Sap Security

 CYBSEC has been working and advising in SAP security issues since 2001, under UNIX, Windows and AS/400 platforms. As from 2005, they show an intense activity in the detection of vulnerabilities and have made significant contributions towards their solution.know more sap security online  training                                

In 2007, CYSEC began to work directly with SAP Ag Germany, establishing a fluent and highly constructive contact with security areas.

Following is a description of SAP system security related services rendered by CYBSEC:

1. Design of SAP architecture within a secure environment

The object of this service is to design or re-design the architecture of SAP with the highest security level possible.

This service is focused on defining security in the network topology of SAP components (SAP Applications Servers, Database Servers, Administrators and Final Users).

It covers the development of a secure network scheme and the security measures to be adopted: Firewalls, DMZs, Encryption, applications Firewalls, Operating system security, Database security and SAP security, among others.

2. SAP Internal security configuration and parametrization

This service provides Organizations with the necessary advise to specify the internal security level they expect for their SAP applications.

Among others, various aspects taken into consideration are:

  • Security of implemented SAP version and modules.
  • Hot Packages installed.
  • Definition and distribution of Clients.
  • Password parameters.
  • Ability to alter Systems and clients.
  • Default users password.
  • Users with unlimited transaction access.
  • Existence of blocked transactions.
  • Access to sensitive transactions.
  • Modification of system parameters and profiles.
  • Workbench Organizer Configuration.
  • Transport system access.
  • Table editing.
  • Users access level to software.
  • Existence of transportation order logs
  • Use of SAP*, SAPCPIC, Earlwatch.
  • Use of SAP_ALL, SAP_NEW profiles.

CYBSEC shall apply all the security measures necessary to achieve the highest security level.

3. SAP Infrastructure assurance

This service is aimed at reaching the highest security level possible along the entire infrastructure supported by SAP: Operating System, Database, SAP Application, Interfaces and user access.

CYBSEC will assist in the implementation of the security measures needed to reach the highest security level.

In order to ensure the security level of the operating system we work at: security configurations; audit logs; users, access passwords and profiles; permissions to critical directories, installed patches, security of enabled services, among others.

For database security purposes, we work with computer security patches, database auditing, permissions in Database directories and files, analyses of the Database owner, default passwords and specific database security parameters, among others.

For SAP Application assurance, we work in each of the aspects mentioned in item 2, SAP Internal security configuration and parametrization.

Existing interfaces (strong encryption, authentication, etc.) with other external systems providing or receiving SAP are assured.

We work on secure access on SAP users’ and administrators’ side.

The outcome of this service will be the operation of SAP with the highest security level possible.

4. Security compliance audits (SOX, PCI e ISO 27001)

These are aimed at assessing and determining the current and actual security level of SAP infrastructure, applying security auditing techniques. To complement the audits, a GAP analysis regarding regulations such as SOX, PCI* and ISO 27001 can be conducted.

The audit consists of:

  • Security review of the operating system, data base and SAP application.
  • Security analysis of SAP parametrization.
  • Security analysis of connectivity to external systems.
  • Analysis of defined users and profiles

As an outcome, companies who are SAP users will have objective information about their own security level available.

The GAP analysis allows you to assess the fulfilment levels to the international regulations on the matter.know more sap security online  training  

CYBSEC is a Qualified Security Advisor certified by the PCI Council. Click here for further information

5. Revision and assurance of Web Services (Enterprise Portal/ICM/ITS/BC/Applications)

In its continuous evolution, SAP, through the use of tools such as ITS and Business Connector, allows systems to be available from outside with the subsequent increase in the risk level.

CYBSEC experts assess the actual security level of the implementation of tools for external access to SAP through the Web establishing existing vulnerabilities, bringing forward and implementing alternatives to address them so as to increase their security level to the utmost.

Our work covers the assessment of network topology, the analysis of the current operating system and web server security. The security level of the implemented tools (ITS, Business Connector, etc), and the interconnection with the internal SAP system are assessed as well.

This service will result in the Organization having a secure use of remote functionalities at their disposal.

6. Analysis, design and implementation of secure interfaces

Interfaces meant for sending and receiving information have always been the Achilles’ heel of a system’s security.

The object of this service is to make available secure interfaces among the several systems that operate with SAP.

CYBSEC can develop a secure interface model taking into account data encryption, authentication between the involved parties, the interface internal security and its secure programming, among others.

The secure model developed is applied to the existing interfaces.know more sap security online  training  

7. SAP Penetration Testing

This is aimed at having an objective external assessment on the actual security level in SAP infrastructure.

In order to carry out this test, CYBSEC experts will connect to the external network without having any kind of information available, and will try to access the systems supporting SAP infrastructure (base operating systems, databases, application servers, etc.).

This methodology allows us to determine the actual security level and rapidly detect security risks so as to move towards their solution.

8. Course on SAP Security

CYBSEC has designed a course on SAP Security, in which their experts share their experience regarding SAP security.

The course can be given in two forms: theoretical learning (8 hours) or practical training (16 hours)

Subjects for discussion are:

  • Computer Security Fundamentals in SAP.
  • Operating System Security ( Windows / UNIX ).
  • Database Security ( MS SQL Server / Oracle ).
  • Basic Security Concepts in SAP R/3.
  • SAP R/3: Transport System Security .
  • SAP R/3: User and Authentication Administration.
  • SAP R/3: Communications security.
  • SAP R/3: Security in connectivity.
  • SAP R/3: System Updating.
  • Log Analysis and Audit.
  • SapytoTool.

    • Click here to see the subjects in detail.know more sap security online  training  


    Comments

    Post a Comment

    Popular posts from this blog

    Is SAP GRC about security and user provisioning

      GRC has its roots in the space of providing and managing user access within an SAP environment. This includes role provisioning and the whole processes of managing movers, joiners and leavers. know more sap grc online training But despite these origins, GRC has evolved to solve a broader business problem. Managing Risk (and Cyber Security) in SAP GRC tools also provide a critical insight into who’s doing what, when and where.  They highlight risks which could lead to financial fraud - Segregation of Duties breaches, access to sensitive transactions, ineffective controls and Cyber Security threats - given that the average organisation loses 5% of its revenues to financial fraud (estimated to be $4 trillion per annum globally and increasing) it’s a crucial process to be on-top of. The trouble is, SAP’s GRC tool is designed for very large organisations and it simply too complex and expensive for most SAP customers The alternative to SAP GRC ProfileTailor Dynamics provides...
    Read more

    SAP Security Recommendations

      Maintain  the SAP secure gateway: There are various attacks to SAP gateway such as running operating system commands without authentication. Restrict access to SAP gateway by proper network controls both internally and externally. If business case exists for customer networks to use RFC communications because of applications such as BEx (Business Explorer), apply proper security configuration on the SAP gateway for restricting TYPE E and TYPE R connections. know more sap security training Please refer to secinfo, reginfo configuration for more information. Make-sure that SAP landscape is free of weak or default passwords: SAP systems contain hundreds or thousands of users. A single compromised account can cause issues for the rest of the landscape. After SAP systems are configured for proper password policy, we recommend running password audits on SAP systems periodically to prevent weak passwords such as " Summer-2012 " or " Welcome01 " to be present. Although su...
    Read more