Table of Contents

Preface by Wolfgang Lassmann (p. 19)
Preface by Monika Egle (p. 21)
Preface by Jose Estrada (p. 23)
Introduction (p. 25)
PART I Basic Principles of Risk Management and IT Security (p. 31)
1 Risk and Control Management (p. 33)
1.1 Security Objectives (p. 34)
1.2 Company Assets (p. 36)
1.2.1 Types of Company Assets (p. 38)
1.2.2 Classification of Company Assets (p. 39)
1.3 Risks (p. 40)
1.3.1 Types of Risks (p. 41)
1.3.2 Classification of Risks (p. 44)
1.4 Controls (p. 45)
1.4.1 Types of Controls (p. 45)
1.4.2 Classification of Controls (p. 46)
2 Enterprise Risk Management Strategy (p. 49)
2.1 Status Quo (p. 51)
2.2 Components (p. 52)
2.2.1 General Framework (p. 56)
2.2.2 Strategy (p. 57)
2.2.3 Methods (p. 58)
2.2.4 Best Practices (p. 59)
2.2.5 Documentation (p. 59)
2.3 Best Practices of an SAP Security Strategy (p. 60)
2.3.1 Procedure (p. 60)
2.3.2 Principle of Information Ownership (p. 68)
2.3.3 Identity Management (p. 74)
3 Requirements (p. 79)
3.1 Legal Requirements (p. 79)
3.1.1 Sarbanes-Oxley Act (SOX) (p. 80)
3.1.2 SOX Implementation in Japan (p. 89)
3.1.3 Principles for IT-Supported Accounting Systems (p. 90)
3.1.4 International Financial Reporting Standards (p. 92)
3.2 Industry-Specific Requirements (p. 93)
3.2.1 Food and Pharmaceutical Industry and Biomedical Engineering (p. 93)
3.2.2 Finance and Banking Industry — Basel (I, II, III) (p. 94)
3.2.3 Chemical Substances and Environmental Protection (p. 98)
3.3 Internal Requirements (p. 99)
4 Security Standards (p. 101)
4.1 International Security Standards (p. 102)
4.1.1 ISO/IEC 27002:2005 (p. 102)
4.1.2 CobiT (p. 107)
4.1.3 ITIL (p. 110)
4.1.4 COSO (p. 112)
4.2 Country-Specific Security Standards (p. 116)
4.2.1 NIST Special Publication 800-12 (p. 117)
4.2.2 IT Baseline Protection Manual (p. 120)
4.2.3 PIPEDA (p. 122)
5 IT Security (p. 127)
5.1 Cryptography (p. 127)
5.1.1 Symmetric Encryption Procedure (p. 128)
5.1.2 Asymmetric Encryption Procedure (p. 129)
5.1.3 Elliptic Curve Cryptography (p. 130)
5.1.4 Hybrid Encryption Procedure (p. 131)
5.1.5 SSL Encryption (p. 133)
5.1.6 Hash Procedures (p. 134)
5.1.7 Digital Signature (p. 135)
5.2 Public Key Infrastructure (p. 137)
5.3 Authentication Procedures (p. 140)
5.3.1 User Name and Password (p. 140)
5.3.2 Challenge Response (p. 140)
5.3.3 Kerberos (p. 141)
5.3.4 Secure Token (p. 142)
5.3.5 Digital Certificate (p. 143)
5.3.6 Biometric Procedures (p. 143)
5.4 Basic Principles of Networks and Security Aspects (p. 144)
5.4.1 OSI Reference Model (p. 144)
5.4.2 Overview of Firewall Technologies (p. 150)
PART II Security in SAP NetWeaver and Application Security (p. 153)
6 Enterprise Risk Management (ERM) Navigation Control Map (p. 155)
6.1 SAP Applications (p. 163)
6.2 SAP NetWeaver Components (p. 165)
6.3 Security Technologies (p. 167)
6.3.1 Authorizations, Risk and Change Management, and Auditing (p. 168)
6.3.2 Identity Management (p. 169)
6.3.3 Secure Authentication and SSO (p. 171)
6.3.4 Technical Security (p. 172)
6.4 Influencing Factors (p. 173)
7 Web Services, Enterprise Services, and Service-Oriented Architectures (p. 175)
7.1 Introduction and Technical Principles (p. 177)
7.2 Security Criteria for Web Services (p. 181)
7.2.1 Security and Risk Management for Service-Oriented Architectures (p. 186)
7.2.2 SAP Enterprise Services (p. 187)
7.2.3 Security Guidelines for SAP Enterprise Services (p. 190)
