• Like
SAP Dynamic Attribute-Based Acces Control - White Paper

SAP Dynamic Attribute-Based Acces Control - White Paper






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    SAP Dynamic Attribute-Based Acces Control - White Paper SAP Dynamic Attribute-Based Acces Control - White Paper Document Transcript

    • SAP Dynamic Attribute - BasedAccess ControlBest Practice WhitepaperIntroduction accessible by US persons while in US locations. When she is on a business trip to Singapore meeting with herData security has become one of the most significant suppliers in their APAC regional HQ, exposing materialchallenges in global businesses. Requirements are data, CAD drawings or BOM’s stored in SAP would be adriven by a variety of sources including government violation of ITAR. If she attempts to display informationcompliance, lack of data identification, product subject to ITAR on her iPad during a presentation,development in trade restricted countries where accessing data using SAP Netweaver Portal, location-legal protections are inadequate, data leakage based services can flag her location based on her IPbeyond project teams due to mishandling, insecure address and should trigger a DENY message in SAP.or unmonitored data transfer or distribution between In this example, the product manager’s role serves assupply chain partners, and data lost on unprotected the functional attributes, the data elements (material/laptops, removable drives, or mobile devices. This CAD/BOM) as well as the location information serveguide will discuss the features and roles of functional as data attributes and the business rule provides theand data access level controls and how they governance for access control. Figure 1 depicts theinteroperate to address the data security challenges three dimensional model of large organization systemcompanies operating globally face within the context security architecture including functional access, dataof their enterprise SAP landscape. access, and governance.Business RequirementsLarge organizations are increasingly dealing withregulatory compliance issues such as CWC, FDA 21 Functional AccessCFR Part 11, ITAR, EAR, BAFA, DOE 810, NERC/CIP and Determine the actions a user can performSEC, among others. Securing intellectual property Data Accessis also a major concern as growing business is often Data Accessnecessitated by increasing collaboration, both Determine the data ainternal and external, such as in the areas of product user can seeand engineering, supply chain, partnerships andjoint ventures. In order to support these business Functional Access Governancescenarios within a SAP environment, it is necessary to Rules for accessincorporate attributes such as access location, time managementof day, export license, user citizenship, or project/program assignment. Consider a US-based productmanager of a US corporation whose product is Figure 1: Three dimensions of business authoriazationsubject to ITAR regulations, but has both governmentand commercial application. The business rule forcompliance may be that ITAR data in SAP is only
    • SAP Authorization is often needed to integrate the SAP authorization engine with HR-related data sourced from SAP HR orThe SAP authorization concept is designed for role external HRIS systems to support data requirementsbased security or Role Based Access Control (RBAC). that may be linked to an employee or contractor.RBAC has been the predominant approach to system This common example can quickly cause a “rolesecurity for SAP and other major IT vendors since explosion” within SAP authorization to managethe mid-1990’s and was formalized as an ANSI/ the various factors that contribute to an “ACCESS”INCITS standard in 2004, based on the NIST RBAC or “DENY” system decision. Broadly speaking, themodel (Sandhu, Ferraiolo, and Kuhn) 1. SAP’s security implementation of data-based requirements resultsarchitecture contains five layers (User, Profile, in an exponential increase in access rules comparedAuthorization, Authorization Object, Object Class) that to access variables (Figure 2). This approach oftensupports functional access to the SAP system. A user results in implementing more roles than employeesmay be assigned one or more profiles subject to their and becomes an administrative bottleneck.role responsibility within the organization, such as abuyer or payer. The buyer profile may be authorized toprocure raw materials for company code “100” up to avalue of $10,000 and the payer may be authorized to Required Access Rulespay invoices from vendors for all materials in companycode “100” up to a value of $50,000, for example.Governance principles and organizational bestpractices may dictate that the same user should nothave both the buyer profile and payer profile in orderto avoid potential fraud. In this simple example, SAPsecurity is able to distinguish which user can performa specific function by limiting their access to