Best Practices for Securing SAP BusinessObjects BI Deployment
Topics will include encryption, secure channel communication, firewalls, and authentication. With Greg Wcislo.
These slides were presented at SAP TechEd 2012. To learn more about upcoming conferences and technical training, please visit www.sapteched.com

    Best Practices for Securing SAP BusinessObjects BI Deployment – Presentation Transcript

    • AP300 – Best Practices for Securing SAP BusinessObjects BI Deployment
      Greg Wcislo, Senior Product Manager, BI Platform, October 2012
    • Disclaimer
      This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
      © 2012 SAP AG. All rights reserved.
    • About security…
      The world is a dangerous place. SAP and other big software vendors do get their share of attention from the security community.
    • Security is all about risk management
      Assume that NOTHING can be 100% guaranteed secure unless you destroy it.
    • But we can still make it difficult
      In this presentation we will go over how to lock down the BI system, following the general security concepts of confidentiality, integrity and availability.
    • High level view of a typical workflow
      (Diagram) Clients → Business Intelligence Suite: Web Application Server, Central Management Server (CMS), CMS Repository Database, Processing Servers, File Repository Server → Data: Relational DB, SAP BW, OLAP
    • Web application deployment – minimize attack surface
      You may see a few web applications in your default deployment; only keep what you need.
      – AdminTools – designed for running advanced direct queries against the BI repository
      – BOE – contains the CMC, OpenDocument and BI Portal functionality
      – dswsbobje – web services, used by the Crystal Reports for Enterprise designer, the Dashboard designer, and your custom applications
      – BusinessProcessBI – an SDK, not used for core functionality
      – clientapi – contains Crystal Reports ActiveX controls for custom application development
    • Run with minimum privileges
      The Server Intelligence Agent (SIA) service requires the following rights:
      – Act as Part of Operating System
      – Logon As a Service
      – Read/Write to HKEY_LOCAL_MACHINE\SOFTWARE\SAP BusinessObjects\Suite XI 4.0
      – Read/Write to the install directory
      Note: if you are using Active Directory, the SIA service account does NOT need to be a member of the local machine Administrators group. User guides used to refer to this need, which was incorrect and has been updated.
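One way to verify the least-privilege point of this slide on a Windows host is to export the local security policy and the local Administrators membership and compare them with what the SIA account should have. The script below is an added example, not SAP's code: it assumes its inputs are the text of a `secedit /export /cfg <file>` template (the `[Privilege Rights]` section; secedit writes the file as UTF-16) and the output of `net localgroup Administrators`. Principals in the export can appear as names or as `*`-prefixed SIDs; the check compares by name, so resolve the account's SID first if it shows up that way. The account name `CORP\svc_sia` and both input texts are constructed; the registry and install-directory ACLs from the slide are not checked here.

```python
"""Audit the SIA service account against the rights the slide lists:
'Act as part of the operating system', 'Log on as a service', and
no membership in the local Administrators group (AD deployments).

Added example, not SAP code. Inputs are assumed to be a secedit export
(INF text) and the output of `net localgroup Administrators`.
"""

# Right name in the secedit template -> label shown in the Local Security Policy UI
REQUIRED_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeServiceLogonRight": "Log on as a service",
}


def parse_privilege_rights(inf_text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section.
    Principals are account names or *-prefixed SIDs, as secedit writes them."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights


def parse_localgroup_members(net_output):
    """Return member names from `net localgroup <group>` output: the lines after
    the dashed separator, up to the 'The command completed' trailer."""
    members, in_members = [], False
    for line in net_output.splitlines():
        if line.startswith("---"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.append(line.strip())
    return members


def audit_sia_account(account, rights, admin_members):
    """Return a list of findings; an empty list means the account matches the slide."""
    acct = account.lower()
    findings = []
    for right, label in REQUIRED_RIGHTS.items():
        holders = {p.lower() for p in rights.get(right, set())}
        if acct not in holders:
            findings.append("missing user right: %s (%s)" % (label, right))
    if acct in {m.lower() for m in admin_members}:
        findings.append("member of local Administrators: not required with Active Directory (SeTcbPrivilege + service logon suffice)")
    return findings


# Constructed secedit export: the account has 'Log on as a service' but not
# 'Act as part of the operating system' (held only by BUILTIN\Administrators).
SAMPLE_SECEDIT_EXPORT = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeServiceLogonRight = *S-1-5-20,CORP\svc_sia
SeTcbPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed `net localgroup Administrators` output: the account was added to
# the local Administrators group, which the slide says is unnecessary.
SAMPLE_NET_LOCALGROUP = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\svc_sia
The command completed successfully.
"""


def demo(account=r"CORP\svc_sia"):
    """Run the audit over the constructed inputs and return the findings."""
    rights = parse_privilege_rights(SAMPLE_SECEDIT_EXPORT)
    admins = parse_localgroup_members(SAMPLE_NET_LOCALGROUP)
    return audit_sia_account(account, rights, admins)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

On a real host, read the export with `open(path, encoding="utf-16")` and capture the `net localgroup` output with `subprocess.run(..., capture_output=True, text=True)`; the two parsers above take that text unchanged.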
    • Web application deployment – secure the logon
      Secure the communication channel. Assuming users are logging on with passwords, to prevent man-in-the-middle attacks, configure your application server for SSL. Communication with the identity provider can be secured as well.
      (Diagram) Browser → Web Application Server → CMS → Identity Provider
      Logons to the CMS are always encrypted if using a 4.x client. To force encryption, use -fips on the SIA command line. This will prevent 3.x clients from connecting.
    • Traffic – to encrypt or not to encrypt?
      The answer is really a question of risk and performance. Securing the browser to application server communication is not all there is to it.
      – Communication between the CMS and the processing servers exchanges data; specifically, it could pass credentials to the database.
      – These credentials could be stored in the CMS repository (in the case of saved credentials). Use SSO where possible!
      – Finally, actual data from the database, or in the form of a saved report, will be transferred back to the end user.
      – Server communication can be encrypted with CORBA SSL. If encryption is turned on, all clients will need to be configured for SSL.
      (Diagram) Web Application Server → Firewall → CMS, CMS Repository, Processing Servers → Relational DB
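The two web-tier slides above (keep only the web applications you need; configure the application server for SSL) can be checked with a small audit script. What follows is an added example, not SAP's or Tomcat's code: it assumes a Tomcat layout in which deployed applications are directories under `webapps/` and connectors are `<Connector>` elements in `conf/server.xml`, and it treats a connector as TLS only when it carries `SSLEnabled="true"` and `scheme="https"`, the form used in the Tomcat SSL how-to linked at the end of the deck. The allow-list `NEEDED_WEBAPPS` and the sample `server.xml` in `demo()` are constructed; the sample keeps the default plaintext connector on port 8080 (the Tomcat default the deck mentions later) so the check has something to flag.

```python
"""Audit the BI web tier: superfluous web applications and plaintext HTTP connectors.

Added example, not SAP code. Assumes a Tomcat layout (webapps/ directories,
<Connector> elements in conf/server.xml).
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Web applications present in a default BI 4.0 deployment (names from the slide).
DEFAULT_WEBAPPS = {"AdminTools", "BOE", "dswsbobje", "BusinessProcessBI", "clientapi"}
# Constructed allow-list: a deployment that serves only BI launch pad and the CMC.
NEEDED_WEBAPPS = {"BOE"}


def superfluous_webapps(webapps_dir, needed=NEEDED_WEBAPPS):
    """Return deployed application directories that are not on the allow-list."""
    deployed = {
        d for d in os.listdir(webapps_dir)
        if os.path.isdir(os.path.join(webapps_dir, d))
    }
    return sorted(deployed - set(needed))


def audit_connectors(server_xml):
    """Return (tls_ports, plaintext_ports) for the HTTP connectors in server.xml."""
    tls, plain = [], []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # AJP is for a fronting web server; audit that server separately
        port = int(conn.get("port"))
        ssl_on = conn.get("SSLEnabled", "false").lower() == "true"
        if ssl_on and conn.get("scheme") == "https":
            tls.append(port)
        else:
            plain.append(port)
    return sorted(tls), sorted(plain)


# Constructed server.xml: the default plaintext connector on 8080 is still enabled
# next to a TLS connector on 8443 written the way the Tomcat SSL how-to shows.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def demo():
    """Build a constructed webapps/ directory holding the default applications and
    run both checks; returns (superfluous apps, tls ports, plaintext ports)."""
    webapps = tempfile.mkdtemp()
    for app in DEFAULT_WEBAPPS:
        os.mkdir(os.path.join(webapps, app))
    extra = superfluous_webapps(webapps)
    tls, plain = audit_connectors(SAMPLE_SERVER_XML)
    return extra, tls, plain


if __name__ == "__main__":
    extra, tls, plain = demo()
    print("remove or do not deploy:", ", ".join(extra))
    print("TLS connectors:", tls)
    print("plaintext connectors to disable or redirect to TLS:", plain)
```

A plaintext port in the result is the thing to act on: either remove the connector or keep it only as a redirect to the TLS connector, and front the whole thing with the reverse proxy and firewall the deck describes a few slides on.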
    • CMS repository database
      The CMS repository does not store any data contained in your reports. It stores only the metadata describing the report, including its layout, format, access restrictions etc. However, it can contain connection information to underlying databases.
      – Good news – sensitive stuff is always encrypted!
      (Diagram) CMS → CMS Repository
    • Secure your data
      The most valuable artifact is your data. You will transfer data from your data sources to the processing servers before presenting it to the end user. Consider the risk to data integrity and confidentiality, and encrypt the communication channel here if appropriate.
      – Remember, configuring CORBA SSL and securing your web traffic will not secure this communication exchange of retrieving data from the database.
      (Diagram) Processing Servers → Relational DB
    • Report content on the FRS
      Saved reports are physically stored on the File Repository Server. By default under …\SAP BusinessObjects Enterprise XI 4.0\FileStore
      – They may contain saved data, in the case of report instances. This content is NOT ENCRYPTED.
      Consider who you are protecting from. Are the BI administrators and the OS administrators the same person? Use file level security to secure the BI install folder, but especially the FileStore folder.
      – Make sure the account that the server is running under can still access this content.
      You can consider file level encryption.
      – Make sure the SIA process has rights to the data.
      Reports can also be saved without data, requiring a data connection and refresh each time. This may not always be practical for DB load and performance reasons.
    • Securing file content – temporary file locations
      In addition to the FRS, during the creation of reports, data may be stored temporarily. Lock these down!
      Tip: look at the "Placeholders" link to find the meaning of placeholder variables like %DefaultDataDir%. By default, %DefaultDataDir% = /SAP BusinessObjects Enterprise XI 4.0/Data/
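The FRS and temporary-file slides both come down to the same check: the FileStore and data directories must be readable only by the account the servers run under. The script below is an added example, not SAP's code, for POSIX hosts (it reads owner and mode bits with `os.lstat`, so it does not apply to Windows ACLs). It takes the store path and the service account's uid as parameters; the directory tree built in `demo()` is constructed to hold one correctly locked-down entry and two that are exposed to group or other users. The same function can be pointed at the `%DefaultDataDir%` location from the slide.

```python
"""Report FileStore entries that are not private to the BI service account.

Added example, not SAP code. POSIX only: relies on uid and mode bits.
"""
import os
import stat
import tempfile


def audit_filestore(root, service_uid):
    """Walk `root` and return (relative_path, problem) for every directory or file
    that is not owned by `service_uid` or is readable/writable by group or other.
    Each directory is visited once as `dirpath`, so nothing is reported twice."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for full in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid != service_uid:
                findings.append((rel, "not owned by service account (uid %d)" % st.st_uid))
            if mode & 0o077:
                findings.append((rel, "accessible to group/other (mode %o)" % mode))
    return findings


def demo():
    """Build a constructed FileStore tree and audit it against the current uid.

    Input/ is locked down; Output/ lets the group traverse it and the saved
    report instance inside it is world-readable, which is what the slide warns
    about (report instances carry saved, unencrypted data)."""
    store = os.path.join(tempfile.mkdtemp(), "FileStore")
    os.makedirs(os.path.join(store, "Input"))
    os.makedirs(os.path.join(store, "Output"))
    report = os.path.join(store, "Output", "sales_instance.rpt")
    with open(report, "w") as fh:
        fh.write("constructed report instance with saved data\n")
    # Set modes explicitly so the result does not depend on the process umask.
    os.chmod(store, 0o700)
    os.chmod(os.path.join(store, "Input"), 0o700)
    os.chmod(os.path.join(store, "Output"), 0o750)  # group may list it: flagged
    os.chmod(report, 0o644)                           # anyone may read it: flagged
    return audit_filestore(store, os.getuid())


if __name__ == "__main__":
    for path, problem in demo():
        print("%s: %s" % (path, problem))
```

When run against a real store, pass the uid of the SIA account (for example `pwd.getpwnam("boe").pw_uid`, name assumed) rather than the current user's; the slide's second point, that the service account must still be able to read what you lock down, is the owner check in the same loop.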
    • Reverse proxies, firewalls
      Standard IT protection mechanisms apply. There are many BI servers, and in the spirit of reducing the attack surface, it is highly advisable to hide those behind a firewall.
      (Diagram) Client → HTTPS → Reverse Proxy → Firewall → BI Web Application Server → BI Backend Servers → Database Zone
    • Insider threats
      Adding content to folders can be dangerous; restrict it to reports only. Content created or uploaded ends up on the FRS. Use real-time virus scanning on the FRS, and limit who has access to create content.
    • Built-in user accounts
      Every system has a built-in "Administrator" account. Rename it! Enable lockout of failed logon attempts.
      Speaking of defaults… CMS port (6400), Tomcat port (8080). But changing these is more "security by obscurity".
    • Monitoring/Auditing
      The sample auditing reports can give you insight into the usage of your system: http://scn.sap.com/docs/DOC-6175
    • Stay up to date with patches
      SAP announces a security patch day every 2nd Tuesday of every month (same as Microsoft). Keep an eye out for BI patches; security fixes are included as part of regular patches.
      We work hard with security researchers internally and externally to stay on top of the latest developments in security, assessing various new threats and attack vectors.
    • Further Information
      SAP Public Web: http://scn.sap.com/community/bi-platform/blog/2012/02/11/encryption-data-security-in-bi-40
      Watch SAP TechEd Online: www.sapteched.com/online
      Other external links: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
    • Feedback
      Please complete your session evaluation for AP300. Thanks for attending this SAP TechEd session.