Platform Security: "Insecure SAP system interfaces: an underestimated risk." ------------------------------------------------------------------------------------- How confident are you that your SAP systems are sufficiently protected against cyberattacks? In our experience, it's far too often the case that companies fail to pay the requisite attention to analyzing and securing their SAP system interfaces. These include RFC connections, SAP Gateway, and extended ST01 traces, along with considerations of their relevance, criticality, and potential defects. As you take the steps necessary to secure your landscape, the suite module SAST Interface Management can provide you with optimal support. It's capable of evaluating multiple systems, creating a comprehensive interface overview in graphical or tabular format, and categorizing the flaws it finds. ------------------------------------------------------------------------------------- Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de

1. Insecure SAP system
interfaces:
an underestimated risk.
Webinar: June, 2018
„SAST Interface Management“

2. SAST SOLUTIONS: Our suite at a glance.
- 2 -
Modular design. Individual possibilities.

3. Basic thoughts about SAST Interface Management
- 3 -
Our Goals
 Get Clean: Supporting interface cleanup.
 Securing the SAP Gateway using tailor-made ACLs.
 Determining exact authorization values ​​for interface users by long-term trace.
 Eliminating security risks due to improper configuration.
 Stay Clean: Maintaining a clean and safe operating condition.

4. Overview of SAST Interface Management functionality
- 4 -
Overview
 Basic analysis of RFC, HTTP, TCP / IP, trusted RFC, SSO2 and remote database connections.
 Gaining data from the RFC call analysis for the optimal design of RFC authorizations under
security aspects.
 Creation / completion of RFC interface authorizations, revision of trust relationships between
the systems.
 Support in the administration of the SAP Gateway through creating secure ACL files.
 An long-term trace of interface authorizations ensures that authorization values ​​can be
determined for interface users.

5. Benefits from SAST Interface Management
- 5 -
Benefits
 Monitoring and analysis of all systems can be done from a single point of entry system.
 Complete analysis of the RFC interfaces leads to an inventory that is presented in graphic and tabular
form thus enriched with risk classification information.
 All results of the analysis can be recalled at any time. This simplifies the processing and cleaning of the
interfaces thus ensuree clean working conditions.
 In the sense of an efficient risk management, the output of the analysis results is possible after various
categories, from system type through system group to protection requirement classification, It provides
direct specifications for the adjustment / adaptation of the RFC authorizations.
 ACL files of the SAP Gateway can be generated and used directly.
Helps to restrict program access and secure access to the SAP Gateway.
 Based on gateway logging files, default values ​​can be determined and used to directly generate the ACL
files reginfo, secinfo and prxyinfo.

6. Analysis of RFC Interfaces
- 6 -
RFC connections analysis of
 Single systems
 System groups
 System landscapes
Depending on your analysis needs, both the incoming and also outgoing RFC connections
can be viewed and then all results stored in a list for later use.


7. Reporting of RFC Connections
- 7 -
 Differentiated output of the results according to RFC connection types as well as
inbound and outbound connections.
 Consideration and display of special connections:
 Remote database connections
 SSO2 Logon tickets
 Trusted RFC connections
 Aggregation of analysis results after:
 System types (development-, quality assurance- and production systems)
 Classification of protection requirements
 System groups for comparing system types (ERP, CRM, NetWeaver)

8. Reporting of RFC Interfaces
- 8 -
Graphical display of incoming and / or outgoing connections to the central analysis system.

9. Reporting of RFC Interfaces
- 9 -
Tabular output of system and connection data.

10. Reporting of RFC Interfaces (Example)
- 10 -
Evaluating called RFC functions, an analysis of existing RFC authorizations can be performed
and then improvement suggestions for optimization are displayed:
From the results a worklist can be created in order to clean and secure the RFC connections
step by step using only the authorizations necessary.


11. ACL files SAP Gateway
- 11 -
Using SAST INTERFACE MANAGEMENT, proposals for the security control files of the
SAP Gateway (reginfo, secinfo, prxyinfo) can be determined on basis of the gateway logs’
statistical data.
For this purpose, the activation of the gateway logging and the evaluation of the log files for suitable periods
(e.g. 3 months) is necessary for obtaining most accurate data on all connections used.
!

12. Long-term trace of interface permissions
- 12 -
Based on the long-term trace data of SAST INTERFACE MANAGEMENT, correct authorization
values ​​for the interfaces are determined.
In conjunction with SAST ROLE MANAGEMENT, correct roles for all interface users can be
generated using the traced data.


13. LET´S TAKE THE NEXT STEP TOGETHER
TIM KRÄNZKE
Director International Sales & Alliances
 More than 30 years experience in IT
 Specialized in SAP Security Products since 14+ years
 Long-term working with International Customers and Partners
Email: sast@akquinet.de
Web: www.sast-suite.com
© Copyright AKQUINET AG. All rights reserved. This publication is protected by copyright.
All rights, in particular the right of reproduction, distribution, and translation, are reserved. No part of this document may be reproduced in any form (photocopy, microfilm or other process) or processed, copied, or distributed using electronic systems without the prior
written agreement of AKQUINET AG. Some of the names mentioned in this publication are registered trademarks of the respective provider and as such are subject to legal provisions.
The information in this publication has been compiled with the greatest care. However, no guarantee can be given for its applicability, correctness, and completeness. AKQUINET AG shall assume no liability for losses arising from use of the information.