certain Number of Access Variablestransactions, programs and services. One of the keyfeatures and benefits of SAP authorization is its ease Figure 2: Role Explosionof use in system administration and support of humanresource functions such as role changes and employeeturnover.If this example is within the context of a UK multi- Attribute Based Access Controlnational chemical company setting up a joint In the scenarios where data elements contribute toventure with a local company in Belarus to service the access criteria, Attribute Based Access Controlthe emerging market, there is an additional layer of (ABAC) is the solution that would best support thedata security needed based on location in order to business authorization requirements in a scalable way.restrict access to recipes and intellectual property not Within enterprise software, XACML (eXtensible Accessrelated to the joint venture. Assuming there are 10 Control Markup Language) - a standard defined by thedistinct buyer profiles in SAP, each would need to be OASIS standards association - is becoming the defactoreplicated for each joint venture, plus presumably a standard used in the enterprise software market. The“buyer_all” profile. If this example is further extended basic elements of XACML architecture includes a Policyto include compliance requirements from the Chemical Administration Point (PAP), Policy Decision Point (PDP),Weapons Convention for chemicals produced by the Policy Enforcement Point (PEP) and Policy InformationUS subsidiary, each of the profiles created would need Point (PIP). The key feature of segregating these areasto be replicated again to account for these additional is the ability to quickly update authorization policiesrestrictions. Additional custom ABAP development and reduction of ongoing system maintenance.1 Ravi Sandhu, David Ferraiolo and Richard Kuhn. “The NIST Model forRole-Based Access Control: Towards A Unified Standard,” 2000 <http://csrc.nist.gov/rbac/sandhu-ferraiolo-kuhn-00.pdf> 2
    • The ABAC model can be classified by subject attributes Hybrid Solution(e.g. user, computer and application specific data),environment attributes (e.g. time, connection type To support the needs of global businesses running onor threat level) and resources attributes (data values, SAP, an organization will have some combination ofclassification or content). The power and scalability of static and dynamic access attributes. To this extent,the ABAC model is that access may be granted using employing a hybrid architecture of implementingany combination of the attributes for a given scenario. SAP Authorization complemented by an ABACAs business requirements and environments change, system will provide the control necessary to ensurethe administration of the ABAC system may be to business requirements are met along with optimizingsimply update the attributes in the PAP. When data the maintenance of the authorization systems. Theattributes are dynamic in nature, an ABAC approach is recommended approach is to create an authorizationthe ideal solution to optimally support access control map to clearly identify the Functional Roles and Datarequirements. Attributes for a given organization. An example of engineering collaboration with an external partner is shown in Figure 3. Functions Governance Governance View BOMs View ECOs - External Create/Edit Create/Edit Create/Edit Create/Edit Drawings Drawings Materials Materials Action/ Engineering access BOMs Data Class ECOs View View requires Partner Commercial Manager Approval Products - Classification of Controlled Products Controlled Products requires Trade Supplier Compliance review Data Products Program X Data Program Y Data Figure 3: Authorization Map 3
    • The determination of functional roles is typically the features and fully integrated capabilities of SAPdone in establishing SAP security architecture and is authorization, such as ease of user assignment, todepicted as role 1-3 in the example. The addition of efficiently supporting data attributes and avoiding thedata attributes 4 and 5 can be best implemented in “role explosion” and custom development that wouldan ABAC layer as depicted in figure 4. The optimal otherwise be necessary and costly.approach in design is to determine which attributesare static and those that are dynamic. Static attributes NEXTLABS and SAPsuch as base office location and position are bestimplemented in SAP authorization and dynamic NextLabs Compliant Enterprise Entitlement Managerattributes such as export license, project affiliation is an SAP-endorsed business solution and integratesand login information are best implemented by the with the SAP ERP, SAP Product Lifecycle Management,additional layer of an ABAC system. and SAP BusinessObjects™ Global Trade Services applications to provide end-to-end information riskThe Governance layer in figure 4 represents the management. The Entitlement Manager extends SAPconsolidation of