WIXLIB

SAP SecurityHolistic focus to cover the 13 layers of SAP SecurityVictor Garcia RodriguezIBM Security – Associate Partner – CoC Lead for SAP Security & GRCMilano, June 18th 2019

Table of ContentsThe 13 layers of SAP Security by IBM SAP Security: The other side of the Compliance “coin”3 The 13 layers of SAP Security7 Continuous Control Monitoring in SAP Security17 The new wave of Access Management20 Changes in the SAP S/4HANA Authorization Model25 Questions & Answers30

1. SAP SecurityThe other side of the Compliance “coin”

1. SAP Security – The other side of the Compliance “coin”The SAP Security market is split into two big areas: Compliance and IT SecurityRegulatory ComplianceIT Security Audit centric Business centric Risks driven (COSO) Policies and Controls based (COBIT) Driven largely by regulatory requirements Driven by business requirements Sample based Scope is Holistic Scope limited by audit domain Evaluated on a quarterly or annual basisMainly is a Big4 / Audit firms world 4IBM Security Enterprise and extended community (E.g. 3rdparties, suppliers, partners, etc.) Evaluated on a near-real time basisMainly is an IT / Technical companies world

1. SAP Security – The other side of the Compliance “coin”What does it mean? What does people usually think SAP Security is?SAP AuthorizationsSegregation of DutiesSAP RolesSAP Identity ManagementSAP GRC Access ControlSingle Sign-OnSAP Security Parameters5IBM Security

1. SAP Security – The other side of the Compliance “coin”Scope of this session: Technical SAP Security1. GovernanceInternal Control, Internal Audit, Enterprise Risk and Regulation Affairs: Integration and Automation of the Three Lines of Defense2. Access ManagementSegregation of Duties, Identity and Role Management: User Access complying with Regulatory Requirements (E.g. SOX)3. Data PrivacyGDPR (and others): Data Retention and Data Deletion, Data Portability, Data Field Masking, Access Logging to Personal Data4. Business-IT MonitoringContinuous Control Monitoring (CCM): Configurable and Transactional controls // Fraud Scenarios // RPA // Predictive Risk Analytics5. AuthenticationUnified Access to SAP systems: Single Sign-On // Double Factor Authentication (Two-Factor) // Secured Communication6. Application SecurityCustom Source Code: Automated analysis to Identify potential Security Breaches // Optimize Performance using SAP best-practices7. Application ServerSAP Server configuration: Security Parameters of all Clients // Secured Services // Patching Level // OSS Notes8. Database SecuritySAP HANA: Secured access to SAP HANA Views and Schemas // Integration with data lakes // Ensure no open paths to access data9. Data EncryptionData Volume Encryption (HANA) // Usage of SAP Cryptographic Libraries // Secured Socket Layer // Public Key Infrastructure (PKI)10. Network andCommunications11. VulnerabilityAssessment6Securization of RFCs (Remote Function Calls) // Support from SAP // Management of Web connectionsPen TestingOS users (broad privileges) // SAP log analysis and integration with SIEM solution // Integration of antivirus into SAP12. Infrastructure SecurityConfiguration of physical / logical devices: Firewall and Gateways // OS and Applications Logs13. Physical Security andHostingStandard Controls Coverage (SOC reports) // Compliance Level of each Cloud platform // Ad-hoc Security audits // Physical hackingIBM Security

2. The 13 layers of SAP Security by IBMSAP Security requires an holistic focus, analyzing it "as a whole"

2. The 13 layers of SAP Security by IBMImpact of SAP Security on Business: Ponemon Research Report – Key Findings92%65% 4.5M47%59%92% indicated an SAPbreach would be serious,very serious or catastrophic65% said their SAP Systemwas breached at least oncein the past 24 monthsAverage cost to take SAPoffline was 4.5M perincident47% indicated they were“not confident” or had “noconfidence” that they coulddetect an SAP breach withina year59% believe Cloud, SAPHANA, SAP Fiori, IoT allincrease likelihood of anattack8IBM Security

