Managing Security With SAP Solution Manager

SAP Solution Manager
Managing Security with SAP Solution Manager
May 2015

Table of Contents
Security in Three Phases: Build, Setup, Operate
The Role of ITSOM Tools for Security
Conclusion: The Center of a Secure System Landscape
Additional Information and References

© 2015 SAP SE or an SAP affiliate company. All rights reserved.

Running a secure system landscape requires more than just secure software. System setup and operation are key to protecting against and detecting attacks to prevent downtime. IT services and operations management (ITSOM) tools play an important role for security, collecting information about a system landscape, providing alert mechanisms, and helping distribute security patches. The SAP Solution Manager application management solution is the ITSOM product of choice for SAP software landscapes. This paper introduces the various aspects of building, setting up, and operating a secure system landscape and shows how SAP Solution Manager supports these tasks.

Running and maintaining secure landscapes requires a strategy. And with the increasing need to collaborate with customers, partners, and employees anytime and anywhere, you need a strategy that makes things simpler to use and manage. A strategy requires an overall plan and with it a central controlling element that executes the plan or at least keeps it up-to-date for everyone to refer to. If you fight many small battles against vulnerabilities in a new setup, you may win some, but you will lose in the long run. Think of the well-meant but uncoordinated actions taken by individual citizens during fires, threats to public security, or natural disasters: these may be useful on the spot, but they will never keep an entire infrastructure or social system safe over time or be able to rebuild it. A central headquarters is necessary to coordinate all the measures and activities and provide them as efficiently as possible, at the right time and in the right place.

This paper argues for such a headquarters for IT landscapes in the form of a central solution for IT services and operations management – particularly in SAP software landscapes, which are similar in complexity to the real-world social systems and infrastructures mentioned above.

With complex systems, security is always a concern, primarily in the areas of monitoring and alerting, the software lifecycle, and software logistics. In large part, security requires knowing what is going on and knowing the landscape and its processes, so you can identify issues and fix them quickly when they first arise – and automate these functions as much as possible.

In the following sections, we will examine the role of ITSOM tools, particularly SAP Solution Manager, in software security, along with the process of implementing, configuring, and operating secure solution landscapes.

Security in Three Phases: Build, Setup, Operate

There are numerous ways to approach and subdivide the extensive topic of software, system, and landscape security.[1] This paper will follow the high-level process: you need to first build secure software, then set up secure systems and system landscapes in which this software runs, and finally keep these landscapes secure during operations.

Within these three phases, we will focus on those areas in which ITSOM tools make a strong contribution to securing system landscapes – particularly the many areas supported by SAP Solution Manager.

Figure 1: Three Main Phases Helping to Ensure orted by SAP tools and services

[1] Another possibility is to structure the topic with security of data, channels and interactions, and identities on the first level, as shown in SAP CIO Guide: IT Security in Cloud and Mobile Environments.

BUILD SECURE SOFTWARE

Security for software systems obviously starts with what developers do. They are the ones responsible for delivering secure code. They also deliver security fixes and prepare interfaces for secure communications, monitoring, and alerting. Developers need to answer questions such as these: Is the code well protected against manipulations or injections? Are interfaces designed for secure use? Are there no credentials hard-coded anywhere? Have the proper interfaces for monitoring, methods for alerting, and so forth been implemented? SAP developers follow the secure software development lifecycle shown in Figure 2.

This paper focuses on ITSOM tasks to keep landscapes secure, but the section “Secure Code” will also briefly examine some tools to validate coding with respect to security.

SET UP SECURE SYSTEMS

Setting up secure systems, system interactions, and thus system landscapes is the first step in subsequently operating a secure environment. Many tasks that must be performed once during setup reoccur, periodically or continuously, in the operations phase to ensure security, managed by an ITSOM solution. Setup is a highly critical phase, as missing security tends to be invisible, especially in a yet-unused system landscape. If the configuration is not checked actively, the detection of security flaws usually happens during operations – often when some damage has already been done. Fixing security issues during ongoing operations is usually expensive and often heavily restricted by the risk of breaking business-critical processes in productive environments.

Figure 2: Secure Software Development Lifecycle from onseCompliant to ISO 27034-1.1

KEEP LANDSCAPES SECURE

In the operations phase, powerful ITSOM tools become mission critical. This holds true for many operations tasks, which play important roles in keeping the operated landscape secure. An initially secure configuration is important, but you also need to ensure that changes to this configuration are deployed in a structured and monitored way. And security fixes alone will not be very useful if you do not know where to apply them or what their possible impact might be. These, among many other things, are recurring tasks for ITSOM – the central management of information pointing to possible vulnerabilities and attacks, as well as the coordination and routing of the corresponding fixes and defensive measures.

From the security perspective, timing is a critical factor, because the elapsed time between when a new threat or vulnerability occurs and when it is fixed defines the likelihood of damage. The ease and speed of fixing security issues is therefore crucial, and the security of a system landscape rises with the speed at which fixes can be deployed to the entire landscape.

