SAP HANA Security - Security for SAP HANA (solution kernel), 20.04.2015


  • Real Life Experience SAP HANA Operations, Permissions and Security

    SAP Forum Basel 2015

    Marcus Böhme, T-Systems International GmbH, Systems Integration

  • System integration, SAP full service and beyond

    Subsidiary of T-Systems Schweiz

    Headquartered in Kreuzlingen, with branch offices in Zürich, Zollikofen and Basel

    Swiss roots, worldwide delivery capability

    More than 100 employees

    Full-service provider focusing on SAP, data management and software development

    Customers from a range of industries and of every size

    Comprehensive expertise and a methodical approach

    Leading provider of SAP CRM projects

    (Organisation chart: Deutsche Telekom > T-Systems International > T-Systems Schweiz AG > T-Systems Data Migration Consulting AG)

  • Our history

    (Timeline from 1996 to today)

    2014 Renamed to T-Systems Data Migration Consulting AG
    2013 Integration of DMC and TS-CH SI
    2011 T-Systems acquires the worldwide JiVS sales partnership
    2011 Data Migration Consulting AG becomes a member of T-Systems
    2010 Data Migration AG concentrates on the product business (JiVS)
    2010 Spin-off of the SAP consulting business into DMC
    2005 Product development of JiVS
    2000 Entry into new SAP topics such as CRM, Mobility, NetWeaver, ...
    1996 Founding of Data Migration AG

  • T-Systems SAP competence and delivery capability.

    Facts: 3,400 SAP employees worldwide; approx. 1,000 SAP employees in DACH; more than CHF 360 million revenue in DACH; Global Competence Center SAP in Germany; SAP partner with E2E Gold Provider status; SAP Partner Port in Walldorf (DE); nearshore locations with a focus on application development; proven SAP partner network

    (Map: Berlin, Madrid, Sankt Petersburg, Bern, Wien; capacities for onsite work in Switzerland and for nearshore; FTE figures shown: ~100, ~900, ~80, ~30, ~50)

  • General Thoughts

    Agenda (20.04.2015): General Thoughts, Landscape Evolution, Access Control, Auditing and Hardening, Summary, Ask Round

  • Benefits and risks of SAP HANA. Facts on the table

    Benefits:

    In-memory processing allows real-time access to vast amounts of data

    Personalized views for reports and dashboards

    Evaluation of high-quality and transactional data

    Fusion of OLAP and OLTP

    How do I keep control over the data?

    Risks:

    Loss of confidentiality for data in transfer

    Lack of access protection

    Supporting mobile devices

    Unauthorized manipulation of data in transfer

    Security breaches are not identified in time

    Paradigms in the authorization concept

    Security concept in a hosting scenario

    More users and different audiences on one platform

    Direct access to sensitive information in real time

    Different terminals and connections

  • Challenges. Some thoughts

    Adequate protection of the (mobile) devices

    Segregation of duty in user and server administration

    Stronger authentication

    Secure network communications and data confidentiality

    Access control information for each user group

    Risk assessment and cost estimation

  • Landscape Evolution

  • Classic SAP landscape without SAP HANA

    (Diagram, "Yesterday": SCM, CRM, BW Analytics, SolMan and ERP as separate systems, plus an external source)

  • The way to a Real-Time Enterprise

    (Diagram: SAP HANA underneath BW on HANA, with ERP, SCM, CRM, SolMan, BW, Analytics, HANA Studio, an external source and a HANA XS app around it)

  • SAP HANA as a central platform

    (Diagram: SAP HANA as the central platform for SCM, CRM, BW Analytics, SolMan and ERP (step-by-step migration), with HANA Studio, Excel, external sources, SAP IQ (NLS) and a HANA XS app attached)

  • Overview of potential interfaces

    Conn. no. | Connection
    1  | localhost
    2  | SAP HANA DR
    3  | SAP IQ
    4  | SAP HANA XS
    5  | SAP BO
    6  | SAP BW
    7  | SAP ECC
    8  | HANA Studio (server)
    9  | HANA Studio (local clients)
    10 | Solution Manager
    11 | BODS
    12 | SLT
    13 | SAP Router
    14 | Backup / Storage
    34 | Excel

    (Diagram: the connections above drawn around SAP HANA, together with SCM, ERP, CRM, BW Analytics, SolMan, external sources, Excel, HANA Studio, SAP HANA DR, SLT, BODS, SAP Router, HANA XS, Backup, Hadoop Agent, SIEM, operational monitoring and SAP IQ (NLS))

  • Compared with traditional databases

    1. Many more interfaces
    2. Many more application scenarios and applications
    3. Application development directly in the database
    4. Many more users, and especially more user groups
    5. Direct access to sensitive information in real time

    (Diagram: the five points marked on the SAP HANA landscape, including Excel and HANA Studio)

  • ACCESS CONTROL

  • Orchestration of privileges

    (Diagram: access is governed by five privilege types)

    Package Privilege

    System Privilege

    Object Privilege on schemas, tables, views, procedures and functions: SELECT, INSERT, UPDATE, DELETE, DROP, CREATE ANY, TRIGGER, REFERENCE, EXECUTE

    Analytic Privilege

    Application Privilege

  • Approach. Role-based concept

    (Diagram: a principal is granted a role, and a role bundles privileges)

    End user (business unit): analytic privileges on information models, object privileges on schemas, tables, etc.

    Developer: object privileges on schemas, tables, etc., package privileges on repository objects

    T-Systems administrator: system privileges for administration

    Customer administrator

    1. Role-based approach
    2. Segregation of duty
    3. Implementation
       1. Consistent usage of roles as design-time objects (transportable)
       2. Usage of insecure predelivered roles and critical privileges should be avoided
       3. Additional segregation of duty, especially in a hosting scenario, to allow the customer as many privileges as possible without affecting the T-Systems responsibilities

  • Implementation of specific requirements. The challenge

    1. No possibility for T-Systems to access the customer's business data
    2. Administration of the server exclusively by T-Systems to provide and ensure SLAs
    3. Control access to information for end users, at least at the level of business divisions

    The SOLUTION covered by standards

    System administrator role has no object privileges on schemas, tables and views of customer data

    Customer roles have no critical system privileges

    End-user role consists essentially of analytic privileges and dedicated access to information models and objects

    The challenge

    4. Self-contained and separate user administration by T-Systems and the customer
    5. Providing schema mapping within design-time roles

    The SOLUTION NOT covered by standards

    Separate roles for user and rights management, one set each for T-Systems and for the customer

    Substantial technical controls to ensure the separation by means of stored procedures

    These roles consist essentially of the object privilege to execute the stored procedure
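The role model sketched in the two slides above (role-based approach, segregation of duty between a hosting-provider administrator, a customer administrator and division-level end users, design-time roles granted through a stored procedure) can be written down in SAP HANA SQL. The following is an added example, not code from the slide deck or from T-Systems; the schema, role, package, view, analytic-privilege and user names are assumptions chosen for illustration, while the SQL statements, system privileges, the `_SYS_REPO` procedures and the `SYS.GRANTED_PRIVILEGES` view are standard SAP HANA objects.

```sql
-- Added example (assumed names): role-based access with segregation of duty
-- for a hosted SAP HANA system.

-- 1. Customer business data lives in its own schema.
CREATE SCHEMA "CUST_DATA";

-- 2. Hosting-provider administrator: system privileges needed to run the
--    server and keep the SLA, but no object privilege on customer data.
CREATE ROLE "TS_SYSTEM_ADMIN";
GRANT BACKUP ADMIN, SERVICE ADMIN, MONITORING, TRACE ADMIN, INIFILE ADMIN
  TO "TS_SYSTEM_ADMIN";
-- Deliberately NOT granted to this role: DATA ADMIN, CATALOG READ,
-- or any SELECT on "CUST_DATA".

-- 3. Customer administrator: manages the customer's users and roles,
--    but holds none of the critical system privileges granted above.
CREATE ROLE "CUST_USER_ADMIN";
GRANT USER ADMIN, ROLE ADMIN TO "CUST_USER_ADMIN";

-- 4. End-user role for one business division: an analytic privilege on the
--    information model plus SELECT on exactly the calculation view it needs.
--    "cust.finance::AP_FINANCE_DIVISION" is an assumed repository analytic
--    privilege that restricts rows to that division.
CREATE ROLE "CUST_ENDUSER_FINANCE";
GRANT SELECT ON "_SYS_BIC"."cust.finance/CV_FINANCE" TO "CUST_ENDUSER_FINANCE";
GRANT STRUCTURED PRIVILEGE "cust.finance::AP_FINANCE_DIVISION"
  TO "CUST_ENDUSER_FINANCE";

-- 5. Design-time (repository) roles are granted through the _SYS_REPO
--    procedures. The customer administrator therefore only needs EXECUTE on
--    those procedures; _SYS_REPO stays the grantor of everything inside the
--    role, so the administrator never has to own the privileges personally.
--    "cust.finance::ENDUSER_FINANCE" is an assumed .hdbrole with the content
--    of step 4; "JDOE" is an assumed customer user.
GRANT EXECUTE ON "_SYS_REPO"."GRANT_ACTIVATED_ROLE"  TO "CUST_USER_ADMIN";
GRANT EXECUTE ON "_SYS_REPO"."REVOKE_ACTIVATED_ROLE" TO "CUST_USER_ADMIN";
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('cust.finance::ENDUSER_FINANCE', 'JDOE');

-- 6. Checks for the two standard controls. Both queries are expected to
--    return no rows; any row is a finding.
-- (a) Provider administrator role holds no object privilege on customer data.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'TS_SYSTEM_ADMIN'
   AND SCHEMA_NAME = 'CUST_DATA';

-- (b) No customer role carries a critical system privilege.
SELECT GRANTEE, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE LIKE 'CUST_%'
   AND OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE IN ('DATA ADMIN', 'CATALOG READ', 'INIFILE ADMIN',
                     'BACKUP ADMIN', 'SERVICE ADMIN', 'TRACE ADMIN');
```

`SYS.GRANTED_PRIVILEGES` lists direct grants only; if roles are nested, run the same conditions against `SYS.EFFECTIVE_PRIVILEGES` for the individual user names as well, otherwise a privilege inherited through a second role is missed.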

  • AUDITING AND HARDENING

  • Auditing and monitoring of the database

    SAP tool development for monitoring and reporting is at an early stage right now

    Auditing

    + A variety of different events can be logged

    + Options in the definition of policies (audit policies)

    − (Partially extreme) impact on performance

    − Options cannot be combined arbitrarily in a single policy: restriction to 13 groups

    Compliance reporting

    No real SAP functionality to check the appliance

    Define own guidelines for testing the server configuration

    SAP HANA-based reporting for the automated control of the guidelines

    Real-time monitoring

    Forwarding the syslogs to a remote syslog server

    Use a SIEM solution for processing the logs

    Requires rule-based processing of events

    Security dashboard

    Timely response to alerts

    Note: new SAP product (Enterprise Threat Detection)
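The three points of the slide above (audit policies that each stay inside one event group, forwarding the trail to a remote syslog server for a SIEM, and HANA-based reporting against self-defined configuration guidelines) can be demonstrated with SAP HANA SQL. This is an added example, not code from the slide deck or from T-Systems; the policy names, the `"CUST_DATA"."SALARIES"` table and the guideline thresholds are assumptions, while `ALTER SYSTEM ALTER CONFIGURATION`, `CREATE AUDIT POLICY` and the `SYS.M_INIFILE_CONTENTS`, `SYS.AUDIT_POLICIES` and `SYS.M_PASSWORD_POLICY` views are standard SAP HANA features.

```sql
-- Added example (assumed names): auditing to syslog plus configuration checks.

-- 1. Switch auditing on system-wide and write the audit trail to syslog, so a
--    remote syslog server or SIEM can pick up the events (instead of the
--    default database-table trail).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'default_audit_trail_type') = 'SYSLOGPROTOCOL'
  WITH RECONFIGURE;

-- 2. One policy per event group, because a single policy cannot mix groups.
-- (a) Privilege and role management: every change to the access model.
CREATE AUDIT POLICY "AP_PRIV_MGMT"
  AUDITING ALL GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE,
               GRANT STRUCTURED PRIVILEGE, REVOKE STRUCTURED PRIVILEGE
  LEVEL CRITICAL;
ALTER AUDIT POLICY "AP_PRIV_MGMT" ENABLE;

-- (b) User management: needed when provider and customer administer users
--     separately and each side has to see what the other did.
CREATE AUDIT POLICY "AP_USER_MGMT"
  AUDITING ALL CREATE USER, DROP USER, ALTER USER
  LEVEL WARNING;
ALTER AUDIT POLICY "AP_USER_MGMT" ENABLE;

-- (c) Data access on one sensitive customer table (assumed): a detective
--     control behind "no provider access to business data". Data-access
--     policies are the ones with the performance cost, so limit them to the
--     few tables that matter.
CREATE AUDIT POLICY "AP_CUST_SALARIES"
  AUDITING ALL SELECT, INSERT, UPDATE, DELETE ON "CUST_DATA"."SALARIES"
  LEVEL INFO;
ALTER AUDIT POLICY "AP_CUST_SALARIES" ENABLE;

-- 3. Checks a HANA-based compliance report can run on a schedule.
-- (a) Expected: global_auditing_state = 'true' and
--     default_audit_trail_type = 'SYSLOGPROTOCOL'.
SELECT KEY, VALUE
  FROM SYS.M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'global.ini'
   AND SECTION = 'auditing configuration'
   AND KEY IN ('global_auditing_state', 'default_audit_trail_type');

-- (b) Expected: each policy above present and active; a missing or
--     deactivated policy is a finding.
SELECT AUDIT_POLICY_NAME, EVENT_STATUS, EVENT_LEVEL, IS_AUDIT_POLICY_ACTIVE
  FROM SYS.AUDIT_POLICIES
 WHERE AUDIT_POLICY_NAME LIKE 'AP_%';

-- (c) An example of an own guideline: password policy values to compare
--     against the thresholds the guideline defines (assumed: length >= 12,
--     first-password change enforced, lockout after a few failed logons).
SELECT KEY, VALUE
  FROM SYS.M_PASSWORD_POLICY
 WHERE KEY IN ('minimal_password_length', 'force_first_password_change',
               'maximum_invalid_connect_attempts');
```

The syslog trail is what the SIEM rules are written against; the three `SELECT` statements are the kind of check that turns a guideline into an automated report, with "no rows" or "wrong value" as the condition that raises a finding on the security dashboard.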

  • HARDENING

    Appliance vs. hardening

    SAP recommendation

    Follow the SUSE Linux hardening guide

    No existing standard SAP report to check the successful implementation of the guides

    No statement as to whether the SAP appliances comply with the guides on delivery

    T-Systems recommendation

    + Build your own checks

    Example finding

    + SNMP community string "public" ... after coordination with SAP and the hardware manufacturer, the string has now been replaced on T-Systems servers by a secret of their own

    + Approximately 3-4 weeks of coordination with all parties

    The appliance is generally subject to various hardening rules of SAP and the hardware manufacturer. Limitation: any change MUST be discussed and verified with the hardware manufacturer