7.3 Service-Oriented Architectures and Governance (p. 193)
8 GRC Solutions in SAP BusinessObjects (p. 197)
8.1 Introduction and Functions (p. 197)
8.1.1 Goals of the GRC Solutions in SAP BusinessObjects (p. 198)
8.1.2 Methods of the GRC Solutions in SAP BusinessObjects (p. 199)
8.1.3 Planning the Deployment of GRC Solutions in SAP BusinessObjects (p. 200)
8.1.4 Overview of the GRC Solutions in SAP BusinessObjects (p. 201)
8.2 SAP BusinessObjects RM (p. 205)
8.2.1 Main Components (p. 205)
8.2.2 Phases (p. 206)
8.2.3 Responsibilities (p. 212)
8.2.4 Reporting (p. 214)
8.3 SAP BusinessObjects Access Control (p. 214)
8.3.1 General Requirements on the SAP Authorization System (p. 214)
8.3.2 Main Components (p. 221)
8.4 SAP BusinessObjects Process Control (p. 229)
8.4.1 My Home (p. 232)
8.4.2 Compliance Structure (p. 233)
8.4.3 Evaluation Setup (p. 234)
8.4.4 Evaluation Results (p. 234)
8.4.5 Certification (p. 235)
8.4.6 Report Center (p. 236)
8.4.7 User Access (p. 238)
8.5 SAP BusinessObjects Global Trade Services (GTS) (p. 238)
8.5.1 Compliance Management (p. 241)
8.5.2 Customs Management (p. 243)
8.5.3 Risk Management (p. 245)
8.5.4 Electronic Compliance Reporting (p. 247)
8.5.5 System Administration (p. 247)
8.6 SAP Environment, Health, and Safety (EHS) Management (p. 248)
8.6.1 Overview (p. 248)
8.6.2 Chemical Safety (p. 250)
8.6.3 Environment, Health, and Safety (p. 252)
8.6.4 Compliance with Product-Related Environmental Specifications (p. 252)
8.6.5 Compliance and Emission Management (p. 253)
8.7 SAP BusinessObjects Sustainability Performance Management (p. 255)
9 SAP NetWeaver Application Server (p. 257)
9.1 Introduction and Functions (p. 257)
9.2 Risks and Controls (p. 260)
9.3 Application Security (p. 269)
9.3.1 Technical Authorization Concept for Administrators (p. 269)
9.3.2 Authorization Concept for Java Applications (p. 277)
9.3.3 Restricting Authorizations for RFC Calls (p. 283)
9.4 Technical Security (p. 287)
9.4.1 Introducing an SSO Authentication Mechanism (p. 287)
9.4.2 Connecting the SAP NetWeaver AS to a Central LDAP Directory (p. 289)
9.4.3 Changing the Default Passwords for Default Users (p. 291)
9.4.4 Configuring Security on the SAP Gateway (p. 291)
9.4.5 Restricting Operating System Access (p. 293)
9.4.6 Configuring Important Security System Parameters (p. 294)
9.4.7 Configuring Encrypted Communication Connections (SSL and SNC) (p. 296)
9.4.8 Restricting Superfluous Internet Services (p. 301)
9.4.9 Secure Network Architecture for Using the SAP NetWeaver AS with the Internet (p. 303)
9.4.10 Introducing an Application-Level Gateway to Make Internet Applications Secure (p. 304)
9.4.11 Introducing Hardening Measures on the Operating System Level (p. 304)
9.4.12 Introducing a Quality Assurance Process for Software Development (p. 305)
9.4.13 Security and Authorization Checks in Custom ABAP and Java Program Code (p. 307)
10 SAP NetWeaver Business Warehouse (p. 309)
10.1 Introduction and Functions (p. 309)
10.2 Risks and Controls (p. 310)
10.3 Application Security (p. 313)
10.3.1 Authorizations (p. 314)
10.3.2 Analysis Authorizations (p. 318)
10.3.3 Other Concepts (p. 319)
10.4 Technical Security (p. 323)
11 BI Solutions in SAP BusinessObjects (p. 325)
11.1 Introduction and Functions (p. 326)
11.2 Risks and Controls (p. 327)
11.3 Application Security (p. 332)
11.3.1 Authorization Concept for SAP BusinessObjects (p. 332)
