SAP Security
Usage Rights: CC Attribution-NoDerivs License
Presentation Transcript

  • Slide 1: Security in SAP Systems. FIST Conference, 26th of November 2004, Barcelona. Dr. Michael Woitass. © Dr. Michael Woitass, Version 02/04
  • Slide 2: Agenda
    – Security risks
    – High-level security in SAP systems
    – Single Sign-On to SAP
    – Secure Network Communication (SNC) in SAP
    – Digital signature of documents (SSF) in SAP
  • Slide 3: Information security. Do organisations need cryptographic solutions? The competitive advantage of many companies and institutions results from obtaining and managing information, and the loss of that information can pose a serious risk to these organisations. Without protection, internal data may be accessible via the network:
    – Personal data
    – Financial data
    – Customers and providers
    – Product and service prices
    – Intellectual property
    – Confidential corporate information
  • Slide 4: SAP systems environment. SAP data are transmitted over an insecure network. [Diagram: web browser, web server with ITS, SAPgui/SAPlogon, SAPlpd and RFC access reach the R/3 application server over the Internet and the insecure internal network, passing through SAP Router.]
  • Slide 5: Security of SAP systems. Standard SAP: the security of SAP systems depends on the security of the network. The login information (user ID and password) can be captured during transmission, and SAP data are transmitted as legible (clear) text. [Diagram: SAPgui/SAPlogon client connected to an R/3 server.]
  • Slide 6: Security risks. Appropriate security purposes eliminate the risks (attack and the security purpose that addresses it):
    – Man-in-the-middle: Authentication
    – Unauthorised modification: Data integrity
    – Unauthenticated sender: Proof of origin
    – Wiretapping: Confidentiality
  • Slide 7: Security technology. Asymmetric cryptography provides the technology to guarantee high-level security (security purpose and the technology that provides it):
    – Authentication: Strong authentication
    – Data integrity: Digital signature
    – Proof of origin: Digital signature
    – Confidentiality: Encryption
  • Slide 8: Basics: asymmetric encryption. [Diagram: encryption and decryption with public-key cryptography.]
  • Slide 9: Basics: hybrid encryption. [Diagram: encryption and decryption with hybrid cryptography.]
  • Slide 10: Basics: digital signature. [Diagram: digital signature and its verification.]
  • Slide 11: SAP Security. Cryptographic solutions facilitate:
    – Secure Single Sign-On to SAP (SSO)
    – Encryption of data communications in SAP (SNC)
    – Digital signature of SAP documents (SSF)
  • Slide 13: Secure access to SAP. Single Sign-On by means of:
    – Crypto libraries at client and server side
    – Strong authentication using digital certificates
    [Diagram: SAPgui client and SAP R/3 server, each with a network interface and a security library, perform Secure Sign-On over the network with certificate-based authentication.]
  • Slide 14: Secure Login with certificates. Strong authentication between SAP clients and servers. [Diagram of the exchange between user and server:]
    – The user generates an arbitrary message A.
    – The server signs the message from the user.
    – The user verifies the signature of the server.
    – The server generates another arbitrary message B.
    – The user signs the message of the server.
    – The server verifies the signature of the user.
  • Slide 15: Secure Single Sign-On. Secure Single Sign-On to all SAP servers.
  • Slide 16: Single Sign-On with smartcards. [Diagram: identification with PIN gives access to the certificate and private key.]
  • Slide 17: SSO Integration. Motivation:
    – The company wants to establish a Single Sign-On via the logon to the network (e.g. Windows Active Directory authentication, one-time tokens).
    – The company uses SAP systems.
    – The objective is to implement a certificate-based Single Sign-On to SAP without the need to have a PKI installed.
  • Slide 18: Architecture. [Diagram with six numbered steps: the Windows logon (user ID, domain, password) at the Secure Login Client, a scalable Active Directory, a scalable Secure Login Server that generates the certificate, and the resulting soft token on the client.]
  • Slide 19: Architecture SAP GUI to SAP Server: Single Sign-On and secure communication. [Diagram: SAP GUI client and SAP R/3 server, each reaching its security library through GSS-API, communicate via SNC; the client credential is the soft token.]
  • Slide 20: Architecture Web Browser to Web Server: Single Sign-On and secure communication. [Diagram: Internet Explorer uses the Microsoft Crypto API and a CSP holding the soft token, and communicates with the web server via SSL.]
  • Slide 21: Advantages.
    – High user acceptance: the user does not need to learn new software and is not forced to enter login data again and again.
    – High security: secure authentication and communication in SAP applications via SNC, and in web applications via SSL.
    – Reduced administration: no overhead of a Public Key Infrastructure, yet certificate-based login to SAP applications and web applications.
    – Reduced costs: reuse of the established authentication method; Single Sign-On assures an optimized workflow.
  • Slide 22: SAP Security. Cryptographic solutions facilitate:
    – Secure Single Sign-On to SAP (SSO)
    – Encryption of data communications in SAP (SNC)
    – Digital signature of SAP documents (SSF)
  • Slide 23: Architecture: integration in SAP with Secure Network Communication (SNC). [Diagram of the server-side stack: work process, compression, protocol, SNC, GSS API (Generic Security Services), security library.]
  • Slide 24: Secure network. End-to-end security by means of:
    – Crypto libraries at client and server side
    – SAP standard interface SNC
    [Diagram: SAPgui client and SAP R/3 server, each with a network interface, the SNC interface, GSS API and a security library, authenticate with certificates over the network.]
  • Slide 25: Architecture: Secure Network Communications (SNC) in SAP.
    – Application programming interface standardised by the IETF
    – Abstraction from the mechanisms used behind the API
    – Certification within SAP's CSP Program (BC-SNC interface)
    [Diagram of the server-side stack: work process, compression, protocol, SNC, GSS API (Generic Security Services), security library.]
  • Slide 26: Integration on the R/3 server side. SNC configuration: central user administration.
  • Slide 27: Integration in SAPlogon. SNC configuration: selection of the security level.
  • Slide 28: Example: Spanish Data Protection Law. Requirements: the LOPD (Ley Orgánica de Protección de Datos) came into force on 1 July 2002. The law demands high-level security measures, among them the encryption of the data. Spanish companies and public administrations that run SAP R/3 and process data of the high security level must comply with the law.
  • Slide 29: Example: Spanish Data Protection Law. High-level security measures: files that contain certain personal data require the implementation of high-level measures:
    – ideology, religion, beliefs
    – racial origin, health or sexual life of natural persons
    – data collected for police purposes.
    Principally, these measures consist of:
    – prior encryption of the data
    – storage of the information about access to the files for at least two years
    – storage of the backup copies in a place other than where the computer equipment is located.
  • Slide 30: SAP Security. Cryptographic solutions facilitate:
    – Secure Single Sign-On to SAP (SSO)
    – Encryption of data communications in SAP (SNC)
    – Digital signature of SAP documents (SSF)
  • Slide 31: Digital signature of SAP documents. Digital signature in SAP: the digital signature guarantees the identity of the user and the integrity of the data. [Diagram: data extraction; encryption of the extracted data with the private key (RSA algorithm, asymmetric encryption, 1,024 bits) yields the digital signature; extraction of the signed data.]
  • Slide 32: Example: Project ArchiSig. Electronic Signature of Medical Documents: Integration and Evaluation of a Public Key Infrastructure (PKI) in Hospitals.
  • Slide 33: Workflow in SAP IS-H*MED. The secretary writes a medical document. The doctor signs the document. The workflow passes the document to the department head, who countersigns. [Diagram: SAP IS-H*MED with the SECUDE security library and a time stamp; the medical document and the signatures are transferred to the archiving system, IXOS-eCONserver.]
  • Slide 34: Document workflow: create, modify, sign, verify. [Diagram, labels translated from Spanish: determine the next step; create a record; show PDF; "My letters": tasks; signature function; signature history; document list; verification; sign the document; archive the document; send to the secretary.]
  • Slide 35: Integration of the signature in SAP IS-H*MED.
  • Slide 36: Summary. Certificate-based security technology facilitates:
    – Secure Single Sign-On to SAP
    – Encryption of SAP data
    – Digital signature of SAP documents
  • Security in SAP Systems. Many thanks for your attention! Michael Woitass, mwoitass@telefonica.net
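The certificate-based login of slide 14 (each side signs the other's arbitrary message) and the document signature of slide 31, as an added Go example that is not part of the presentation and not SAP's or SECUDE's code: it uses the Go standard library's RSA and SHA-256, with 2048-bit keys instead of the 1,024-bit keys named on slide 31 (an assumption, chosen because 1024-bit RSA is no longer adequate). The Party, Sign, Verify and MutualAuth names and the 32-byte random challenges are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Party is one side of the exchange (user or SAP server) holding the RSA
// private key that belongs to its certificate. The talk names 1024-bit RSA;
// 2048 bits is used here because 1024-bit keys are no longer adequate.
type Party struct{ key *rsa.PrivateKey }

func NewParty() *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Party{key: k}
}

// Public is the key a peer would take from this party's certificate.
func (p *Party) Public() *rsa.PublicKey { return &p.key.PublicKey }

// Sign hashes msg with SHA-256 (the "data extraction" step of slide 31) and
// signs the digest with the private key (PKCS#1 v1.5 RSA signature).
func (p *Party) Sign(msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify recomputes the digest and checks sig against pub; any change to
// msg or sig, or a signature made with another key, yields false.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// MutualAuth is the slide-14 exchange: user sends random message A, server
// signs it; server sends random message B, user signs it; each side verifies
// the peer's signature with the certificate key it trusts, so an impostor fails.
func MutualAuth(user, server *Party, userCert, serverCert *rsa.PublicKey) bool {
	a, b := make([]byte, 32), make([]byte, 32)
	rand.Read(a) // challenge from user to server
	rand.Read(b) // challenge from server to user
	return Verify(serverCert, a, server.Sign(a)) && Verify(userCert, b, user.Sign(b))
}
```

Calling MutualAuth with a server that does not hold the private key matching serverCert returns false, which is the man-in-the-middle case of slide 6; Verify on a document altered after signing likewise returns false, which is the integrity guarantee of slide 31.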