- 3. © SAP AG 2004, SAP TechEd / SCUR101 / 3
Security Challenges
  - How do I control which users access my systems?
  - How do I make sure they’re not able to get to data I don’t want them to see?
  - How do I preserve the integrity of documents sent over the Internet?
  - How do I prevent hackers from getting access to my networks?
  - How can I protect messages that I send to my business partners?
  - How can I protect the channels over which we communicate?
- 4.
Learning Objectives
As a result of this workshop, you will be able to:
  - Explain some of the fundamental concepts involved in IT security
  - Understand which of them to apply in response to a particular threat
- 5.
The Big Picture
A holistic approach to security across the whole organization
A sound strategy, broken down into:
  - Policies
  - Clear responsibilities
The right technology to support this
- 7.
Authentication and Single Sign-On
The Challenge:
Authentication: How do I know a user is who they say they are?
Single Sign-On: How can I reduce the number of times each user has to enter their credentials without weakening security?
- 8.
Introducing Alice, Bob, ...
Alice (to Bob): "Hi Bob! I’m Alice."
Bob: "Hi Alice!"
How does Bob know that Alice is really Alice?
- 9.
... and Mallory!
Mallory (to Bob): "Hi Bob! I’m Alice."
Bob: "Hi Alice!"
How does Bob know that Mallory isn’t Alice?
- 10.
Sending Proof for Authentication
Alice (to Bob): "Hi Bob! I’m Alice." Alice also sends proof: "I am Alice!"
Bob: "Hi Alice!"
Alice must send proof that she is who she claims to be.
- 11.
Authentication Options
Alice’s proof ("I am Alice!") can take several forms. Common authentication options include:
  - User name and password
  - Logon tickets
  - X.509 certificates
- 12.
Authentication: User ID and Password
The user enters his or her user ID and a password (Alice sends Alice/******):
  - The system stores and compares only a hash of the password. A hash is a one-way function, not encryption: it can be computed from the password, but the password cannot be recovered from it.
  - Mallory can only pretend to be Alice if he guesses (or otherwise obtains) her password.
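The password check on this slide, worked through as an added example; this is not code from the SAP deck. The system stores a salted, iterated hash rather than the password, and compares the recomputed hash in constant time so that response timing gives Mallory nothing. It is Go with the standard library only; the record layout (pbkdf2-sha256$rounds$salt$hash), the 100,000-round work factor and the sample passwords are assumptions of this example, and a production system would tune the work factor upwards or use scrypt or Argon2.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Demo work factor (assumption of this example): raise it on real hardware.
const iterations = 100000

// pbkdf2SHA256 derives a 32-byte key from password and salt (RFC 8018
// PBKDF2-HMAC-SHA256). One output block suffices because the requested
// length equals the SHA-256 digest size.
func pbkdf2SHA256(password, salt []byte, rounds int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index
	u := prf.Sum(nil)
	dk := append([]byte(nil), u...)
	for i := 1; i < rounds; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range dk {
			dk[j] ^= u[j]
		}
	}
	return dk
}

// hashWithSalt formats what the system stores: algorithm, work factor, salt
// and hash. The password itself never reaches the database.
func hashWithSalt(password string, salt []byte, rounds int) string {
	dk := pbkdf2SHA256([]byte(password), salt, rounds)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", rounds, hex.EncodeToString(salt), hex.EncodeToString(dk))
}

// HashPassword draws a fresh random salt, so two users with the same
// password get different records and precomputed tables are useless.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return hashWithSalt(password, salt, iterations), nil
}

// VerifyPassword is the check of "Alice/******": recompute with the stored
// salt and rounds, then compare in constant time so the response time does
// not reveal how many bytes of Mallory's guess were right.
func VerifyPassword(record, password string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised password record")
	}
	rounds, err := strconv.Atoi(parts[1])
	if err != nil || rounds < 1 {
		return false, errors.New("bad round count")
	}
	salt, err := hex.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	stored, err := hex.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := pbkdf2SHA256([]byte(password), salt, rounds)
	return subtle.ConstantTimeCompare(stored, got) == 1, nil
}

func main() {
	record, _ := HashPassword("correct horse battery staple") // sample password, constructed
	fmt.Println("stored:", record)
	ok, _ := VerifyPassword(record, "correct horse battery staple")
	fmt.Println("Alice with the right password:", ok)
	ok, _ = VerifyPassword(record, "correct horse battery stable")
	fmt.Println("Mallory with a near miss:     ", ok)
}
```

The record is self-describing, so the work factor can be raised later and old records re-hashed at the user's next successful logon.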
- 13.
Single Sign-On: Successive Authentication
Single sign-on occurs after the initial authentication:
  - After the initial authentication, the user does not have to re-authenticate to access further systems.
Diagram: Alice proves her identity once ("I am Alice!"); the same proof is then presented to each successive system.
- 14.
Single Sign-On: Logon Ticket
Using a logon ticket:
  - The logon ticket contains information about Alice and the issuing system (no password)
  - Each successive system checks the validity of the ticket: that it was issued by a system it trusts, that the issuer’s signature on it is intact, and that it is still within its validity period
Diagram: Alice logs on to the portal with Alice/******; the Portal Server issues a logon ticket (User ID: Alice, Issuing System: Portal Server), and Alice presents that ticket, not her password, to each successive system.
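What the validity check on this slide has to cover, as an added example in Go; this is not code from the deck and not the SAP logon-ticket format. The issuing system signs the ticket with its private key, and each successive system holds only the issuers’ public keys: it verifies the signature, checks that the named issuer is one it trusts, checks the validity period, and never sees a password. The ticket layout (JSON payload plus ECDSA P-256 signature, base64url-encoded), the issuer name "Portal Server" and the eight-hour lifetime are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Ticket is what the issuing system (the portal) hands Alice after she has
// logged on with her password. It names her and the issuer, never the password.
type Ticket struct {
	UserID    string `json:"user"`
	Issuer    string `json:"issuer"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

// NewIssuerKey creates an issuing system's signing key (P-256, assumption).
func NewIssuerKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// Issue serialises the ticket and signs the bytes with the issuer's private
// key. The result "<payload>.<signature>" is what Alice carries onwards.
func Issue(t Ticket, issuerKey *ecdsa.PrivateKey) (string, error) {
	payload, err := json.Marshal(t)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, issuerKey, digest[:])
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// Verify is what every successive system runs. It needs only the public keys
// of the issuers it trusts, so it never handles Alice's password at all.
func Verify(ticket string, trusted map[string]*ecdsa.PublicKey, now time.Time) (Ticket, error) {
	var t Ticket
	parts := strings.Split(ticket, ".")
	if len(parts) != 2 {
		return t, errors.New("malformed ticket")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return t, errors.New("malformed ticket encoding")
	}
	if err := json.Unmarshal(payload, &t); err != nil {
		return t, err
	}
	pub, ok := trusted[t.Issuer] // the issuer named in the ticket selects the key
	if !ok {
		return t, fmt.Errorf("untrusted issuing system %q", t.Issuer)
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return t, errors.New("bad signature: ticket forged or altered")
	}
	if now.Unix() < t.IssuedAt || now.Unix() >= t.ExpiresAt {
		return t, errors.New("ticket outside its validity period")
	}
	return t, nil
}

func main() {
	portalKey := NewIssuerKey()
	trusted := map[string]*ecdsa.PublicKey{"Portal Server": &portalKey.PublicKey}
	now := time.Now()
	alice, _ := Issue(Ticket{"Alice", "Portal Server", now.Unix(), now.Add(8 * time.Hour).Unix()}, portalKey)
	fmt.Println("ticket:", alice)
	t, err := Verify(alice, trusted, now)
	fmt.Println("successive system sees:", t.UserID, "from", t.Issuer, "error:", err)
	// Mallory takes the payload of a "Manager" ticket signed by a key nobody
	// trusts and attaches Alice's genuine signature to it.
	rogue, _ := Issue(Ticket{"Manager", "Portal Server", now.Unix(), now.Add(8 * time.Hour).Unix()}, NewIssuerKey())
	forged := strings.Split(rogue, ".")[0] + "." + strings.Split(alice, ".")[1]
	_, err = Verify(forged, trusted, now)
	fmt.Println("forged ticket:", err)
}
```

The order of checks matters: the issuer is looked up before the signature is verified, so a ticket naming an unknown issuer is refused regardless of how it is signed, and the validity window is checked against the receiving system’s clock, not a time stated in the ticket.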
- 15.
Authentication and SSO: X.509 Certificates I
X.509 certificates (“digital certificates”) can be used both for initial authentication and for successive single sign-on.
Each certificate includes:
  - Name (of the certificate’s owner)
  - CA name (the issuer)
  - Validity period
  - Public key
  - The CA’s digital signature over these fields, which is what binds the name to the public key
- 16.
X.509 Certificates II
X.509 certificates are used by Secure Sockets Layer (SSL), today superseded by its successor TLS:
  - Internet standard for securing HTTP connections (HTTPS)
  - Provides server, client or mutual authentication, plus encryption
  - Uses both public-key cryptography (to authenticate the parties and agree on a session key) and symmetric encryption (to protect the data, because it is much faster)
- 17.
Authentication: X.509 Certificates
Mutual authentication between Alice and the server
Diagram: Alice and the server each hold a public/private key pair (the public key in the certificate, the private key kept secret); after they have authenticated each other they share a secret, the symmetric session key.
- 18.
Verifying X.509 Certificates
Mallory (to Bob): "Hi Bob! I’m Alice. Really. I even have a certificate!" (presenting a certificate that reads "I am Alice!")
How do you know that the certificate really belongs to Alice?
- 19.
Introducing Hal
By building a trust relationship with a third party, Hal.
Hal (CA): "I’m Hal. I issued both Alice’s and Bob’s certificates. They trust me."
Bob asks Hal about the certificate presented to him (?); Hal answers (!): "Ok, Alice, the certificate is really yours."
- 20.
Verifying X.509 Certificates
Mallory (to Bob): "Hi Bob! I’m Alice. Really. I even have a certificate!" (presenting a certificate that reads "I am Alice!")
Bob asks Hal (CA) to confirm it.
Hal: "No Bob. That is not the certificate I gave to Alice."
Bob: "Wait a second! I won’t trust it then!"
- 21.
Public Key Infrastructure
Certification Authority (CA)
  - Issues digital certificates according to a specific policy
  - Levels of trust vary depending on the CA’s policy
Diagram: with Hal (CA) vouching for both certificates (? / !), Alice and Bob can authenticate each other: "Hi Bob! I’m Alice." / "Hi Alice!"
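Slides 15 to 21 worked through end to end as an added example in Go; this is not code from the deck or from any SAP product. Hal acts as CA and issues certificates to Alice and Bob; Bob checks a presented certificate against Hal’s root (slides 19 and 20); and a mutually authenticated TLS session over loopback (slide 17) shows the same check done by the protocol, with the symmetric session key agreed under the public keys (slide 16). Mallory’s self-signed certificate, which also says "Alice", fails both checks because nobody Bob trusts signed it. The key type (ECDSA P-256), the one-day validity period, the lowercase names used as DNS subject alternative names, the loopback TCP port and the greeting text are assumptions of this example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Identity is a key pair plus the certificate binding its public key to a name.
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert makes a key pair and a certificate for name. With a signer it is issued
// by that identity (Hal signing for Alice and Bob); with nil it is self-signed,
// which is how Hal creates his root and how Mallory fakes an "Alice" certificate.
func newCert(name string, usage x509.KeyUsage, signer *Identity) *Identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo; a real CA tracks serials
		Subject:               pkix.Name{CommonName: name},       // name (slide 15)
		NotBefore:             time.Now().Add(-time.Hour),        // validity period (assumption)
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              []string{strings.ToLower(name)},
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
	}
	parent, signKey := tmpl, key // self-signed unless a signer is given
	if signer != nil {
		parent, signKey = signer.Cert, signer.Key // CA name and signature come from Hal
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey))
	return &Identity{Key: key, Cert: must(x509.ParseCertificate(der))}
}

// CheckWithHal is Bob's question on slides 19 and 20: does a CA I trust vouch
// for this certificate? Only a chain that ends at a root in the pool passes.
func CheckWithHal(cert *x509.Certificate, trusted *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted})
	return err
}

// Session runs one mutually authenticated TLS connection from client to Bob over
// loopback and returns Bob's greeting. Bob demands a client certificate and checks
// it against the trusted pool; the client checks Bob's the same way. Under TLS 1.3
// Bob's rejection arrives after the client's handshake has finished, so we read for it.
func Session(bob, client *Identity, trusted *x509.CertPool) (string, error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ClientCAs: trusted,
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual authentication (slide 17)
		Certificates: []tls.Certificate{{Certificate: [][]byte{bob.Cert.Raw}, PrivateKey: bob.Key}}}))
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if tc.Handshake() != nil {
			return // client certificate not issued by Hal: alert sent, no greeting
		}
		fmt.Fprintf(tc, "Hi %s!\n", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: trusted, ServerName: "bob",
		Certificates: []tls.Certificate{{Certificate: [][]byte{client.Cert.Raw}, PrivateKey: client.Key}}})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	reply, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", fmt.Errorf("Bob refused the session: %w", err)
	}
	return strings.TrimSpace(reply), nil
}

func main() {
	hal := newCert("Hal", x509.KeyUsageCertSign, nil)
	alice, bob, mallory := newCert("Alice", x509.KeyUsageDigitalSignature, hal), newCert("Bob", x509.KeyUsageDigitalSignature, hal), newCert("Alice", x509.KeyUsageDigitalSignature, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(hal.Cert)
	fmt.Println("Alice checked with Hal:", CheckWithHal(alice.Cert, trusted), "| Mallory:", CheckWithHal(mallory.Cert, trusted))
	fmt.Println(Session(bob, alice, trusted))
	fmt.Println(Session(bob, mallory, trusted))
}
```

Bob never compares certificates byte for byte with Hal, as the slide’s dialogue suggests; he checks Hal’s signature on the certificate he was handed, which is what lets the check work offline. Whether to trust Hal in the first place (slide 21) is the policy decision encoded in the pool of roots.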
- 22.
Summary: Authentication and Single Sign-On
What is Authentication?
Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority.
If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity.
What is Single Sign-On?
Single Sign-On covers the subsequent authentications after the initial one: the user is not required to provide credentials again.
- 24.
Authorizations
The Challenge:
Once legitimate users have accessed the system, how can I make sure they only do what they are allowed to?
- 25.
Role-Based User Access
Roles (examples): Developer, Administrator, Accountant, Sales Clerk, Manager
  - The user only sees those activities that he or she needs
  - As an accountant, Bob sees his role-specific menu when he logs on (view account balance, post payment, ...)
- 26.
Authorizations
  - Building blocks that specify which tasks the user is allowed to perform
  - Stored in the user’s role information
- 27.
Authority Checks
  - Performed at runtime to determine if the user has the right to carry out a task
  - Authority checks can be applied to transactions, tables, documents, and other resources
Diagram: Bob starts the transaction "View Account Balance"; the system runs an authority check against Bob’s authorizations before executing it.
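The three slides above as an added example, not code from the deck or from any SAP system: authorizations are object/activity pairs, roles bundle them, the role-specific menu is built from the check, and the same check runs again when a transaction is started, because hiding a menu entry is convenience rather than enforcement. The role names, objects, activities and transactions are constructed for this example and are not SAP authorization objects.

```go
package main

import "fmt"

// Authorization is a building block (slide 26): an object and the activities
// permitted on it, e.g. object ACCOUNT with activities display and post.
type Authorization struct {
	Object     string
	Activities map[string]bool
}

// Role bundles authorizations; a user holds one or more roles (slide 28).
type Role struct {
	Name           string
	Authorizations []Authorization
}

type User struct {
	ID    string
	Roles []*Role
}

// Transaction is something a user can start from the menu; it declares the
// object and activity the authority check is made against.
type Transaction struct {
	Name, Object, Activity string
}

// AuthorityCheck is the runtime check of slide 27: deny by default, grant only
// if some authorization in one of the user's roles covers object and activity.
func AuthorityCheck(u *User, object, activity string) bool {
	for _, r := range u.Roles {
		for _, a := range r.Authorizations {
			if a.Object == object && a.Activities[activity] {
				return true
			}
		}
	}
	return false
}

// Menu is the role-specific menu of slide 25: only transactions whose
// authority check passes are shown.
func Menu(u *User, all []Transaction) []string {
	var names []string
	for _, tx := range all {
		if AuthorityCheck(u, tx.Object, tx.Activity) {
			names = append(names, tx.Name)
		}
	}
	return names
}

// Execute enforces: the check runs again when the transaction starts, so a
// user who bypasses the menu (direct URL, API call) is still stopped.
func Execute(u *User, tx Transaction) error {
	if !AuthorityCheck(u, tx.Object, tx.Activity) {
		return fmt.Errorf("user %s is not authorized for %s (%s/%s)", u.ID, tx.Name, tx.Object, tx.Activity)
	}
	return nil
}

// Constructed sample data for this example.
var (
	employee      = &Role{Name: "Employee", Authorizations: []Authorization{{Object: "TIMESHEET", Activities: map[string]bool{"display": true, "change": true}}}}
	accountant    = &Role{Name: "Accountant", Authorizations: []Authorization{{Object: "ACCOUNT", Activities: map[string]bool{"display": true, "post": true}}}}
	manager       = &Role{Name: "Manager", Authorizations: []Authorization{{Object: "ACCOUNT", Activities: map[string]bool{"display": true, "approve": true}}}}
	administrator = &Role{Name: "Administrator", Authorizations: []Authorization{{Object: "USER", Activities: map[string]bool{"create": true, "lock": true}}}}

	transactions = []Transaction{
		{"View Account Balance", "ACCOUNT", "display"},
		{"Post Payment", "ACCOUNT", "post"},
		{"Approve Payment", "ACCOUNT", "approve"},
		{"Create User", "USER", "create"},
		{"Enter Timesheet", "TIMESHEET", "change"},
	}
	bob = &User{ID: "Bob", Roles: []*Role{employee, accountant}}
)

func main() {
	fmt.Println("Bob's menu:", Menu(bob, transactions))
	fmt.Println("Bob approves a payment:", Execute(bob, transactions[2]))
	carol := &User{ID: "Carol", Roles: []*Role{employee, manager, administrator}}
	fmt.Println("Carol's menu:", Menu(carol, transactions))
}
```

Note that Bob can post a payment but not approve one, and a manager can approve but not post: splitting the two activities across roles is how separation of duties is expressed in the authorization concept, and it only holds if the check is enforced at execution, not just in the menu.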
- 28.
Summary: Authorization and Roles
What is authorization?
Once an identity has been authenticated, the authorization process determines whether that identity has access to a given resource.
What is a role?
The role a person plays in an organization can be used to determine the access to information and applications – in other words, their authorizations.
For example, the CFO of a company has different access rights to accounting data than the employees who work for him as administrators. Most employees have a number of roles, such as employee and accountant, or employee, manager, and engineer.
- 30.
Network Security
The Challenge:
How can I protect my system at the network level from eavesdropping and tampering?
- 31.
Using Firewalls and Routers
Diagram: a router/firewall sits between the external network and the LAN. Alice’s DIAG (SAP GUI protocol) connection is permitted through it; Mallory’s attempts to reach the LAN from the external network (telnet, DIAG) are blocked.
- 32.
Introducing Eve
Alice must prevent eavesdropping to protect communications.
Alice (to Bob): "Hi Bob! I have a deal for you." (Deal)
Eve, listening in, undercuts it: "Hi Bob! I have a better deal for you." (Better Deal)
Bob: "Sorry Alice - I’ll do business with Eve."
- 33.
Encrypted Communications
Alice encrypts her network communications.
Alice (to Bob): "Hi Bob! I have a deal for you." On the wire, Eve sees only "$&%/?=§".
Eve: "Rats!"
Bob: "That’s a great deal, Alice!"
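Slides 32 and 33 as an added example in Go, not code from the deck: Alice and Bob share a key, Alice seals the deal with AES-256-GCM, Eve sees only ciphertext, and because GCM authenticates the message as well as encrypting it, Bob detects any alteration instead of acting on a "better deal". How Alice and Bob came to share the key (here a random key both are assumed to hold; in practice agreed under SSL/TLS or distributed by a key server) and the sample deal text are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts and authenticates msg under key with AES-256-GCM. A fresh
// random nonce is prepended to the output; a nonce must never be reused with
// the same key, which is why one is drawn per message.
func Seal(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// Open reverses Seal. GCM's authentication tag makes any change to the
// ciphertext (Eve's "better deal") fail here instead of yielding garbage
// that Bob might act on.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Eavesdrop is Eve's view: does the wire carry the given text in the clear?
func Eavesdrop(wire []byte, text string) bool {
	return bytes.Contains(wire, []byte(text))
}

// Tamper flips one bit of the wire bytes, as an active Eve might.
func Tamper(wire []byte) []byte {
	out := append([]byte(nil), wire...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	key := make([]byte, 32) // shared by Alice and Bob (assumption: agreed out of band)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	deal := []byte("Hi Bob! I have a deal for you: 1000 units at 42.") // constructed sample
	wire, _ := Seal(key, deal)
	fmt.Printf("on the wire: %x\n", wire)
	fmt.Println("Eve can read the deal:", Eavesdrop(wire, "deal"))
	got, err := Open(key, wire)
	fmt.Println("Bob reads:", string(got), err)
	_, err = Open(key, Tamper(wire))
	fmt.Println("Bob on Eve's altered message:", err)
}
```

Encryption alone (slide 33) stops Eve reading the deal; the authentication tag is what stops her changing it, which is the tampering half of the challenge on slide 30. Channel-level protection such as SSL/TLS (slide 34) gives both properties for the connection; message-level sealing like this protects a document that is stored or forwarded beyond the connection.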
- 34.
Summary: Firewalls and Encryption
What is a Firewall?
A firewall is a set of programs residing on a gateway server that protect the resources of an internal network.
It is used to prevent unauthorized access to a network, such as a company’s LAN.
It blocks unwanted network traffic while allowing other traffic to pass.
It ensures that all communication between networks conforms to the organization’s security policies.
Which mechanisms can be used for encryption?
Secure Sockets Layer (SSL), today superseded by its successor TLS, provides an encryption layer for the Hypertext Transfer Protocol (HTTP): HTTP becomes HTTPS.
For SAP protocols, the Generic Security Services (GSS) API interface allows you to plug in different encryption products.
- 35.
Partners Providing Trust
- 36.
Security@SAP
Security is a quality characteristic of SAP solutions
ITSEC E2 medium certification
  - Re-evaluation according to Common Criteria currently underway
  - Development and production processes have been evaluated and approved
SAP is the only provider with such a high level of certification for applications
SAP Security Consultant Certification
SAP Security Optimization Service
Coming soon: Security Bulletin Service
- 37.
Summary: Security Basics
Q: How do I control which users access my systems?
By using reliable authentication mechanisms.
Q: How do I make sure they’re not able to get to data I don’t want them to see?
By having a well-thought-out authorization concept in place.
Q: How do I preserve the integrity of documents sent over the Web?
By attaching trust information to the data itself, using digital signatures.
Q: How can I prevent hackers from getting access to my networks?
By setting up a secure network architecture.
Q: How can I protect messages that I send to my business partners?
By using encryption and digital signature technologies.
Q: How can I protect the channels over which we communicate?
By encrypting your communication channels.
- 38.
Further Information
Public Web:
  www.sap.com
  SAP Developer Network: www.sdn.sap.com -> SAP NetWeaver Platform -> Security
  SAP Customer Services Network: www.sap.com/services/
Related Workshops/Lectures at SAP TechEd 2004:
  SCUR102 User Management and Authorizations: Overview, Lecture
  SCUR103 Compliance: mySAP ERP Solutions for Sarbanes-Oxley, Lecture
  SCUR104 Electronic Signatures: Technology and Regulatory Compliance, Lecture
  SCUR201 SAP Infrastructure Security, Lecture
  SCUR202 SAP Security Optimization Service, Lecture
  SCUR203 The SAP Management of Internal Controls (MIC) Tool, Lecture
  SCUR251 Single Sign-On in Heterogeneous Landscapes, Workshop
  SCUR351 User Management and Authorizations: The Details, Workshop
  SCUR352 Leveraging Ext. Authentication Based on Industry Standards, Workshop
  PRTL152 Portal Roles – Roles vs. Authorizations, Workshop
  SDN101 Writing Secure Web Applications, Lecture
Related SAP Education Training Opportunities:
  http://www.sap.com/education/ ADM940-960
- 39.
Q&A
Questions?
- 40.
SAP Developer Network
Look for SAP TechEd ’04 presentations and videos on the SAP Developer Network.
Coming in December.
http://www.sdn.sap.com/
- 41.
Feedback
Please complete your session evaluation.
Be courteous — deposit your trash, and do not take the handouts for the following session.
Thank You !
- 42.
  - No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
  - Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
  - Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
  - IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.
  - Oracle is a registered trademark of Oracle Corporation.
  - UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
  - Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
  - HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
  - Java is a registered trademark of Sun Microsystems, Inc.
  - JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
  - MaxDB is a trademark of MySQL AB, Sweden.
  - SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
  - These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Copyright 2004 SAP AG. All Rights Reserved