incident Management

SAP Technical Operations: System Administration; System Monitoring; Security

Change Management: Change Control Management; Test Management; Upgrade

SAP Application Management: Solution Documentation; Remote Supportability; Root Cause Analysis; SOA Readiness

Business Process Operations: Business Process & Interface Monitoring and Exception Handling; Data Volume Management; Job Scheduling Management; Transactional Consistency & Data Integrity

Technical Infrastructure Management

Page 6: SIM200_RunSAP


Run SAP Methodology: Roadmap for SAP Security Standard

https://service.sap.com/RunSAP

Page 7: SIM200_RunSAP


Run SAP Methodology: Roadmap for SAP Security Standard

The SAP Standard for Security is anchored in the SAP Technical Operations work stream of three roadmap phases:

2.6 SAP Technical Operations Concept
2.6.3 Security. Implementation Methodology: Security Design

3.6 SAP Technical Operations Implementation
3.6.3 Security. Implementation Methodology: Security Setup

5.6 SAP Technical Operations
5.6.3 Security. Implementation Methodology: Security Operations

Page 8: SIM200_RunSAP


RunSAP @ Solution Manager: Transaction RMMAIN

Available with Software Component ST-ICO, Release 150_700, Support Package 21

Page 9: SIM200_RunSAP


Run SAP Methodology: SAP Security Standard

The 10 secure operation tracks of the Secure Operations Map cover the following topics:

1. Audit: Ensure and verify the compliance of a company’s IT infrastructure and operation with internal and external guidelines

2. Outsourcing: Ensure secure operation in IT outsourcing scenarios

3. Emergency Concept: Prepare for and react to emergency situations

4. Secure Process and People Collaboration: Maintain security of process and people collaboration by means of the security capabilities of automated business processes or document exchanges

5. User and Authorization Management: Manage IT users, their authorizations and authentication

6. Administration Concept: Securely administer all aspects of solution operations

7. Network, System, Database and Workstation Security: Establish and maintain the security of all infrastructure and base components

8. Secure Application Lifecycle: Securely develop and maintain the code base of standard and custom business applications

9. Secure Configuration: Establish and maintain a secure configuration of standard and custom business applications

10. Secure Support: Resolve software incidents in a secure manner

Page 10: SIM200_RunSAP


RunSAP v3: Secure Operations Area

Compliance
Audit
- Identify relevant regulatory requirements
- Define logs and traces to be collected (consider data protection laws, put limits on the production environment, define clipping levels, etc.)
- Restrict access to log data and logging facilities
- Analyze logs with appropriate tools (Audit Information System, Security Audit Log, SUIM, SolMan, etc.)
- Review infrastructure settings and communication interfaces (firewall, dispatcher and reverse proxy, OS, RFC destinations, ALE, ICF, WS, etc.)
- Review users and authorizations (spot checks, GRC access control, etc.)
- Perform security assessments (penetration tests, vulnerability scanning)

Outsourcing
- Identify implications with respect to regulatory requirements and relevant standards (SAS70)
- Definition of roles and responsibilities (e.g. basis administration by the outsourcing partner, application administration by the company itself)

Emergency Concept
- Define incidents, impact, processes and responsibilities
- Manage/maintain emergency users for relevant systems
- Backup and recovery concept (which targets availability; details are explained in another standard)
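A spot check of the kind the Audit track ("Review users and authorizations") and the Emergency Concept track ("Manage/maintain emergency users") ask for, added here as an example; it is not code from the presentation or from SAP, and the same check fits the support user accounts discussed under Secure Support. It reads a constructed flat export whose field names are borrowed from USR02 (BNAME, USTYP, GLTGB, TRDAT) plus a PROFILES column; the combined layout, the naming convention for emergency users, the set of profiles treated as critical and the day thresholds are assumptions made for the example, to be replaced by what the Emergency Concept and the authorization concept actually define.

```python
"""Spot check of an SAP user export for the Audit and Emergency Concept
tracks (added example, not the presentation's own code).

Input is a constructed semicolon-separated export. Field names follow
USR02 (BNAME user, USTYP user type, GLTGB valid-to, TRDAT last logon);
PROFILES is a constructed column collecting the user's profiles.
"""
import csv
import io
from datetime import date

# Constructed sample export, not real data. Dates are YYYYMMDD as in SAP
# date fields; an empty GLTGB means the user never expires.
SAMPLE_EXPORT = """\
BNAME;USTYP;GLTGB;TRDAT;PROFILES
ALICE;A;;20091001;SAP_NEW,Z_FI_CLERK
FIREFIGHTER1;A;20091015;20091014;SAP_ALL,SAP_NEW
FIREFIGHTER2;A;;20090201;SAP_ALL
SUPPORT_OSS;A;20091231;20090301;S_A.SYSTEM
BATCHUSER;B;;;Z_BATCH
SAP*;A;;20091020;SAP_ALL
"""

# Policy assumptions for this example; take the real values from the
# Emergency Concept and the authorization concept.
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW", "S_A.SYSTEM"}
EMERGENCY_PREFIXES = ("FIREFIGHTER", "SUPPORT_")  # assumed naming convention
MAX_EMERGENCY_VALIDITY_DAYS = 30  # assumed maximum window for an emergency user
DORMANT_DAYS = 90                 # assumed threshold for "not used any more"


def parse_sap_date(field):
    """YYYYMMDD -> date, or None for an empty field."""
    if not field:
        return None
    return date(int(field[:4]), int(field[4:6]), int(field[6:8]))


def review_users(export_text, today):
    """Return {user: [finding codes]} for every user with at least one finding."""
    findings = {}

    def flag(user, code):
        findings.setdefault(user, []).append(code)

    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        user = row["BNAME"]
        profiles = {p for p in row["PROFILES"].split(",") if p}
        valid_to = parse_sap_date(row["GLTGB"])
        last_logon = parse_sap_date(row["TRDAT"])
        is_dialog = row["USTYP"] == "A"
        is_emergency = user.startswith(EMERGENCY_PREFIXES)
        still_valid = valid_to is None or valid_to >= today

        # Critical profiles belong on emergency users only, never on day-to-day accounts.
        if profiles & CRITICAL_PROFILES and not is_emergency:
            flag(user, "CRITICAL_PROFILE")

        # Emergency users need a short, explicit validity window; expired ones
        # should be cleaned up rather than left in the system.
        if is_emergency:
            if valid_to is None:
                flag(user, "NO_VALIDITY_END")
            elif valid_to < today:
                flag(user, "VALIDITY_EXPIRED")
            elif (valid_to - today).days > MAX_EMERGENCY_VALIDITY_DAYS:
                flag(user, "VALIDITY_TOO_LONG")

        # Dialog users that are still valid but have not logged on for a long time.
        if (is_dialog and still_valid and last_logon is not None
                and (today - last_logon).days > DORMANT_DAYS):
            flag(user, "DORMANT")

    return findings


def review_sample(today_yyyymmdd="20091020"):
    """Run the review over the constructed export for a given review date."""
    return review_users(SAMPLE_EXPORT, parse_sap_date(today_yyyymmdd))


if __name__ == "__main__":
    for user, codes in review_sample().items():
        print(f"{user:14} {', '.join(codes)}")
```

The review date is passed in rather than taken from the clock so that a reviewer can re-run the check for the date of an audit period; the output codes are meant to be fed into the role review rather than acted on automatically, since a firefighter account with SAP_ALL is expected, while the same profile on ALICE is not.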

Page 11: SIM200_RunSAP


RunSAP v3: Secure Operations Topics

Secure Collaboration
Secure Process and People Collaboration
- Maintain and operate Public Key Infrastructure, users and authorizations, message-level security and anti-virus software
- Monitor and review security settings
- Enforce security policies
- Monitor and review activity logs

Identity and Access Management
User and Authorization Management
- Define and implement processes for the proper creation, modification and removal of users and authorizations (led by HCM)
- Check replication and synchronization among user stores (LDAP, CUA, etc.)
- Manage certificates (maintenance of key stores, revocation lists, certification requests, etc.)

Administration Concept
- Define appropriate roles and authorizations for all administration topics (security administrator, IT administrator, data custodian, auditor, etc.)

Page 12: SIM200_RunSAP


RunSAP v3Secure Operations Topics

Infrastructure Security
Network, System, Database and Workstation Security
- Operating systems: Verify OS hardening, update and test systems, maintain and perform anti-virus checks, ensure integrity of critical system files and configurations, keep the user base up to date
- Databases: Restrict use of the database, proprietary database tools and database-specific functions; log and analyze database security events; avoid database usage that bypasses the SAP DB abstraction layer
- Network: Maintain an appropriate network topology and domain concept, limit network services and protocols, configure secure SAP network communication (RFC, SSO, SNC, SSL, …)
- Workstations: Manage secure software distribution and configuration, monitor usage of licenses and installations of unauthorized software, maintain secure communication channels

Page 13: SIM200_RunSAP


RunSAP v3: Secure Operations Topics

Software Lifecycle Security
Secure Application Lifecycle
- Patch and hotfix management for SAP and related server and client software
- Set up and maintain the transport management system for ABAP and Java (protect the transport directory)
- Introduce security into the software development process, provide guidelines, etc.
- Develop a test concept for in-house and 3rd-party development

Secure Configuration
- Maintain security configuration settings and changes
- Periodically review security-relevant configuration settings of all systems and installed software components. Configuration Validation, Security Optimization Self Service and Security Optimization (Remote) Service are available to support this.

Secure Support
- Define requirements for support connections and select accordingly (NetViewer, automated opening of remote connections, etc.)
- Manage support user accounts and authorizations (password policies, validity period, etc.)
- Allow reproduction of errors on development and test systems (TDMS)
- Develop guidelines for message handling (interaction between employee and support, etc.)
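For the Secure Configuration activity above ("periodically review security-relevant configuration settings"), here is an added example of what such a review looks like when scripted against a profile file; it is not code from the presentation and it is not SAP's Configuration Validation or Security Optimization service. It parses instance-profile style "name = value" lines and compares a handful of well-known parameters against a baseline. The two profiles are constructed, and the target values in the baseline are illustrative choices for this example, not an SAP recommendation; the actual targets must come from the security guides and notes for the release in use.

```python
"""Secure Configuration review: check SAP profile parameters against a
baseline (added example, not the presentation's own code and not SAP's
Configuration Validation).

Profile text follows the 'name = value' layout of SAP instance profiles,
with '#' comments. The baseline values are an illustrative hardening
baseline chosen for this example; take the real targets from the SAP
security guides for your release.
"""
import re

# Constructed weak instance profile (not a real system).
WEAK_PROFILE = """\
# instance profile, constructed sample
SAPSYSTEMNAME = DEV
INSTANCE_NAME = DVEBMGS00
login/min_password_lng = 8
login/password_expiration_time = 0
login/fails_to_user_lock = 12
rdisp/gui_auto_logout = 0
auth/rfc_authority_check = 0
snc/enable = 0
rsau/enable = 1
"""

# The same profile after correction (constructed).
HARDENED_PROFILE = """\
SAPSYSTEMNAME = DEV
INSTANCE_NAME = DVEBMGS00
login/min_password_lng = 8
login/password_expiration_time = 90
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
rdisp/gui_auto_logout = 1800
auth/rfc_authority_check = 1
snc/enable = 1
rsau/enable = 1
"""

# Baseline: parameter -> (check on the string value, requirement text).
# Target values are example choices for this script, not an SAP recommendation.
BASELINE = {
    "login/min_password_lng": (lambda v: int(v) >= 8, ">= 8"),
    "login/password_expiration_time": (lambda v: 1 <= int(v) <= 90, "1..90 days (0 = never expires)"),
    "login/fails_to_user_lock": (lambda v: 1 <= int(v) <= 5, "1..5 failed logons"),
    "login/no_automatic_user_sapstar": (lambda v: v == "1", "1 (no SAP* fallback logon)"),
    "rdisp/gui_auto_logout": (lambda v: 1 <= int(v) <= 3600, "1..3600 s (0 = no auto logout)"),
    "auth/rfc_authority_check": (lambda v: v in ("1", "2"), "1 or 2 (S_RFC is checked)"),
    "snc/enable": (lambda v: v == "1", "1 (SNC active)"),
    "rsau/enable": (lambda v: v == "1", "1 (Security Audit Log active)"),
}

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value} from profile text; comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def validate(params, baseline=BASELINE):
    """Return [(parameter, actual, required)] for every baseline deviation.

    A parameter missing from the profile is reported with actual=None: the
    kernel default then applies, and the review has to confirm that default
    rather than assume it is safe.
    """
    deviations = []
    for name, (check, required) in baseline.items():
        actual = params.get(name)
        try:
            passed = actual is not None and check(actual)
        except ValueError:  # non-numeric value where a number is expected
            passed = False
        if not passed:
            deviations.append((name, actual, required))
    return deviations


if __name__ == "__main__":
    for name, actual, required in validate(parse_profile(WEAK_PROFILE)):
        print(f"{name:34} actual={actual!r:8} required {required}")
    print("hardened profile deviations:", validate(parse_profile(HARDENED_PROFILE)))
```

Running it lists six deviations for the weak profile (the expiration, lockout, SAP* fallback, auto-logout, RFC authority check and SNC settings) and none for the hardened one. Profile files are only one of the places a parameter can be set (default profile, instance profile, dynamic changes via RZ11), so a real review reads the effective values of the running instance, which is what the Configuration Validation and Security Optimization services mentioned above do.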

Page 14: SIM200_RunSAP


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Copyright 2009 SAP AG. All Rights Reserved.