



SAP Security and Risk Management (2nd Edition)

Price:
$69.95
Product Code:
H3153
Average Rating:
( 1 product review )
Availability:
In stock!


Product Details

ISBN:
978-1-59229-355-1
Author(s):
Mario Linkies and Horst Karin
Type:
Hardcover, 726 pages

Product Description and Table of Contents

· Explains best practices for SAP system security
· Offers examples and solutions for the implementation of security technologies in all SAP components
· Contains new chapters on SAP NetWeaver, SAP BusinessObjects, GRC solutions, and much more

The revised and expanded second edition of this best-selling book describes all requirements, basic principles, and best practices of security for an SAP system. You’ll learn how to protect each SAP component internally and externally while also complying with legal requirements; furthermore, you’ll learn how to master the interaction of these requirements to provide a holistic security and risk management solution. Using numerous examples and step-by-step instructions, this book will teach you the technical details of implementing security in SAP NetWeaver.

Comprehensive Description
Learn where and how you can secure processes or improve the security of existing SAP systems. This description includes sample risk potentials with their possible effects, as well as the corresponding control measures.

Tried and Tested Solutions
Understand the proven methods of an SAP security strategy, as well as international guidelines and standards. Step-by-step examples describe how to technically implement security solutions.

Up-to-Date Information
Explore new technologies, as well as SAP products and procedures, and learn how you can integrate them with your risk analysis.

ERM Navigation Control Map
Take advantage of the ERM Navigation Control Map, included as a supplement to the book, which presents the technical, process-oriented, organizational, and legal aspects of SAP components and security solutions.

Highlights

· Risk and Control Management, GRC, Enterprise Risk Management
· SAP NetWeaver AS, Solution Manager, PI, Portal, MDM
· SAP BusinessObjects, SAP NetWeaver BW
· Web Services, Enterprise Services, and SOA
· SAP ERP, HCM, CRM, SRM, SCM, SEM
· Database Server, SAP Middleware, UIs
· SOX, J-SOX, GoBS, IFRS, FDA, Basel II, REACh
· ISO/IEC 27001, ISO/IEC 27002, CoBIT, ITIL, BSI

The Authors

Mario Linkies is CEO and President of LINKIES. Management Consulting Group. Dr. Horst Karin is President of DELTA Information Security Consulting, Inc. The two business consultants have engaged in the topics of SAP security and information security, risk control, identity and authorization solutions, data privacy, and compliance for many years.