2. The 13 layers of SAP Security by IBMIBM point of view of SAP Security1. GovernanceSAP GRCProcess ControlSAP IdentityManagement2. Access ManagementIBM IAM3. Data PrivacyIBM GDPR4. Business-IT MonitoringIBMCloud5. AuthenticationSAP Single Sign-On6. Application SecurityIBM DAS7. Application Server8. Database Security9. Data Encryption11. VulnerabilityAssessmentSAP GRCProcess ControlSAP HANADataVolumeEncryptionIBM Security3rd Party productControls, Policies & Procedures for IT / rtual ForgeCode Profiler for HANASAP HANA XS .security.Store APISAP RouterOnapsisSecurity PlatformSAP Authenticator (2-factor)SAP Web DispatcherSAP Data CustodianControls AutomationITGC, HANA, NetWeaverKerberos, SAML / X.509, SPNEGOKernel: Update& PatchingTransports: TMS, TP,RFCs and AuthorisationsSAP HANA Usersand PermissionsCommon Cryptographic LibraryAuthorisationModelVirtual Forge Code Profiler for ABAPPatching: Upgrades,SPs and OSS NotesSAP HANA ViewsAuthorisationsSLT ReplicatorETLs / APIConfiguration of SSL/TLSSAP NAC (Network Access Control)SAP ETD (Enterprise Threat Detection)OnapsisSecurity PlatformRole Profiling &RemediationSAP ILM (Information Lifecycle Management)SAP Code Inspector / Vulnerability AnalyzerSecuringClientsHDB UserStoreSub-competencySAP ETDEnterprise Threat DetectionFirewallSOC-1: ICFRGreenlightAVMUI Logging / MaskingSAP Solution ManagerSecuring RFCsIBM X-ForceRedERPMaestroSAP BIS BusinessIntegrated ScreeningSAP productSAP GRCRisk ManagementSAP SNC (Secure Network Communication)Configuration of SystemProfile & Parameters12. Infrastructure Security13. Physical Security andHostingSAP GRCAccess ControlSAP RAL (Access Log)10. Network andCommunications9Greenlight Regulation ManagementCyber Governance SolutionSecurity LayersGatewaysSAP / Application LevelSOC-2 / SOC-3: Security, Availability, Processing Integrity and ConfidentialityOS Usersroot, broad privilegesSNC ACLAccess Control ListsDB PatchingSystem PKI SFSSSSL IntegrationVSI SAPAntivirus IntegrationLogsOS and ApplicationsAd-hoc Security Audits

2. The 13 layers of SAP Security by IBMLayer 5 – Authentication: Single Sign-On (On-Premise and Cloud) and Two Factor Authentication 10Implementation of SAP Single Sign-On solutionsBased on On-Premise and Cloud solutions (using SAP Cloud Platform Identity Authentication Service, IAS)Out-of-the-box integration with all applications supporting SAML 2.0Different authentication options:̶Basic authentication: User ID / e-mail, and password̶Reuse of Windows Domain logon: Use of Kerberos token for Single Sign-On̶Two Factor Authentication: Second factor on mobile device̶Delegated Logon: Social IdPs (Google, Facebook) or Corporate IdPs (IBM w3 Id)IBM Security

2. The 13 layers of SAP Security by IBMLayer 6 – Application Security: Based on Code Inspector and Code Vulnerability Analyzer (CVA) 11Implementation of Code Scanning platforms based on the integration of SAP Code Inspector and SAP Code VulnerabilityAnalyzer (CVA) for the enablement of an ABAP Test Cockpit, that allows the execution of remote code analysis from a centralinstance to detect performance and security issues over custom source code.This approach can be implemented on-premise for the customer, or provided as a service, from a central IBM instance.The usage of a central instance only requires a NetWeaver 7.51 system, with RFCs with the target systemsIBM Security

2. The 13 layers of SAP Security by IBMLayer 7 – Application Server: How does it affect the new S/4 architecture to SAP Security?User InterfaceHTML 5WebDynpro(SAP Fiori / UI5)Fiori-LikeO-Data Services – RESTful APIsApplication ServerABAP 7.50SAP GatewayBOPFNetWeaverServer12IBM Security

