
Real Life Experience SAP HANA Operations, Permissions and Security

SAP Forum Basel 2015

Marcus Böhme, T-Systems International GmbH – Systems Integration

Systems integration, SAP full service and beyond

Subsidiary of T-Systems Schweiz

Headquartered in Kreuzlingen, with offices in Zürich, Zollikofen and Basel

Swiss roots, worldwide delivery capability

More than 100 employees

Full-service provider focused on SAP, data management and software development

Customers from a range of industries and of every size

Comprehensive expertise and a methodical approach

Leading provider of SAP CRM projects

Group structure (org chart): Deutsche Telekom, T-Systems International, T-Systems Schweiz AG, T-Systems Data Migration Consulting AG

Our history

2014 – Renamed T-Systems Data Migration Consulting AG
2013 – Integration of DMC and TS-CH SI
2011 – T-Systems acquires the worldwide JiVS sales partnership
2011 – Data Migration Consulting AG becomes a member of T-Systems
2010 – Data Migration AG concentrates on the product business (JiVS)
2010 – Spin-off of the SAP consulting business into DMC
2005 – Product development of JiVS
2000 – Entry into new SAP topics such as CRM, Mobility, NetWeaver, ...
1996 – Foundation of Data Migration AG

T-Systems SAP competence and delivery capability.

Locations on the map: Berlin, Madrid, Sankt Petersburg, Bern and Wien, plus the SAP Partner Port in Walldorf (DE). Capacity for onsite work in Switzerland and nearshore capacity; nearshore sites with a focus on application development; an established SAP partner network. Headcounts shown on the map: ~100 FTE, ~900 FTE, ~80 FTE, ~30 FTE and ~50 FTE (the assignment to individual sites is not recoverable from the extracted slide).

Facts: 3,400 SAP employees worldwide; about 1,000 SAP employees in DACH; more than CHF 360 million revenue in DACH; Global Competence Center SAP in Germany; SAP partner with E2E Gold Provider status

General Thoughts

20.04.2015. Agenda: General Thoughts, Landscape Evolution, Access Control, Auditing and Hardening, Summary, Ask Round

Benefits and risks of SAP HANA: facts on the table

In-memory processing allows real-time access to vast amounts of data

Personalized views for reports and dashboards

Evaluation of high-quality, transactional data

Fusion of OLAP and OLTP

How do I keep control over the data?

Loss of confidentiality for data in transit

Lack of access protection

Support for mobile devices

Unauthorized manipulation of data in transit

Security breaches are not identified in time

Paradigm shift in the authorization concept

Security concept in a hosting scenario

More users and different audiences on one platform

Direct access to sensitive information in real time

Different terminals and connections

Challenges: some thoughts

Adequate protection of the (mobile) devices

Segregation of duties in user and server administration

Stronger authentication

Secure network communication and data confidentiality

Access control information for each user group

Risk assessment

Cost estimation

Landscape Evolution


Classic SAP landscape without SAP HANA

(Diagram, "yesterday": SCM, CRM, BW Analytics, SolMan and ERP as separate systems, plus an external source.)

The way to a real-time enterprise

(Diagram: ERP, SolMan, SCM and CRM remain separate systems; BW becomes BW on HANA on a SAP HANA database that is also reached by Analytics, HANA Studio, an external source and a HANA XS app.)

SAP HANA as a central platform

(Diagram: SAP HANA in the centre, with SCM, CRM, BW Analytics, SolMan, external sources, HANA Studio, Excel, a HANA XS app and SAP IQ as near-line storage (NLS) attached; ERP is migrated step by step.)

Overview of potential interfaces

Conn. no. | Connection
----------+-----------------------------
 1        | localhost
 2        | SAP HANA DR
 3        | SAP IQ
 4        | SAP HANA XS
 5        | SAP BO
 6        | SAP BW
 7        | SAP ECC
 8        | HANA Studio (server)
 9        | HANA Studio (local clients)
10        | Solution Manager
11        | BODS
12        | SLT
13        | SAP Router
14        | Backup / Storage
...       | ...
34        | Excel

(Diagram: SAP HANA surrounded by SCM, ERP, CRM, BW Analytics, SolMan, external sources, Excel, HANA Studio, SAP HANA DR, SLT, BODS, SAP Router, HANA XS, backup, a Hadoop agent, SIEM, operational monitoring and SAP IQ (NLS).)

Compared with traditional databases

1. Many more interfaces
2. Many more application scenarios and applications
3. Application development directly in the database
4. Many more users, and in particular more user groups
5. Direct access to sensitive information in real time

(Diagram: the five points located on the landscape picture around SAP HANA, Excel and HANA Studio.)

ACCESS CONTROL


Orchestration of privileges

(Diagram: the privilege types of SAP HANA grouped around "Access".)

- Package privilege: repository objects
- System privilege
- Object privilege: SELECT, INSERT, UPDATE, DELETE, DROP, CREATE ANY, TRIGGER, REFERENCES, EXECUTE on schemas, tables, views, procedures and functions
- Analytic privilege
- Application privilege

Approach: role-based concept

Role layers on the slide:

- End user (business unit): analytic privileges on the information model; object privileges on schemas, tables, etc.
- T-Systems administrator: system privileges (administration)
- Developer: object privileges (schemas, tables, etc.) and package privileges (repository objects)
- Customer administrator

1. Role-based approach
2. Segregation of duties
3. Implementation: privilege, granted to, principal role (privileges are collected in roles, roles are granted to principals)

1. Consistent use of roles as design-time objects (transportable)
2. Use of insecure pre-delivered roles and of critical privileges should be avoided
3. Additional segregation of duties, especially in a hosting scenario, to give the customer the widest possible privileges without affecting the T-Systems responsibilities

Implementation of specific requirements

The challenge:

1. T-Systems must have no way of accessing the customer's business data
2. Administration of the server exclusively by T-Systems, to provide and ensure the SLAs
3. Access to information for end users controlled at least at the level of business divisions

The solution, covered by the standard:

- The system administrator role has no object privileges on schemas, tables and views holding customer data
- Customer roles have no critical system privileges
- The end-user role consists essentially of analytic privileges and dedicated access to information models and objects

The challenge:

4. Self-contained, separate user administration by T-Systems and by the customer
5. Schema mapping within design-time roles

The solution, not covered by the standard:

- Separate roles for each user, and separate rights management for T-Systems and the customer
- Substantial technical controls to enforce the separation, implemented as stored procedures
- The roles consist essentially of the object privilege to execute those stored procedures
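As an added illustration of the role model described above (an editor's example, not code from the presentation or from T-Systems), the following SAP HANA SQL sketches the three-party separation in catalog roles. All schema, role, user, package, view and procedure names are assumptions; in a project these roles would be maintained as transportable .hdbrole design-time objects, and the catalog SQL only shows the privilege decisions. The last part is what the slides call "technical controls by stored procedures": a DEFINER-mode procedure owned by a technical user holding USER ADMIN and ROLE ADMIN, on which the customer administrator receives nothing but EXECUTE. The syntax for package privileges and for the _SYS_REPO grant procedure is given as I know it from SAP HANA 1.0; check it against the revision in use.

```sql
-- Editor's example, not from the presentation. All object names are assumed.

-- 1. Roles first: everything below is granted to roles, never to users directly.
CREATE ROLE TS_SYSADMIN;
CREATE ROLE CUST_DEVELOPER;
CREATE ROLE CUST_ENDUSER_SALES_EU;
CREATE ROLE CUST_ADMIN;

-- 2. Hosting-provider administrator: the system privileges needed to operate
--    the database, deliberately WITHOUT DATA ADMIN, USER ADMIN or ROLE ADMIN,
--    and without any object privilege on the customer schema.
GRANT BACKUP ADMIN, MONITOR ADMIN, TRACE ADMIN, SERVICE ADMIN, INIFILE ADMIN,
      RESOURCE ADMIN, LICENSE ADMIN, CATALOG READ, AUDIT ADMIN
  TO TS_SYSADMIN;

-- 3. Customer data lives in its own schema with a technical owner that is
--    never used for logon.
CREATE USER CUST_DATA_OWNER PASSWORD "Init-Pw-2015" NO FORCE_FIRST_PASSWORD_CHANGE;
CREATE SCHEMA CUST_DATA OWNED BY CUST_DATA_OWNER;
-- Connected as CUST_DATA_OWNER (only the owner, or a grantor holding the
-- privilege WITH GRANT OPTION, may grant on the schema; SYSTEM cannot):
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ANY, EXECUTE
   ON SCHEMA CUST_DATA TO CUST_DEVELOPER;
-- Back as the security administrator: the owner account is now locked.
ALTER USER CUST_DATA_OWNER DEACTIVATE USER NOW;

-- 4. Developer: repository package privileges, but no system privileges.
GRANT REPO.READ, REPO.EDIT_NATIVE_OBJECTS, REPO.ACTIVATE_NATIVE_OBJECTS
   ON "cust.app" TO CUST_DEVELOPER;

-- 5. End user: an analytic privilege that restricts an activated calculation
--    view to the user's business division, plus SELECT on that view only.
--    Activated views are owned by _SYS_REPO, so SELECT is granted through its
--    procedure rather than with a plain GRANT.
CREATE STRUCTURED PRIVILEGE AP_SALES_EU
  FOR SELECT ON "_SYS_BIC"."cust.app/CV_SALES" WHERE "REGION" = 'EU';
GRANT STRUCTURED PRIVILEGE AP_SALES_EU TO CUST_ENDUSER_SALES_EU;
CALL _SYS_REPO.GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT(
  'SELECT', '"_SYS_BIC"."cust.app/CV_SALES"', 'CUST_ENDUSER_SALES_EU');

-- 6. Delegated user administration. The technical owner holds USER ADMIN and
--    ROLE ADMIN; the customer administrator never does. Run the CREATE
--    PROCEDURE and the GRANT EXECUTE while connected as USERMGMT_OWNER, so
--    that "DEFINER" means that user.
CREATE USER USERMGMT_OWNER PASSWORD "Init-Pw-2015" NO FORCE_FIRST_PASSWORD_CHANGE;
GRANT USER ADMIN, ROLE ADMIN TO USERMGMT_OWNER;
CREATE SCHEMA USERMGMT OWNED BY USERMGMT_OWNER;

CREATE PROCEDURE USERMGMT.CREATE_ENDUSER (
    IN p_user NVARCHAR(32), IN p_role NVARCHAR(64), IN p_initial_pw NVARCHAR(64))
  LANGUAGE SQLSCRIPT SQL SECURITY DEFINER AS
BEGIN
  -- Allow-list every parameter before it reaches dynamic SQL: only CUST_*
  -- users, only CUST_ENDUSER_* roles, and no quote characters anywhere.
  IF :p_user NOT LIKE_REGEXPR '^CUST_[A-Z0-9_]{1,27}$'
     OR :p_role NOT LIKE_REGEXPR '^CUST_ENDUSER_[A-Z0-9_]{1,51}$'
     OR :p_initial_pw NOT LIKE_REGEXPR '^[A-Za-z0-9!#$%&*+,.:;=?@_-]{12,64}$' THEN
    SIGNAL SQL_ERROR_CODE 10000 SET MESSAGE_TEXT = 'CREATE_ENDUSER: parameter rejected';
  END IF;
  -- FORCE_FIRST_PASSWORD_CHANGE keeps its default (on): the initial password
  -- is good for exactly one logon.
  EXEC 'CREATE USER "' || :p_user || '" PASSWORD "' || :p_initial_pw || '"';
  EXEC 'GRANT "' || :p_role || '" TO "' || :p_user || '"';
END;

GRANT EXECUTE ON USERMGMT.CREATE_ENDUSER TO CUST_ADMIN;

-- A customer administrator holding only CUST_ADMIN can now do this, and
-- nothing else to users or roles:
CALL USERMGMT.CREATE_ENDUSER('CUST_JDOE', 'CUST_ENDUSER_SALES_EU', 'Welcome-2015-xyz');

-- 7. Segregation-of-duties check over direct grants: provider roles must not
--    reach the customer schema, customer roles must hold no critical system
--    privilege. Expected result: no rows.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE (GRANTEE LIKE 'TS_%'   AND SCHEMA_NAME = 'CUST_DATA')
    OR (GRANTEE LIKE 'CUST_%' AND OBJECT_TYPE = 'SYSTEMPRIVILEGE'
        AND PRIVILEGE IN ('DATA ADMIN', 'USER ADMIN', 'ROLE ADMIN', 'INIFILE ADMIN'));
```

Two caveats a reviewer would raise: the analytic privilege only takes effect if the calculation view has its "apply privileges" setting turned on for SQL analytic privileges, and the final query inspects direct grants only, so nested role chains have to be checked with EFFECTIVE_PRIVILEGES per user. The allow-list in the procedure is the part that matters most: a DEFINER procedure building dynamic SQL from its parameters is a privilege-escalation path for anyone with EXECUTE on it unless every parameter is constrained to a safe character set before concatenation.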

AUDITING AND HARDENING


Auditing and monitoring of the database

SAP's own tooling for monitoring and reporting is still at an early stage.

Auditing
+ A variety of different events can be logged
+ Flexible definition of policies (audit policies)
- Impact on performance, in some cases severe
- Not every combination of options is possible in a single policy: the actions are restricted to 13 groups

Compliance reporting
- No real SAP functionality to check the appliance
+ Define your own guidelines for testing the server configuration
+ SAP HANA-based reporting for automated control of those guidelines

Real-time monitoring
- Forward the syslog to a remote syslog server
- Use a SIEM solution to process the logs
- Requires rule-based processing of events
- Security dashboard
- Timely response to alerts

Note: new SAP product, Enterprise Threat Detection
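To make the auditing points concrete, here is an editor's example (not from the presentation) of switching auditing on and defining policies in SAP HANA SQL. Policy, schema, table and user names are assumptions; the configuration keys and audit actions are the ones documented for SAP HANA 1.0 in 2015 as I know them, so check them against the revision you run. The policies are kept small on purpose: a policy may only combine actions from one action group, which is the "restriction in 13 groups" of the slide, and if CREATE AUDIT POLICY rejects a combination the fix is to split it.

```sql
-- Editor's example, not from the presentation. Names are assumed.

-- 1. Enable auditing system-wide and write the trail to syslog, from where
--    the OS forwards it to the remote syslog server / SIEM. The alternative
--    CSTABLE keeps the trail inside the database (view AUDIT_LOG), i.e. on
--    the appliance, which is not what the monitoring scenario wants.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state')    = 'true',
      ('auditing configuration', 'default_audit_trail_type') = 'SYSLOGPROTOCOL'
  WITH RECONFIGURE;

-- 2. Administrative events: one policy per action group.
CREATE AUDIT POLICY AUDIT_USER_MGMT
  AUDITING ALL CREATE USER, ALTER USER, DROP USER
  LEVEL CRITICAL;

CREATE AUDIT POLICY AUDIT_AUTHORIZATION
  AUDITING ALL GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE
  LEVEL CRITICAL;

CREATE AUDIT POLICY AUDIT_CONFIG_CHANGE
  AUDITING ALL SYSTEM CONFIGURATION CHANGE
  LEVEL WARNING;

-- Failed logons only: auditing successful ones would flood the SIEM.
CREATE AUDIT POLICY AUDIT_FAILED_LOGON
  AUDITING UNSUCCESSFUL CONNECT
  LEVEL ALERT;

-- 3. Data access is where the performance cost sits, so scope it narrowly:
--    one sensitive table, and only for the hosting-provider administrator
--    account that must never read customer data. Any hit is a finding.
CREATE AUDIT POLICY AUDIT_CUST_DATA_BY_PROVIDER
  AUDITING ALL SELECT, INSERT, UPDATE, DELETE ON CUST_DATA.CUSTOMER
  FOR TS_ADMIN_01
  LEVEL ALERT;

-- 4. Policies are created disabled; switch them on explicitly.
ALTER AUDIT POLICY AUDIT_USER_MGMT             ENABLE;
ALTER AUDIT POLICY AUDIT_AUTHORIZATION         ENABLE;
ALTER AUDIT POLICY AUDIT_CONFIG_CHANGE         ENABLE;
ALTER AUDIT POLICY AUDIT_FAILED_LOGON          ENABLE;
ALTER AUDIT POLICY AUDIT_CUST_DATA_BY_PROVIDER ENABLE;

-- 5. Verify what is actually active.
SELECT AUDIT_POLICY_NAME, IS_AUDIT_POLICY_ACTIVE, EVENT_STATUS, EVENT_LEVEL, EVENT_ACTION
  FROM SYS.AUDIT_POLICIES
 ORDER BY AUDIT_POLICY_NAME;
```

The rule-based processing the slide asks for then happens on the SIEM side: AUDIT_CUST_DATA_BY_PROVIDER and AUDIT_FAILED_LOGON are the two policies whose every event deserves an alert, while the administrative policies are the evidence trail for the segregation-of-duties model. Creating and altering audit policies needs AUDIT ADMIN, so it belongs to the security administrator role and not to the general system administrator.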

Hardening

Appliance vs. hardening

SAP recommendation
- Follow the SuSE Linux Hardening Guide
- No standard SAP report exists to check the successful implementation of the guides
- No statement whether the SAP appliances comply with the guides on delivery

T-Systems recommendation
+ Build your own checks

Example finding
+ SNMP community string PUBLIC ... after coordination with SAP and the hardware manufacturer, the string has been replaced on T-Systems servers by a secret of their own
+ Approximately 3-4 weeks of coordination with all parties

The appliance is generally subject to various hardening rules of SAP and the hardware manufacturer. Limitation: any change MUST be discussed and verified with the hardware manufacturer and SAP.

Encryption of communication channels

- The official SAP HANA documentation mentions and names the options
- An incomplete how-to on SDN
- Initially unstable and poorly documented, but since revision 72 a stable implementation is possible
- HANA server: a unified solution is possible, with two options for the technical implementation:
  a. based on OpenSSL
  b. based on the SAP CommonCryptoLib (recommended)
- Clients: client- and company-specific solution
- No measurable negative impact on the performance of the HANA server or the clients

T-Systems project experiences
- Solution based on a PKI instead of self-signed certificates
- Significantly reduced maintenance effort, because only one certificate (the root CA) is required on all clients
- Operating effort is limited to managing the HANA server certificates

Further recommendations
- Design and implement encryption already during the HANA introduction
- This saves enormous subsequent implementation effort
- The need for encryption can then be decided flexibly per component
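As an added example for the "define your own guidelines" and hardening points of the previous section and for the TLS settings of this one (an editor's example, not from the presentation and not T-Systems' toolset), the following SAP HANA SQL keeps a guideline table and reports every deviation of the effective ini configuration from it. Schema, table and view names are assumptions, the expected values are a baseline of my own rather than an SAP statement, and the ini keys are the SAP HANA 1.0 ones as I know them, so verify them against the revision in use. It covers only database-side configuration: OS-level findings such as the SNMP community string still need checks on the appliance itself.

```sql
-- Editor's example, not from the presentation. Names and expected values are assumed.

CREATE SCHEMA SEC_CHECK;

-- 1. The guideline: one row per setting we insist on.
CREATE COLUMN TABLE SEC_CHECK.GUIDELINE (
  CHECK_ID  NVARCHAR(16) PRIMARY KEY,
  FILE_NAME NVARCHAR(64),
  SECTION   NVARCHAR(64),
  INI_KEY   NVARCHAR(64),
  EXPECTED  NVARCHAR(256),
  RATIONALE NVARCHAR(256)
);
INSERT INTO SEC_CHECK.GUIDELINE VALUES ('AUD-01', 'global.ini', 'auditing configuration',
  'global_auditing_state', 'true', 'auditing must be switched on');
INSERT INTO SEC_CHECK.GUIDELINE VALUES ('AUD-02', 'global.ini', 'auditing configuration',
  'default_audit_trail_type', 'SYSLOGPROTOCOL', 'audit trail must leave the appliance');
INSERT INTO SEC_CHECK.GUIDELINE VALUES ('TLS-01', 'global.ini', 'communication',
  'sslEnforce', 'true', 'unencrypted SQL client connections are rejected');
INSERT INTO SEC_CHECK.GUIDELINE VALUES ('TLS-02', 'global.ini', 'communication',
  'sslCryptoProvider', 'commoncrypto', 'CommonCryptoLib rather than OpenSSL');
INSERT INTO SEC_CHECK.GUIDELINE VALUES ('PWD-01', 'indexserver.ini', 'password policy',
  'minimal_password_length', '12', 'the default of 8 is too short');
INSERT INTO SEC_CHECK.GUIDELINE VALUES ('PWD-02', 'indexserver.ini', 'password policy',
  'maximum_invalid_connect_attempts', '6', 'lock the user after repeated failures');
INSERT INTO SEC_CHECK.GUIDELINE VALUES ('PWD-03', 'indexserver.ini', 'password policy',
  'force_first_password_change', 'true', 'initial passwords are single-use');

-- 2. The effective value per key on a single-host appliance: a HOST layer
--    entry overrides SYSTEM, which overrides the shipped DEFAULT.
CREATE VIEW SEC_CHECK.EFFECTIVE_INI AS
SELECT FILE_NAME, SECTION, "KEY", "VALUE", LAYER_NAME
  FROM (
    SELECT FILE_NAME, SECTION, "KEY", "VALUE", LAYER_NAME,
           ROW_NUMBER() OVER (
             PARTITION BY FILE_NAME, SECTION, "KEY"
             ORDER BY CASE LAYER_NAME WHEN 'HOST' THEN 1 WHEN 'SYSTEM' THEN 2 ELSE 3 END
           ) AS RN
      FROM SYS.M_INIFILE_CONTENTS
  ) AS LAYERED
 WHERE RN = 1;

-- 3. The report: PASS, FAIL, or UNKNOWN when the key appears in no layer at
--    all (a misspelt guideline entry, or a key this revision does not know,
--    which is itself worth a look).
CREATE VIEW SEC_CHECK.REPORT AS
SELECT G.CHECK_ID, G.FILE_NAME, G.SECTION, G.INI_KEY, G.EXPECTED,
       E."VALUE" AS ACTUAL, E.LAYER_NAME,
       CASE WHEN E."VALUE" IS NULL                    THEN 'UNKNOWN'
            WHEN LOWER(E."VALUE") = LOWER(G.EXPECTED) THEN 'PASS'
            ELSE                                           'FAIL' END AS RESULT,
       G.RATIONALE
  FROM SEC_CHECK.GUIDELINE G
  LEFT OUTER JOIN SEC_CHECK.EFFECTIVE_INI E
    ON  E.FILE_NAME    = G.FILE_NAME
    AND E.SECTION      = G.SECTION
    AND UPPER(E."KEY") = UPPER(G.INI_KEY);

-- Only the deviations, for the dashboard or the daily report.
SELECT CHECK_ID, INI_KEY, EXPECTED, ACTUAL, RESULT, RATIONALE
  FROM SEC_CHECK.REPORT
 WHERE RESULT <> 'PASS'
 ORDER BY CHECK_ID;
```

The reporting user needs read access to SYS.M_INIFILE_CONTENTS (CATALOG READ, or INIFILE ADMIN on revisions that demand it) and nothing else, which fits the hosting model above. The comparison is plain equality; for numeric thresholds such as the password length an additional operator column (">=" instead of "=") is the obvious extension, and on a scale-out system HOST has to join the partition key so that each node is judged on its own layer.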

SUMMARY


Additional offering: ready and coming soon

- Best-practice security reporting
- Maintaining the concept for future SAP HANA revisions
- Automated testing of more than 130 test cases
- Upgrade compare toolset
- Graphical UI for segregation-of-duty tasks

SMART Security for SAP HANA (solution kernel)

Experience: summary extract

SAP HANA is still a fast-moving product ... so stay tuned

Summary
- All security requirements can be covered
- Paradigm change in the security area as well, compared to classic database systems
- Challenge: the balance between cost and the need for security
- Integrating the security concept into the design process reduces subsequent costs
- Do not allow developers on production environments

Open vulnerabilities
- Modelers / developers can break out
- SAP's standard roles should be reviewed critically
- No appropriate SAP tools for monitoring and validation of technical compliance are available
- Hardening: no final statements, only references to guides

ASK ROUND


Any Questions?

Marcus Böhme SAP Consultant

T-Systems International GmbH Holzhauser Straße 4-8, 13509 Berlin, Telefon +49 30 8353 23579 Mobil +49 170 9127920 E-Mail [email protected]