Table of Contents

  • ... Preface by Wolfgang Lassmann ... 19
  • ... Preface by Monika Egle ... 21
  • ... Preface by Jose Estrada ... 23
  • ... Introduction ... 25
  • PART I ... Basic Principles of Risk Management and IT Security ... 31
  • 1 ... Risk and Control Management ... 33
  • 1.1 ... Security Objectives ... 34
  • 1.2 ... Company Assets ... 36
  • 1.2.1 ... Types of Company Assets ... 38
  • 1.2.2 ... Classification of Company Assets ... 39
  • 1.3 ... Risks ... 40
  • 1.3.1 ... Types of Risks ... 41
  • 1.3.2 ... Classification of Risks ... 44
  • 1.4 ... Controls ... 45
  • 1.4.1 ... Types of Controls ... 45
  • 1.4.2 ... Classification of Controls ... 46
  • 2 ... Enterprise Risk Management Strategy ... 49
  • 2.1 ... Status Quo ... 51
  • 2.2 ... Components ... 52
  • 2.2.1 ... General Framework ... 56
  • 2.2.2 ... Strategy ... 57
  • 2.2.3 ... Methods ... 58
  • 2.2.4 ... Best Practices ... 59
  • 2.2.5 ... Documentation ... 59
  • 2.3 ... Best Practices of an SAP Security Strategy ... 60
  • 2.3.1 ... Procedure ... 60
  • 2.3.2 ... Principle of Information Ownership ... 68
  • 2.3.3 ... Identity Management ... 74
  • 3 ... Requirements ... 79
  • 3.1 ... Legal Requirements ... 79
  • 3.1.1 ... Sarbanes-Oxley Act (SOX) ... 80
  • 3.1.2 ... SOX Implementation in Japan ... 89
  • 3.1.3 ... Principles for IT-Supported Accounting Systems ... 90
  • 3.1.4 ... International Financial Reporting Standards ... 92
  • 3.2 ... Industry-Specific Requirements ... 93
  • 3.2.1 ... Food and Pharmaceutical Industry and Biomedical Engineering ... 93
  • 3.2.2 ... Finance and Banking Industry — Basel (I, II, III) ... 94
  • 3.2.3 ... Chemical Substances and Environmental Protection ... 98
  • 3.3 ... Internal Requirements ... 99
  • 4 ... Security Standards ... 101
  • 4.1 ... International Security Standards ... 102
  • 4.1.1 ... ISO/IEC 27002:2005 ... 102
  • 4.1.2 ... CobiT ... 107
  • 4.1.3 ... ITIL ... 110
  • 4.1.4 ... COSO ... 112
  • 4.2 ... Country-Specific Security Standards ... 116
  • 4.2.1 ... NIST Special Publication 800-12 ... 117
  • 4.2.2 ... IT Baseline Protection Manual ... 120
  • 4.2.3 ... PIPEDA ... 122
  • 5 ... IT Security ... 127
  • 5.1 ... Cryptography ... 127
  • 5.1.1 ... Symmetric Encryption Procedure ... 128
  • 5.1.2 ... Asymmetric Encryption Procedure ... 129
  • 5.1.3 ... Elliptic Curve Cryptography ... 130
  • 5.1.4 ... Hybrid Encryption Procedure ... 131
  • 5.1.5 ... SSL Encryption ... 133
  • 5.1.6 ... Hash Procedures ... 134
  • 5.1.7 ... Digital Signature ... 135
  • 5.2 ... Public Key Infrastructure ... 137
  • 5.3 ... Authentication Procedures ... 140
  • 5.3.1 ... User Name and Password ... 140
  • 5.3.2 ... Challenge Response ... 140
  • 5.3.3 ... Kerberos ... 141
  • 5.3.4 ... Secure Token ... 142
  • 5.3.5 ... Digital Certificate ... 143
  • 5.3.6 ... Biometric Procedures ... 143
  • 5.4 ... Basic Principles of Networks and Security Aspects ... 144
  • 5.4.1 ... OSI Reference Model ... 144
  • 5.4.2 ... Overview of Firewall Technologies ... 150
  • PART II ... Security in SAP NetWeaver and Application Security ... 153
  • 6 ... Enterprise Risk Management (ERM) Navigation Control Map ... 155
  • 6.1 ... SAP Applications ... 163
  • 6.2 ... SAP NetWeaver Components ... 165
  • 6.3 ... Security Technologies ... 167
  • 6.3.1 ... Authorizations, Risk and Change Management, and Auditing ... 168
  • 6.3.2 ... Identity Management ... 169
  • 6.3.3 ... Secure Authentication and SSO ... 171
  • 6.3.4 ... Technical Security ... 172
  • 6.4 ... Influencing Factors ... 173
  • 7 ... Web Services, Enterprise Services, and Service-Oriented Architectures ... 175
  • 7.1 ... Introduction and Technical Principles ... 177
  • 7.2 ... Security Criteria for Web Services ... 181
  • 7.2.1 ... Security and Risk Management for Service-Oriented Architectures ... 186
  • 7.2.2 ... SAP Enterprise Services ... 187
  • 7.2.3 ... Security Guidelines for SAP Enterprise Services ... 190