all business rules providing the authorization concepts to provide attribute-basedconstraints. This is a system interpretation of access to SAP business objects such as materials,constraints such as export licenses, non-disclosure BOMs, routings, change masters, parts specifications,agreements and internal policies. With the prominence CAD drawings, and documents. It can leverage SAPof offshore SAP support and administration, it is not roles and access control contexts and combine themuncommon for breach of policies to occur when with other attributes for dynamic authorizationan employee of a IT outsourcing partner located decisions. The Entitlement Manager can be configuredoffshore has “SAP ALL” in their authorization profile. to automatically classify critical SAP data by associationBy employing this hybrid approach, companies can or inheritance or based on location of storage. Thisachieve governance over system administration while greatly simplifies the task of data classification andmaintaining their existing global production support helps ensure that program data is properly identifiedmodel. for effective access control throughout its lifecycle. Finally, the Entitlement Manager works smoothlyIn order to support growth and sustainability objective, through the SAP GUI and SAP NetWeaver® Portal andit is prudent for organizations not to abandon SAP Mobile Applications components to enforce dataSAP’s authorization model, but to complement and access and sharing policies. The Entitlement Manageraugment. SAP authorization is best for functional can be extended to protect critical data after it isauthorization and should be augmented with ABAC exported from SAP applications to provide end-to-for data authorization. This hybrid design combines end protection. Graphical reporting tools provide a complete audit trail of all authorization decisions. Subject Functional Authorization Layer Data Authorization Layer Resource Figure 4: Authorization Layers 4
    • NextLabs Compliant Enterprise Entitlement Manager Entitlement Manager enables global companies toworks with SAP solutions to provide the following automate export control, secure engineering andbenefits: supply chain collaboration, and enhance data security.  Automate global trade compliance and lower com- pliance costs associated with various export control regulations, such as ITAR, EAR, BAFA, and ECA  Protect intellectual property while enabling global design collaboration and prevent wrongful disclo- sure of design and engineering specifications in compliance with proprietary information exchange agreements and nondisclosure agreements  Prevent data breach across the global supply chain and protect supply, demand, and manufacturing data in accordance with contractor and supplier agreements  Enhance data security and minimize the risk of SAP data spillage and contamination  Support proper data segregation in compliance with regulatory mandates and simplify compliance reporting through centralized logging of accessThe Entitlement Manager enables safe and secureglobal shared service functions while providingregional policy control. By providing fine-grainedauthorization with centralized management, theAbout NextLabsNextLabs®, Inc. is the leading provider of policy-driven information risk management (IRM) software for large enterprises. Our soft-ware offers a cohesive solution for improving compliance and mitigating information risk by helping companies achieve safer andmore secure internal and external collaboration, prevent data loss, and ensure proper authorization to applications and data.Our flagship data protection and entitlement management products, Enterprise Data Protection and Compliant Enterprise®,combine with the Control Center XACML-based policy management platform with integrated content aware and identity-drivenenforcement technology to offer the most comprehensive information risk management (IRM) solution. Our products preserveconfidentiality, prevent data loss, and ensure compliance across more channels and more points, within a single unified solutionwith the unmatched user acceptance and Total Cost of Ownership (TCO).NextLabs’ partnerships with industry leaders such as IBM, SAP, Microsoft, HCL Axon, Adobe, HP, PTC, and Siemens bring to marketindustry-focused information risk management (IRM) solutions that combine industry best practices with turnkey applications, tomeet customers’ governance, risk, and compliance requirements. Visit NextLabs on the web at www.nextlabs.com.© 2005-2012 NextLabs, Inc. All Rights reserved. NextLabs, the NextLabs Logo, ACPL, Compliant Enterprise, the Compliant Enterprise Logo, and Enterprise DLP aretrademarks or registered trademarks of NextLabs, Inc. in the United States. All other trademarks or registered trademarks are the property of their respective owners.8-08 2 Waters Park Drive, #250 n San Mateo, CA n 94403 USA n t: 650-577-9101 n f: 650-577-9102 n www.nextlabs.com 5