SAP Security
- 1. Security in SAP Systems
FIST Conference
26th of November 2004
Barcelona
Dr. Michael Woitass
©Dr. Michael Woitass Version 02/04
- 2. Agenda
Security risks
High-level security in SAP systems
Single Sign-On to SAP
Secure Network Communication (SNC) in SAP
Digital signature of documents (SSF) in SAP
- 3. Information security
Do organisations need cryptographic solutions?
The competitive advantage of many companies and institutions results from
obtaining and managing information.
The loss of information can generate a serious risk for these organisations.
Without protection internal data may be accessible via the network:
Personal data
Financial data
Customers and providers
Product and service prices
Intellectual property
Confidential corporate information.
- 4. SAP systems environment
SAP data are transmitted over an insecure network.
[Diagram. Components shown: Web Browser, Web Server, ITS, SAPgui / SAPlogon, R/3, SAP Web Application Server, SAPlpd, RFC access and two SAP Routers; the connections cross the Internet and an insecure network.]
- 5. Security of SAP systems
Standard SAP:
The security of SAP systems depends on the security of
the network.
The login information (userid and password) can be captured
during transmission.
SAP data are transmitted as clear text.
[Diagram: SAPgui / SAPlogon connected to R/3.]
- 6. Security risks
Appropriate security purposes eliminate the risks.
Attack → Security purpose
• Man-in-the-middle → Authentication
• Unauthorised modification → Data integrity
• Unauthenticated sender → Proof of origin
• Wiretapping → Confidentiality
- 7. Security technology
Asymmetric cryptography provides the technology
to guarantee high-level security.
Security purpose → Technology
• Authentication → Strong authentication
• Data integrity → Digital signature
• Proof of origin → Digital signature
• Confidentiality → Encryption
- 11. SAP Security
Cryptographic solutions facilitate
Secure Single Sign-On to SAP (SSO)
Encryption of data communications in SAP (SNC)
Digital signature of SAP documents (SSF)
- 13. Secure access to SAP
Single Sign-On by means of:
Crypto libraries at client and server side
Strong authentication using digital certificates
[Diagram: SAPgui client and SAP R/3 server, each with a network interface and a security library; Secure Sign-On runs between them, using authentication with certificate.]
- 14. Secure Login with certificates
Strong authentication between SAP clients and servers
1. User: generates an arbitrary message.
2. Server: signs the message from the user.
3. Server: generates another arbitrary message.
4. User: verifies the signature of the server.
5. User: signs the message of the server.
6. Server: verifies the signature of the user.
(In the diagram the two exchanged messages are labelled A and B.)
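The exchange on this slide as an added Go example, not code from the presentation or from any SAP or vendor library: each side signs the other's fresh challenge and is checked against a public key the verifier already trusts. The function names, the role prefix bound into each signature and the use of bare 2048-bit RSA-PSS keys in place of certificates are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Challenge returns the fresh "arbitrary message" one side sends to the other.
func Challenge() (c [32]byte) {
	rand.Read(c[:])
	return
}

// bind ties a signature to the signer's role so it cannot be reflected back.
func bind(role string, c [32]byte) []byte {
	h := sha256.Sum256(append([]byte(role+"|"), c[:]...))
	return h[:]
}

func Respond(k *rsa.PrivateKey, role string, c [32]byte) []byte {
	sig, _ := rsa.SignPSS(rand.Reader, k, crypto.SHA256, bind(role, c), nil)
	return sig // nil on failure, which Verify rejects
}

func Verify(pub *rsa.PublicKey, role string, c [32]byte, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, bind(role, c), sig, nil) == nil
}

// MutualAuth has each side sign the other's challenge; both checks must pass.
func MutualAuth(user, server *rsa.PrivateKey, trustedServer, trustedUser *rsa.PublicKey) bool {
	a, b := Challenge(), Challenge() // a is sent by the user, b by the server
	return Verify(trustedServer, "server", a, Respond(server, "server", a)) &&
		Verify(trustedUser, "user", b, Respond(user, "user", b))
}

func main() {
	u, s := NewKey(), NewKey() // constructed demo keys, stand-ins for certificate key pairs
	fmt.Println("mutual auth:", MutualAuth(u, s, &s.PublicKey, &u.PublicKey))
}
```

Because every challenge is random and used once, a signature captured from an earlier login does not verify against the next challenge.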
- 16. Single Sign-On with smartcards
[Diagram: identification with PIN gives access to the certificate and private key.]
- 17. SSO Integration
Motivation:
• The company wants to establish a Single Sign-On via the
logon to the network (e.g. Windows Active Directory
authentication, one-time tokens).
• The company uses SAP systems.
• The objective is to implement a certificate-based Single
Sign-On to SAP without the need to have a PKI installed.
- 18. Architecture
[Diagram with numbered steps 1 to 6. Components shown: Windows Logon (UserID, Domain, Password), Secure Login Client, scalable Secure Login Server, scalable Active Directory, Generate Certificate, Soft Token.]
- 19. Architecture
SAP GUI – SAP Server
Single Sign-On
Secure Communication
[Diagram: SAP GUI client and SAP R/3 server connected via SNC; each side reaches its security library through the GSS-API; a Soft Token is shown with the security library.]
- 20. Architecture
Web Browser – Web Server
Single Sign-On
Secure Communication
[Diagram: Internet Explorer and the Web Server connected via SSL; Microsoft Crypto API, CSP and Soft Token are shown on the browser side.]
- 21. Advantages
High User Acceptance
The user does not need to learn new software.
The user is not burdened with entering login data again and again.
High Security
Secure authentication and communication in SAP applications via SNC.
Secure authentication and communication in Web applications via SSL.
Reduced Administration
No overhead of a Public Key Infrastructure, yet certificate-based login to SAP applications and Web applications.
Reduced Costs
Reuse of the established authentication method.
Single Sign-On assures an optimized workflow.
- 22. SAP Security
Cryptographic solutions facilitate
Secure Single Sign-On to SAP (SSO)
Encryption of data communications in SAP (SNC)
Digital signature of SAP documents (SSF)
- 23. Architecture
Integration in SAP with
Secure Network Communication (SNC)
[Diagram: layer stack listing Workprocess, Compression, Protocol, SNC, GSS-API (Generic Security Services) and Security Library.]
- 24. Secure network
End-to-End security by means of:
Crypto libraries at client and server side
SAP standard interface SNC
[Diagram: SAPgui client and SAP R/3 server, each with a network interface, SNC, the GSS-API and a security library; authentication with certificate runs between them.]
- 25. Architecture
Secure Network Communications (SNC) in SAP
Application Programming Interface standardised by the IETF
Abstraction from mechanisms used behind the API
Certification within SAP's CSP Program (BC-SNC Interface)
[Diagram: layer stack listing Workprocess, Compression, Protocol, SNC, GSS-API (Generic Security Services) and Security Library.]
- 26. Integration on the R/3 server side
SNC configuration: central user administration
- 27. Integration in SAPlogon
SNC configuration:
selection of the security level
- 28. Example: Spanish Data Protection Law
Requirements:
The LOPD (Ley Orgánica de Protección de Datos, the Spanish Organic Law on Data Protection) came into
force on 1 July 2002.
The law requires high-level security measures,
among them the encryption of data.
Spanish companies and public administrations that
run SAP R/3 and process data requiring a high security level
must comply with the law.
- 29. Example: Spanish Data Protection Law
High-level security measures:
Files that contain certain personal data
require the implementation of high-level measures:
– ideology, religion, beliefs
– racial origin, health or sex life of natural persons
– data collected for police purposes.
These measures consist mainly of:
– prior encryption of the data
– storing the information about access to
the files for at least two years
– storing the backup copies in a location
different from where the computer equipment is located.
- 30. SAP Security
Cryptographic solutions facilitate
Secure Single Sign-On to SAP (SSO)
Encryption of data communications in SAP (SNC)
Digital signature of SAP documents (SSF)
- 31. Digital signature of SAP documents
Digital signature in SAP
The digital signature guarantees the identity of the user and the integrity of the data.
[Diagram: data extraction; encryption with asymmetric encryption using the private key (RSA algorithm, 1024 bits); digital signature; extraction of signed data.]
- 32. Example: Project ArchiSig
Electronic Signature of Medical Documents –
Integration and Evaluation of a Public Key
Infrastructure (PKI) in Hospitals
- 33. Workflow in SAP IS-H*MED
The secretary writes a medical document.
The doctor signs the document.
The workflow passes the document to the department head.
The department head countersigns.
The medical document and the signatures are transferred to the archiving system.
[Diagram labels: SAP IS-H Med, SECUDE Security Library, Time stamp, IXOS-eCONserver.]
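The sign and countersign steps of this workflow as an added Go example, not code from the presentation, SAP or the SECUDE library: the department head's signature covers the document body and the doctor's signature, so a verifier can tell which step of the chain was altered. The chaining construction, the function names and the use of 2048-bit RSA-PSS (the slides name RSA with 1024 bits) are assumptions, and the time stamp is not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed demo keys for the two signers of the workflow.
var doctorKey, _ = rsa.GenerateKey(rand.Reader, 2048)
var headKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// chain hashes the body together with every earlier signature, so a
// countersignature also protects the signatures made before it.
func chain(body []byte, prior [][]byte) []byte {
	sum := sha256.Sum256(body)
	for _, s := range prior {
		sum = sha256.Sum256(append(sum[:], s...))
	}
	return sum[:]
}

// Sign appends the next signature in workflow order.
func Sign(body []byte, sigs [][]byte, key *rsa.PrivateKey) ([][]byte, error) {
	v, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, chain(body, sigs), nil)
	return append(sigs, v), err
}

// FirstInvalid checks the signatures against the expected signers, in order,
// and returns the index of the first missing or invalid one, or -1.
func FirstInvalid(body []byte, sigs [][]byte, signers ...*rsa.PublicKey) int {
	for i, pub := range signers {
		if i >= len(sigs) || rsa.VerifyPSS(pub, crypto.SHA256, chain(body, sigs[:i]), sigs[i], nil) != nil {
			return i
		}
	}
	return -1
}

func main() {
	body := []byte("discharge letter (constructed sample)")
	sigs, _ := Sign(body, nil, doctorKey)
	sigs, _ = Sign(body, sigs, headKey)
	fmt.Println("first invalid:", FirstInvalid(body, sigs, &doctorKey.PublicKey, &headKey.PublicKey))
}
```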
- 34. Document workflow: create, modify, sign, verify
[Screenshot of the "My letters" screen with callouts: create a file; show PDF; tasks; document list; signature function; signature history; verification; sign the document; archive the document; send to the secretary; determine the next step.]
- 36. Summary
Certificate-based security technology facilitates:
Secure Single Sign-On to SAP
Encryption of SAP data
Digital signature of SAP documents.
- 37. Security in SAP Systems
Thank you very much for your attention!
Michael Woitass mwoitass@telefonica.net