11.3.2 Application Examples for Authorization Concepts (p. 339)
11.3.3 Securing the Administration Access and the Guest User (p. 342)
11.3.4 Configuring Password Rules (p. 342)
11.3.5 Application Authorizations (p. 343)
11.4 Technical Security (p. 344)
11.4.1 External Authentication and SSO (p. 344)
11.4.2 Using the Audit Function (p. 345)
11.4.3 Network Communication via SSL and CORBA Services (p. 346)
12 SAP NetWeaver Process Integration (p. 347)
12.1 Introduction and Functions (p. 348)
12.2 Risks and Controls (p. 350)
12.3 Application Security (p. 357)
12.3.1 Authorizations for Enterprise Services Builder (p. 357)
12.3.2 Passwords and Authorizations for Technical Service Users (p. 359)
12.3.3 Authorizations for Administrative Access to SAP NetWeaver PI (p. 360)
12.3.4 Password Rules for Administrators (p. 361)
12.4 Technical Security (p. 361)
12.4.1 Definition of Technical Service Users for Communication Channels at Runtime (p. 362)
12.4.2 Setting Up Encryption for Communication Channels (p. 363)
12.4.3 Digital Signature for XML-Based Messages (p. 371)
12.4.4 Encryption of XML-Based Messages (p. 376)
12.4.5 Network-Side Security for Integration Scenarios (p. 376)
12.4.6 Audit of the Enterprise Services Builder (p. 377)
12.4.7 Securing the File Adapter at the Operating System Level (p. 379)
12.4.8 Encrypting PI Communication Channels and Web Services (p. 380)
12.4.9 Security for Web Services (p. 380)
13 SAP Partner Connectivity Kit (p. 383)
13.1 Introduction and Functions (p. 383)
13.2 Risks and Controls (p. 384)
13.3 Application Security (p. 388)
13.4 Technical Security (p. 388)
13.4.1 Separate Technical Service User for Every Connected Partner System (p. 389)
13.4.2 Setting Up Encryption for Communication Channels (p. 389)
13.4.3 Digital Signature for XML-Based Messages (p. 389)
13.4.4 Network-Side Security for Integration Scenarios (p. 389)
13.4.5 Audit of the Message Exchange (p. 389)
13.4.6 Securing the File Adapter at the Operating System Level (p. 390)
14 Classic SAP Middleware (p. 391)
14.1 SAP Web Dispatcher (p. 391)
14.1.1 Introduction and Functions (p. 392)
14.1.2 Risks and Controls (p. 392)
14.1.3 Application Security (p. 395)
14.1.4 Technical Security (p. 395)
14.2 SAProuter (p. 403)
14.2.1 Introduction and Functions (p. 403)
14.2.2 Risks and Controls (p. 404)
14.2.3 Application Security (p. 405)
14.2.4 Technical Security (p. 405)
14.3 SAP Internet Transaction Server (ITS) (p. 407)
14.3.1 Introduction and Functions (p. 408)
14.3.2 Risks and Controls (p. 410)
14.3.3 Application Security (p. 413)
14.3.4 Technical Security (p. 415)
15 SAP NetWeaver Master Data Management (p. 423)
15.1 Introduction and Functions (p. 423)
15.2 Risks and Controls (p. 424)
15.3 Application Security (p. 429)
15.3.1 Identity Management and Authorizations (p. 429)
15.3.2 Revision Security (p. 436)
15.4 Technical Security (p. 436)
15.4.1 Communication Security (p. 436)
15.4.2 Important Additional Components (p. 437)
16 SAP NetWeaver Portal (p. 439)
16.1 Introduction and Functions (p. 439)
16.1.1 Technical Architecture (p. 441)
16.1.2 Description of the UME (p. 443)
16.2 Risks and Controls (p. 447)
16.3 Application Security (p. 456)
16.3.1 Structure and Design of Portal Roles (p. 456)
16.3.2 Authorizations for the UME (p. 463)
16.3.3 Portal Security Zones (p. 464)
16.3.4 Authentication Check for iView Access (p. 470)