  • 7.3 ... Service-Oriented Architectures and Governance ... 193
  • 8 ... GRC Solutions in SAP BusinessObjects ... 197
  • 8.1 ... Introduction and Functions ... 197
  • 8.1.1 ... Goals of the GRC Solutions in SAP BusinessObjects ... 198
  • 8.1.2 ... Methods of the GRC Solutions in SAP BusinessObjects ... 199
  • 8.1.3 ... Planning the Deployment of GRC Solutions in SAP BusinessObjects ... 200
  • 8.1.4 ... Overview of the GRC Solutions in SAP BusinessObjects ... 201
  • 8.2 ... SAP BusinessObjects RM ... 205
  • 8.2.1 ... Main Components ... 205
  • 8.2.2 ... Phases ... 206
  • 8.2.3 ... Responsibilities ... 212
  • 8.2.4 ... Reporting ... 214
  • 8.3 ... SAP BusinessObjects Access Control ... 214
  • 8.3.1 ... General Requirements on the SAP Authorization System ... 214
  • 8.3.2 ... Main Components ... 221
  • 8.4 ... SAP BusinessObjects Process Control ... 229
  • 8.4.1 ... My Home ... 232
  • 8.4.2 ... Compliance Structure ... 233
  • 8.4.3 ... Evaluation Setup ... 234
  • 8.4.4 ... Evaluation Results ... 234
  • 8.4.5 ... Certification ... 235
  • 8.4.6 ... Report Center ... 236
  • 8.4.7 ... User Access ... 238
  • 8.5 ... SAP BusinessObjects Global Trade Services (GTS) ... 238
  • 8.5.1 ... Compliance Management ... 241
  • 8.5.2 ... Customs Management ... 243
  • 8.5.3 ... Risk Management ... 245
  • 8.5.4 ... Electronic Compliance Reporting ... 247
  • 8.5.5 ... System Administration ... 247
  • 8.6 ... SAP Environment, Health, and Safety (EHS) Management ... 248
  • 8.6.1 ... Overview ... 248
  • 8.6.2 ... Chemical Safety ... 250
  • 8.6.3 ... Environment, Health, and Safety ... 252
  • 8.6.4 ... Compliance with Product-Related Environmental Specifications ... 252
  • 8.6.5 ... Compliance and Emission Management ... 253
  • 8.7 ... SAP BusinessObjects Sustainability Performance Management ... 255
  • 9 ... SAP NetWeaver Application Server ... 257
  • 9.1 ... Introduction and Functions ... 257
  • 9.2 ... Risks and Controls ... 260
  • 9.3 ... Application Security ... 269
  • 9.3.1 ... Technical Authorization Concept for Administrators ... 269
  • 9.3.2 ... Authorization Concept for Java Applications ... 277
  • 9.3.3 ... Restricting Authorizations for RFC Calls ... 283
  • 9.4 ... Technical Security ... 287
  • 9.4.1 ... Introducing an SSO Authentication Mechanism ... 287
  • 9.4.2 ... Connecting the SAP NetWeaver AS to a Central LDAP Directory ... 289
  • 9.4.3 ... Changing the Default Passwords for Default Users ... 291
  • 9.4.4 ... Configuring Security on the SAP Gateway ... 291
  • 9.4.5 ... Restricting Operating System Access ... 293
  • 9.4.6 ... Configuring Important Security System Parameters ... 294
  • 9.4.7 ... Configuring Encrypted Communication Connections (SSL and SNC) ... 296
  • 9.4.8 ... Restricting Superfluous Internet Services ... 301
  • 9.4.9 ... Secure Network Architecture for Using the SAP NetWeaver AS with the Internet ... 303
  • 9.4.10 ... Introducing an Application-Level Gateway to Make Internet Applications Secure ... 304
  • 9.4.11 ... Introducing Hardening Measures on the Operating System Level ... 304
  • 9.4.12 ... Introducing a Quality Assurance Process for Software Development ... 305
  • 9.4.13 ... Security and Authorization Checks in Custom ABAP and Java Program Code ... 307
  • 10 ... SAP NetWeaver Business Warehouse ... 309
  • 10.1 ... Introduction and Functions ... 309
  • 10.2 ... Risks and Controls ... 310
  • 10.3 ... Application Security ... 313
  • 10.3.1 ... Authorizations ... 314
  • 10.3.2 ... Analysis Authorizations ... 318
  • 10.3.3 ... Other Concepts ... 319
  • 10.4 ... Technical Security ... 323
  • 11 ... BI Solutions in SAP BusinessObjects ... 325
  • 11.1 ... Introduction and Functions ... 326
  • 11.2 ... Risks and Controls ... 327
  • 11.3 ... Application Security ... 332
  • 11.3.1 ... Authorization Concept for SAP BusinessObjects ... 332
  • 11.3.2 ... Application Examples for Authorization Concepts ... 339
  • 11.3.3 ... Securing the Administration Access and the Guest User ... 342
