SAP Security Assessment V3 English
SAP Security Assessment framework

Comments
  • I liked this material and it is very useful. You can also find more detailed SAP tutorial material at http://saptrainingtutorial.com
  • I cannot display the slide. I should try again at home. Anyhow, search for more SAP tutorials at www.sap-exp.com
  • Introduction and welcome.

Presentation Transcript

  • SAP Security Assessment: SAP R/3 Security Assessment. The first step towards the secure management of your ERP.
  • Why Openware - Insside
      • Through the “SAP Security Assessment” practice we offer a solution that raises management awareness and makes the existing security problems in R/3 environments visible.
      • The suggested approach combines processes, policies, practices and technology, so that the diagnosis and securing of your ERP can be approached from several angles at once.
      • In addition, we propose a holistic, incremental and evolutionary perspective that lets its different components and maturity stages scale, so as to assure a successful adoption.
      • We have a solid and extensive track record:
    • +14 years of experience
    • Projects in Latin America and Europe
    • Qualified and committed professionals
    • International acknowledgments:
        • Endeavor Foundation
        • Avina Foundation
        • Junior Achievement
        • Junior Chamber International
    • Within the TOP 50 Argentinian companies in terms of CSR
    • Within the TOP 10 Argentinian information security companies
  • Track record
    • Assessment and review of the SAP R/3 platform: Terra Networks Argentina; T-Gestiona Grupo Telefónica Argentina
    • Assessment and review of SAP profiles: T-Gestiona Grupo Telefónica España
    • AES Chile: Sarbanes-Oxley implementation
    • Remote access and SAP security: Monsanto; Famiq
    • Penetration tests: DELSUR (El Salvador); Liberty Compañía de Seguros Argentina; Municipalidad de Rosario; Telefónica Móviles Argentina
    • Audit and information security implementation: Emergia (Grupo Telefónica); Sesa Select (Vedior Group); Telefónica Empresa (Grupo Telefónica)
    • Security review of the Terra Networks portal (Grupo Telefónica)
    • Security audit of Adquira España
    • Telefónica Comunicaciones Personales (Grupo Telefónica); Banco Municipal de Rosario (Argentina); CEICOM España; DPS Best Select Chile; Terminal 6; Minera Lumbrera; Banco Meridiam; Policía Federal Argentina
    • Vulnerability assessments: Nuevo Banco Bisel; Toyota; Globant; Microglobal; NCA; Globalstar – TESACOM; Neuralsoft
  • Why secure SAP?
    • ERP platforms are generally designed for an international market and then have to be customized; as delivered, some functions and parameters are not consistent with the organization's requirements or with particular regulations.
    • Key users take part only partially in the implementation of a new ERP system, so some parameter settings are skipped because ordinary users or consultants are unaware of them.
    • Figures that show the complexity:
      • +28,000 tables and views
      • 240,000 function modules and programs
      • 1,000 security administration parameters
      • +15,000 vulnerabilities in the operating environments
  • What is the importance of security in the ERP world?
  • Risk areas: Causes
    • A single system manages all the business information.
    • In 90% of the reviews carried out, there were profile incompatibilities (segregation-of-duties conflicts) that could allow fraud against the Company.
    • The possibility of “authorized fraud”, that is, fraud committed with legitimately assigned permissions.
    • Access to clients through critical transactions that can make the service unavailable.
    • Financial data in clients not flagged as “productive” in the ERP system can be deleted.
    • Audit trails can be activated or deactivated account by account.
    • Wrongly assigned profiles may enable fraud.
    • Problems in the architecture design of the environment and infrastructure.
  • Risk areas: Consequences
      • Access to confidential information.
      • Access to productive databases.
      • Connection of equipment that does not comply with security policies.
      • Operating errors that cause service unavailability, due to excessive permissions of administrator users.
      • Security events not detected in a timely manner.
      • No preventive or mitigating action, because there is no event correlation mechanism.
      • Over-assignment of profiles, which increases the probability of fraud.
      • No strategy for managing users and passwords at the application, operating system and database level.
      • Inconsistency between the transaction codes assigned to users and the activity values granted in the corresponding authorization objects.
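The two consequences above about undetected events and missing correlation are concrete in SAP: the Security Audit Log (configured in SM19, displayed in SM20) records failed and successful logons, changes to the audit configuration and changes to authorizations, but nothing correlates those records unless something reads the log. The following is an added example written for this page, not a tool from the original presentation or from Openware / Insside. It parses constructed SM20-style records (the column layout, the thresholds and the watched-user list are assumptions; the event IDs AU1, AU2, AUB and AUE are SAP's) and raises alerts for password guessing followed by a successful logon, interactive use of a standard user, a change to the audit configuration, and a user changing his own authorizations.

```python
"""Correlation rules over SAP Security Audit Log records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds and watch list; align them with the client's policy.
FAIL_THRESHOLD = 5                    # this many AU2 events within FAIL_WINDOW ...
FAIL_WINDOW = timedelta(seconds=60)   # ... followed by an AU1 is suspicious
STANDARD_USERS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH"}

# Constructed SM20-style export: date;time;client;user;terminal;event ID;message
SAMPLE_SM20 = """\
20080312;08:00:01;100;JDOE;WS-0141;AU2;Logon failed
20080312;08:00:03;100;JDOE;WS-0141;AU2;Logon failed
20080312;08:00:05;100;JDOE;WS-0141;AU2;Logon failed
20080312;08:00:07;100;JDOE;WS-0141;AU2;Logon failed
20080312;08:00:09;100;JDOE;WS-0141;AU2;Logon failed
20080312;08:00:12;100;JDOE;WS-0141;AU1;Logon successful
20080312;09:15:00;100;SAP*;WS-0300;AU1;Logon successful
20080312;09:16:30;100;BASIS1;WS-0300;AUE;Audit configuration changed
20080312;09:17:00;100;BASIS1;WS-0300;AUB;Authorizations for user BASIS1 changed
20080312;10:00:00;100;MSMITH;WS-0212;AU2;Logon failed
20080312;11:00:00;100;MSMITH;WS-0212;AU1;Logon successful
"""


def parse_sm20(text):
    """Turn the semicolon-separated export into event dicts with a datetime."""
    events = []
    for line in text.strip().splitlines():
        date, time, client, user, terminal, event, message = line.split(";", 6)
        events.append({
            "ts": datetime.strptime(date + time, "%Y%m%d%H:%M:%S"),
            "client": client, "user": user, "terminal": terminal,
            "event": event, "message": message,
        })
    return events


def detect(events):
    """Return (timestamp, rule, (client, user)) for every rule that fires."""
    alerts = []
    recent_fails = defaultdict(deque)   # (client, user) -> timestamps of AU2 events
    for e in events:
        key = (e["client"], e["user"])
        fails = recent_fails[key]
        # Drop failures that have fallen out of the sliding window.
        while fails and e["ts"] - fails[0] > FAIL_WINDOW:
            fails.popleft()
        if e["event"] == "AU2":
            fails.append(e["ts"])
        elif e["event"] == "AU1":
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append((e["ts"], "password guessing followed by successful logon", key))
            fails.clear()
            if e["user"] in STANDARD_USERS:
                alerts.append((e["ts"], "interactive logon with SAP standard user", key))
        elif e["event"] == "AUE":
            alerts.append((e["ts"], "Security Audit Log configuration changed", key))
        elif e["event"] == "AUB" and e["user"] in e["message"]:
            alerts.append((e["ts"], "user changed own authorizations", key))
    return alerts


if __name__ == "__main__":
    for ts, rule, (client, user) in detect(parse_sm20(SAMPLE_SM20)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  client {client}  {user:<10} {rule}")
```

On the sample, JDOE's five failures within eleven seconds followed by a success, the SAP* logon, the AUE record and BASIS1's change to his own authorizations each produce one alert; MSMITH's single failure an hour before his logon does not. The window is evaluated per client and user, because the same user name exists independently in every client.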
  • What do we propose?
    • Carry out a comprehensive diagnosis of SAP R/3 security (SSA) that shows the risk to which the organization is exposed, with regard to:
      • Possibility of fraud
      • Application availability and business continuity
      • Confidentiality of business information
      • Integrity of the information in the application, the operating environments and the interface systems
      • Degree of incompatible functions (segregation-of-duties conflicts) assigned to users
  • SSA - Security model
    • We take into consideration three basic principles:
    • Base the security strategy jointly on business risks and technical risks.
    • Attain an effective security environment that involves and combines strategy and policies, implementation and administration, event monitoring and technological architecture.
    • Apply end-to-end risk management processes to the components, the business processes and the supporting information technology.
  • SSA process
    • Phase 1 - SSA (assessment)
      • 0. Analysis of the current context: organization, technology, security, processes, people
      • 1. Vulnerability & risk analysis: vulnerability analysis, risk analysis, recommendations
      • Awareness
    • Phase 2 - Security deployment
      • 2. Development of the normative framework: analyze user profiles, define functions, segregate functions, standardize processes, define accesses, normative framework
      • 3. Security hardening & management: security hardening, identity management, event management, patch management, other
      • 4. Monitoring for compliance: validation of the objectives already set, compliance
    • Reference frameworks: SOX, ISO 17799/27001, COBIT
    • Critical success factors: organizational capacity, technical complexity, business benefits
  • SSA: Regular participants
    • Client:
      • Sponsor user
      • Project coordinator
      • SAP and network administrators
      • Representatives of the user departments / HR
    • Openware:
      • Senior strategist
      • Architect
      • Security consultant (CISA)
  • SSA - In-depth analysis of the current context
    • Define the scope of the project
    • Contextual assessment:
      • User control.
      • Authorization system.
      • Profile incompatibility / possibility of fraud.
      • Network infrastructure.
      • Operating system security.
      • Protection of database access.
      • Control of the transport system.
      • External communications security.
      • Security mechanisms in document exchanges.
      • Internet security.
      • Upgrades to higher releases.
    • Methodology and tools
      • As a whole, the suggested methodology follows the standard control objectives of COBIT / COSO / ISO.
      • Use of tools that belong to the application itself, for instance AIS (Audit Information System), which is part of the SAP R/3 system, and of tools developed by INSSIDE and Openware.
  • SSA - Deliverables
    • Report on the detected vulnerabilities, the main risks those weaknesses generate, and recommendations to resolve them:
        • User control
          • Authentication in SAP.
          • Password policies.
          • Passwords of the SAP standard users.
          • External authentication methods.
          • Monitoring through the Security Audit Log.
          • Control of changes to user master records.
          • License administration.
        • Authorization system
          • BASIS administration (client structure).
          • Management of powerful profiles.
          • Access to critical transactions and authorization objects.
          • Application of SAP Notes.
          • Strategy for applying Hot Packages (Support Packages).
          • Performance and response times.
        • Transport system
          • Work environments (system landscape).
          • Transport of programs between environments.
          • TMS (Transport Management System).
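The “profile incompatibility” findings and the “access to critical transactions and authorization objects” item above come down to resolving, for each user, which transaction codes his roles actually grant through the S_TCODE authorization object, whose values may be a single code, a pattern with the SAP wildcards “*” and “+”, or a FROM-TO range, and then matching the result against a conflict matrix. The block below is an added example written for this page, not the presentation's or the vendor's code. The role and user data are constructed in the shape of the AGR_1251 (authorization values per role) and AGR_USERS (role assignments) tables; the conflict matrix and the critical-transaction list are assumptions to be replaced by the client's own ruleset.

```python
"""Segregation-of-duties and critical-transaction check over SAP role data (added example)."""
import fnmatch
from collections import defaultdict

# Constructed sample: role -> S_TCODE values as (LOW, HIGH), like AGR_1251.
# HIGH empty means a single value or a wildcard pattern; HIGH set means a range.
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT":  [("FK01", ""), ("FK02", "")],
    "Z_AP_PAYMENTS":      [("F-53", ""), ("F110", "")],
    "Z_MM_PURCHASING":    [("ME2*", "")],               # ME21N, ME22N, ME23N, ...
    "Z_MM_GOODS_RECEIPT": [("MIGO", "")],
    "Z_BASIS_ADMIN":      [("S*", ""), ("PFCG", "")],   # whole S namespace plus PFCG
    "Z_FI_DISPLAY":       [("FB03", ""), ("FK03", "")],
    "Z_FI_RANGE":         [("F-01", "F-99")],           # FROM-TO range, covers F-53
}

# Constructed sample: user -> assigned roles, like AGR_USERS.
USER_ROLES = {
    "JDOE":   ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"],
    "MSMITH": ["Z_MM_PURCHASING", "Z_FI_DISPLAY"],
    "BASIS1": ["Z_BASIS_ADMIN"],
    "AUDIT1": ["Z_FI_DISPLAY"],
    "FIUSER": ["Z_FI_RANGE", "Z_AP_VENDOR_MAINT"],
}

# Assumed conflict matrix: two sets of transactions one person must not hold together.
SOD_RULES = {
    "vendor master vs vendor payment": ({"FK01", "FK02"}, {"F-53", "F110"}),
    "purchase order vs goods receipt": ({"ME21N", "ME22N"}, {"MIGO"}),
    "user admin vs role admin":        ({"SU01"}, {"PFCG"}),
}

# Assumed list of transactions whose misuse hits availability or integrity.
CRITICAL_TCODES = {
    "SCC5": "client deletion", "SCC4": "client settings", "SE16": "table display",
    "SE38": "ABAP editor", "SM49": "OS command execution", "SM59": "RFC destinations",
    "SU01": "user administration", "PFCG": "role maintenance",
}


def tcode_matches(low, high, tcode):
    """Does one S_TCODE value (single, wildcard or FROM-TO range) cover tcode?"""
    if high:
        return low <= tcode <= high          # ranges are compared as strings
    # SAP wildcards: '*' any sequence, '+' exactly one character (fnmatch's '?').
    return fnmatch.fnmatchcase(tcode, low.replace("+", "?"))


def granted_tcodes(user, candidates, user_roles, role_tcodes):
    """Which of the candidate transactions can this user start through any role?"""
    granted = set()
    for role in user_roles.get(user, []):
        for low, high in role_tcodes.get(role, []):
            granted.update(t for t in candidates if tcode_matches(low, high, t))
    return granted


def sod_conflicts(user_roles, role_tcodes, rules=SOD_RULES):
    """Map user -> names of the conflict rules he violates."""
    candidates = set().union(*(a | b for a, b in rules.values()))
    findings = defaultdict(list)
    for user in user_roles:
        have = granted_tcodes(user, candidates, user_roles, role_tcodes)
        for name, (side_a, side_b) in rules.items():
            if have & side_a and have & side_b:
                findings[user].append(name)
    return dict(findings)


def critical_access(user_roles, role_tcodes, critical=CRITICAL_TCODES):
    """Map user -> sorted critical transactions he can start."""
    return {u: sorted(t) for u in user_roles
            if (t := granted_tcodes(u, set(critical), user_roles, role_tcodes))}


if __name__ == "__main__":
    for user, rules in sod_conflicts(USER_ROLES, ROLE_TCODES).items():
        print(f"SoD  {user:<8} {'; '.join(rules)}")
    for user, tcodes in critical_access(USER_ROLES, ROLE_TCODES).items():
        print(f"CRIT {user:<8} {', '.join(tcodes)}")
```

The range case is the one that a plain role-to-transaction listing misses: FIUSER never has F-53 named anywhere in his roles, yet the F-01 to F-99 range grants it, so combined with FK01 he has the same conflict as JDOE. Resolving S_TCODE alone is a first pass; a full review also checks the other authorization objects each transaction requires, since a transaction a user can start but whose object checks fail is not exploitable.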
  • SSA - Deliverables (continued)
    • Report on the detected vulnerabilities, the main risks those weaknesses generate, and recommendations to resolve them:
        • Internet security
          • ITS (Internet Transaction Server).
          • Control over firewalls, services, ports, directories and the protection of critical files.
          • Use of generic users.
        • Network infrastructure
          • SAP and general network services (routers, firewalls, SAProuter).
          • Use of SNC (Secure Network Communications).
          • Communications over public networks (Internet, modem).
          • SAPNet connection (OSS).
        • Operating system security
          • User configuration policies and logs.
          • Monitoring.
          • Permissions on the SAP directories and main files.
        • Protection of database access
          • SQL Server / Oracle configuration.
          • Verify whether the passwords of the standard SAP database users were changed.
          • SAPDBA protection.
          • Existing controls over the critical tables of the system.
  • SSA - How is it carried out?
    • By gaining a general understanding of the SAP implementation.
    • Test the protection level of the standard users provided by the system (SAP*, DDIC, etc.) in the production environment, for each client.
    • Check the quality of the system configuration from the access security perspective.
    • Analyze users with critical rights from the security and control perspective.
    • Verify the existence of activity monitoring mechanisms that ensure operations can be traced.
    • Verify the existence of system management and user administration procedures, and check their implementation and monitoring.
    • Analyze the effectiveness and efficiency of the user profiles used in the R/3 system and assigned to users.
    • Analyze the security scheme of the SAP environment, that is, operating system, networks, databases and interfaces.
  • SSA - Own tools: Attaka, vulnerability assessment & management platform
    • Attaka assesses more than 15,000 security vulnerabilities in SAP environments (*).
    • It includes the following modules:
      • Discovery:
        • Consolidation of assets and assessment (internal and external)
      • Reporting:
        • Interactive and historical reports, and a dashboard with key indicators
      • Remediation:
        • Includes documentation processes and workflow
      • Support:
        • 24x7 online access, based on ITIL, to specialized PS
    (*) The only security tool from Spanish-speaking America currently in the approval process with cve.mitre.org.
  • SSA - Own tools: SIA (SAP Insside Audit), R/3 security audit system
    • It includes the following modules:
      • Profile:
        • Consolidates, analyzes and processes the relation between profiles and transactions
      • User integrity:
        • Validates the integrity of, and the relation between, R/3 users, database users and operating system users
        • Checks the quality of the system configuration from the access security perspective
      • Password hardening:
        • Verifies the security level of the passwords assigned in the R/3 environment
        • Checks the protection level of the standard users provided by the system (SAP*, DDIC, etc.) for each client
  • What SSA makes possible
      • Awareness of management and end users in terms of security.
      • Development of a normative framework of security and control, and standardization of the processes to follow for the management and administration of users, profiles and access authorizations, so as to assure the protection of the Organization's information:
          • SAP compliance
          • SOX compliance
          • ISO 17799/27001 compliance
      • Hardening of components and management of assets and resources.
      • Monitoring the degree of regularization (compliance) of the observations presented in the first stage.
  • Stage 2 (potential)
      • Security must be addressed as a strategic aspect of the company, covering:
        • People: knowledge, functions and responsibilities
        • Technology: products, tools and automation
        • Modules: profiles and roles properly assigned
  • Stage 2 (potential)
    • 2. Development of the normative framework
          • SAP compliance
          • SOX compliance
          • ISO 17799/27001 compliance
    • 3. Security hardening & management
      • Security hardening
      • Identity management
      • Event management
      • Patch management
      • Other
    • 4. Monitoring for compliance
      • Monitoring the degree of regularization of the observations presented in the first stage, and compliance
  • Thank you! SSA SAP Security Assessment http://www.openware.biz/index_en.shtml