Expand +



Special Feature: Security for SAP Solutions

by SAPand Partners | SAPinsider

October 1, 2004

by SAP and Partners SAPinsider - 2004 (Volume 5), October (Issue 4)
Five Questions Help Gauge the Effectiveness of Systems Security Across Your SAP Applications Landscape

Sachar Paulus
Chief Security Officer,


Enhancing Security and Identity Access With Central User Administration and BMC Software Tools

Integrated Identity and Access Management in SAP Solution Landscapes

A Primer for SAP Customers: Understanding Microsoft's Software Update Strategy

The Real Thing and the Not-Quite-Real Thing: Real-Time Analysis of Security Issues in Your Business-Critical Systems

Is your SAP solution landscape adequately secured? It’s a question that my team and I are held accountable for here at SAP and that I imagine many of you are as well. Anyone charged with this responsibility knows that security is a moving target. The IT assets we need to secure are continually changing, and so are the threats we are endeavoring to protect them from. Given this challenge and the high stakes associated with security, you may want to consider the following questions heading into 2005:

Are you up-to-date on SAP security options? SAP offers a lot of them. Built into our products is a broad range of security mechanisms ranging from various authentication methods, SSO, fine-grained authorization models, and secure document exchange to audit logs, among others. On the services side, there are on-site security assessments, remote security optimization services, and general sanity checks. (Visit and the SAP Service Catalog for more information.) Partners also offer consulting products, services, and security reviews.*

Are you exercising those options? Need I say more?

Are the decision makers at your company responsible for SAP application management and those responsible for overall systems landscape security working in lock step with one another? If your security officers are not involved in SAP applications management decisions (and vice versa), you may be handed down security policies that are at odds with the very business objectives your SAP systems are supposed to be addressing. For example, a security policy that disallows you to connect intranet systems to the Internet is contrary to benefiting from cross- organizational collaborative business scenarios.

Is the frequency with which you apply patches impacting your security activities? Everyone needs to apply patches to keep up with security. If you are doing this with uncomfortable frequency, you may want to look into SAP NetWeaver '04. All the technology components in this release have been synchronized — applications and technology components share the same core technology, and you’ll be applying far fewer patches. Also note that by the end of the year, SAP will be offering a security advisory service that regularly notifies customers of security fixes.

Applications have changed. We use them to streamline and optimize processes beyond the borders of our organizations. E-recruiting applications, for example, extend HR applications that formerly ran just in the back office. Manufacturers are enabling suppliers to perform remote inventory checks and participate in collaborative planning exercises. This all comes with a heightened magnitude of risk. So the fifth and final question to continually ask yourself is this: Are your security measures keeping pace with your changing applications landscape?

Software companies that are interested in partnering with SAP should contact Beth Wyrick, Director, Software Partner Program, at or +1 610 661-8365.

back to top

Enhancing Security and Identity Access with Central User Administration and BMC Software Tools

Gary Holland
US Director for SAP
Identity Management,
BMC Software

Your SAP applications are at work in a distributed environment of platforms and locations. Across this landscape, user access is a pressing security issue. From their first day on the job and throughout their employment life cycle, employees must have access to IT resources and SAP applications in conformance with security policies and standards. This makes the management of roles, profiles, access rights, and passwords an ongoing administrative issue.

SAP Central User Administration (CUA) was created to manage access for the users of SAP R/3, SAP Industry Solutions, or mySAP Business Suite. CUA is a control mechanism that simplifies access management by enabling administrators to create sets of access rights and associate users or groups of users — such management tasks include user account creation, access rights grouping, enforcement, etc. These associations impose appropriate controls on users of SAP solutions.

At the same time, user information needed to create these associations may lie outside the SAP landscape or require input from people across the organization. In these cases, administrators can look to complementary tools to gather and manage the information needed for secure user administration.

Centralized and Automated Account Creation Across SAP Clients
Management of roles (Web or traditional), profiles, and authorization of object access is a complex, time-consuming task. These access attributes may be automatically assigned based on user information that is stored in the mySAP HR module or other enterprise directories. When the SAP administrative team does not have access to this data, attributes and role associations must be made manually.

