SAP Security

Security in SAP Systems

FIST Conference
26th of November 2004
Barcelona
Dr. Michael Woitass

©Dr. Michael Woitass Version 02/04

Agenda

Security risks

High-level security in SAP systems

Single Sign-On to SAP

Secure Network Communication (SNC) in SAP

Digital signature of documents (SSF) in SAP

2

Information security

¿Do organisations need cryptographic solutions?

The competitive advantage of many companies and institutions results from
obtaining ad managing information.
The loss of information can generate a serious risk for these organisations.

Without protection internal data may be accessible via the network:

Personal data

Financial data

Customers and providers

Product and service prices

Intellectual proprietary

Confidential corporate information.
3

SAP systems environment

SAP data are transmitted by an insecure network.

WEB Browser WEB Server ITS SAPgui / SAPlogon

R/3
Internet

WEB SAP WEB
Browser Application Server SAPlpd

Internet

Insecure
SAP Router SAP Router network
rfc access

4

Security of SAP systems

Standard SAP:

The security of SAP systems depends on the security of
the network.

The login information (userid and password) can be captured
during transmission.

SAP data are transmitted as legible text.

SAPgui / SAPlogon R/3

5

Security risks

Appropriate security purposes eliminate the risks.

Attack Security purpose
• Man-in-the-middle Authentication
• Unauthorised modification Data integrity
• Unauthenticated sender Proof of origin
• Wiretapping Confidentiality

6

Security technology

Asymmetric cryptography provides the technology
to guarantee high-level security.

Security purpose Technology

• Autentication Strong authentication
• Data integrity Digital signature
• Proof of origin Digital signature
• Confidentiality Encryption

7

Basics: asymmetric encryption

Encryption and decryption
with public-key-cryptography

8

Basics: hybrid encryption

Encryption and decryption
with hybrid cryptography

9

Basics: digital signature

Digital signature and
its verification

10

SAP Security

Cryptographic solutions facilitate

Secure Single Sign-On to SAP (SSO)

Encryption of data communications in SAP (SNC)

Digital signature of SAP documents (SSF)

11

SAP Security





12

Secure access to SAP

Single Sign-On by means of:
Crypto libraries at client and server side
Strong authentication using digital certificates

SAPgui SAP R/3
Client Server
Authentication
with certificate
Network Secure Sign-On Network
Interface Interface

Security Security
Library Library

13

Secure Login with certificates

Strong authentication between SAP clients and servers

User Server

Generates an Signs the message
arbitrary message from the user
B

Generates another
arbitrary message

Verifies the signature
of the server B

Verifies the signature
Signs the message of the user
of the server A
A

14

Secure Single Sign-On

Secure
Single Sign-On
to all
SAP servers

15

Single Sign-On with smartcards

Identification
with
PIN

Access
Certificate and private key
16

SSO Integration

Motivation:

• The company wants to establish a Single Sign-On via the
logon to the network (e.g. Windows Active Directory
authentication, one-time tokens).

• The company uses SAP systems.

• The objective is to implement a certificate-based Single
Sign-On to SAP without the need to have a PKI installed.

17

Architecture

scalable scalable

Secure Login Active
Server Directory
3

2 5 4

Generate
Secure Login Certificate
Client 6

UserID, Domain,
1
Password

Windows Soft Token
Logon

18

Architecture

SAP GUI – SAP Server

Single Sign-On
Secure Communication

SAP GUI SAP R/3
Client Server

GSS-API SNC GSS-API

Security Security
Library Library

Soft Token

19

Architecture

Web Browser – Web Server

Single Sign-On
Secure Communication

Internet
Explorer WEB
Microsoft Server
SSL
Crypto
API
CSP

Soft Token

20

Advantages

High User Acceptance
The user doesn’t need to learn a new software.
The user will not be afflicted to enter his login data again and again.

High Security
Secure authentication and communication in SAP applications via SNC.
Secure authentication and communication in Web applications via SSL.

Reduced Administration
No overhead of a Public Key Infrastructure, nevertheless certificate-
based login to SAP applications and Web applications.

Reduced Costs
Reuse of established authentication method.
Single Sign-On assures an optimized workflow.

21

SAP Security





22

Architecture

Integration in SAP with
Secure Network Communication (SNC)

Workprocess

Compression
Protocol

SNC

GSS API
Generic Security Services
Security
Library
23

Secure network

End-to-End security by means of:
Crypto libraries at client and server side
SAP standard interface SNC

SAPgui SAP R/3
Client Server
Authentication
with certificate
Network Network
SNC
Interface Interface
GSS GSS
API API
Security Security
Library Library

24

Architecture

Secure Network Communications (SNC) in SAP

Application Programming Interface
standardised by the IETF
Abstraction from mechanisms used
behind the API
Workprocess
Certification within SAP‘s CSP
Program (BC-SNC Interface)

Compression
Protocol

SNC

GSS API
Generic Security Services
Security
Library
25

Integration on the R/3 server side

SNC configuration: central user administration

26

Integration in SAPlogon

SNC configuration:
selection of the security level

27

Example: Spanish Data Protection Law

Requerimientos:

La LOPD (Ley Orgánica de Protección de Datos) entró en
vigor el 1 de julio de 2002.

La ley exige medidas de seguridad de nivel alto,
entre ellos el cifrado de los datos.

Las empresas y administraciones públicas españoles que
tienen SAP R/3 y tratan datos de nivel alto de seguridad
deberán cumplir con la ley.

28

Example: Spanish Data Protection Law

Medidas de seguridad de nivel alto:

Los ficheros que contengan determinados datos personales
requerirán la implantación de medidas de nivel alto:
– ideología, religion, creencias
– origen racial, salud o vida sexual de las personas físicas
– datos recabados para fines policiales.

Principalmente, estas medidas consisten en:
– el cifrado previo de los datos
– el almacenamiento de la información relativa al acceso a
los ficheros durante al menos dos años
– el almacenamiento de las copias de seguridad en un lugar
distinto a donde se encuentren los equipos informáticos.

29

SAP Security





30

Digital signature of SAP documents

Digital signature in SAP
The digital signature
guarantees

the identity
Data
extraction of the user

Private key
and
Encryption
RSA Algorithm
with asymmetric
Digital
1.024 Bits
signature
encryption the integrity
of the data.

Extraction of
signed data

31

Example: Project ArchiSig

Electronic Signature of Medical Documents –
Integration and Evaluation of a Public Key
Infrastructure (PKI) in Hospitals

32

Workflow in SAP IS-H*MED

The secretary writes The doctor signs the The department head
A medical document. document. countersigns.

The Workflow passes the
document to the daprtment
head.

SAP IS-H Med SECUDE
Security Time stamp
Library

The medical document and the signatures are transferred to the archiving system.

IXOS-eCONserver

33

Document workflow: create, modify, sign, verify

Determinar el
siguiente paso

Crear un
expediente
Mostrar pdf
„My letters“
- Tareas
Función de firma
Historial de firmas
- Lista de documentos
Verificación
Firmar el
documento

Archivo del
documento
Enviar a la
secretaria
34

Integration of the signature in SAP IS-H*MED

35

Resume

Certificate-based security technology facilitates:

Secure Single Sign-On to SAP

Encryption of SAP data

Digital signature of SAP documents.

36

Security in SAP Systems

¡Muchas gracias por su atención!

Michael Woitass mwoitass@telefonica.net


SAP Security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to SAP Security

Similar to SAP Security (20)

More from Conferencias FIST

More from Conferencias FIST (20)

Recently uploaded

Recently uploaded (20)

SAP Security