SCUR101
Security Basics
Sarah Maidstone, SAP AG
© SAP AG 2004, SAP TechEd / SCUR101 / 3
Security Challenges
- How do I control which users access my systems?
- How do I make sure they’re not able to get to data I don’t want them to see?
- How do I preserve the integrity of documents sent over the Internet?
- How do I prevent hackers from getting access to my networks?
- How can I protect messages that I send to my business partners?
- How can I protect the channels over which we communicate?
Learning Objectives
As a result of this workshop, you will be able to:
- Explain some of the fundamental concepts involved in IT security
- Understand which of them to apply in response to a particular threat
The Big Picture
A holistic approach to security across the whole organization:
- A sound strategy, broken down into policies and clear responsibilities
- The right technology to support this
Agenda:
- Network Security
- Authentication and Single Sign-On
- Authorization
Authentication and Single Sign-On
The Challenge:
Authentication: How do I know a user is who they say they are?
Single Sign-On: How can I reduce the number of times each user has to enter their credentials without weakening security?
Introducing Alice, Bob, ...
[Diagram: Alice: “Hi Bob! I’m Alice.” Bob: “Hi Alice!”]
How does Bob know that Alice is really Alice?
... and Mallory!
[Diagram: Mallory, posing as Alice: “Hi Bob! I’m Alice.” Bob: “Hi Alice!”]
How does Bob know that Mallory isn’t Alice?
Sending Proof for Authentication
[Diagram: Alice: “Hi Bob! I’m Alice.” Bob: “Hi Alice!” Alice then adds proof: “I am Alice!”]
Alice must send proof that she is who she claims to be.
Authentication Options
Common authentication options include:
- User Name and Password
- Logon Tickets
- X.509 Certificates
Authentication: User ID and Password
The user enters his or her user ID and a password (Alice/******):
- The password is hashed (one-way encryption)
- Mallory can only pretend to be Alice if he guesses her password
Single Sign-On: Successive Authentication
Single sign-on occurs after the initial authentication:
- After the initial authentication, the user does not have to re-authenticate to access other systems.
[Diagram: Alice proves “I am Alice!” once; the subsequent systems accept her without a new logon]
Single Sign-On: Logon Ticket
Using a logon ticket:
- The logon ticket contains information about Alice and the issuing system (no password)
- Each successive system checks the validity of the ticket
[Diagram: Alice logs on to the portal with Alice/******; she receives a logon ticket (User ID: Alice, Issuing System: Portal Server) and presents that ticket to the successive systems]
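The slide does not say how a successive system checks a ticket's validity; this added example (not SAP's logon-ticket format and not code from the deck) assumes the issuing system signs the ticket with a private key and each accepting system verifies it with the issuer's public key, an expiry time and a list of issuer names it trusts. The ticket layout, the ECDSA P-256 signature and the system names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Ticket holds identity and issuer information only; no password travels in it.
type Ticket struct {
	UserID        string
	IssuingSystem string
	Expires       time.Time
}

// payload is the byte string that gets signed: fixed field order, '|' separated.
func (t Ticket) payload() []byte {
	return []byte(t.UserID + "|" + t.IssuingSystem + "|" + strconv.FormatInt(t.Expires.Unix(), 10))
}

func parsePayload(p []byte) (Ticket, error) {
	f := strings.Split(string(p), "|")
	if len(f) != 3 || f[0] == "" || f[1] == "" {
		return Ticket{}, errors.New("malformed ticket payload")
	}
	secs, err := strconv.ParseInt(f[2], 10, 64)
	return Ticket{UserID: f[0], IssuingSystem: f[1], Expires: time.Unix(secs, 0)}, err
}

// Issuer is the system that did the initial authentication (the portal server in
// the slides). Only it holds the private key; accepting systems get the public key.
type Issuer struct {
	Name string
	Key  *ecdsa.PrivateKey
}

func NewIssuer(name string) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, Key: key}, nil
}

// Issue returns "<base64 payload>.<base64 ECDSA signature>" for user, valid for ttl.
func (i *Issuer) Issue(user string, ttl time.Duration, now time.Time) (string, error) {
	t := Ticket{UserID: user, IssuingSystem: i.Name, Expires: now.Add(ttl)}
	digest := sha256.Sum256(t.payload())
	sig, err := ecdsa.SignASN1(rand.Reader, i.Key, digest[:])
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(t.payload()) + "." + enc.EncodeToString(sig), nil
}

// Verify is what each successive system runs instead of asking for credentials
// again: the issuer must be one it trusts, the signature must check out against
// that issuer's public key, and the ticket must not have expired.
func Verify(ticket string, trusted map[string]*ecdsa.PublicKey, now time.Time) (Ticket, error) {
	enc := base64.RawURLEncoding
	parts := strings.SplitN(ticket, ".", 2)
	if len(parts) != 2 {
		return Ticket{}, errors.New("malformed ticket")
	}
	payload, err1 := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return Ticket{}, errors.New("ticket is not valid base64")
	}
	t, err := parsePayload(payload)
	if err != nil {
		return Ticket{}, err
	}
	pub, ok := trusted[t.IssuingSystem]
	if !ok {
		return Ticket{}, errors.New("issuing system not trusted: " + t.IssuingSystem)
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return Ticket{}, errors.New("ticket signature invalid")
	}
	if !now.Before(t.Expires) {
		return Ticket{}, errors.New("ticket expired")
	}
	return t, nil
}

func main() {
	portal, _ := NewIssuer("Portal Server")
	ticket, _ := portal.Issue("Alice", 8*time.Hour, time.Now())
	_, err := Verify(ticket, map[string]*ecdsa.PublicKey{portal.Name: &portal.Key.PublicKey}, time.Now())
	fmt.Println("second system accepts Alice's ticket:", err == nil)
}
```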
Authentication and SSO: X.509 Certificates I
X.509 certificates (“digital certificates”) can be used both for initial authentication and for successive single sign-on.
Each certificate includes:
- Name
- CA name
- Validity period
- Public key
X.509 Certificates II
X.509 certificates are used with Secure Sockets Layer (SSL):
- Internet standard for secure HTTP connections
- Provides for server, client or mutual authentication and encryption
- Uses both symmetric and public-key encryption for protection
Authentication: X.509 Certificates
Mutual authentication between Alice and the server
[Diagram: Alice and the server each hold a public key, a private key and a secret key]
Verifying X.509 Certificates
[Diagram: Alice: “I am Alice!” Mallory: “Hi Bob! I’m Alice. Really. I even have a certificate!”]
How do you know that the certificate really belongs to Alice?
Introducing Hal
By building a trust relationship with a third party, Hal.
[Diagram: Hal (CA): “I’m Hal. I issued both Alice’s and Bob’s certificates. They trust me.” Bob: “Ok, Alice, the certificate is really yours.”]
Verifying X.509 Certificates
[Diagram: Mallory: “Hi Bob! I’m Alice. Really. I even have a certificate!” Hal (CA): “No Bob. That is not the certificate I gave to Alice.” Bob: “Wait a second! I won’t trust it then!”]
Public Key Infrastructure
Certification Authority (CA)
- Issues digital certificates according to a specific policy
- Levels of trust vary depending on the CA’s policy
[Diagram: Alice: “Hi Bob! I’m Alice.” Bob checks with Hal (CA) before answering “Hi Alice!”]
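The Hal, Alice and Mallory scenario above in code, as an added example that is not part of the original deck and does not use SAP's own PKI tooling: Hal is a CA that issues Alice's certificate, Mallory makes a self-signed certificate that also says “Alice”, and Bob's check accepts only certificates that chain to a CA he trusts, are within their validity period and carry the expected name. The key type (ECDSA P-256), validity periods and serial numbers are assumptions of the example; verification uses Go's standard crypto/x509 chain building.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a private key plus the certificate carrying its public key.
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue generates a fresh key for tmpl and signs the certificate with signer's key,
// or with the fresh key itself when signer is nil (a self-signed certificate).
func issue(tmpl *x509.Certificate, signer *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent, signKey := tmpl, key
	if signer != nil {
		parent, signKey = signer.Cert, signer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Key: key, Cert: cert}, nil
}

// NewCA creates Hal: a self-signed certificate flagged as a CA, whose private
// key signs every certificate Hal issues.
func NewCA(name string, now time.Time) (*Identity, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, nil)
}

// leafTemplate: name and validity period; the public key is added by issue and the CA name is copied from the signer.
func leafTemplate(name string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    now,
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// Issue is Hal signing a certificate for a subject such as Alice.
func (ca *Identity) Issue(name string, serial int64, now time.Time) (*Identity, error) {
	return issue(leafTemplate(name, serial, now), ca)
}

// VerifyPeer is Bob's check: the presented certificate must chain to a CA in
// his trust store, be inside its validity period at now, and name the peer he
// expects. A self-signed "Alice" certificate from Mallory fails the first test.
func VerifyPeer(presented *x509.Certificate, trustedCAs []*x509.Certificate, expected string, now time.Time) error {
	roots := x509.NewCertPool()
	for _, c := range trustedCAs {
		roots.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if presented.Subject.CommonName != expected {
		return fmt.Errorf("certificate belongs to %q, not %q", presented.Subject.CommonName, expected)
	}
	return nil
}

func main() {
	now := time.Now()
	hal, _ := NewCA("Hal", now)
	alice, _ := hal.Issue("Alice", 2, now)
	mallory, _ := issue(leafTemplate("Alice", 1, now), nil) // self-signed, Hal not involved
	trusted := []*x509.Certificate{hal.Cert}
	fmt.Println("Alice's certificate:", VerifyPeer(alice.Cert, trusted, "Alice", now.Add(time.Hour)))
	fmt.Println("Mallory's certificate:", VerifyPeer(mallory.Cert, trusted, "Alice", now.Add(time.Hour)))
}
```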
Summary: Authentication and Single Sign-On
What is Authentication?
Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity.
What is Single Sign-On?
Single Sign-On is the subsequent authentication after the initial authentication; the user is not required to provide credentials again.
Authorizations
The Challenge:
Once legitimate users have accessed the system, how can I make sure they only do what they are allowed to?
Role-Based User Access
[Diagram: roles such as Developer, Administrator, Accountant, Sales Clerk and Manager, with Bob assigned to one of them]
- The user only sees those activities that he or she needs
- As an accountant, Bob sees his role-specific menu when he logs on (view account balance, post payment, ...)
Authorizations
- Building blocks that specify which tasks the user is allowed to perform
- Stored in the user’s role information
Authority Checks
- Performed at runtime to determine if the user has the right to carry out a task
- Authority checks can be applied to transactions, tables, documents, and other resources
[Diagram: Bob starts the transaction “View Account Balance”; an authority check runs before it executes]
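The role, authorization and authority-check slides above in code, as an added example (not SAP's authorization implementation and not code from the deck): a role bundles authorizations on objects with field values, the runtime check succeeds only when one authorization covers every required field, and the role-specific menu is built from the transactions that pass the check. The object name Z_ACCOUNT, its fields and the sample transactions are constructed for this example; the activity codes follow the SAP ACTVT convention (01 create, 03 display, 06 delete).

```go
package main

import "fmt"

// Authorization is one building block: an authorization object together with
// the field values it grants. "*" grants every value of that field.
type Authorization struct {
	Object string
	Fields map[string][]string
}

// Role bundles the authorizations that one job function needs.
type Role struct {
	Name  string
	Auths []Authorization
}

type User struct {
	ID    string
	Roles []Role
}

// Transaction declares the authorization object and field values checked before it runs.
type Transaction struct {
	Name     string
	Object   string
	Required map[string]string
}

// AuthorityCheck is the runtime check: it succeeds if some authorization in some
// role of the user covers the object with every required field value. All fields
// must be covered by the same authorization; values are never mixed across them.
func AuthorityCheck(u User, object string, required map[string]string) bool {
	for _, r := range u.Roles {
		for _, a := range r.Auths {
			if a.Object == object && covers(a, required) {
				return true
			}
		}
	}
	return false
}

func covers(a Authorization, required map[string]string) bool {
	for field, want := range required {
		if !matches(a.Fields[field], want) {
			return false
		}
	}
	return true
}

func matches(granted []string, want string) bool {
	for _, g := range granted {
		if g == "*" || g == want {
			return true
		}
	}
	return false
}

// Run is the check the system makes when the user starts a transaction.
func Run(u User, tx Transaction) bool { return AuthorityCheck(u, tx.Object, tx.Required) }

// MenuFor builds the role-specific menu: only transactions the user may run are shown.
func MenuFor(u User, all []Transaction) []string {
	var menu []string
	for _, tx := range all {
		if Run(u, tx) {
			menu = append(menu, tx.Name)
		}
	}
	return menu
}

// Constructed sample data. Z_ACCOUNT is a made-up authorization object with the
// fields ACTVT (activity: 01 create, 03 display, 06 delete) and BUKRS (company code).
var (
	Accountant = Role{Name: "Accountant", Auths: []Authorization{{
		Object: "Z_ACCOUNT",
		Fields: map[string][]string{"ACTVT": {"01", "03"}, "BUKRS": {"1000"}},
	}}}
	Bob = User{ID: "Bob", Roles: []Role{Accountant}}

	ViewBalance     = Transaction{"View Account Balance", "Z_ACCOUNT", map[string]string{"ACTVT": "03", "BUKRS": "1000"}}
	PostPayment     = Transaction{"Post Payment", "Z_ACCOUNT", map[string]string{"ACTVT": "01", "BUKRS": "1000"}}
	DeleteAccount   = Transaction{"Delete Account", "Z_ACCOUNT", map[string]string{"ACTVT": "06", "BUKRS": "1000"}}
	ViewOther       = Transaction{"View Account Balance (company code 2000)", "Z_ACCOUNT", map[string]string{"ACTVT": "03", "BUKRS": "2000"}}
	AllTransactions = []Transaction{ViewBalance, PostPayment, DeleteAccount, ViewOther}
)

func main() {
	fmt.Println("Bob's menu:", MenuFor(Bob, AllTransactions))
	fmt.Println("Bob may view balances in 1000:", Run(Bob, ViewBalance))
	fmt.Println("Bob may delete accounts:", Run(Bob, DeleteAccount))
}
```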
Summary: Authorization and Roles
What is authorization?
Once an identity has been authenticated, the authorization process determines whether that identity has access to a given resource.
What is a role?
The role a person plays in an organization can be used to determine the access to information and applications – in other words, their authorizations.
For example, the CFO of a company has different access rights to accounting data than the employees who work for him as administrators. Most employees have a number of roles, such as employee and accountant, or employee, manager, and engineer.
Network Security
The Challenge:
How can I protect my system at the network level from eavesdropping and tampering?
Using Firewalls and Routers
[Diagram: a LAN and an external network separated by a router, with DIAG and telnet traffic shown; Alice is inside the LAN, Mallory on the external network]
Introducing Eve
Alice must prevent eavesdropping to protect communications.
[Diagram: Alice to Bob: “Hi Bob! I have a deal for you.” Eve reads the deal and tells Bob: “Hi Bob! I have a better deal for you.” Bob: “Sorry Alice - I’ll do business with Eve.”]
Encrypted Communications
Alice encrypts her network communications.
[Diagram: Alice to Bob: “Hi Bob! I have a deal for you.” On the wire Eve sees only “$&%/?=§” and says “Rats!” Bob: “That’s a great deal, Alice!”]
Summary: Firewalls and Encryption
What is a Firewall?
A firewall is a set of programs residing on a gateway server that protect the resources of an internal network. It is used to prevent unauthorized access to a network, such as a company’s LAN. It blocks unwanted network traffic while allowing other traffic to pass, and it ensures that all communication between networks conforms to the organization’s security policies.
Which mechanisms can be used for encryption?
- Secure Sockets Layer (SSL) provides an encryption layer for the Hypertext Transfer Protocol (HTTP): HTTP becomes HTTPS.
- For SAP protocols, the Generic Security Services (GSS) interface, which allows you to plug in different encryption products.
Partners Providing Trust
Security@SAP
Security is a quality characteristic of SAP solutions.
ITSEC E2 medium certification:
- Re-evaluation according to Common Criteria currently underway
- Development and production processes have been evaluated and approved
SAP is the only provider with such a high level of certification for applications.
SAP Security Consultant Certification
SAP Security Optimization Service
Coming soon: Security Bulletin Service
Summary: Security Basics
Q: How do I control which users access my systems?
A: By using reliable authentication mechanisms.
Q: How do I make sure they’re not able to get to data I don’t want them to see?
A: By having a well-thought-out authorization concept in place.
Q: How do I preserve the integrity of documents sent over the Web?
A: By attaching trust information to the data itself, using digital signatures.
Q: How can I prevent hackers from getting access to my networks?
A: By setting up a secure network architecture.
Q: How can I protect messages that I send to my business partners?
A: By using encryption and digital signature technologies.
Q: How can I protect the channels over which we communicate?
A: By encrypting your communication channels.
Further Information
Public Web:
- www.sap.com
- SAP Developer Network: www.sdn.sap.com -> SAP NetWeaver Platform -> Security
- SAP Customer Services Network: www.sap.com/services/
Related Workshops/Lectures at SAP TechEd 2004:
- SCUR102 User Management and Authorizations: Overview, Lecture
- SCUR103 Compliance: mySAP ERP Solutions for Sarbanes-Oxley, Lecture
- SCUR104 Electronic Signatures: Technology and Regulatory Compliance, Lecture
- SCUR201 SAP Infrastructure Security, Lecture
- SCUR202 SAP Security Optimization Service, Lecture
- SCUR203 The SAP Management of Internal Controls (MIC) Tool, Lecture
- SCUR251 Single Sign-On in Heterogeneous Landscapes, Workshop
- SCUR351 User Management and Authorizations: The Details, Workshop
- SCUR352 Leveraging Ext. Authentication Based on Industry Standards, Workshop
- PRTL152 Portal Roles – Roles vs. Authorizations, Workshop
- SDN101 Writing Secure Web Applications, Lecture
Related SAP Education Training Opportunities:
- http://www.sap.com/education/ ADM940-960
Q&A
Questions?
SAP Developer Network
Look for SAP TechEd ’04 presentations and videos on
the SAP Developer Network.
Coming in December.
http://www.sdn.sap.com/
Please complete your session evaluation.
Be courteous — deposit your trash,
and do not take the handouts for the following session.
Feedback
Thank You !
- No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
- Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
- Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
- IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.
- Oracle is a registered trademark of Oracle Corporation.
- UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
- Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
- HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
- Java is a registered trademark of Sun Microsystems, Inc.
- JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
- MaxDB is a trademark of MySQL AB, Sweden.
- SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
- These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Copyright 2004 SAP AG. All Rights Reserved

  • 39. © SAP AG 2004, SAP TechEd / SCUR101 / 39 Q&A Questions?
  • 40. © SAP AG 2004, SAP TechEd / SCUR101 / 40 SAP Developer Network Look for SAP TechEd ’04 presentations and videos on the SAP Developer Network. Coming in December. http://www.sdn.sap.com/
  • 41. © SAP AG 2004, SAP TechEd / SCUR101 / 41 Please complete your session evaluation. Be courteous — deposit your trash, and do not take the handouts for the following session. Feedback Thank You !
  • 42. © SAP AG 2004, SAP TechEd / SCUR101 / 42 „ No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. „ Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. „ Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. „ IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. „ Oracle is a registered trademark of Oracle Corporation. „ UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. „ Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. „ HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. „ Java is a registered trademark of Sun Microsystems, Inc. „ JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. „ MaxDB is a trademark of MySQL AB, Sweden. „ SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. „ These materials are subject to change without notice. 
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. Copyright 2004 SAP AG. All Rights Reserved