With the deployment of a complementary user-provisioning tool connecting SAP clients and non-SAP solution environments, SAP administrators are able to:

  • Support automated batch feeds from external sources, driving creation of new user accounts (provisioning) within SAP solutions and other environments

  • Support real-time detection of HR updates for provisioning or de-provisioning SAP user accounts

  • Automate business rules to set or modify SAP user account attributes

  • Enhance and retain CUA's ability to locally manage user accounts for specific SAP instances while facilitating a means of central administration

Automate Access Rights Approval
Assigning access rights might require authorization from various levels within the organization. Delays in this process mean lost productivity. A Web-based approval automation tool can help reduce approval delays and provide an audit trail of the approval process, as well as support deployments of access rights to applications across global company sites.

Password Reset Requests and Synchronization Across Diverse Clients
The number of passwords people must remember creates challenges for all organizations, and lost or forgotten passwords create a backlog for SAP administrators. So synchronizing passwords across SAP and non-SAP accounts benefits users and administrators alike.

By adding a password tool to a CUA deployment, tedious password reset requests are offloaded to your help desk or to a self-service process. What's more, password policies can be enforced across SAP clients and non-SAP solution environments.

BMC Software, an SAP Software Partner, offers an SAP-certified solution interface for SAP solutions. CONTROL-SA, an SAP complementary solution, supports user provisioning, access approval, and password synchronization. To learn more about BMC Software's CONTROL-SA solution, please visit

back to top

Integrated Identity and Access Management in SAP Solution Landscapes

Mike Small
Director eTrust
Security Strategy,
Computer Associates
International, Inc.

Organizations are evolving to become more accessible to customers, partners, vendors, suppliers, and employees. However, controls — where what you can do is based on who you are — are fundamental to managing risk. Many organizations have taken a piecemeal approach to identity and access management, resulting in higher-than-necessary costs, with only poorly implemented controls. Along with the increasing amount of data, governments and regulatory bodies are issuing directives relating to data privacy and confidentiality. The result? Organizations find themselves squeezed between cost control and regulatory compliance.

Computer Associates (CA), an SAP Software Partner, recognizes the challenges that organizations face in dealing with identity and access management issues and offers eTrust Identity and Access Management Suite, an integrated standards-based set of solutions with a common portal-based user interface, Web services support, directory independence, end-to-end audit functions, and more.

eTrust Identity and Access Management Suite helps organizations streamline management, establish trusted access to partners, protect investments in SAP solutions, reduce overall costs, improve overall efficiency, and facilitate compliance with regulations through end-to-end auditing, with a number of applications:

eTrust Access Control
Policy-based access control for UNIX servers hardens the base operating system and creates a secure server foundation for SAP solutions (see Figure 1). This application enables users to implement:

  • The general UNIX system protections suggested in the SAP Security Guide.1

  • Additional protections for files and directories of an SAP installation residing on the UNIX operating system.

  • Additional protections for "privileged identities" in an SAP installation on the UNIX operating system.
Figure 1
eTrust Identity and Access Management Architecture

eTrust Admin
To automate user provisioning to SAP solutions as well as other IT and non-IT resources, eTrust Admin — certified for integration with SAP R/3 4.6 — helps improve business efficiency and achieve regulatory compliance by providing:

  • A single view for each user showing all their SAP and non-SAP accounts, such as mailboxes.

  • Automated changes to access rights across all platforms when a user's information is changed in mySAP HR. This reduces the costs and delays when providing access for new employees.

  • A single user interface to manage users' access rights on SAP and non-SAP systems to reduce the cost of administration.

  • Provisioning of users' access rights according to their job function. eTrust Admin relates SAP roles and profiles to users' rights on non-SAP platforms.

  • Automatic password synchronization and self-service capabilities for password reset to reduce help-desk costs.

  • A single action to suspend or unlock all accounts owned by a user, which reduces the risk of access rights being left open when employees are terminated.

  • Reports showing all administrative changes and tracing how a user's rights were obtained, to help comply with security best practices like BS7799 and ISO17799.

eTrust Directory
To help build a secure and reliable foundation for your SAP solutions, eTrust Directory is certified for integration with SAP BC-LDAP 6.30. It combines LDAP access with X.500 distribution and replication, and:

  • Scales to over 500 million users, with faster processing speeds than other directory products, according to independent benchmark testing.2

  • Processes more than 10,000 searches per second on a single 2GHz CPU. This results in considerable hardware savings.

  • Supports n-way multi-master zero latency replication. This makes it very reliable, since data is never lost when failover occurs.

  • Integrates multiple directories into a single "virtual" directory that can greatly simplify administration.