  • 11.3.4 ... Configuring Password Rules ... 342
  • 11.3.5 ... Application Authorizations ... 343
  • 11.4 ... Technical Security ... 344
  • 11.4.1 ... External Authentication and SSO ... 344
  • 11.4.2 ... Using the Audit Function ... 345
  • 11.4.3 ... Network Communication via SSL and CORBA Services ... 346
  • 12 ... SAP NetWeaver Process Integration ... 347
  • 12.1 ... Introduction and Functions ... 348
  • 12.2 ... Risks and Controls ... 350
  • 12.3 ... Application Security ... 357
  • 12.3.1 ... Authorizations for Enterprise Services Builder ... 357
  • 12.3.2 ... Passwords and Authorizations for Technical Service Users ... 359
  • 12.3.3 ... Authorizations for Administrative Access to SAP NetWeaver PI ... 360
  • 12.3.4 ... Password Rules for Administrators ... 361
  • 12.4 ... Technical Security ... 361
  • 12.4.1 ... Definition of Technical Service Users for Communication Channels at Runtime ... 362
  • 12.4.2 ... Setting Up Encryption for Communication Channels ... 363
  • 12.4.3 ... Digital Signature for XML-Based Messages ... 371
  • 12.4.4 ... Encryption of XML-Based Messages ... 376
  • 12.4.5 ... Network-Side Security for Integration Scenarios ... 376
  • 12.4.6 ... Audit of the Enterprise Services Builder ... 377
  • 12.4.7 ... Securing the File Adapter at the Operating System Level ... 379
  • 12.4.8 ... Encrypting PI Communication Channels and Web Services ... 380
  • 12.4.9 ... Security for Web Services ... 380
  • 13 ... SAP Partner Connectivity Kit ... 383
  • 13.1 ... Introduction and Functions ... 383
  • 13.2 ... Risks and Controls ... 384
  • 13.3 ... Application Security ... 388
  • 13.4 ... Technical Security ... 388
  • 13.4.1 ... Separate Technical Service User for Every Connected Partner System ... 389
  • 13.4.2 ... Setting Up Encryption for Communication Channels ... 389
  • 13.4.3 ... Digital Signature for XML-Based Messages ... 389
  • 13.4.4 ... Network-Side Security for Integration Scenarios ... 389
  • 13.4.5 ... Audit of the Message Exchange ... 389
  • 13.4.6 ... Securing the File Adapter at the Operating System Level ... 390
  • 14 ... Classic SAP Middleware ... 391
  • 14.1 ... SAP Web Dispatcher ... 391
  • 14.1.1 ... Introduction and Functions ... 392
  • 14.1.2 ... Risks and Controls ... 392
  • 14.1.3 ... Application Security ... 395
  • 14.1.4 ... Technical Security ... 395
  • 14.2 ... SAProuter ... 403
  • 14.2.1 ... Introduction and Functions ... 403
  • 14.2.2 ... Risks and Controls ... 404
  • 14.2.3 ... Application Security ... 405
  • 14.2.4 ... Technical Security ... 405
  • 14.3 ... SAP Internet Transaction Server (ITS) ... 407
  • 14.3.1 ... Introduction and Functions ... 408
  • 14.3.2 ... Risks and Controls ... 410
  • 14.3.3 ... Application Security ... 413
  • 14.3.4 ... Technical Security ... 415
  • 15 ... SAP NetWeaver Master Data Management ... 423
  • 15.1 ... Introduction and Functions ... 423
  • 15.2 ... Risks and Controls ... 424
  • 15.3 ... Application Security ... 429
  • 15.3.1 ... Identity Management and Authorizations ... 429
  • 15.3.2 ... Revision Security ... 436
  • 15.4 ... Technical Security ... 436
  • 15.4.1 ... Communication Security ... 436
  • 15.4.2 ... Important Additional Components ... 437
  • 16 ... SAP NetWeaver Portal ... 439
  • 16.1 ... Introduction and Functions ... 439
  • 16.1.1 ... Technical Architecture ... 441
  • 16.1.2 ... Description of the UME ... 443
  • 16.2 ... Risks and Controls ... 447
  • 16.3 ... Application Security ... 456
  • 16.3.1 ... Structure and Design of Portal Roles ... 456
  • 16.3.2 ... Authorizations for the UME ... 463
  • 16.3.3 ... Portal Security Zones ... 464
  • 16.3.4 ... Authentication Check for iView Access ... 470
  • 16.3.5 ... Standard Portal Roles and Delegated User Administration ... 470
  • 16.3.6 ... Synchronization of Portal Roles with ABAP Roles ... 473
  • 16.3.7 ... Change Management Process for New Portal Content ... 480
  • 16.4 ... Technical Security ... 481