16.3.5 Standard Portal Roles and Delegated User Administration (p. 470)
16.3.6 Synchronization of Portal Roles with ABAP Roles (p. 473)
16.3.7 Change Management Process for New Portal Content (p. 480)
16.4 Technical Security (p. 481)
16.4.1 Connecting SAP NetWeaver Portal to a Central LDAP Directory or SAP System (p. 481)
16.4.2 Implementation of an SSO Mechanism Based on One-Factor Authentication (p. 484)
16.4.3 Implementation of an SSO Mechanism Based on Integrated Authentication (p. 487)
16.4.4 Implementation of an SSO Mechanism Based on Person-Related Certificates (p. 489)
16.4.5 Configuration for Anonymous Access (p. 491)
16.4.6 Secure Initial Configuration (p. 492)
16.4.7 Secure Network Architecture (p. 493)
16.4.8 Introducing an Application-Level Gateway to Make Portal Applications Secure (p. 496)
16.4.9 Configuration of Encrypted Communication Channels (p. 500)
16.4.10 Implementation of a Virus Scan for Avoiding a Virus Infection (p. 502)
17 SAP NetWeaver Mobile (p. 505)
17.1 Introduction and Functions (p. 505)
17.2 Risks and Controls (p. 508)
17.3 Application Security (p. 515)
17.3.1 Authorization Concept for Mobile Applications (p. 515)
17.3.2 Authorization Concept for Administration (p. 518)
17.3.3 Restricting the Authorizations of the RFC User to Back-End Applications (p. 519)
17.4 Technical Security (p. 520)
17.4.1 Setting Up Encrypted Communication Connections (p. 520)
17.4.2 Securing the Synchronization Communication (p. 521)
17.4.3 Deactivating Unnecessary Services on the SAP NetWeaver Mobile Server (p. 523)
17.4.4 Secure Network Architecture (p. 523)
17.4.5 Monitoring (p. 524)
17.4.6 Secure Program Code (p. 525)
18 SAP Auto-ID Infrastructure (p. 527)
18.1 Introduction and Functions (p. 527)
18.2 Risks and Controls (p. 529)
18.3 Application Security (p. 533)
18.3.1 Authorization Concept for SAP Auto-ID Infrastructure (p. 533)
18.3.2 Authorization Concept for Administration (p. 533)
18.3.3 Restricting the Authorizations of the RFC User to Back-End Applications (p. 534)
18.3.4 Authentication, Password Rules, and Security (p. 534)
18.4 Technical Security (p. 535)
18.4.1 Setting Up Encrypted Communication Connections (p. 535)
18.4.2 Deactivating Unnecessary Services on the Server (p. 535)
18.4.3 Secure Network Architecture (p. 535)
19 SAP Solution Manager (p. 537)
19.1 Introduction and Functions (p. 537)
19.2 Risks and Controls (p. 540)
19.3 Application Security (p. 544)
19.4 Technical Security (p. 550)
19.4.1 Security Measures for User Access (p. 550)
19.4.2 System Monitoring Function (p. 551)
19.4.3 RFC Communication Security (p. 551)
19.4.4 Data Communication Security (p. 552)
19.4.5 Important Components of SAP NetWeaver (p. 553)
20 Authorizations in SAP ERP (p. 555)
20.1 Introduction and Functions (p. 555)
20.2 Risks and Controls (p. 556)
20.3 Application Security (p. 563)
20.3.1 Authentication (p. 563)
20.3.2 Authorizations (p. 563)
20.3.3 Other Authorization Concepts (p. 578)
20.3.4 Best-Practice Solutions (p. 589)
20.4 Technical Security (p. 597)
21 SAP ERP Human Capital Management and Data Protection (p. 599)
21.1 Introduction and Functions (p. 599)
21.1.1 Data Protection in Human Resources (p. 599)
21.1.2 Technical and Organizational Measures (p. 600)
21.2 Risks and Controls (p. 602)
21.3 Application Security (p. 609)
21.3.1 HR Master Data Authorizations (p. 610)
21.3.2 Applicant Authorizations (p. 612)