  • Supports UDDI lookup and discovery, and DSML integration makes it a secure repository for Web services information.

eTrust Single Sign-On (SSO)
With role-based single sign-on to SAP and non-SAP applications with a choice of authentication methods, not only do end users have a better user experience, but it also reduces the risks and costs associated with multiple credentials. In addition, eTrust SSO:

  • Supports a wide range of authentication methods to suit the specific needs of an organization. These include Microsoft Windows, mainframe, tokens, smart cards, as well as biometric devices.

  • Provides a personalized end-user portal/desktop with customized content and allowed applications ready to use.

  • Supports automated logon to applications using a variety of methods including username/password, tokens, one-time passwords.

  • Requires no changes to any of your existing applications to obtain these benefits.

eTrust Web Access Control
This application extends eTrust SSO to provide role-based extranet access management to secure Web resources and prevent intrusions.

CA's eTrust Identity and Access Management Suite, with its modular, open design, provides standards-based interfaces to existing and future security technologies, and enhances SAP solutions by protecting the infrastructure and reducing TCO. All of its components can stand alone and yet are seamlessly integrated — greatly reducing deployment and enabling a quick ROI.

For more information on CA's eTrust Identity and Access Management Suite, please visit

back to top

1 See the chapter "SAP Systems Security Under UNIX" at

2 Using the industry-standard Directory Mark tests, audited by the independent test house CPT Global, eTrust Directory outperformed its competitors in all query and update tests on a standard 2.4GHz Pentium 4 machine.

A Primer for SAP Customers: Understanding Microsoft's Software Update Strategy

Glenn Pereira
Product Manager,
Windows Enterprise Management,

With over 40,000 SAP solution installations on the Microsoft Windows platform, which include some of the largest SAP deployments, Microsoft takes seriously the need for attention to security for mission-critical applications such as SAP. Through a variety of security initiatives, Microsoft offers products, resources, prescriptive guidance, training, and partners designed to help customers keep their SAP and overall IT infrastructures healthy and to enjoy the benefits and peace of mind a secure computing environment brings.

Trustworthy Computing

The Microsoft Trustworthy Computing initiative, announced by Bill Gates in January of 2002 as a long-term initiative for the company, focuses on four key tenets: security, privacy, reliability, and business integrity.

The security effort is driving toward the following goals:

  • Improve and simplify the patching experience to help customers keep all of their systems protected and up-to-date.

  • Provide security guidance to help customers deploy and operate Microsoft products as securely as possible.

  • Innovate on safety technologies that will make Microsoft Windows-based computers more resilient to attack, even when security updates are not installed.

  • Improve the quality of our software through the Trustworthy Computing development process, to reduce vulnerabilities before the software ships.

Driving major improvements in the area of patch and update management is a key aspect of the Trustworthy Computing initiative. In 2002, Microsoft formed an internal task force to identify opportunities for improving the software update and security update management process and technologies, and to drive those improvements. This cross-divisional team, the Patch Management Task Force, solicited feedback from organizations of all sizes across the world. Based on this extensive customer engagement, the Patch Management Task Force distilled the input into key areas of focus:

Clear Communications

Keeping IT professionals informed about software updates and security updates represents a crucial component to helping SAP customers take the necessary and appropriate actions as they manage operational risks. However, Microsoft readily admits that communicating clearly has at times proven to be a daunting challenge. For example, customers have been known to search four different Web sites for security update management content, and complained that the security rating levels were unclear and that terminology and naming conventions were inconsistent.

The Security Bulletin Notification Service enables SAP customers to receive timely and accurate information directly from Microsoft about worms, viruses, and other security events. It represents one of the first steps taken to help customers determine if an event is relevant to their environments, how and when to download and deploy the security updates, and how the software updates or security updates affect their overall IT infrastructures. Customers can sign up to be notified via email when the latest Security Bulletins are posted with versions for business IT professionals and end users.

In the past year, based on customer feedback, Microsoft made the following improvements to the Security Bulletin Notification Service:

  • The Microsoft Security Response Center standardized its distribution processes and now sends bulletins monthly on the second calendar Tuesday (except in situations where a known exploit exists, in which case the bulletin is issued immediately).

  • Microsoft created a Security Bulletin Web search tool, consolidating the number of locations customers needed to search for information about security updates.

  • Microsoft provided other tools and resources such as a security guidance kit, virus information alliance, and solution accelerators that provide prescriptive guidance.