The speed at which threats and vulnerabilities can be fixed increases with a number of factors, some of which are:
- Homogeneity of the landscape
- Completeness and consistency of information about the landscape
- Consistency of the fixing method(s)
- Completeness and quality of information about changes to the landscape
- Continuity of security maintenance

On the business side of the equation, time is also a critical factor. Security breaches and subsequent service downtime often cost organizations millions in lost revenue. Preventive network and systems security management can avoid these losses and make the difference in whether a business is profitable or not.

These effects are boosted by today’s trend toward the cloud, combining cloud and on-premise landscapes, and providing more and more solutions for remote and mobile access. Many of the same mechanisms apply across these deployment scenarios, so we will not differentiate between them here.

SECURE OPERATIONS MAP FROM SAP

SAP provides a Secure Operations Map that covers the three phases mentioned above and serves as a reference (see the final section of this paper) to match the capabilities of ITSOM tools to the requirements for a secure system. Phase 1 – secure build – maps to “secure code” in Figure 3. Phases 2 and 3 – secure setup and secure operation – are named the same in Figure 3. Phase 3 also covers the contribution of ITSOM tools to infrastructure security. “Security compliance” in Figure 3 applies to all phases and is typically not the focus of ITSOM tools.

The following section will introduce SAP Solution Manager as a comprehensive ITSOM tool and map some of its features to tasks in this Secure Operations Map.

Figure 3: Secure Operations Map from SAP (areas: security compliance, secure operation, secure setup, secure code, infrastructure security)

The Role of ITSOM Tools for Security

We can define ITSOM tools covering the tasks of the three phases of security as follows: ITSOM tools are any products and services that help to monitor an IT landscape and all services therein and to detect any abnormal behavior. They also include any products that improve control over the IT infrastructure (asset management, change management, and configuration management), over processes (job scheduling and workflow management), and over service workflows (service and support desk, service-level management, and business service management).

SAP Solution Manager is SAP’s well-recognized offering for ITSOM. With respect to security, it is accompanied by a set of services offered in the SAP Service and Support portfolio, which are often based on or controlled by SAP Solution Manager. In the following discussion, the tasks of the secure operations map in Figure 3 are mapped to the capabilities of SAP Solution Manager.

THE ROLE OF SAP SOLUTION MANAGER

As shown in Figure 4, SAP Solution Manager plays a central role in managing the system landscape. In addition to many other tasks, SAP Solution Manager is involved in the installation, update, and management of all systems of a local system landscape. Operating under the guiding principle of a single source of truth, SAP Solution Manager stores information about the system landscape and software versions. It also connects to the SAP Service Marketplace extranet to retrieve patches, support packages, and security updates. Furthermore, SAP Solution Manager monitors the systems on various levels – such as the operating system level (such as for CPU load, memory consumption, or disk allocation), the platform level (such as for health of work processes on application servers), and the application level.

To fulfill these tasks, SAP Solution Manager uses so-called agents (shown as dark rectangles in the diagram) that provide management access to the machines and the applications running on them and forward event notifications. Using this mechanism, SAP Solution Manager can also send notifications on security-related exceptions that are detected in the system landscape and help to fix problems where they occur.

SECURE CODE

Software system security begins with secure code. At the very beginning, this means the code as it has been shipped by SAP and is installed on multiple machines in the system landscape during setup. During the course of continuous change and operations, the security of the installed code will need to be optimized and fixed. A strong knowledge of the landscape is required to manage software versions and keep them in sync.

Security Maintenance of SAP Code

The system recommendations functionality in SAP Solution Manager determines which SAP Notes from the SAP Notes tool are valid for systems in a landscape and is thus crucial to keeping systems secure. SAP Solution Manager uses the information about installed components and their release levels for all systems in the landscape and matches them with the available SAP Notes in the SAP Support Portal destination (which is part of SAP Service Marketplace, as shown in Figure 4). This matching is actually performed by an algorithm in the SAP support backbone, where SAP Solution Manager sends the information about configurations, release versions, and patch (SAP Note) levels for the systems it manages and receives recommended SAP Notes, including security notes, in return.

Because system recommendations can directly integrate with change request management through SAP Solution Manager, the change processes to implement the required SAP Notes can immediately be triggered and subsequently logged to keep system security up-to-date at all times – in full compliance with the ITIL standard (see the section “Security Compliance”).

Figure 4: Overview of Managed System Landscape for SAP Solution Manager (panels: local system landscape, SAP Solution Manager, SAP Service Marketplace, SAP support backbone)

Figure 3: Secure Operations Map from SAP
Security compliance: Security governance, Audit, Cloud security, Emergency concept
Secure operation: Users and authorizations, Authentication and single sign-on, Support security, Security review and monitoring
Secure setup: Secure configuration, Communication security, Data security
Secure code: Security maintenance of SAP code, Custom code security
Infrastructure security: Network security, Operating system and database security, Front-end security