Primer for SAP Customers: Understanding Microsoft's Software Update Strategy
Windows Enterprise Management,
With over 40,000 SAP solution installations on the Microsoft Windows platform, which include some of the largest SAP deployments, Microsoft takes seriously the need for attention to security for mission-critical applications such as SAP. Through a variety of security initiatives, Microsoft offers products, resources, prescriptive guidance, training, and partners designed to help customers keep their SAP and overall IT infrastructures healthy and to enjoy the benefits and peace of mind a secure computing environment
The Microsoft Trustworthy Computing initiative, announced by Bill Gates in January of 2002 as a long-term initiative for the company, focuses on four key tenets: security, privacy, reliability, and business integrity.
The security effort is driving toward the following goals:
- Improve and simplify the patching experience to help customers keep all of their systems protected and up-to-date.
- Provide security guidance to help customers deploy and operate Microsoft products as securely as possible.
- Innovate on safety technologies that will make Microsoft Windows-based computers more resilient to attack, even when security updates are not installed.
- Improve the quality of our software through the Trustworthy Computing development process, to reduce vulnerabilities before the software ships.
Driving major improvements in the area of patch and update management is a key aspect of the Trustworthy Computing initiative. In 2002, Microsoft formed an internal task force to identify opportunities for improving the software update and security update management process and technologies, and to drive those improvements. This cross-divisional team, the Patch Management Task Force, solicited feedback from organizations of all sizes across the world. Based on this extensive customer engagement, the Patch Management Task Force distilled the input into key areas of focus:
Keeping IT professionals informed about software updates and security updates is a crucial part of helping SAP customers take the necessary and appropriate actions as they manage operational risks. However, Microsoft readily admits that communicating clearly has at times proven to be a daunting challenge. For example, customers have been known to search four different Web sites for security update management content, and have complained that the security rating levels were unclear and that terminology and naming conventions were inconsistent.
The Security Bulletin Notification Service enables SAP customers to receive timely and accurate information directly from Microsoft about worms, viruses, and other security events. It represents one of the first steps taken to help customers determine if an event is relevant to their environments, how and when to download and deploy the security updates, and how the software updates or security updates affect their overall IT infrastructures. Customers can sign up to be notified via email when the latest Security Bulletins are posted with versions for business IT professionals and end users.
In the past year, based on customer feedback, Microsoft made the following improvements to the Security Bulletin Notification Service:
- The Microsoft Security Response Center standardized its distribution processes and now sends bulletins monthly on the second calendar Tuesday (except in situations where a known exploit exists, in which case the bulletin is issued immediately).
- Microsoft created a Security Bulletin Web search tool, consolidating the number of locations customers needed to search for information about security updates.
- Microsoft provided other tools and resources such as a security guidance kit, virus information alliance, and solution accelerators that provide prescriptive guidance.
Consistency and Quality
Each Microsoft product grew over the years, with innovation and development focused primarily on helping customers meet their deployment objectives in a variety of situations. This independence enabled individual product teams to meet the business and technical needs of their customers in creative ways. However, this independence also meant that software updates and security updates were developed in silos. With no common nomenclature or taxonomy, product teams developed numerous installer technologies that provided different user interfaces and different functionality. Specifically, the stability of security update code, package size, consistency, and system restart requirements needed further refinement.
Security update quality also remains an ongoing challenge, with customer feedback indicating too many recalls, unnecessary system restarts, and large sizes. When Microsoft releases a product, it uses a comprehensive regression, compatibility, functionality, and security testing plan to ensure a quality release. However, security updates typically need to be tested and released as quickly as possible. To address these consistency and quality issues, Microsoft has made — and plans to continue making — several changes:
- Microsoft plans to harmonize terminology and naming conventions and to develop and enforce guidelines across all product groups.
- Microsoft now uses a five-week test cycle with exit criteria for each step of the cycle, increased depth testing for all security update components, added daily workstation stress testing, self-hosting, consistent security update release criteria, and management-level signoff for updates prior to their release. To address patch size, package contents are more closely inspected for unnecessary or duplicated files.
- A customer patch validation program has been implemented to uncover testing issues in the customer environment.
- The Microsoft Security Response Center (MSRC) and the Secure Windows Initiative Team are conducting a formal post-mortem review of any security update issued in conjunction with a Security Bulletin.
- The established frequency with which new updates are released was reduced from once per week to once per month on the second Tuesday of the month. In emergency situations — that is, when information about how to exploit a vulnerability is determined to be available or imminently available publicly — Microsoft will release necessary updates outside established release cycles.
- The proportion of security updates delivered by Windows Update that require a system to be restarted has been reduced by 10%.
- HotPatching (in-memory patching) technology initially scheduled for delivery with Microsoft Windows Server 2003 Service Pack 1 (SP1) will reduce by 30% the number of Windows Server 2003 security updates that require computer restarts. This percentage is expected to increase over time.
- Microsoft's engineering teams are also developing smarter installers with better detection and dynamic analysis to determine whether a system restart is required and what operating system improvements allow file replacement without restarting.
The Right Tools
Microsoft continues to develop tools and technologies for update management. These tools are designed and customized to the unique needs of Microsoft's customers — from the individual home user to the largest enterprise. To effectively address this varied set of customer needs, Microsoft maintains a broad update management technology strategy. Figure 1 lists Microsoft's key security solution
[Figure 1: Microsoft Security Solution Components]
Microsoft is a long-standing member of the SAP Partner Program, and Microsoft and SAP continue to work together to ensure that SAP applications deployed on the Windows platform are compatible with the latest Microsoft patches and updates. Microsoft and SAP development teams can then take proactive and appropriate measures to inform customers of any actions that need to be taken.
For a full article on the above security initiatives, please see www.microsoft.com/technet/security/topics/patch/patchmanagement.mspx and for general information, see www.microsoft.com/security and www.microsoft-sap.com.
Real Thing and the Not-Quite-Real Thing: Analysis of Security Issues in Your Business-Critical
Marketing & Business Development,
Most sci-fi fans and movie buffs will remember "The Andromeda Strain" — in this classic film, a microorganism hitches a ride on a meteor and lands on Earth. It promptly infects and kills the local population. Since it mutates every few hours, the scientists trying to find a cure can never isolate the genetic structure of the current strain. By a stroke of good fortune, the organism eventually evolves into a benign form and the Earth is saved.
Security professionals, however, cannot count on that kind of luck. Like the Andromeda organism, ERP systems are in a constant state of change. Everything is in motion. As the number of users, roles, and transactions change, the system only mutates more rapidly, assuming a life of its own.
Stopping the system to assess the effectiveness of security and controls or to make changes is not an option when business-critical SAP and other solutions are hard at work. Even if you could take a snapshot of the system at one point in time, it would be of little help. By definition, the results of your analysis would be incomplete because the system will already have changed. Anything less than real-time assessment increases risk and exposure. Frankly, anything less than real-time assessment is a halfway measure — flawed from the start.
Security is serious business. Halfway measures are unacceptable. In fact, from the standpoint of fraud, malicious activity, security standards, and compliance requirements, halfway measures for business-critical SAP R/3 and other backend systems can be corporate suicide.
A complete solution requires real-time assessment of current security and controls violations. It should eliminate false positives and avoid conflicts before they occur. Further, on a 24/7 basis, all ongoing remediation, mitigation, and role changes should undergo real-time simulation before entering the production system. Thus, the system can be kept continuously clean and compliant.
There are two approaches you can take to security and controls solutions today. One approach is touted in the marketplace as "continuous monitoring." The other approach is what we call "Continuous Compliance." Virsa Systems, an SAP Software Partner, delivers Continuous Compliance in its own security and controls offering: the Continuous Compliance Suite.
When you look closely at the difference between continuous monitoring and Continuous Compliance, the disparity is significant — it's the difference between the real thing and the almost-real thing.
Continuous Monitoring: Not Quite Ready for Real-Time
Continuous monitoring, in most cases, is not a real-time solution. It's a halfway measure. Even the term "continuous" is a misnomer. The only thing continuous about it is that it is continuously executed too late. It's like jumping halfway across a chasm. You can get the first part right and still ruin your day.
The continuous monitoring solutions touted in the marketplace are not real-time. That is their primary failing. They are after-the-fact detection systems. By definition, they report violations after they have occurred, when the damage is already done. They jump halfway across the chasm, executing SOD (segregation of duties) analysis after the risk has been introduced in your production system.
Unless a continuous monitoring solution is real-time, it functions by downloading ERP data from the production system and subjecting it to analysis. Depending on the size of the enterprise, downloading can take hours. By the time the download and analysis are complete, new users, new role assignments, and corresponding transactions have already altered the system. Any remediation or mitigation actions are executed on an already changed system and may or may not eliminate the conflict. You will not know the answer until you execute another download and analysis. The potential for cascading negative effects is significant.
Since constant downloading depletes IT and system resources, few advocates of continuous monitoring execute a controls analysis more frequently than daily or even weekly. Depending on the frequency of downloading and analysis, the violations might persist for a considerable length of time. Even if you did not care about the consumption of resources and began downloads of the ERP hourly, you would forever be analyzing changes after-the-fact.
Lacking real-time simulation capability, these continuous monitoring solutions may even introduce new conflicts directly to the production system — and not discover them until the next download. By failing to halt violations before they occur, remediation is slow and painful. Fraud and malicious mischief go undetected for longer periods, and enforcement of your security policy is delayed. The exposure is significant and potentially expensive in terms of cash, time, and non-compliance.
Continuous Compliance: A Complete Real-Time Solution
When access and controls are persistently checked in real-time, risk is reduced to a minimum. This simple and intuitive notion is fundamental to Virsa's concept of Continuous Compliance — confidence in the integrity of security and controls.
With Virsa's Continuous Compliance Suite, access requests are approved only after the approver performs a real-time SOD analysis with live data from SAP R/3 (see Figure 1). Thus, before a role is generated or an assignment is made to a user, its effect on transactions is clear. The risk and the mitigation are evident to business owners, before any change is introduced to the system.
[Figure 1: Virsa's Continuous Compliance Suite in an SAP Solution Landscape]
Similarly, when best practice rules are configured and tested in real-time at both the transaction and object authorization levels, then approval and validation of single and composite roles, users, and user groups can be executed more confidently. Problems are avoided. False positives are eliminated. Auditors get greater transparency to rule changes and related risks. Ongoing compliance costs are reduced and "Confident Compliance" is achieved.
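As an added illustration of the pre-approval SOD simulation described above (example code written for this page, not Virsa's product or SAP code): the roles, transaction codes and SOD rules are constructed sample data, the check is at the transaction level only, and simulate_assignment reports just the conflicts a proposed role would newly introduce, so an approver sees the risk before the change reaches the production system.

```python
# Added example (not Virsa's or SAP's code): simulate an access request against
# the user's current roles before anything is written to the production system.
# Roles, transaction codes and SOD rules below are constructed sample data.

# Constructed SOD rules: rule id -> pair of transactions one user must not hold.
SOD_RULES = {
    "P001": ("ME21N", "MIGO"),   # create purchase order + post goods receipt
    "P002": ("XK01", "F110"),    # create vendor master + run payment program
    "P003": ("FB60", "F110"),    # enter vendor invoice + run payment program
}

# Constructed roles: role name -> transaction codes it grants.
ROLES = {
    "Z_PURCHASER":   {"ME21N", "ME22N"},
    "Z_WAREHOUSE":   {"MIGO", "MB51"},
    "Z_AP_CLERK":    {"XK01", "FB60"},
    "Z_AP_PAYMENTS": {"F110"},
}


def effective_tcodes(roles):
    """Union of transactions granted by a set of roles (unknown roles grant nothing)."""
    tcodes = set()
    for role in roles:
        tcodes |= ROLES.get(role, set())
    return tcodes


def sod_violations(tcodes):
    """Rule ids for which both conflicting transactions are present in the set."""
    return sorted(rule for rule, (a, b) in SOD_RULES.items()
                  if a in tcodes and b in tcodes)


def simulate_assignment(current_roles, new_role):
    """Conflicts that assigning new_role would introduce, ignoring pre-existing ones."""
    before = set(sod_violations(effective_tcodes(current_roles)))
    after = set(sod_violations(effective_tcodes(set(current_roles) | {new_role})))
    return sorted(after - before)


def decide_request(user, current_roles, new_role, mitigated=()):
    """Approve only when every newly introduced conflict has an accepted mitigation."""
    new_conflicts = simulate_assignment(current_roles, new_role)
    open_conflicts = [c for c in new_conflicts if c not in mitigated]
    return {"user": user, "role": new_role, "new_conflicts": new_conflicts,
            "open_conflicts": open_conflicts, "approved": not open_conflicts}


if __name__ == "__main__":
    print(decide_request("jdoe", {"Z_PURCHASER"}, "Z_WAREHOUSE"))
```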
A real-time, 24/7 solution like Virsa's Continuous Compliance Suite avoids the pitfalls of continuous monitoring of offline data. Further, because the Continuous Compliance Suite has been optimized to ensure no discernible impact on performance, there is less consumption of resources. Virsa has even reduced implementation costs with a built-in library of 15,300 best-practice SOD rules. Typically, these rules apply to better than 95% of circumstances a company might encounter.
SAP R/3 makes real-time real. The Continuous Compliance Suite, an SAP-certified interface fully integrated with SAP R/3, leverages SAP R/3's power and capability, delivering the only real-time SOD security and controls system available for SAP in today's market. From Web-based, real-time access approval for rapid creation and validation of users, to real-time assessment and simulation of rules and roles, to real-time alerts and tracking of fire call IDs, Virsa's Continuous Compliance Suite is the key to Confident Compliance for all your SAP solutions.
For more information on Virsa's Continuous Compliance Suite, please visit www.virsasystems.com.