Consistency and Quality

Each Microsoft product grew over the years, with innovation and development focused primarily on helping customers meet their deployment objectives in a variety of situations. This independence enabled individual product teams to meet the business and technical needs of their customers in creative ways. However, this independence also meant that software updates and security updates developed in silos. With no common nomenclature or taxonomy, product teams developed numerous installer technologies that provided different user interfaces and different functionality. Specifically, the stability of security update code, package size, consistency, and system restart requirements needed further refinement.

Security update quality also remains an ongoing challenge, with customer feedback indicating too many recalls, unnecessary system restarts, and large sizes. When Microsoft releases a product, it uses a comprehensive regression, compatibility, functionality, and security testing plan to ensure a quality release. However, security updates typically need to be tested and released as quickly as possible. To address these consistency and quality issues, Microsoft has made — and plans to continue making — several changes:

  • Microsoft plans to harmonize terminology and naming conventions and to develop and enforce guidelines across all product groups.

  • Microsoft now uses a five-week test cycle with exit criteria for each step of the cycle, increased depth testing for all security update components, added daily workstation stress testing, self-hosting, consistent security update release criteria, and management-level signoff for updates prior to their release. To address patch size, package contents are more closely inspected for unnecessary or duplicated files.

  • A customer patch validation program has been implemented to uncover testing issues in the customer environment.

  • The Microsoft Security Response Center (MSRC) and the Secure Windows Initiative Team are conducting a formal post-mortem review of any security update issued in conjunction with a Security Bulletin.

  • The established frequency with which new updates are released was reduced from once per week to once per month on the second Tuesday of the month. In emergency situations — that is, when information about how to exploit a vulnerability is determined to be available or imminently available publicly — Microsoft will release necessary updates outside established release cycles.

  • The proportion of security updates delivered by Windows Update that require a system to be restarted has been reduced by 10%.

  • HotPatching (in-memory patching) technology initially scheduled for delivery with Microsoft Windows Server 2003 Service Pack 1 (SP1) will reduce by 30% the number of Windows Server 2003 security updates that require computer restarts. This percentage is expected to increase over time.

  • Microsoft's engineering teams are also developing smarter installers with better detection and dynamic analysis to determine whether a system restart is required and what operating system improvements allow file replacement without restarting.

The Right Tools

Microsoft continues to develop tools and technologies for update management. These tools are designed and customized to the unique needs of Microsoft's customers — from the individual home user to the largest enterprise. To effectively address this varied set of customer needs, Microsoft maintains a broad update management technology strategy. Figure 1 lists Microsoft's key security solution components.

Figure 1
Microsoft Security Solution Components

Microsoft is a long-standing member of the SAP Partner Program, and Microsoft and SAP continue to work together to ensure that SAP applications deployed on the Windows platform are compatible with the latest Microsoft patches and updates. Microsoft and SAP development teams can then take proactive and appropriate measures to inform customers of any actions that need to be taken.

For a full article on the above security initiatives, please see technet/security/topics/patch/patchmanagement.mspx and for general information, see and

back to top

The Real Thing and the Not-Quite-Real Thing: Real-Time Analysis of Security Issues in Your Business-Critical Systems

Mark Feldman
Vice President,
Marketing & Business Development,
Virsa Systems

Most sci-fi fans and movie buffs will remember "The Andromeda Strain" — in this classic film, a microorganism hitches a ride on a meteor and lands on Earth. It promptly infects and kills the local population. Since it mutates every few hours, the scientists trying to find a cure can never isolate the genetic structure of the current strain. By a stroke of good fortune, the organism eventually evolves into a benign form and the Earth is saved.

Security professionals, however, cannot count on that kind of luck. Like the Andromeda organism, ERP systems are in a constant state of change. Everything is in motion. As the number of users, roles, and transactions change, the system only mutates more rapidly, assuming a life of its own.

Stopping the system to assess the effectiveness of security and controls or to make changes is not an option when business-critical SAP and other solutions are hard at work. Even if you could take a snapshot of the system at one point in time, it would be of little help. By definition, the results of your analysis would be incomplete because the system will already have changed. Anything less than real-time assessment increases risk and exposure. Frankly, anything less than real-time assessment is a halfway measure — flawed from the start.

Security is serious business. Halfway measures are unacceptable. In fact, from the standpoint of fraud, malicious activity, security standards, and compliance requirements, halfway measures for business-critical SAP R/3 and other backend systems can be corporate suicide.

