
© 2008 Wellesley Information Services. All rights reserved.

Aligning SAP NetWeaver Strategies and Settings with Your GRC Initiatives

Bhavesh Bhagat

Why Are We Here?

• In this overview presentation, you will hear the following key themes:
  – SAP and COBIT* framework control objectives and risks
  – COBIT best control practices and mapping
  – SAP NetWeaver® controls and examples in alignment

• And you’ll gain an understanding and appreciation of how, from a business perspective, SAP NetWeaver security features are to be utilized and approached to achieve sustainable GRC

* Control Objectives for Information and Related Technology – IT Governance Institute

Why Are We Here? (cont.)

• SAP GRC efforts are often focused on application security and process controls …

• Overall security architecture and general controls around SAP NetWeaver are often overlooked for documentation and testing

• The security infrastructure of SAP NetWeaver delivers comprehensive security technologies and control enablers to protect the heterogeneous environments of the SAP Business Suite

What We’ll Cover …

• SAP NetWeaver Platform and Control Framework (COBIT)
• User Administration and Authentication layer
• Technical System Landscape layer
• Network and Transport Layer Security layer
• Connectivity and Interoperability layer
• Wrap-up

SAP NetWeaver and IT Governance — Why?

• Enables mapping of SAP infrastructure goals to business goals and vice versa
• A view of what SAP NetWeaver does that is understandable to management
• Clear ownership and responsibilities based on process orientation

[Diagram: SAP NetWeaver Infrastructure provides SAP ERP App Logic to Business Processes for achieving Business Objectives]

• Shared understanding amongst all stakeholders, based on a common language
• Fulfillment of the COSO requirements for the IT control environment

SAP NetWeaver: Two Distinct Domains

• Platform (our focus here)
  – User Administration and Authentication
  – Technical System Landscape
  – Network and Transport Layer Security
  – Connectivity and Interoperability

• Components

SAP NetWeaver Platform and SAP Security Solution Map

• For more information on SAP Solution Maps, please follow this link: http://service.sap.com (requires login credentials to the SAP Service Marketplace)

[Figure: SAP Security Solution Map, with the SAP NetWeaver Platform marked as our focus]

SAP NetWeaver Platform GRC Overview

COBIT and Other IT GRC Frameworks

[Figure: scope of coverage of COBIT, ISO 9000, ISO 17799, ITIL, and COSO, plotted by “what” versus “how”]

• Organizations will consider and use a variety of IT models, standards, and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (“umbrella”).

COBIT: Value and Limitations for SAP NetWeaver

• COBIT:
  – Has internationally accepted good practices
  – Is management oriented
  – Maps 100 percent to COSO
  – Is a reference, not an “off-the-shelf” cure
  – Maps strongly to all major, related standards
  – Is maintained by a reputable not-for-profit organization

• Enterprises still need to analyze SAP requirements and customize controls based on COBIT and their:
  – Value drivers
  – Risk profile
  – IT infrastructure, organization, and project portfolio

[Figure: COBIT evolution – COBIT 1 (Audit, 1996), COBIT 2 (Control, 1998), COBIT 3 (Management, 2000), COBIT 4 (Governance, 2005)]

COBIT Framework

[Figure: the COBIT framework applied to SAP NetWeaver – business objectives and governance objectives drive the four process domains below, which act on SAP NetWeaver and IT resources (Applications, Information, Infrastructure, People) to deliver Information meeting the criteria Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, and Reliability]

Plan and Organize
  PO1 Define a strategic IT plan.
  PO2 Define the information architecture.
  PO3 Determine technological direction.
  PO4 Define the IT processes, organization and relationships.
  PO5 Manage the IT investment.
  PO6 Communicate management aims and direction.
  PO7 Manage IT human resources.
  PO8 Manage quality.
  PO9 Assess and manage IT risks.
  PO10 Manage projects.

Acquire and Implement
  AI1 Identify automated solutions.
  AI2 Acquire and maintain application software.
  AI3 Acquire and maintain technology infrastructure.
  AI4 Enable operation and use.
  AI5 Procure IT resources.
  AI6 Manage changes.
  AI7 Install and accredit solutions and changes.

Deliver and Support
  DS1 Define and manage service levels.
  DS2 Manage third-party services.
  DS3 Manage performance and capacity.
  DS4 Ensure continuous service.
  DS5 Ensure systems security.
  DS6 Identify and allocate costs.
  DS7 Educate and train users.
  DS8 Manage service desk and incidents.
  DS9 Manage the configuration.
  DS10 Manage problems.
  DS11 Manage data.
  DS12 Manage the physical environment.
  DS13 Manage operations.

Monitor and Evaluate
  ME1 Monitor and evaluate IT performance.
  ME2 Monitor and evaluate internal control.
  ME3 Ensure compliance with external requirements.
  ME4 Provide IT governance.


User Management

User Management: Overview

• COBIT control domains
  – Identification, Authentication, and Access
  – User Account Management
  – Management Review of User Accounts
  – Security of Online Access to Data
  – Segregation of Duties

User Management: Risks

• Potential user-related risks:
  – Potential unauthorized and possibly undetected user access
  – Ineffective authentication and access mechanisms
  – Inconsistency in user data in a multiple-system environment
  – Dilution of password control due to multiple logins across multiple systems
  – Inadequate administration of the lifecycle of user accounts
  – Users are unaware of the security rules with which they need to comply
  – Access to data not granted on a need-to-know basis
  – No appropriate segregation of duties based on job profiles
  – No appropriate segregation among production, test, and development environments

User Management: Risks/Segregation of Duties

• Risk
  – Likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected
  – A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data (also internal reporting) reliably, in accordance with generally accepted accounting principles
  – Conflict of Segregation of Duties (SOD) results in Significant Deficiency

User Management: Risks/Segregation of Duties (cont.)

Note that in this and following slides, a traffic light graphic will serve as an indicator of the level of risk from an Audit point of view.

User Management: Reference Control Practices

• Reference Control Practices
  – COBIT Reference DS 5.2
  – COBIT Reference DS 5.4
  – COBIT Reference DS 5.5
  – Access rights are reviewed periodically to confirm they are still as granted and that they correspond to the user’s and the organization’s requirements on a “need to know basis”
  – COBIT Reference DS 5.3
  – COBIT Reference DS 5.2-2, PO 4.10

User Management: SAP Controls

• Authorization to access SAP systems is controlled through roles and authorization rights, using the PFCG transaction

• Authentication through Password control, Logon Ticket, and X.509 Certificate

• Audit Information System (AIS) provides all relevant information for monitoring users, passwords, authorizations, authentications, and security user comparisons (report RSUSR008_009_NEW aids in researching SOD)

User Management: SAP Controls (cont.)

• Explicit features such as creation of a third-party or temporary user with expiry dates and Password Management

• Relevant data is captured and can be reviewed using transaction RSUSR200 with appropriate filters

• Maintaining critical combinations for SOD conflict

• Review reports to identify users who have authorization to critical combinations resulting in SOD conflict
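Worked example (added here, not part of the presentation): a small Python check in the spirit of a critical-authorization review such as RSUSR008_009_NEW, evaluating constructed user, role, and transaction data against an assumed set of critical combinations. The role names, user IDs, function definitions, and rule set are constructed for illustration and are not an SAP-delivered rule set.

```python
"""Critical-combination (SOD) review over constructed user/role data.

Added example, not material from the presentation: it mimics the review
an SAP critical-authorization report such as RSUSR008_009_NEW supports by
flagging users whose combined role assignments cover two conflicting
business functions, or hold a single critical transaction.
"""
from itertools import chain

# Constructed sample: transaction codes each single role grants.
ROLE_TCODES = {
    "Z_AP_VENDOR_MASTER": {"FK01", "FK02"},   # create / change vendor master
    "Z_AP_INVOICE":       {"FB60", "MIRO"},   # post vendor invoices
    "Z_AP_PAYMENT_RUN":   {"F110"},           # execute automatic payment run
    "Z_DISPLAY_ONLY":     {"FK03", "FB03"},   # display vendor / document
    "Z_BASIS_USERADMIN":  {"SU01", "PFCG"},   # user and role maintenance
}
# Constructed sample: role assignments as held in the user master records.
USER_ROLES = {
    "JDOE":    {"Z_AP_VENDOR_MASTER", "Z_AP_INVOICE"},
    "ASMITH":  {"Z_AP_INVOICE", "Z_DISPLAY_ONLY"},
    "FFADMIN": {"Z_AP_VENDOR_MASTER", "Z_AP_INVOICE", "Z_AP_PAYMENT_RUN"},
    "BASIS1":  {"Z_BASIS_USERADMIN", "Z_DISPLAY_ONLY"},
}
# A business function is the set of transactions able to perform it (assumed rule set).
FUNCTIONS = {
    "maintain_vendor":     {"FK01", "FK02"},
    "post_vendor_invoice": {"FB60", "MIRO"},
    "run_payments":        {"F110"},
}
# Critical combinations: one person holding both functions can complete a
# whole process alone (e.g. create a vendor, then pay an invoice to it).
CRITICAL_COMBINATIONS = [
    ("maintain_vendor", "post_vendor_invoice"),
    ("post_vendor_invoice", "run_payments"),
    ("maintain_vendor", "run_payments"),
]
# Critical single authorizations: listed separately, every holder needs a justification.
CRITICAL_TCODES = {"SU01", "PFCG"}


def effective_tcodes(user):
    """Union of transactions over all roles assigned to the user."""
    return set(chain.from_iterable(ROLE_TCODES[r] for r in USER_ROLES[user]))


def held_functions(user):
    """Business functions the user can perform with at least one transaction."""
    tcodes = effective_tcodes(user)
    return {name for name, codes in FUNCTIONS.items() if tcodes & codes}


def sod_conflicts(user):
    """Critical combinations fully covered by the user's authorizations."""
    held = held_functions(user)
    return [pair for pair in CRITICAL_COMBINATIONS if held.issuperset(pair)]


def critical_authorizations(user):
    """Critical transactions the user holds, sorted for stable reporting."""
    return sorted(effective_tcodes(user) & CRITICAL_TCODES)


def review():
    """Users needing follow-up: {user: (sod conflicts, critical tcodes)}."""
    findings = {}
    for user in sorted(USER_ROLES):
        conflicts, crit = sod_conflicts(user), critical_authorizations(user)
        if conflicts or crit:
            findings[user] = (conflicts, crit)
    return findings
```

In a real review the role-to-transaction and user-to-role data would be exported from the system rather than typed in, and the rule set would be the organization’s own.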

User Management: SAP Controls (cont.)

• Password controls in accordance with policy can be effectively implemented through SAP configuration settings
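Worked example (added here, not from the presentation): a Python check that reads SAP profile parameters from a constructed profile excerpt and compares the login/* password parameters against an assumed policy, showing the weak settings beside the remediated ones. The threshold values are assumptions standing in for an organization’s own policy, not SAP recommendations.

```python
"""Compare SAP logon profile parameters against a password policy.

Added example, not from the presentation: it parses the "parameter = value"
lines used in SAP instance/default profiles and checks the login/* password
parameters against a policy. Both profile excerpts are constructed and the
policy thresholds are assumptions standing in for an organization's own.
"""
# Constructed excerpt with weak settings, for the check to flag.
WEAK_PROFILE = """\
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 12
login/min_password_digits = 0
login/no_automatic_user_sapstar = 0
"""
# The same parameters after remediation.
HARDENED_PROFILE = """\
login/min_password_lng = 10
login/password_expiration_time = 90
login/fails_to_user_lock = 5
login/min_password_digits = 1
login/min_password_specials = 1
login/no_automatic_user_sapstar = 1
"""
# Policy: parameter -> (rule kind, bound). Thresholds are assumed values.
POLICY = {
    "login/min_password_lng":          ("min", 8),
    "login/password_expiration_time":  ("range", (1, 90)),   # 0 would mean no expiry
    "login/fails_to_user_lock":        ("range", (1, 5)),
    "login/min_password_digits":       ("min", 1),
    "login/min_password_specials":     ("min", 1),
    "login/no_automatic_user_sapstar": ("equals", 1),        # 1 disables automatic SAP*
}


def parse_profile(text):
    """Return {parameter: raw value}; '#' starts a comment, later lines win."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


def _satisfies(rule, value):
    kind, bound = rule
    if kind == "range":
        low, high = bound
        return low <= value <= high
    return value >= bound if kind == "min" else value == bound


def check_policy(profile_text):
    """List (parameter, observed, rule) findings; an empty list is compliant."""
    params = parse_profile(profile_text)
    findings = []
    for name, rule in POLICY.items():
        raw = params.get(name)
        if raw is None:   # unset: the kernel default applies, which policy cannot assume safe
            findings.append((name, None, rule))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, raw, rule))   # non-numeric value needs a manual look
            continue
        if not _satisfies(rule, value):
            findings.append((name, value, rule))
    return findings
```

Because instance profiles override DEFAULT.PFL, the values actually in effect should be read from the running system (transaction RZ11 or report RSPARAM) rather than from a file copy.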

User Management: SAP Controls (cont.)

• SAP Controls (SAP GRC Access Control Report and Monitoring recommended)
  – Risk Identification & Remediation: rapid, cost-efficient cleanup
  – Enterprise Role Management: enforce SOD at design time
  – Compliant User Provisioning: prevent SOD at run time
  – Super User Privilege Management: close critical audit issue with temporary emergency access
  – Periodic Access Review and Audit: focus on remaining challenges during future audits

User Management: SAP Controls (cont.)

• Report (RSUSR008_009_NEW) — Review Users with Critical Authorizations

User Management

Example:

[Diagram: a CUA ADMIN central system distributing user administration to R/3, BW, EBP, and APO systems]

1.2 User Management: Central User Access Administration (CUA)

Manage user security centrally and DISTRIBUTE across systems from one place

Central User Administration: Central Identification and Access Rights Management

• Risks – User Management risks MULTIPLIED across platforms

• Reference Control Practices (COBIT Reference DS 5.9-9)

• SAP Controls
  – Administration of SAP systems’ landscapes from a single central system using CUA and distribution from there to other SAP systems
  – Central assignment of user authorization rights in various applications
  – Identification of logical systems through configuration controls
  – Centralized locking or deletion of users

User Management Engine

1.3 UME: Portal Management

• Risk
  – If the Enterprise Portal is used as the leading system without proper distribution of roles to back-end systems, there will be an absence of control
  – Inconsistencies can occur in decentralized user maintenance over a heterogeneous system landscape

1.3 UME: User Management Engine

• Reference Control Practices (COBIT Reference DS 5.9)

• SAP Controls
  – Using SAP’s UME with an LDAP directory, we can minimize the need for separate user administration for SAP and non-SAP systems
  – User profile distribution to the SAP and non-SAP systems using the LDAP directory
  – The LDAP directory can be used as a primary store and distribution point for central user data

1.3 UME: User Management Engine (cont.)

• SAP Controls (cont.)
  – UME logging and tracing information is contained in a file that records important security events, such as successful and failed user logons and the creation or modification of users, groups, and roles. A complete list of logged events is maintained in the UME Visual Administrator.

Single Sign-On

1.4 SSO (Single Sign-On)

• Control Domain
  – Identification, Authentication, and Access

• Risks
  – If there are a number of systems where users have different user IDs and passwords, the possibility of users writing down these passwords and compromising access security cannot be ignored
  – Difficulty in administration due to different procedures for each system to roll out, reset, and change new/existing passwords can result in high administration cost, effort, and inconsistencies

1.4 SSO (Single Sign-On) (cont.)

• Reference Control Practices (COBIT Reference DS 5.2)

• SAP Controls
  – Creation of role and user master record using the PFCG transaction
  – Authentication through Password control, Logon Ticket, and X.509 Certificate
  – Authorization to access SAP systems controlled through roles and authorization rights, based on the user’s job profile
  – Audit Information System (AIS) provides all relevant information for monitoring users, passwords, authorizations, authentications, and security user comparisons (report RSUSR008_009_NEW aids in researching SOD)


Technical System Landscape

2. Technical System Landscape: Overview

• Control domains
  – Data Classification Scheme
  – Compliance with External Requirements
  – Install and Accredit Systems and Manage Changes
  – Manage Data

2. Technical System Landscape: Risks – Data Classification Scheme and External Compliance

• Risks
  – Lack of controls over information disclosure compromising legal, statutory, regulatory, and contractual requirements
  – Lack of Decision Support data integrity affects decision making
  – Increased costs of protecting un-classified data
  – External requirements are not adhered to by the organization; this could lead to litigation and penalties
  – Loss of confidence by stakeholders like shareholders, government and tax authorities, creditors, and bankers

2. Technical System Landscape: Risks – Install and Accredit Systems, Manage Changes and Data

• Risks
  – Unauthorized transactions NOT relied upon by Financial Auditors
  – Reduced integrity and reliability of system processes and system outputs
  – Non-reliance for any changes moved into production, in the absence of a documented change management system
  – Errors introduced into systems due to changes will not be prevented or detected
  – Accidental or intentional destruction of source documentation
  – Appropriate user Segregation of Duties and approvals will not be maintained
  – Sensitive information will not be protected
  – Inability to retrieve stored/archived data when needed
  – Consistency with back-up strategies and data recoverability will not be maintained

2. Technical System Landscape: Reference Control Practices

• Reference Control Practices
  – Data Classification – COBIT Reference PO 2.3
  – Compliance with External Regulation – COBIT Reference PO 8.1
  – Install and Accredit Systems and Manage Changes – COBIT Reference AI 5.10 and COBIT Reference AI 6.3
  – Manage Data – COBIT Reference DS 11.26 and DS 11.19

2. Technical System Landscape

• SAP Controls
  – Built-in Control Principles of the SAP Architecture like Inherent Controls, Configurable Controls, Security Controls, and Reporting Controls help meet the basic business process controls

[Figure: SAP Governance, Risk, and Compliance – Financial Compliance (Access Control, Process Control, Enterprise Risk Management), Trade Management (Global Trade Management (GTM)), Environment Regulations (EH&S, Emission Mgt (xEM))]

2. Technical System Landscape: Data Classification Scheme

• SAP Control – Configuration for Sensitive Fields for Dual Control

2. Technical System Landscape: Install and Accredit Systems and Manage Changes

• SAP Controls
  – System monitoring and control: the Computing Center Management System (CCMS) ensures reliability and integrity of systems and outputs. CCMS monitors:
    – The IT environment and its components as well as processes at OS level
    – Configuration of the network environment
    – Performance and log files
  – Change and Transport System (CTS)

2. Technical System Landscape: Manage Data

• SAP Controls
  – Secure Store and Forward (SSF), Secure Socket Layer (SSL), Secure Network Communication (SNC)
  – Data Archiving (DART – Data Archiving Retention Tool)
  – I-A-R-P-R (Initiate-Authorize-Record-Process-Report) Controls can be configured in SAP
  – Utilizes the Roles and Authorizations concept for Segregation of Duties (SOD)

2. Technical System Landscape: Manage Data (cont.)

• SAP Controls (cont.)
  – Document Management System can be used to electronically store physical documents and link to SAP documents

The integration of Document Management in many SAP System applications, and its functions for interfaces to external systems, means that you have many different ways of processing documents. Because of this deep integration, Document Management is one of the central functions within Logistics.

2. Technical System Landscape: Manage Data (cont.)

• SAP Controls (cont.)
  – Scheduling and planning of database backup can be done using tools such as SAPDBA, as well as transaction DB13
  – Table logging can be activated so that all changes made to tables can be reviewed
  – Workflow can be used for approvals/release
  – Using transaction SM36, background jobs can be scheduled to run at predetermined times
  – Provides interfacing technologies such as ALE (Application Link Enabling), EDI (Electronic Data Interchange), and XI (Exchange Infrastructure), which help in ensuring data integrity between systems


Network and Transport Layer Security

3. Network and Transport Layer Security – Overview

• SAP Control Objective
  – Network infrastructure is extremely important in protecting your system, as it needs to support the communications necessary for business needs without allowing unauthorized access
  – Transport layer security provides an end-to-end connection between communicating partners; the data transfer is not only protected against eavesdropping by using encryption, but the communication partners can be authenticated as well

• Control domains
  – Security Levels
  – Remote Operations

3. Network and Transport Layer Security: Reference Control Practices and Risks

• Security Levels – COBIT Reference PO 2.4
• Remote Operations – COBIT Reference DS 13.8
• Risks
  – Poor accountability for data integrity, availability, security
  – Security levels are not retained during technological, organizational, and environmental changes
  – Remote operations and external connections to remote sites are not clearly defined, not properly authorized by appropriate management, or not properly implemented
  – Poor safeguards towards external connection security and services
  – Lack of reliable support for remote sites or locations of the organization’s IT operations

3. Network and Transport Layer Security: SAP Controls – Security Levels

• SAP Controls
  – SAP Web Dispatcher filters HTTP- (unsecured Internet connection) and HTTPS- (secured Internet connection) based user requests and provides load balancing. SAP recommends using security zones (DMZ) to establish a secure network infrastructure to optimize security and enhance protection.

3. Network and Transport Layer Security: SAP Controls – Security Levels (cont.)

• SAP Controls (cont.)
  – SAP supports SSL (Secure Socket Layer) technology for authentication of communication, data integrity, and privacy
  – SAP supports IPSEC (Internet Protocol Security) to allow secure transmission over the Internet
  – Secure session handling can be ensured by enabling the Web server to issue cookies that are valid for a restricted time period, thus limiting damage even if a cookie is compromised in any way

3. Network and Transport Layer Security: SAP Controls – Remote Operations

• Example:
  – In case of Incident Management there could be a need for remote SAP Support using remote log-in software — in such cases, security could be enhanced by the use of encryption methods such as SNC and configuration of SAProuter

3. Network and Transport Layer Security: SAP Controls – Remote Operations (cont.)

• SAP Controls
  – SAProuter leveraging Secure Network Communication (SNC) allows you to strengthen your firewall host against unwanted external connections
  – SNC enables application-level, end-to-end security of all communication that takes place between two SNC-protected systems
  – The SAP Cryptographic Library is available to customers for enabling SNC connections between system components
  – Digital signature security mechanism
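Worked example (added here, not from the presentation): a Python evaluator for SAProuter’s route-permission table (saprouttab), contrasting a wide-open table with one restricted to the support partner’s host for the remote-support scenario above. The addresses and both tables are constructed; the evaluator handles only P/S/D entries with “*” wildcards and first-match evaluation, not the SNC-specific entry types.

```python
"""Evaluate SAProuter route-permission table (saprouttab) entries.

Added example, not from the presentation: a small evaluator for P (permit),
S (permit SAP protocol only) and D (deny) entries with first-match
semantics, to compare a permissive table with a tightened one for the
remote-support scenario. Hosts, ports and both tables are constructed;
only '*' wildcards are handled, and the SNC-specific K* entry types are not.
"""
from fnmatch import fnmatchcase

# Constructed: any client reaching the router may connect anywhere.
PERMISSIVE_TAB = """\
P * * *
"""

# Constructed: the support partner (assumed address 203.0.113.10) reaches the
# production dispatcher port only, SAP protocol only; internal admin hosts
# reach the gateway; everything else is denied explicitly.
TIGHTENED_TAB = """\
S 203.0.113.10  10.10.1.21  3200
P 10.10.5.*     10.10.1.21  3300
D *             *           *
"""


def parse_saprouttab(text):
    """Return [(action, source, destination, service)] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("P", "S", "D"):
            raise ValueError(f"unsupported saprouttab line: {raw!r}")
        entries.append(tuple(fields[:4]))     # an optional password field is ignored
    return entries


def route_decision(entries, source, dest, service, native=False):
    """'P' or 'S' if the connection is allowed, 'D' if it is refused.

    SAProuter takes the first entry whose three patterns all match; with no
    match it denies. An S entry refuses native (non-SAP) protocol traffic.
    """
    for action, src_pat, dst_pat, srv_pat in entries:
        if (fnmatchcase(source, src_pat) and fnmatchcase(dest, dst_pat)
                and fnmatchcase(str(service), srv_pat)):
            if action == "S" and native:
                return "D"
            return action
    return "D"


def wide_open_entries(entries):
    """Permit entries with wildcards in every field: the setting to remove."""
    return [e for e in entries
            if e[0] in ("P", "S") and e[1:] == ("*", "*", "*")]
```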


Connectivity and Interoperability


4. Connectivity and Interoperability – Overview

• SAP Control Objective
  – To enable internal or external IT systems (SAP or non-SAP) to communicate with each other securely

• Control Domains
  – Counterparty Trust
  – Definition of Interfaces

• Reference Control Practices
  – Counterparty Trust – COBIT Reference DS 5.13
  – Definition of Interfaces – COBIT Reference AI 2.8

4. Connectivity and Interoperability: Risks

• Risks
  – Authenticity of business partners cannot be determined for data interchange
  – Potential and costly amendments to interface designs to cover security and controls exposures
  – Inconsistency of data and loss of data integrity

4. Connectivity and Interoperability: SAP Controls – Counterparty Trust

• SAP Controls
  – Public Key Technology: many applications in SAP rely on the use of public-key technology to establish the trust infrastructure that is necessary for successful business relationships
  – Secure Store and Forward (SSF): SAP supports the use of an external security product using the SSF mechanisms. By using SSF, applications can support the use of digital signatures and document encryption in their processing.

4. Connectivity and Interoperability: SAP Controls – Counterparty Trust (cont.)

• SAP Controls (cont.)
  – Trust Manager: enables the PSE (Public Security Environment) and certificate maintenance functions, such as key pair generation, creating certificate requests to be signed by a Certification Authority (CA), and maintaining the list of trusted CAs that the server accepts
  – SAP is a CA (Certification Authority) and supports client certificates, which are based on the X.509 format — an Internet standard

4. Connectivity and Interoperability: SAP Controls – Definition of Interfaces

• SAP Control Example:
  – Different users accessing systems using various channels are secured through the use of technologies such as SSL, SNC, SAML, SSF, and other independent authentication mechanisms

4. Connectivity and Interoperability: SAP Controls – Definition of Interfaces (cont.)

• SAP Controls
  – SAP supports SAML (Security Assertions Markup Language), which is an industry standard ratified by OASIS (Organization for Advancement Structured Information Sciences)
  – WS-Security (Web Service) provides quality of protection through message integrity, message confidentiality, and single message authentication
  – Remote Function Call (RFC) interface — enables remote data calls between SAP Systems, or between an SAP System and a non-SAP system

4. Connectivity and Interoperability: SAP Controls – Definition of Interfaces (cont.)

• SAP Controls (cont.)
  – SAP Connectors allow the integration of different applications and technologies with SAP Systems via open standards (Java, Business, Marketplace, and .NET connectors)
  – Application Link Enabling (ALE) business processes are integrated processes across distributed systems and use specific SAP-defined formats to transfer data between the systems
  – Because ALE relies heavily on transactional RFC, all security issues that apply to RFC also apply automatically to ALE


COBIT

• COBIT is a copyright of Information Systems Audit and Control Foundation (ISACF), USA

• COBIT: Control Objective for Information and Related Technology

• The abbreviations for COBIT control domains indicated under the heading “Best Control Practices” are:
  – PO – Planning and Organization
  – AI – Acquisition and Implementation
  – DS – Delivery and Support
  – ME – Monitor and Evaluate

Resources

• Details about IT general controls related to enterprise systems
  www.ISACA.org
• COBIT information direct from source
  www.ITGI.org
• SAP NetWeaver Platform info
  www.sap.com/platform/netweaver/index.epx
• SAP SDN for technical SAP NetWeaver details
  www.sdn.sap.com/irj/sdn
• SAP NetWeaver Security Standard support
  www.sap.com/platform/netweaver/standardssupport/security.epx


7 Key Points to Take Home

• Unless your SAP NetWeaver Infrastructure is secure, everything else is at risk …

• Do not use SAP_ALL, and never ignore Change Control Board for SAP NetWeaver changes

• Do not ignore SAP NetWeaver SLAs and their overall impacts on business drivers

• Do not neglect security management processes and user provisioning workflow

• SAP NetWeaver Security Management and Architecture design is not a one-time event

• Do not ignore non-SAP “components” of the SAP NetWeaver platform

• Do map to industry standards and ensure multiple translations of your mappings


Thank You for Your Time and Attention — Your Turn!

How to contact me: Bhavesh Bhagat

[email protected]

www.EnCrisp.com