  • 16.4.1 ... Connecting SAP NetWeaver Portal to a Central LDAP Directory or SAP System ... 481
  • 16.4.2 ... Implementation of an SSO Mechanism Based on a One-Factor Authentication ... 484
  • 16.4.3 ... Implementation of an SSO Mechanism Based on an Integrated Authentication ... 487
  • 16.4.4 ... Implementation of an SSO Mechanism Based on a Person-Related Certificates ... 489
  • 16.4.5 ... Configuration for Anonymous Access ... 491
  • 16.4.6 ... Secure Initial Configuration ... 492
  • 16.4.7 ... Secure Network Architecture ... 493
  • 16.4.8 ... Introducing an Application-Level Gateway to Make Portal Applications Secure ... 496
  • 16.4.9 ... Configuration of Encrypted Communication Channels ... 500
  • 16.4.10 ... Implementation of a Virus Scan for Avoiding a Virus Infection ... 502
  • 17 ... SAP NetWeaver Mobile ... 505
  • 17.1 ... Introduction and Functions ... 505
  • 17.2 ... Risks and Controls ... 508
  • 17.3 ... Application Security ... 515
  • 17.3.1 ... Authorization Concept for Mobile Applications ... 515
  • 17.3.2 ... Authorization Concept for Administration ... 518
  • 17.3.3 ... Restricting the Authorizations of the RFC User to Back-End Applications ... 519
  • 17.4 ... Technical Security ... 520
  • 17.4.1 ... Setting Up Encrypted Communications Connections ... 520
  • 17.4.2 ... Securing the Synchronization Communication ... 521
  • 17.4.3 ... Deactivating Unnecessary Services on the SAP NetWeaver Mobile Server ... 523
  • 17.4.4 ... Secure Network Architecture ... 523
  • 17.4.5 ... Monitoring ... 524
  • 17.4.6 ... Secure Program Code ... 525
  • 18 ... SAP Auto-ID Infrastructure ... 527
  • 18.1 ... Introduction and Functions ... 527
  • 18.2 ... Risks and Controls ... 529
  • 18.3 ... Application Security ... 533
  • 18.3.1 ... Authorization Concept for SAP Auto-ID Infrastructure ... 533
  • 18.3.2 ... Authorization Concept for Administration ... 533
  • 18.3.3 ... Restricting the Authorizations of the RFC User to Back-End Applications ... 534
  • 18.3.4 ... Authentication, Password Rules, and Security ... 534
  • 18.4 ... Technical Security ... 535
  • 18.4.1 ... Setting Up Encrypted Communication Connections ... 535
  • 18.4.2 ... Deactivating Unnecessary Services on the Server ... 535
  • 18.4.3 ... Secure Network Architecture ... 535
  • 19 ... SAP Solution Manager ... 537
  • 19.1 ... Introduction and Functions ... 537
  • 19.2 ... Risks and Controls ... 540
  • 19.3 ... Application Security ... 544
  • 19.4 ... Technical Security ... 550
  • 19.4.1 ... Security Measures for User Access ... 550
  • 19.4.2 ... System Monitoring Function ... 551
  • 19.4.3 ... RFC Communication Security ... 551
  • 19.4.4 ... Data Communication Security ... 552
  • 19.4.5 ... Important Components of SAP NetWeaver ... 553
  • 20 ... Authorizations in SAP ERP ... 555
  • 20.1 ... Introduction and Functions ... 555
  • 20.2 ... Risks and Controls ... 556
  • 20.3 ... Application Security ... 563
  • 20.3.1 ... Authentication ... 563
  • 20.3.2 ... Authorizations ... 563
  • 20.3.3 ... Other Authorization Concepts ... 578
  • 20.3.4 ... Best-Practice Solutions ... 589
  • 20.4 ... Technical Security ... 597
  • 21 ... SAP ERP Human Capital Management and Data Protection ... 599
  • 21.1 ... Introduction and Functions ... 599
  • 21.1.1 ... Data Protection in Human Resources ... 599
  • 21.1.2 ... Technical and Organizational Measures ... 600
  • 21.2 ... Risks and Controls ... 602
  • 21.3 ... Application Security ... 609
  • 21.3.1 ... HR Master Data Authorizations ... 610
  • 21.3.2 ... Applicant Authorizations ... 612
  • 21.3.3 ... Personnel Planning Authorizations ... 613
  • 21.3.4 ... Reporting Authorizations ... 613
  • 21.3.5 ... Structural Authorizations ... 613
  • 21.3.6 ... Authorizations for Personnel Development ... 614
  • 21.3.7 ... Tolerance Periods for Authorizations ... 614
  • 21.3.8 ... Authorizations for Inspection Procedures ... 614
  • 21.3.9 ... Customized Authorization Checks ... 614