A complete solution requires real-time assessment of current security and controls violations. It should eliminate false positives and avoid conflicts before they occur. Further, on a 24/7 basis, all ongoing remediation, mitigation, and role changes should undergo real-time simulation before entering the production system. Thus, the system can be kept continuously clean and compliant.

There are two approaches you can take to security and controls solutions today. One approach is touted in the marketplace as "continuous monitoring." The other approach is what we call "Continuous Compliance." Virsa Systems, an SAP Software Partner, delivers Continuous Compliance in its own security and controls offering: the Continuous Compliance Suite.

When you look closely at the difference between continuous monitoring and Continuous Compliance, the disparity is significant — it's the difference between the real thing and the almost-real thing.

Continuous Monitoring: Not Quite Ready for Real-Time

Continuous monitoring, in most cases, is not a real-time solution. It's a halfway measure. Even the term "continuous" is a misnomer. The only thing continuous about it is that it is continuously executed too late. It's like jumping halfway across a chasm. You can get the first part right and still ruin your day.

The continuous monitoring solutions touted in the marketplace are not real-time. That is their primary failing. They are after-the-fact detection systems. By definition, they report violations after they have occurred, when the damage is already done. They jump halfway across the chasm, executing SOD (segregation of duties) analysis after the risk has been introduced in your production system.

Unless a continuous monitoring solution is real-time, it functions by downloading ERP data from the production system and subjecting it to analysis. Depending on the size of the enterprise, downloading can take hours. By the time the download and analysis are complete, new users, new role assignments, and corresponding transactions have already altered the system. Any remediation or mitigation actions are executed on an already changed system and may or may not eliminate the conflict. You will not know the answer until you execute another download and analysis. The potential for cascading negative effects is significant.

Since constant downloading depletes IT and system resources, few advocates of continuous monitoring execute a controls analysis more frequently than daily or even weekly. Depending on the frequency of downloading and analysis, the violations might persist for a considerable length of time. Even if you did not care about the consumption of resources and began downloads of the ERP hourly, you would forever be analyzing changes after-the-fact.

Lacking real-time simulation capability, these continuous monitoring solutions may even introduce new conflicts directly to the production system — and not discover them until the next download. By failing to halt violations before they occur, remediation is slow and painful. Fraud and malicious mischief go undetected for longer periods, and enforcement of your security policy is delayed. The exposure is significant and potentially expensive in terms of cash, time, and non-compliance.

Continuous Compliance: A Complete Real-Time Solution

When access and controls are persistently checked in real-time, risk is reduced to a minimum. This simple and intuitive notion is fundamental to Virsa's concept of Continuous Compliance — confidence in the integrity of security and controls.

With Virsa's Continuous Compliance Suite, access requests are approved only after the approver performs a real-time SOD analysis with live data from SAP R/3 (see Figure 1). Thus, before a role is generated or an assignment is made to a user, its effect on transactions is clear. The risk and the mitigation are evident to business owners, before any change is introduced to the system.

Figure 1
Virsa's Continuous Compliance Suite in an SAP Solution Landscape

Similarly, when best practice rules are configured and tested in real-time at both the transaction and object authorization levels, then approval and validation of single and composite roles, users, and user groups can be executed more confidently. Problems are avoided. False positives are eliminated. Auditors get greater transparency to rule changes and related risks. Ongoing compliance costs are reduced and "Confident Compliance" is achieved.

A real-time, 24/7 solution like Virsa's Continuous Compliance Suite avoids the pitfalls of continuous monitoring of offline data. Further, because the Continuous Compliance Suite has been optimized to ensure no discernable impact on performance, there is less consumption of resources. Virsa has even reduced implementation costs with a built-in library of 15,300 best-practice SOD rules. Typically, these rules apply to better than 95% of circumstances a company might encounter.

SAP R/3 makes real-time real. The Continuous Compliance Suite, an SAP-certified interface fully integrated with SAP R/3, leverages SAP R/3's power and capability, delivering the only real-time SOD security and controls system available for SAP in today's market. From Web-based, real-time access approval for rapid creation and validation of users, to real-time assessment and simulation of rules and roles, to real-time alerts and tracking of fire call IDs, Virsa's Continuous Compliance Suite is the key to Confident Compliance for all your SAP solutions.

For more information on Virsa's Continuous Compliance Suite, please visit

back to top

An email has been sent to:

More from SAPinsider


Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!