21.3.3 Personnel Planning Authorizations (p. 613)
21.3.4 Reporting Authorizations (p. 613)
21.3.5 Structural Authorizations (p. 613)
21.3.6 Authorizations for Personnel Development (p. 614)
21.3.7 Tolerance Periods for Authorizations (p. 614)
21.3.8 Authorizations for Inspection Procedures (p. 614)
21.3.9 Customized Authorization Checks (p. 614)
21.3.10 Indirect Role Assignment through the Organizational Structure (p. 615)
21.3.11 Additional Transactions Relevant to Internal Controls (p. 615)
21.4 Technical Security (p. 617)
22 SAP Strategic Enterprise Management (p. 619)
22.1 Introduction and Functions (p. 619)
22.2 Risks and Controls (p. 620)
22.3 Application Security (p. 622)
22.4 Technical Security (p. 623)
23 SAP Customer Relationship Management (p. 625)
23.1 Introduction and Functions (p. 625)
23.2 Risks and Controls (p. 626)
23.3 Application Security (p. 628)
23.3.1 Authorizations in SAP CRM (p. 629)
23.3.2 Authorizations for Portal Roles (p. 635)
23.4 Technical Security (p. 636)
23.4.1 Technical Protection of the Mobile Application (p. 636)
23.4.2 Important Additional Components (p. 636)
24 SAP Supply Chain Management (p. 639)
24.1 Introduction and Functions (p. 639)
24.2 Risks and Controls (p. 640)
24.3 Application Security (p. 641)
24.3.1 Authorizations for the Integrated Product and Process Engineering (iPPE) Workbench (p. 642)
24.3.2 Authorizations for Supply Chain Planning (p. 642)
24.3.3 Authorizations for SAP Event Management (p. 643)
24.4 Technical Security (p. 644)
25 SAP Supplier Relationship Management (p. 647)
25.1 Introduction and Functions (p. 647)
25.2 Risks and Controls (p. 649)
25.3 Application Security (p. 651)
25.3.1 Important Authorizations (p. 651)
25.3.2 Rules-Based Security Checks Using Business Partner Attributes (p. 659)
25.3.3 User Management (p. 663)
25.4 Technical Security (p. 664)
25.4.1 Security Environment Based on SAP NetWeaver (p. 664)
25.4.2 Security Environment for RFC Communication (p. 665)
26 Industry-Specific SAP Solution Portfolios (p. 667)
26.1 Introduction and Functions (p. 668)
26.2 Risks and Controls (p. 668)
26.3 Application Security (p. 671)
26.3.1 SAP MaxSecure Support (p. 671)
26.3.2 SAP Role Manager (p. 672)
26.4 Technical Security (p. 675)
27 Database Server (p. 677)
27.1 Introduction and Functions (p. 677)
27.2 Risks and Controls (p. 678)
27.3 Application Security (p. 681)
27.4 Technical Security (p. 683)
27.4.1 Changing Default Passwords (p. 683)
27.4.2 Removing Unnecessary Database Users (p. 686)
27.4.3 Limiting Database Access (p. 686)
27.4.4 Creation and Implementation of a Database Backup Concept (p. 686)
27.4.5 Filtering Database Queries (p. 687)
27.4.6 Creation and Implementation of an Upgrade Concept (p. 688)
28 User Interfaces (p. 689)
28.1 SAP GUI (p. 689)
28.1.1 Introduction and Functions (p. 689)
28.1.2 Risks and Controls (p. 690)
28.1.3 Application Security (p. 693)
28.1.4 Technical Security (p. 698)
28.2 Web Browser (p. 701)
28.2.1 Introduction and Functions (p. 702)
28.2.2 Risks and Controls (p. 702)
28.2.3 Application Security (p. 704)
28.2.4 Technical Security (p. 704)
28.3 Mobile Devices (p. 706)
28.3.1 Introduction and Functions (p. 706)
28.3.2 Risks and Controls (p. 707)
28.3.3 Application Security (p. 712)
28.3.4 Technical Security (p. 712)
Appendices (p. 717)
A Bibliography (p. 717)
B The Authors (p. 719)
Index (p. 721)