  • 21.3.10 ... Indirect Role Assignment through the Organizational Structure ... 615
  • 21.3.11 ... Additional Transactions Relevant to Internal Controls ... 615
  • 21.4 ... Technical Security ... 617
  • 22 ... SAP Strategic Enterprise Management ... 619
  • 22.1 ... Introduction and Functions ... 619
  • 22.2 ... Risks and Controls ... 620
  • 22.3 ... Application Security ... 622
  • 22.4 ... Technical Security ... 623
  • 23 ... SAP Customer Relationship Management ... 625
  • 23.1 ... Introduction and Functions ... 625
  • 23.2 ... Risks and Controls ... 626
  • 23.3 ... Application Security ... 628
  • 23.3.1 ... Authorizations in SAP CRM ... 629
  • 23.3.2 ... Authorizations for Portal Roles ... 635
  • 23.4 ... Technical Security ... 636
  • 23.4.1 ... Technical Protection of the Mobile Application ... 636
  • 23.4.2 ... Important Additional Components ... 636
  • 24 ... SAP Supply Chain Management ... 639
  • 24.1 ... Introduction and Functions ... 639
  • 24.2 ... Risks and Controls ... 640
  • 24.3 ... Application Security ... 641
  • 24.3.1 ... Authorizations for the Integrated Product and Process Engineering (iPPE) Workbench ... 642
  • 24.3.2 ... Authorizations for Supply Chain Planning ... 642
  • 24.3.3 ... Authorizations for SAP Event Management ... 643
  • 24.4 ... Technical Security ... 644
  • 25 ... SAP Supplier Relationship Management ... 647
  • 25.1 ... Introduction and Functions ... 647
  • 25.2 ... Risks and Controls ... 649
  • 25.3 ... Application Security ... 651
  • 25.3.1 ... Important Authorizations ... 651
  • 25.3.2 ... Rules-Based Security Checks Using Business Partner Attributes ... 659
  • 25.3.3 ... User Management ... 663
  • 25.4 ... Technical Security ... 664
  • 25.4.1 ... Security Environment Based on SAP NetWeaver ... 664
  • 25.4.2 ... Security Environment for RFC Communication ... 665
  • 26 ... Industry-Specific SAP Solution Portfolios ... 667
  • 26.1 ... Introduction and Functions ... 668
  • 26.2 ... Risks and Controls ... 668
  • 26.3 ... Application Security ... 671
  • 26.3.1 ... SAP MaxSecure Support ... 671
  • 26.3.2 ... SAP Role Manager ... 672
  • 26.4 ... Technical Security ... 675
  • 27 ... Database Server ... 677
  • 27.1 ... Introduction and Functions ... 677
  • 27.2 ... Risks and Controls ... 678
  • 27.3 ... Application Security ... 681
  • 27.4 ... Technical Security ... 683
  • 27.4.1 ... Changing Default Passwords ... 683
  • 27.4.2 ... Removing Unnecessary Database Users ... 686
  • 27.4.3 ... Limiting Database Access ... 686
  • 27.4.4 ... Creation and Implementation of a Database Backup Concept ... 686
  • 27.4.5 ... Filtering Database Queries ... 687
  • 27.4.6 ... Creation and Implementation of an Upgrade Concept ... 688
  • 28 ... User Interfaces ... 689
  • 28.1 ... SAP GUI ... 689
  • 28.1.1 ... Introduction and Functions ... 689
  • 28.1.2 ... Risks and Controls ... 690
  • 28.1.3 ... Application Security ... 693
  • 28.1.4 ... Technical Security ... 698
  • 28.2 ... Web Browser ... 701
  • 28.2.1 ... Introduction and Functions ... 702
  • 28.2.2 ... Risks and Controls ... 702
  • 28.2.3 ... Application Security ... 704
  • 28.2.4 ... Technical Security ... 704
  • 28.3 ... Mobile Devices ... 706
  • 28.3.1 ... Introduction and Functions ... 706
  • 28.3.2 ... Risks and Controls ... 707
  • 28.3.3 ... Application Security ... 712
  • 28.3.4 ... Technical Security ... 712
  • ... Appendices ... 717
  • A ... Bibliography ... 717
  • B ... The Authors ... 719
  • ... Index ... 721



Product Reviews


  1. Good layout and content. If a security professional, start reading at page 152

    Posted by Anonymous on Aug 3rd, 2011

    First 151 pages are a good start for those new to the IT security profession.

    The real gems start at Part II from page 152.

    Would be good to include a quick reference guide section to dip into the core security 101, as it can be a bit of a dry read to get to what you need for baseline security controls.

