
SECUDE Solutions & Implementation Plan of Secure Single Sign-on for SAP



© 2007 SECUDE International AG, Lucerne

•  Solution Capabilities
•  Implementation Plan
•  Proof of Concept
•  Impact on the Business
•  Support Service
•  Summary
•  Q & A

SAP Applications are the Basis for Automating and Managing Business Processes
•  confidentiality of data in SAP
•  compliance with laws and regulations
•  successful audits
•  protect reputation of company
•  trusted business processes
•  availability of SAP application

Controls and security mechanisms for SAP are required to ensure smooth execution of business processes and optimized business results.

Data and Processes in SAP that Need to be Protected

Data:
•  Financial information (costs, revenue, profit)
•  HR data
•  Production data
•  Customer data
•  Price lists
•  R&D projects
•  Partnerships

Processes:
•  Order entry
•  Online business
•  Production control
•  Supply chain
•  Financial transactions
•  Employee self service


Need for Security in SAP Applications is Increasing

•  More regulations
•  Global business
•  Network and Internet security more and more under control
•  Extended network of customers and partners
•  SAP server & instance consolidation trend
•  Increased need for proper risk management and controls for compliance
•  Compliance also with foreign laws/regulations
•  Changing attack profiles: business applications are more often the target of attacks
•  Increased security risks through external access
•  Impact of security violations increases

Data integrity:
§  SAP SNC uses the GSS-API V2 (Generic Security Services Application Programming Interface Version 2) interface to communicate with the external security products. There are three "levels of security" for SAP systems:
•  Authentication only
•  Authentication & integrity
•  Authentication, integrity and privacy (= confidentiality)
§  SECUDE securelogin uses the X.509 certificate to provide integrity. To guarantee the integrity of the data, the message is hashed and digitally signed so that it cannot be modified once sent.

Confidentiality:
§  SECUDE solution provides confidentiality and integrity of all communication, including the communication of the authentication data. All client-to-server and server-to-server communication is encrypted, thus ensuring that company data remains confidential on the network.
§  SECUDE solution does not need to change the Crypto Library of SAP, because the Crypto Library in the SAP system is from SECUDE.
§  We provide the broadest offering in regards to platform support, support of authentication mechanisms, and support of multiple cryptographic algorithms. SECUDE's solution as market-leading offering for secure SSO to SAP certainly fulfills this.

Authentication:
§  SECUDE solution enables customers to implement alternative user authentication mechanisms for SAP, including Windows logon info, Windows Kerberos, Smart Cards (from various vendors) and Soft Tokens, and One-Time Password Tokens (e.g. from RSA or Secure Computing).
§  SECUDE securelogin provides Single Sign-On to SAP R/3 Enterprise Platform, SAP Enterprise Portal, and SAP Web Application Server.
§  SECUDE securelogin supports a variety of alternative mechanisms, even in a mixed mode. Organizations can choose the mechanism that fits their requirements best (convenience / productivity / security).

Potential Attacks on SAP Environments (1)

[Diagram: SAP landscape (Internet, LAN, Web Browser, SAPGUI, ITS/WebAS Server, HR Server, CRM Server, BW Server, FI Server, Database Server + disk, Rogue server) with the attack points: Password File; Unencrypted transfer of business data; User name and password on the network; Message alteration; Identity assumption; Rogue server ???]

Potential Attacks on SAP Environments and Protection Mechanisms (2)

Attack                              -> Protection Mechanism
§  Man-in-the-middle attack         -> authentication of sender
§  Unauthorized modification of data -> digitally signed data
§  Impersonation                    -> proof of origin / identity
§  Listening on the network         -> encrypted communication

Cost Drivers around SAP Sign-on

Users
•  SAP user name and password have to be entered again and again in a large distributed SAP environment
•  Different user names and passwords have to be memorized for different SAP systems
•  Passwords have to be changed on a regular basis
•  Users often try unsuccessfully to remember forgotten passwords

IT
•  Requests to the IT help desk about forgotten passwords
•  IT effort to maintain consistent password policies across different SAP versions & products

Solution Capabilities: SECUDE Solutions for Secure Single Sign-on for SAP

Market-leading solutions for secure single sign-on for SAP:
•  Support of most SAP applications, SAP user interfaces, SAP versions, and operating systems
•  Support of many authentication mechanisms and Smart Card providers
•  Efficient and convenient use of security functions
•  Designed for use in enterprise environments of any size

[Diagram: SECUDE Solution Frontend (SAP User Interfaces, SAP Technology Basis, SAP Business Applications) and SECUDE Solution Backend. Features: Single Sign-on, High Availability, Flexible Mix & Match, Policy-based Configuration, Enterprise Operations, Secure Communication (Confidentiality, Integrity, Proof of Origin). Authentication options: Windows Username/Password, SDK for Custom Authentication, RSA Authentication, Radius, SAP Username/Password, Externally Provided Certificates.]

Improved business results:
•  Improved user and IT productivity through single sign-on
•  Protection of confidential data
•  Control against fraudulent transactions
•  Compliance with laws and regulations

Solution Capabilities: Secure Communication for SAP

[Diagram: user workstation with personal security environment and SAP user interfaces, connected to the SAP server via SNC / SSL]

•  single sign-on
•  data integrity
•  confidentiality
•  proof of origin

SECUDE enables the convenient and efficient use of secure communication for SAP -> high user acceptance

Solution Capabilities: Single Sign-on for SAP - An Example for Windows Logon / ADS

[Diagram: user workstation with personal security environment, SECUDE secure login server, Microsoft Active Directory server, SAP server (SNC / SSL)]

1  Send Windows logon data
2  Authentication request
3  Authentication successful
4  New user credential (certificate)
5  Management of credential on user workstation

Solution Capabilities: Single Sign-on for SAP - An Example for Windows Logon / ADS (screenshot)

Implementation Time Line

Implementation: Operations in Enterprise Environments (1) - Mass Installation and Configuration on Thousands of User Workstations

[Diagram: personal security environment on the user workstation, configuration policies from a policy server, installation package in msi format]

Policy server:
•  MS Active Directory (group policies)
•  SECUDE secure login server

Policy-based configuration for:
•  User specific authentication mechanisms
•  Management of expired credentials
•  and much more …

Low cost of ownership through efficient installation and configuration of the software on a large number of user workstations in enterprise environments and through integration with existing standard tools & processes.

Implementation: Operations in Enterprise Environments (2) - High Availability, Backup, Logging, …

[Diagram: authentication request from user workstation to SECUDE secure login server 1 or SECUDE secure login server 2 (failover authentication server); enterprise operations: backup, startup / shutdown, logging, …]

SECUDE secure login server runs as a web application on standard environments like Tomcat, BEA WebLogic, SAP NetWeaver. Reliable use in large enterprise environments with support of typical enterprise operations features.

Web-based Administration / Configuration

•  Remote initialization and configuration
•  User guidance via wizards and info screens
•  Quick access to operations status and troubleshooting information
•  Easy migration of data from previous SECUDE versions
•  Integration in company-wide consoles possible

Low total cost of ownership through efficient administration of SECUDE secure login servers via a web-based administration console that can be integrated in company-wide consoles.

Administration Console (screenshot)

SNC Settings on the SAP Server

•  snc/enable = 1
•  snc/data_protection/min = 2
•  snc/data_protection/max = 3
•  snc/data_protection/use = 3
•  snc/accept_insecure_gui = 1
•  snc/accept_insecure_cpic = 1
•  snc/accept_insecure_r3int_rfc = 1
•  snc/r3int_rfc_secure = 0
•  snc/r3int_rfc_qop = 3
•  snc/permit_insecure_start = 1
•  snc/gssapi_lib = c:\program files\secude\secude.dll
•  snc/identity/as = p:CN=SAP CA, O=SECUDEMEA, L=Dubai, C=AE
•  ssf/ssfapi_lib = c:\program files\secude\secude.dll
•  ssf/ssf_md_alg = SHA1
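As an added example (not part of the SECUDE deck), a Python check that parses the profile parameters listed above and flags the ones that still admit connections without SNC protection, together with a hardened counterpart for comparison. The parameter meanings are taken from the standard SAP SNC profile parameters, and PROFILE_TEXT is a constructed copy of the slide's values.

```python
# Constructed sample: the SAP profile parameters exactly as listed on the slide above.
PROFILE_TEXT = r"""
snc/enable = 1
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 1
snc/gssapi_lib = c:\program files\secude\secude.dll
snc/identity/as = p:CN=SAP CA, O=SECUDEMEA, L=Dubai, C=AE
ssf/ssfapi_lib = c:\program files\secude\secude.dll
ssf/ssf_md_alg = SHA1
"""
# Value at which each switch still lets connections WITHOUT SNC protection through.
FALLBACK = {"snc/accept_insecure_gui": "1", "snc/accept_insecure_cpic": "1",
            "snc/accept_insecure_r3int_rfc": "1", "snc/permit_insecure_start": "1",
            "snc/r3int_rfc_secure": "0"}

def parse_profile(text):
    """Parse 'key = value' profile lines into a dict, skipping blank and '#' lines."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            params[key.strip()] = value.strip()
    return params

def check_snc(params):
    """Findings for settings that leave SNC optional or allow a level without encryption."""
    if params.get("snc/enable") != "1":
        return ["snc/enable is not 1: SNC is switched off"]
    findings = [f"{k} = {v}: connections without SNC are still accepted"
                for k, v in FALLBACK.items() if params.get(k) == v]
    qop_min = params.get("snc/data_protection/min", "1")   # 1 auth, 2 integrity, 3 privacy
    if qop_min != "3":
        findings.append(f"snc/data_protection/min = {qop_min}: a level without encryption can be negotiated")
    if not params.get("snc/identity/as", "").startswith("p:CN="):
        findings.append("snc/identity/as is not a p:-prefixed distinguished name")
    return findings

def hardened(params):
    """Copy of params with every fallback switch closed and privacy as the minimum level."""
    out = dict(params)
    for k, v in FALLBACK.items():
        out[k] = "0" if v == "1" else "1"
    out["snc/data_protection/min"] = "3"
    return out
```

The slide's values report six findings (the five fallback switches plus the minimum protection level), which is what one expects during a proof of concept where not every client has SNC yet; `hardened()` shows the settings to move to once all clients are migrated.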

Distinguished Name for User (screenshot)

SNC Settings for User in SAP (screenshot)

How SNC Works

[Diagram: SAP server processes and SAP user interfaces connected through the SNC layer: SECUDE, Windows / ADS, SAP SECUDE Library, RSA]

Supported processes:
•  SAP work processes
•  SAP server processes
•  SAPGUI for Windows
•  SAPGUI for Java
•  SAP lpd
•  SAP Router

Integrations:
•  DIAG
•  RFC
•  SAP compression protocol

Protocol: SNC

But Secure Single Sign-on of SECUDE also Works with SAP's Web-based Applications

Supported applications:
•  SAP Portal
•  SAP ITS
•  SAP WebAS Java
•  other HTTPS-based applications

Protocol: SSL

Implementation: Integration with Identity Management Solutions

•  Support of different LDAP servers (ActiveDirectory, OpenLDAP, Sun Java System Directory Server) as identity and credential store
•  RSA partnership
•  Extensibility through open JAAS interface
•  Integration with user provisioning workflow possible

Proof of Concept


Proof of Concept

1.  Installation for the Proof of Concept will take 2 days
2.  Requirements for Proof of Concept are:

Hardware
§  Intel Based System
§  3.0 GHz Processor
§  2 GB RAM
§  80 GB Hard Disk
§  1 Network Interface

Software
§  Microsoft Win 2000, 2003 Server / Linux / Sun Solaris (SECUDE securelogin Server can be installed on the mentioned platforms), but for the proof of concept we prefer the Windows platform
§  JAVA 1.1
§  Servlet Engine 2.3 (Tomcat 4.4.x)
§  Internet Explorer 5.5 or latest
§  Latest Service Pack
§  Connection to Active Directory

Persons from SAP group

For our Proof of Concept for SAP we need someone from SAP who is experienced in:
•  Giving us access to the needed SAP servers / instances
•  Active Directory
•  Server for securelogin software
•  SAP Client / users
•  Deployment Software for the clients
•  Giving us all necessary information about existing hardware, software and organization structure

Impact on Business

Single Sign-On (SSO) improves usability and productivity of SAP users by providing or leveraging a single authentication service (e.g. Windows logon) that allows users to log on once and transparently access all SAP applications on different servers. No further logon is required until after the user logs out. Alternatively, customers can define policies that define after what time interval a user has to re-authenticate.

§  Improved SAP user productivity
§  Reduced password administration effort
§  Reduced effort for recovering passwords
§  Reduced number of calls to IT help desk due to forgotten passwords

Impact on Business: ROI of Single Sign-on

Single Sign-on investments typically have a very quick return on investment. Most cost savings come from the improvement in user productivity. With a reduction from an average of 6 logins per day to 1 login, the rate of incorrect logins and subsequent efforts to recover the password or to contact the help desk to reset the password is reduced significantly. Estimations point to more than 100 $ savings per month through improved user productivity. For an environment with 1000 users, the cost savings can easily add up to multiple 100'000 $ per year.

The cost savings for the IT help desk are also significant. With an estimated 35% of help desk calls being related to password reset, the IT help desk can expect about 700 calls per month for a 1000 user environment. Cost savings for avoiding these kinds of calls can easily be more than 10'000 $ per year.

Impact on Business: Improved Security – An Additional Business Value

Besides the cost savings through single sign-on, companies can also benefit from improved IT security in SAP environments. Single sign-on helps to improve security, because authentication via user name and password is inherently less secure than other mechanisms.

Many successful companies rely on SAP business software to automate their business processes, making the SAP system the central IT solution to store company-critical information and automate business processes. For many businesses, a problem with the SAP environment or a leak of company confidential data would result in a significant loss of revenue and profit. If IT security risks are not managed properly, a company's valuation will likely be affected at some point in time. According to recent analyst studies, companies with publicized IT security breaches experienced an above-average loss in valuation. This is not only caused by the direct cost of managing the security breach, but also by the negative impact on the company's reputation.

Impact on the business

•  After the configuration to enable SNC on the SAP server, the server has to be restarted once.
•  After the installation of the Securelogin client, the client machine has to be restarted once.
•  No need to install or modify the Active Directory Server, so there is no impact on the business.

Impact on Business (screenshot)

Support & Services

There are 3 ways of supporting SAP in case of problems:
•  Email (if the problem is small, with no impact on productivity)
•  Phone (if the problem requires an immediate response, with low impact on productivity)

There are 2 levels of support for SAP in case of problems:
•  First Level Support: local SUPPORT in Saudi is the first level support
•  Second Level Support: SECUDE is the second level support

Support & Services

Priority 1 – System is down: there is a critical system condition which affects the Licensee's business processes.
   Reaction time: 1h. Escalation level: Department Manager 3h, Senior Management 8h.
Priority 2 – There is no critical effect on the Licensee's business processes: there is a workaround solution and the customer can use the product with some restrictions.
   Reaction time: 4h. Escalation level: Department Manager 3d.
Priority 3 – General support questions about product use and handling. There are no (or only minor) limitations on using the system.
   Reaction time: 8h. Escalation level: Department Manager 10 d.

SAP Recommendation

“... For production scenarios, we strongly recommend the use of SNC. SNC enables user authentication that is not based on passwords, which means that no password data needs to be sent using the network. To transfer data in encrypted form, use our Secure Network Communications (SNC) and an external security product.”

SAP Note 39029 - SAP GUI protocol

SECUDE and SAP – a strong cooperation with benefits for our joint customers

•  SECUDE is a spin-off from a joint development project between SAP and Fraunhofer Institute
•  Close R&D cooperation since 1996
•  SECUDE is official software partner of SAP
•  SECUDE is a founding member of the SAP Global Security Alliance
•  SAP certified solutions

Just some of our Satisfied SECUDE Customers (customer logos)

Summary: SECUDE and SAP

•  Values for Customer
   §  secure access to SAP
   §  cost savings through single sign-on for SAP
•  Unique functionality
   §  Easy migration from soft tokens to hard tokens
   §  Web administration
   §  Choice of authentication methods
•  Proven, efficient, flexible solutions with low cost of ownership
•  Adaptable to SAP environments

SECUDE makes access to SAP secure, convenient, and easy to integrate into existing customer environments. We enable smooth business process execution and optimized business results.

Thank You