2. The 13 layers of SAP Security by IBMLayer 8 – Data Base Security: SAP HANAAny AppsSAP Business SuiteAny App Serverand BW ABAP App ServerSQLMDXRJSONOpen ConnectivitySAP HANA PlatformApp Server UI Integration Services Web ServerProcessing EngineOLTP OLAP Search Text Analysis Predictive Events Spatial Rules Planning CalculatorsDatabase ServicesPredictive Analysis Libraries Data Models & Stored ProceduresApplication Libraries and Data ModelsData Virtualization Replication ETL/SLT Mobile Synch StreamingIntegration ServicesOn-Premise Hybrid Cloud Platform Enterprise CloudDeployment13IBM SecurityUnified AdministrationLife-cycle ManagementSecuritySupports any DeviceApplication DevelopmentProcess OrchestrationExtended Application Services

2. The 13 layers of SAP Security by IBMLayer 8 – Data Base Security: SAP HANA Companies are migrating their "crown jewels" to the SAP HANA platform. This includes: Enterprise-Critical and Financial data Executive data including plans for M&A, divestitures, executive hires, etc. Regulated data including personally identifiable information (PII) of customers, vendors, andemployees Data that resided in multiple systems now exists in only one repository Customers are leveraging SAP HANA’s data compatibility features and by integrating streamingdata, Hadoop, and data from many other sources Security layers removed Security now resides at the HANA layer, not the application layer The challenge from a security viewpoint is that users and applications now have direct accessto the database Database security represents the last line of defense for enterprise data Incorrect authorizations assigned to users and roles Elevated privileges could allow direct changes to tables, views, and stored procedures Unauthorized access more prevalent now than ever SAP HANA is a key focus area for targeted and insider attacks SAP HANA is now an “in scope” system from an internal and external audit standpoint14IBM Security

2. The 13 layers of SAP Security by IBMLayer 11 – Vulnerability Assessment: SAP Enterprise Threat Detection (ETD) – Security BreachesSAP ETDSAP LandscapeEnterprise Threat DetectionExtractorJSON / REST RequestSAPHANALogABAP Rules / PatternsLogSmart DataStreamingPush data to HANA Exposes a REST service to receive log data Normalize, Pseudonymize and Enrich Log DataPush their Log dataSchedule the Data TransferUsage of deltas to minimizeABAP systems have a log extractorSAP HANA Evaluate & Analyze Generate Alert Data Vulnerabilities (Security Notes)Critical authorization assignmentsUser manipulations/morphingCritical changes to usersBrute force attacksSuspicious logonsUnusual communication & downloadsSecurity configuration changesCross-landscape communicationAccess to critical resourcesData manipulationDebugging in productive systemsDenial of ServiceAuthentication token attackUser InterfaceNon-SAPLog 15IBM Security Dashboard: Alert & KPIsBrowsing & AnalysisPattern Creation & ConfigurationScheduling & Monitoring

2. The 13 layers of SAP Security by IBMLayer 11 – Vulnerability Assessment: SAP Enterprise Threat Detection (ETD) – Security BreachesForensic Lab Apply filters to the normalized Log datastored in the SAP HANA database. The set of filters user in the investigation isknown as “path” The system allows visualize (in many ways)the filtered data to look for standout values Applying predefined heuristic rules(modifiable), can generate attack detectionpatterns from paths Based on defined thresholds, the system willshow the alerts If the alert shows consistency to be true,then data can be un-pseudonymized toresolve user identity16IBM Security

3. CCM in Technical SAP SecurityCCM principle can also be applied to SAP Security

3. CCM in Technical SAP SecurityThis concept can also be applied to the Technical SAP SecuritySAP Process ControlSAP BISCCMAdvanced CCMSAP Enterprise ThreatDetection1 single automatic control“n” automatic controls combinedAdvanced CCMSAP HANADB and Sidecar that replicates SAP tablesSecurity Dashboard(SAP Analytics Cloud / SAP Digital Boardroom)SAPCustomerHANA powered18IBM Security