Download chapter 8: 'User management and security in SAP environments'
Excerpted from the book "SAP R/3 Handbook, Third Edition," ISBN 0072257164, Copyright 2005. Written permission from McGraw-Hill is required for all other uses. Copyright © 2005 McGraw-Hill. All rights reserved.
Traditional SAP implementation projects usually considered security to be just the design and realization of the authorization concept. At the application level, the authorization concept (user masters, profiles, authorizations, activity groups, roles) is key to providing access to needed transactions and ensuring secure access to sensitive data, and as such it is extremely important within the SAP security infrastructure. However, systems within mySAP Business Suite applications and SAP NetWeaver have many other levels that could be attacked, and therefore a consistent security strategy must also consider all these other layers and components of the SAP systems.
Security can be defined from two different perspectives that have in common the objective of protecting the company systems and information assets. These two perspectives are as follows:
- Security as the protection measures and policies against unauthorized access by illegitimate users (both internal and external). An attack is considered internal when an SAP user tries to access or perform functions for which he or she is not allowed.
- Security as protection measures against hardware, software, or any other type of environmental failures (disasters, fires, earthquakes, and others) using safety technologies (backup/restore/disaster recovery/standby systems/archiving and so on).
This chapter deals only with the first perspective, explaining some of the most common and practical concepts of SAP security components and security infrastructure used to protect SAP systems from unauthorized access. Note that a global security policy includes other "non-SAP" related components that can be defined as "peripheral security," such as the measures that must be taken to protect workstations, servers, and networks from the many types of outside attacks (e.g., viruses, denial of service, password cracking, sniffers).
Security Policy Basics
Companies must implement some type of security policy to protect their assets, but they are also required to comply with their country's legal obligations, business agreements, and industry laws and regulations. For instance, many countries have some form of law for protecting confidential data of employees. It is also very important to keep all financial records for tax authorities. And in terms of business partners, it is of great importance to ensure the confidentiality of commercial agreements with vendors or customers.
Modern information systems and technologies are both the means and the containers of the strategic and operative business information. They are the known but hidden treasures of companies, and companies need to keep their treasures secure.
The Security Policy is the set of procedures, standards, roles, and responsibilities covering and specifying all the security and organizational measures that companies must follow to protect their business from threats and vulnerabilities. An approach to security will have the objective of building a strong security policy and should start with a risk analysis in order to implement, monitor, and enforce such a policy. It is important to realize that security implementation never ends and must be continually updated, reviewed, communicated, implemented, monitored, and enforced.
The security strategy and risk analysis must first consider these basic issues:
- What is to be protected? Companies must identify those assets—such as critical information (customer list, employee personal data, contracts), hardware, software, intangibles (hours of operation, cost of nonrevenue, nonproduction) or others—that require some type and some degree of protection against unwanted and unauthorized access, which could damage or destroy such assets to some degree.
- Which are the possible threats? The second security issue is to identify the possible sources of attack and the degree of vulnerability of the infrastructure. Threats are of different types and natures and are sometimes unknown. They are often intentional, but can also be unintentional. They can be external threats or can be internal (for instance, by other geographical locations or by burned-out or frustrated employees).
- What protection measures can be taken? Finally, the risk analysis and the security policy must identify the best security measures to implement and enforce such policy efficiently. Measures can be standard measures included in the information system capabilities, additional and external security infrastructure, and behavioral rules. For instance, a basic and strong security measure is the password that users must provide to access systems; however, it is almost impossible with technical means to know whether someone told his or her password to someone else.
Efficiency in security policy means that measures do not include awkward procedures that would obstruct or make users' jobs more difficult. Security policies always follow a principle of controls, which means that the security strategy must approach the balance between risks and control measures.
As indicated, security is a continuous process due to the fact that new assets, new threats, or new technology can be identified as well as some threats or assets that are obsolete and no longer need protection. These facts will make the security policy a living entity that also includes the retraining of employees.
In the following sections, the SAP security infrastructure is discussed so that you can better identify threats and vulnerabilities as well as the standard and nonstandard measures that can be applied to better protect and secure your assets.
Risks and Vulnerabilities
The increasing need for broad and open connectivity within complex SAP system landscapes and the increasing number of components within the architecture, combined with options for external communications, increase the risk of being attacked.
Systems are more vulnerable when a security policy is either insufficient or nonexistent. In these cases people trust that standard measures will be enough, but normally this is not the case.
The following is a brief list of threat types:
- External network attacks to make systems unavailable
- External password cracking attacks
- Internal sabotage to make systems unavailable
- Internal attacks for collecting confidential data
- Unintentional internal attacks or misbehavior
- Trojan programs
- Intentional internal breach of security policy
- Unintentional breach of security policy
- Unknown attacks
Overview of Security Concepts