SAP Security And Authorizations - TechTarget


Mario Linkies, Frank Off: SAP Security and Authorizations

Contents

Foreword by Prof. Wolfgang Lassmann ... 15
Foreword by Dr. Sachar Paulus ... 17

1 Introduction ... 21
1.1 Background ... 21
1.2 Contents ... 23
1.3 How to Read This Book ... 23
1.4 Acknowledgements ... 24

Part 1 Basic Principles of Risk Management and IT Security

2 Risk and Control Management ... 27
2.1 Security Objectives ... 27
2.2 Company Assets ... 29
2.2.1 Types of Company Assets ... 31
2.2.2 Classification of Company Assets ... 32
2.3 Risks ... 33
2.3.1 Types of Risks ... 34
2.3.2 Classification of Risks ... 36
2.4 Controls ... 37
2.4.1 Types of Controls ... 37
2.4.2 Classification of Controls ... 38

3 Security Strategy ... 41
3.1 Status Quo ... 41
3.2 Components ... 43
3.2.1 General Framework ... 44
3.2.2 Strategy ... 44
3.2.3 Methods ... 45
3.2.4 Best Practices ... 46
3.2.5 Documentation ... 47
3.3 Best Practices of an SAP Security Strategy ... 47
3.3.1 Procedure ... 47
3.3.2 Principle of Information Ownership ... 56
3.3.3 Identity Management ... 61

4 Requirements
4.1 Legal Requirements ... 67
4.1.1 Sarbanes-Oxley Act ... 68
4.1.2 Basel II ... 76
4.1.3 GoBS ... 79
4.2 Internal Requirements ... 81
4.3 Summary ... 82

5 Security Standards
5.1 International Security Standards ... 83
5.1.1 International Security Standard ISO 17799 ... 83
5.1.2 International Security Standard CoBIT ... 87
5.1.3 COSO—Integrated Framework for Company Risk Management ... 90
5.2 Country-Specific Security Standards ... 94
5.2.1 American Standard NIST Special Publications 800–12 ... 94
5.2.2 German Security Standard IT Baseline Protection of the BSI ... 96

6 Basic Principles of Technical Security
6.1 Cryptography
6.1.1 Symmetric Encryption Procedure
6.1.2 Asymmetric Encryption Procedure
6.1.3 Hybrid Encryption Procedure
6.1.4 Hash Procedures
6.1.5 Digital Signature
6.2 Public Key Infrastructure ... 109
6.3 Authentication Procedures
6.3.1 User Name and Password
6.3.2 Challenge Response
6.3.3 Kerberos
6.3.4 Secure Token
6.3.5 Digital Certificate
6.3.6 Biometrics ... 113
6.4 Basic Principles of Networks ... 114
6.4.1 OSI Reference Model ... 114
6.4.2 Important Network Protocols ... 117
6.4.3 Overview of Firewall Technologies ... 118
6.4.4 Secure Sockets Layer Encryption ... 120

Part 2 Security in SAP NetWeaver and Application Security

7 SAP Applications and Technology ... 123
7.1 Global Security Positioning System ... 123
7.2 SAP Applications ... 123
7.3 SAP NetWeaver ... 125
7.4 Security Technologies ... 127
7.4.1 Authorizations, Risk and Change Management, and Auditing ... 127
7.4.2 Identity Management ... 128
7.4.3 Secure Authentication and Single Sign-On (SSO) ... 129
7.4.4 Technical Security ... 130
7.4.5 Influencing Factors ... 131

8 SAP Web Application Server ... 135
8.1 Introduction and Functions ... 135
8.1.1 Overview ... 135
8.1.2 Technical Architecture ... 136
8.2 Risks and Controls ... 137
8.3 Application Security ... 145
8.3.1 Technical Authorization Concept for Administrators ... 145
8.3.2 Authorization Concept for Java Applications ... 152
8.3.3 Restricting Authorizations for RFC Calls ... 157
8.4 Technical Security ... 161
8.4.1 Introducing a Single Sign-On Authentication Mechanism ... 161
8.4.2 Connecting the SAP Web AS to a Central LDAP Directory ... 163
8.4.3 Changing the Default Passwords for Default Users ... 165
8.4.4 Configuring Security on the SAP Gateway ... 165
8.4.5 Restricting Operating System Access ... 167
8.4.6 Configuring Important Security System Parameters ... 168
8.4.7 Configuring Encrypted Communication Connections (SSL and SNC) ... 170
8.4.8 Restricting Superfluous Internet Services ... 174
8.4.9 Secure Network Architecture for Using the SAP Web AS with the Internet ... 176
8.4.10 Introducing an Application-Level Gateway to Make Internet Applications Secure ... 176
8.4.11 Introducing Hardening Measures on the Operating System Level ... 177
8.4.12 Introducing a Quality Assurance Process for Software Development ... 177

9 SAP ERP Central Component ... 181
9.1 Introduction and Functions ... 181
9.2 Risks and Controls ... 181
9.3 Application Security ... 187
9.3.1 Authentication ... 187
9.3.2 Authorizations ... 188
9.3.3 Other Authorization Concepts ... 202
9.3.4 Best-Practice Solutions ... 213
9.4 Technical Security ... 221

10 mySAP ERP Human Capital Management ... 223
10.1 Introduction and Functions ... 223
10.2 Risks and Controls ... 223
10.3 Application Security ... 229
10.3.1 HCM Master Data Authorizations ... 231
10.3.2 HCM Applicant Authorizations ... 232
10.3.3 HCM Personnel Planning Authorizations ... 233
10.3.4 HCM Reporting Authorizations ... 233
10.3.5 Structural Authorizations ... 233
10.3.6 Authorizations for Personnel Development ... 234
10.3.7 Tolerated Authorizations ... 234
10.3.8 Authorizations for Inspection Procedures ... 234
10.3.9 Customized Authorization Checks ... 235
10.3.10 Indirect Role Assignment Through the Organizational Structure ... 235
10.3.11 Additional Transactions Relevant to Internal Controls ... 236
10.4 Technical Security ... 236

11 SAP Industry Solutions ... 237
11.1 Introduction and Functions ... 237
11.2 Risks and Controls ... 238
11.3 Application Security ... 240
11.3.1 SAP Max Secure ... 240
11.3.2 SAP Role Manager ... 241
11.4 Technical Security ... 244

12 SAP NetWeaver Business Intelligence ... 245
12.1 Introduction and Functions ... 245
12.2 Risks and Controls ... 247
12.3 Application Security ... 249
12.3.1 Authorizations ... 249
12.3.2 Other Concepts ... 254
12.4 Technical Security ... 258

13 SAP NetWeaver Master Data Management ... 261
13.1 Introduction and Functions ... 261
13.2 Risks and Controls ... 262
13.3 Application Security ... 266
13.3.1 Identity Management and Authorizations ... 267
13.3.2 R

File Size: 504 KB, Page Count: 60