The days of isolated security incidents are long gone. Cyber attacks are now mainstream occurrences, and their scale, scope, and speed are staggering. And there are no signs of a slowdown — stories about new system threats, security breaches, and business espionage emerge daily.
A study earlier this year found that 68% of the organizations surveyed had a security incident in the past 24 months, and 57% expected to experience a security breach within the next year — 46% within the next six months.[1]
To help its customers avoid becoming another one of these statistics and to make security risks more calculable, SAP offers a comprehensive portfolio of security features and products that provide customers with the tools they need to protect their data — and their business. Figure 1 provides an architectural overview of SAP’s full range of security offerings. To put customers in the best possible position not only to counter ever-evolving attacks, but also to understand them and prevent them from happening again, SAP is constantly improving and expanding its security functionality and solutions. This article focuses on SAP’s latest investments in security innovations. In particular, it looks at the latest security enhancements built into SAP NetWeaver Application Server (SAP NetWeaver AS); the new and planned features for SAP Identity Management, SAP Single Sign-On, and SAP NetWeaver AS, add-on for code vulnerability analysis; and two brand-new security products planned for release later this year, the SAP Cloud Identity service and SAP Enterprise Threat Detection.
Enhanced Security Features for SAP NetWeaver AS
SAP NetWeaver AS comes with built-in platform security capabilities, including features for user management, authentication, authorization, encryption, and web services security, as well as an API for plugging in external virus scanners. To help customers keep pace with security threats, SAP has added two new configurable security features for ABAP-based environments — Read Access Logging (RAL) and Unified Connectivity (UCON) — as well as enhanced authorization support for SAP’s in-memory technology.
Read Access Logging
Read Access Logging (RAL), introduced in SAP NetWeaver AS ABAP 7.4, allows organizations to configure a highly granular and extensive set of logging functionality to monitor access to sensitive data. RAL expands the breadth of your auditing and logging capabilities by enabling you not only to log access to data that has been changed, but also to log access to data that has only been displayed. It includes support for tracking access to data via various user interfaces, such as Web Dynpro, as well as communication via web service calls and remote function calls (RFCs), enabling you to configure logging for scenarios such as which user accessed what credit card data. RAL helps customers both secure their data and comply with legal regulations and standards.[2]
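To make the distinction between change logging and display logging concrete, here is an added Python sketch of a read-access audit trail. It is not SAP's RAL implementation; the customer records, the channel names and the choice to store a truncated SHA-256 fingerprint instead of the value are assumptions made for the example.

```python
"""Read-access audit trail: an added illustration of the RAL idea, not SAP's implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib

# Constructed sample records; "card_number" stands in for any sensitive field.
CUSTOMERS = {
    "C001": {"name": "Alice Example", "card_number": "4111111111111111"},
    "C002": {"name": "Bob Example", "card_number": "5500000000000004"},
}

# Fields whose mere display must be logged (change logging alone would miss these reads).
LOGGED_FIELDS = {"card_number"}


@dataclass
class ReadAccessEntry:
    timestamp: str
    user: str
    channel: str            # UI or protocol the read came through, e.g. "WebDynpro", "RFC"
    record_key: str
    field_name: str
    value_fingerprint: str  # truncated SHA-256 of the value; the log never stores the value itself


@dataclass
class ReadAccessLog:
    entries: list = field(default_factory=list)

    def record(self, user, channel, record_key, field_name, value):
        fingerprint = hashlib.sha256(value.encode()).hexdigest()[:16]
        self.entries.append(ReadAccessEntry(
            datetime.now(timezone.utc).isoformat(), user, channel,
            record_key, field_name, fingerprint))


def display_customer(log, user, channel, record_key, fields):
    """Return the requested fields and write one log entry per logged field that was shown."""
    rec = CUSTOMERS[record_key]
    shown = {}
    for name in fields:
        shown[name] = rec[name]
        if name in LOGGED_FIELDS:
            log.record(user, channel, record_key, name, rec[name])
    return shown


def readers_of(log, field_name):
    """Answer the audit question 'which users displayed this field?'"""
    return sorted({e.user for e in log.entries if e.field_name == field_name})


if __name__ == "__main__":
    audit = ReadAccessLog()
    display_customer(audit, "jdoe", "WebDynpro", "C001", ["name", "card_number"])
    display_customer(audit, "asmith", "RFC", "C002", ["name"])
    print(readers_of(audit, "card_number"))
```

Displaying only the name produces no entry, while displaying the card number produces one even though nothing was changed; the log records who, when, through which channel and which record, but never the sensitive value itself.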
Unified Connectivity
Unified Connectivity (UCON), introduced in SAP NetWeaver AS ABAP 7.4, is a feature that helps organizations secure communications between ABAP-based systems. Many SAP systems communicate with one another or with non-SAP systems via RFC, which enables this communication by allowing RFC-enabled function modules (RFMs) to be called between these systems. UCON provides a proper authorization concept for these RFM calls. With UCON, you can first track and trace which RFMs are used in your systems, and then structure and organize an authorization framework around only the relevant ones — access to RFMs deemed irrelevant is then blocked, reducing the potential for attack. After the initial collection and authorization of RFMs, you can rerun UCON on a regular basis to help ensure the security of your connections and your peace of mind.[3]
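The collect-then-restrict workflow described above, as an added Python sketch that is not SAP's UCON implementation. The gateway class, the RFM names and the three phase names ("logging", "evaluation", "active") are assumptions made for the example; the point is that the allowlist is derived from observed traffic and that an evaluation phase reports what would be blocked before anything is actually rejected.

```python
"""Phased RFC allowlisting: an added illustration of the UCON idea, not SAP's implementation."""
from collections import Counter

# Constructed: the RFC-enabled function modules this system exposes.
EXPOSED_RFMS = {"Z_GET_ORDER_STATUS", "Z_CREATE_INVOICE", "Z_DEBUG_DUMP_TABLE", "Z_PING"}


class RfmGateway:
    """'logging' records calls, 'evaluation' reports what would be blocked, 'active' enforces."""

    def __init__(self):
        self.phase = "logging"
        self.calls = Counter()     # RFM name -> observed call count
        self.allowlist = set()
        self.blocked = []          # (rfm, caller) pairs blocked or flagged as would-be-blocked

    def call(self, rfm, caller):
        if rfm not in EXPOSED_RFMS:
            raise LookupError(f"unknown RFM {rfm}")
        if self.phase == "logging":
            self.calls[rfm] += 1
            return "executed"
        allowed = rfm in self.allowlist
        if self.phase == "evaluation":
            if not allowed:
                self.blocked.append((rfm, caller))   # reported, but still executed
            return "executed"
        if self.phase == "active":
            if not allowed:
                self.blocked.append((rfm, caller))
                return "blocked"
            return "executed"
        raise ValueError(f"unknown phase {self.phase}")

    def build_allowlist(self, min_calls=1):
        """Derive the allowlist from the calls observed during the logging phase."""
        self.allowlist = {r for r, n in self.calls.items() if n >= min_calls}
        self.phase = "evaluation"
        return self.allowlist

    def activate(self):
        self.phase = "active"

    def never_called(self):
        """Exposed RFMs that no caller needed: candidates to be blocked outright."""
        return EXPOSED_RFMS - set(self.calls)


if __name__ == "__main__":
    gw = RfmGateway()
    gw.call("Z_GET_ORDER_STATUS", "SYS_A")
    gw.call("Z_PING", "SYS_B")
    print("unused:", gw.never_called())
    print("allowlist:", gw.build_allowlist())
    gw.activate()
    print(gw.call("Z_DEBUG_DUMP_TABLE", "SYS_C"))   # blocked
```

Rerunning the logging and evaluation phases periodically, as the article recommends, corresponds to rebuilding the allowlist from fresh call statistics and reviewing the `blocked` list before activating again.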
Authorization Support for SAP HANA
With SAP NetWeaver 7.4 now fully optimized for SAP HANA, SAP plans to enhance the authorization capabilities of SAP NetWeaver AS to provide better and simpler authorization support for SAP HANA. More information on this new functionality is expected at the SAP TechEd && d-code conference this fall.
Enhancements for Current Security Products
In addition to the features built into SAP NetWeaver AS to support platform security, SAP offers further products to help customers safeguard operations across the enterprise. Let’s take a closer look at three current SAP products that enable organizations to address areas that are fundamental to maintaining the integrity of their SAP systems and processes: managing user accounts, centralizing user logons, and uncovering vulnerabilities in ABAP code.
SAP Identity Management
SAP Identity Management (SAP ID Management) allows organizations to centrally administer user accounts and provision corresponding roles and authorizations into SAP and non-SAP back-end systems across the enterprise landscape. Introduced in 2007, the solution provides an authoritative, single source of user information and authorizations, helping to both streamline operations and protect applications and data.
SAP ID Management integrates seamlessly into the business processes in customer landscapes. To achieve compliant and integrated user and access management, SAP ID Management can be integrated with SAP Access Control to run a segregation of duties (SoD) analysis prior to role assignments or role changes to avoid granting users too much access. SAP ID Management also has built-in workflow capabilities for managing user information.
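The "check before assign" flow described above, as an added Python sketch that is neither SAP ID Management nor SAP Access Control code. The role names, the business functions each role grants and the conflict pairs are constructed for the example; a real SoD rule set would come from the organization's own control matrix.

```python
"""Segregation-of-duties check run before a role assignment (added example, not SAP code)."""

# Constructed: which business functions each role grants.
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"create_vendor", "enter_invoice"},
    "Z_AP_PAYER": {"release_payment"},
    "Z_VENDOR_MAINT": {"create_vendor", "change_bank_details"},
    "Z_REPORTING": {"view_reports"},
}

# Constructed: function pairs that one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "release_payment"}),
    frozenset({"enter_invoice", "release_payment"}),
    frozenset({"change_bank_details", "release_payment"}),
}


def sod_violations(current_roles, proposed_roles):
    """Conflict pairs that would exist once the proposed roles are added to the current ones.
    The check is on the union, so a conflict split across an old and a new role is caught."""
    functions = set()
    for role in set(current_roles) | set(proposed_roles):
        functions |= ROLE_FUNCTIONS[role]
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= functions)


def provision(user_roles, user, proposed_roles):
    """Assign the roles only if no SoD conflict would result; returns (assigned, violations)."""
    violations = sod_violations(user_roles.get(user, set()), proposed_roles)
    if violations:
        return False, violations
    user_roles.setdefault(user, set()).update(proposed_roles)
    return True, []


if __name__ == "__main__":
    assignments = {"jdoe": {"Z_AP_CLERK"}}
    print(provision(assignments, "jdoe", {"Z_REPORTING"}))   # (True, [])
    print(provision(assignments, "jdoe", {"Z_AP_PAYER"}))    # refused: clerk + payer conflict
```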
The current release of SAP ID Management (version 7.2, support package stack 9) supports three database options — Microsoft SQL Server, IBM DB2, and Oracle — for storing user identity and authorization information. In Q4 of this year, SAP plans to ship a new release (version 8.0) of SAP ID Management that will support SAP HANA. The planned release will also include an Eclipse-based development environment that enables simpler user account management and SoD administration, along with enhanced UIs, reporting capabilities, and integration with SAP solutions for governance, risk, and compliance (GRC).[4]
SAP Single Sign-On
Introduced in 2011, SAP Single Sign-On simplifies access to business information by enabling one-time, secure, system-wide login for users across the enterprise, reducing the administrative costs and security risks associated with multiple login points.
This single sign-on (SSO) access is secured through authentication tokens (such as a smart card that the owner carries to authorize access to a network service) based on standard authentication and encryption technology. The current release of SAP Single Sign-On (version 2.0, support package stack 3) supports the Kerberos, X.509 digital certificates, and Security Assertion Markup Language (SAML) standards. SSO to SAP solutions (via the standard SAP GUI for Windows or a web browser, for instance) requires only a simple Kerberos-based authentication. To enable SSO access to non-SAP applications as well as SAP solutions, SAP Single Sign-On provides support for X.509 digital certificates, and customers can leverage a SAML-based identity provider to enable cloud-based, cross-domain SSO and identity federation. In addition, SAP Single Sign-On includes a password manager component that provides secure password storage for any legacy systems in your system landscape that do not accept standardized authentication tokens, enabling a true enterprise SSO solution for customers.
Planned new features, to be delivered continuously, include strong authentication and one-time password tokens for mobile SSO; a Federal Information Processing Standard (FIPS) 140 certification[5] for the solution’s cryptographic library; and policy-based authentication, which allows organizations to base authentication decisions on date, time, location, or IP address.[6]
SAP NetWeaver AS, Add-On for Code Vulnerability Analysis
The security of an organization’s data assets starts with the source code that underlies the applications that access that data. To help customers ensure that their custom-developed applications are safe from attack, SAP now offers the tool it uses internally to scan its own ABAP source code for vulnerabilities.
Introduced at the end of 2013, SAP NetWeaver AS, add-on for code vulnerability analysis, is a separately licensed product that allows organizations to scan and analyze their custom ABAP code for the most common and critical security flaws, including SQL injections, cross-site scripting, and buffer overflows. Tightly integrated into the existing test infrastructure of SAP NetWeaver AS ABAP, the tool not only retrieves a list of security vulnerabilities, it also offers detailed and comprehensive suggestions on how to fix the identified vulnerabilities, and in turn avoid them altogether in the future. SAP NetWeaver AS, add-on for code vulnerability analysis, is available for use with:
- SAP NetWeaver AS ABAP 7.4 (support package 5)
- SAP NetWeaver AS ABAP 7.3 (enhancement package 1, support package 9)
- SAP NetWeaver AS ABAP 7.0 (enhancement package 3, support package 9)
- SAP NetWeaver AS ABAP 7.0 (enhancement package 2, support package 14)
Evolving technologies, programming languages, and protocols will bring with them new sets of security risks. SAP monitors these developments, and will enhance this product to address any ABAP-related vulnerabilities that may emerge.[7]
Upcoming Security Products
As technologies advance, requirements change, and business applications become more complex, new threats will materialize to take advantage of potential points of weakness. SAP continues to develop new products that enable customers to take advantage of the latest innovations and advance their business while keeping their landscapes secure. Next, we’ll take a sneak peek at two brand-new products, planned for release in the coming months, that address two critical areas in modern SAP landscapes: secure application access in cloud-based environments, and real-time detection of security breaches.
SAP Cloud Identity Service
The SAP Cloud Identity service is an SAP Cloud offering that enables authentication and SSO for SAP and non-SAP cloud-based applications. SAP hosts the solution as a service in the cloud — customers can then use the service to grant users secure cloud-based access to applications such as SuccessFactors solutions, SAP Cloud for Travel and Expense, and SAP Cloud for Sales, as well as non-SAP cloud applications. With the SAP Cloud Identity service, customers will be able to use strong and secure SSO in cloud deployments without the hassle of having to administer the product themselves. In addition, the SAP Cloud Identity service will integrate with SAP Single Sign-On to support customers that have already deployed an SAML-based identity provider on premise to enable cloud-based, cross-domain SSO, saving you from having to move your on-premise identity provider into the cloud.
Stay tuned for more information on this new product offering. Rollout for the SAP Cloud Identity service is expected at the SAP TechEd && d-code conference this fall.
SAP Enterprise Threat Detection
Attacks on data and systems are relentless, and the speed with which a security breach is neutralized can make or break an organization’s business goals or reputation. To help customers protect themselves from serious harm, SAP has developed a new product that monitors business processes across the enterprise landscape — in both SAP and non-SAP systems — for potential threats. SAP Enterprise Threat Detection combines the high-performance power of SAP Event Stream Processor with the fast and intensive analytical capabilities of SAP HANA to scan log files and discover attacks based on suspicious patterns. The speed of SAP HANA enables the analysis of huge amounts of accumulated data in business landscapes and the ability to generate results in real time, allowing organizations to counteract threats before they inflict lasting damage.
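To illustrate what "discover attacks based on suspicious patterns" means at the log level, here is an added Python sketch of two detection rules run over constructed log lines. It is not SAP Enterprise Threat Detection, and the log format (`key=value` fields after an ISO timestamp), the rule names and the thresholds are assumptions made for the example; the first rule is a windowed correlation across several events, the second a simple match on a sensitive RFM name.

```python
"""Two pattern-based detection rules over constructed log lines (added example, not SAP code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: a burst of failed logons followed by success, one ordinary
# failed-then-successful logon minutes apart, and a call to a sensitive RFM.
LOG_LINES = """\
2014-09-15T08:00:01Z user=jdoe src=10.0.0.5 event=LOGON result=FAIL
2014-09-15T08:00:03Z user=jdoe src=10.0.0.5 event=LOGON result=FAIL
2014-09-15T08:00:05Z user=jdoe src=10.0.0.5 event=LOGON result=FAIL
2014-09-15T08:00:09Z user=jdoe src=10.0.0.5 event=LOGON result=OK
2014-09-15T08:00:12Z user=asmith src=10.0.1.7 event=LOGON result=FAIL
2014-09-15T08:07:30Z user=asmith src=10.0.1.7 event=LOGON result=OK
2014-09-15T08:10:00Z user=jdoe src=10.0.0.5 event=RFC name=Z_DEBUG_DUMP_TABLE result=OK
""".splitlines()

LINE = re.compile(r"^(\S+)\s+(.*)$")


def parse(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a timezone-aware 'ts'."""
    ts, rest = LINE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def detect(lines, fail_threshold=3, window=timedelta(seconds=60), sensitive_rfms=frozenset()):
    """Return alerts as tuples (rule, user, src, detail)."""
    alerts = []
    recent_fails = defaultdict(deque)   # (user, src) -> timestamps of failures inside the window
    for ev in map(parse, lines):
        key = (ev["user"], ev["src"])
        if ev["event"] == "LOGON":
            fails = recent_fails[key]
            while fails and ev["ts"] - fails[0] > window:   # drop failures outside the window
                fails.popleft()
            if ev["result"] == "FAIL":
                fails.append(ev["ts"])
            elif len(fails) >= fail_threshold:              # success right after a burst
                alerts.append(("failed-logon-burst-then-success", ev["user"], ev["src"],
                               ev["ts"].isoformat()))
                fails.clear()
        elif ev["event"] == "RFC" and ev.get("name") in sensitive_rfms:
            alerts.append(("sensitive-rfm-called", ev["user"], ev["src"], ev["name"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES, sensitive_rfms={"Z_DEBUG_DUMP_TABLE"}):
        print(alert)
```

The second logon pair (asmith) produces no alert: one failure is below the threshold and the success comes after the window has expired, which is the kind of false positive the windowing is there to avoid. Real deployments tune the threshold and window per system and correlate across far more event types than these two.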
SAP Enterprise Threat Detection is planned for release in the fall of 2014, with a major rollout at the SAP TechEd && d-code conference. For a detailed introduction to this new product, see the article “Safeguard Your Business-Critical Data with Real-Time Detection and Analysis” by Martin Plummer in this issue of SAPinsider.
The Future of SAP Security
Integrated views of your information assets are key to gaining business advantages in the networked economy. But the more you open your systems, the more you need central controls to protect the assets that drive your competitive edge.
To help you protect your data — and your business — SAP has significantly enhanced its security features and security product portfolio over the years, and will continue to do so going forward. Strategically, SAP is “the cloud company powered by SAP HANA,” and you can expect more products and capabilities to emerge from SAP to address cloud security. In addition, you can also expect to see new SAP HANA-based features and innovation in the area of big data security. Another emerging area is the connection of devices through the internet, also known as machine-to-machine connectivity and the Internet of Things (IoT). As both the cloud and big data trend toward convergence with IoT, IoT security is another area that SAP will look into from a security strategy perspective.
Learn more about the SAP security portfolio at http://scn.sap.com/community/security.
[1] Ponemon Institute, “Cyber Security Incident Response: Are We as Prepared as We Think?” (January 2014; www.ponemon.org/blog/cyber-security-incident-response-are-we-as-prepared-as-we-think).
[2] For a detailed introduction to RAL, see “Protect Sensitive Data and Prevent Security Violations” by Gerlinde Zibulski and Patrick Hildenbrand in the July-September 2013 issue of SAPinsider. More information is also available at http://scn.sap.com/docs/DOC-53843.
[3] For a detailed introduction to UCON, see “Secure Your System Communications with Unified Connectivity” by Dr. Thomas Weiss in the January-March 2014 issue of SAPinsider. More information is also available at http://scn.sap.com/docs/DOC-51003.
[4] For a detailed introduction to SAP ID Management, see “What’s New in SAP NetWeaver ID Management 7.2?” by Regine Schimmer and Gerlinde Zibulski in the October-December 2011 issue of SAPinsider. More information is also available at http://scn.sap.com/community/idm, and the product roadmap is available at https://websmp202.sap-ag.de/~sapidb/011000358700001087162013E.pdf.
[5] For more information about FIPS 140 certification, see “Is Your Data Properly Protected?” by Annette Fuchs in the January-March 2013 issue of SAPinsider.
[6] For a detailed introduction to SAP Single Sign-On, see “An Inside Look at the New Features and Functionality in SAP NetWeaver Single Sign-On 2.0” by Regine Schimmer, Jens Koster, and Frane Milicevic in the April-June 2013 issue of SAPinsider. More information is also available at http://scn.sap.com/community/sso, and the product roadmap is available at https://service.sap.com/~sapidb/012002523100009396052014E.pdf.
[7] For a detailed introduction to SAP NetWeaver AS, add-on for code vulnerability analysis, see “Start Your ABAP Applications on Solid Ground” by Patrick Hildenbrand in the October-December 2013 issue of SAPinsider. More information is also available at http://scn.sap.com/docs/DOC-48613, and the product roadmap is available at https://websmp202.sap-ag.de/~sapidb/011000358700000256742014E.pdf.