Tool That Perform Security Checks

Published by: nagsri143 on Jun 20, 2011
Copyright: Attribution Non-commercial


Subscribe today. Visit www.SAPinsider.com.
With the onset of Web services, IT systems that were formerly accessible only from within a company can now be accessed externally by employees and business partners. System access even extends to customers, with the prevalence of online shops and Web-based customer service interfaces. This openness, combined with the growing imminence of corporate regulations, requires companies to have an accurate picture of who has access to what system data, and whether that data is both valid and confidential.

As a result, regular security checks are essential to maintaining secure, compliant IT systems. Companies need a clear snapshot — at any point in time — of all potential security vulnerabilities that may be putting critical business information at risk.

So why haven’t more SAP customers made security checks a regularly scheduled event for their IT organization? A few factors have prevented routine security checks from becoming the norm:

While IT teams have been able to use standard SAP functionality — including transactions like SUIM, reports like RSCSAUTH, and the Audit Information System — to conduct security checks on their own, they needed senior analyst-level expertise to really drill down, interpret, and apply the results.

Communication gaps can make it challenging for the technical security team and functional users of mySAP ERP applications like FI, SD, and MM to collectively determine which transactions or combinations of transactions are the most crucial to monitor. This becomes even more complicated when functional users are trying to determine authorizations associated with critical transactions.

To help companies overcome these challenges, SAP has introduced the Security Optimization Self-Service, a new diagnostic tool that comes with the latest release of SAP Solution Manager (see sidebar on the next page) at no additional charge. The self-service enables IT teams to perform regular system checks, diagnose security weak points, and follow specific recommendations to overcome any potential vulnerabilities.

This article provides an overview of the prerequisites and steps necessary to begin using the Security Optimization Self-Service. We’ll demonstrate how a small upfront time investment can ensure that reliable, repeatable security checks become part of your company’s administrative routine. We’ll also provide information about the full SAP Security Optimization Service, of which the self-service is a subset (see sidebar on page 110), and explain when customers should use this service to extend the capabilities of the new self-service tool.
Introducing a Free New Self-Service Tool That Runs Comprehensive Security Checks in Minutes, Not Days

Regular Feature
Security Strategies
Frank Buchholz, SAP AG; Larry Justice, SAP America; Matthias Buehl, SAP AG

Regulate Security Checks with the SAP Security Optimization Self-Service

The SAP Security Optimization Self-Service is available for free with release 3.1 of SAP Solution Manager. With the self-service offering, security checks that used to take several days can be carried out in less than an hour.

The SAP Security Optimization Self-Service enables you to regularly run the most up-to-date checks, verify the effectiveness of implemented security measures from earlier service runs, and ensure that recent configuration changes have not introduced new security holes. The tool:
Analyzes the technical configuration of your SAP system and indicates where the security risks are
Generates a ranking of the most crucial security vulnerabilities
Provides a summary of the currently implemented security levels
Gives recommendations for mitigating identified security risks

After running the service, you’ll get an easy-to-understand and very helpful final report (see Figure 1) that not only details what checks were executed down to the current authorization object field values, but also explains what to do to remediate the findings. The report primarily focuses on authorizations, but it also delivers important information on the fundamental configuration of your SAP system to increase security in areas like handling super users and maintaining security policies (see sidebar on next page).
Getting Started: Check Customer-Specific Authorizations

Once you have all system prerequisites in place (see Figure 2), you’re ready to begin customizing the self-service tool to check for the specific users and authorizations in your landscape. At the start of any security check session, you must fill out a questionnaire to indicate the specific authorizations you want the security check to monitor and whether you’d like certain users to be excluded from the report. This upfront work makes the resulting report more readable and ensures that its recommendations are relevant.

The SAP Security Optimization Self-Service has over 100 built-in checks for critical authorizations, which it will perform automatically. These checks, however, pertain only to the system administration area. To search for critical authorizations in mySAP ERP applications or other SAP solutions, you have to define these checks yourself.

To maintain your own critical authorizations and include them in the final service report, select the SOS_CUSTOMER_DATA tool in
Figure 1: The Security Optimization Self-Service Final Report Details All Potential Problems in the Security Landscape
Why Sound Security Depends on SAP Solution Manager

SAP Solution Manager, SAP’s application management platform, offers you a complete view and central command of all management activities associated with your SAP solutions. We strongly encourage all customers to implement SAP Solution Manager, as it is a prerequisite for the Security Optimization Self-Service. SAP Solution Manager is also helpful for synchronizing production support between existing and new release landscapes through the use of customizing distribution, project issue management, and help desk functionality. It further serves as a repository for project-related documentation.

For more information about SAP Solution Manager, see “Looking for Ways Your IT Organization Can Contain Costs Without Sacrificing Services? An Introduction to SAP Solution Manager Tools” by Cay Rademann in the January-March 2005 issue of SAP Insider
What Exactly Does the Self-Service Check For?

The SAP Security Optimization Self-Service performs security checks to ensure that these requirements are met:

Systems are operational and functional at any given moment. When the target system is up and running, the self-service checks for critical authorizations that might influence the availability of the system.

Data is valid and cannot be compromised. The self-service checks for critical authorizations that might be misused to compromise data (using the developer or debugging authorization, for example).

Users are who they claim to be. The self-service checks the secure handling of super users and the quality of the password policy to ensure that every person can only use his personal logon.

Only authorized users access information. The self-service checks for critical authorizations to ensure that direct table access is extremely limited. (To ensure confidentiality of application data, however, the customer has to run additional tests.)

The system security setup is in accordance with established guidelines. The Security Optimization Self-Service can be used as part of the checks and balances needed to ensure that regulatory compliance requirements are and continue to be met.

A complete check for corporate governance and compliance — determining, for example, if a system is Sarbanes-Oxley compliant — is not within the scope of the self-service, as topics outside the security area would also need to be checked to guarantee full compliance to these requirements.
Figure 3: Transaction ST13 to Maintain Specific Critical Authorizations
Figure 2: System Prerequisites for Executing the Security Optimization Self-Service

Central System (the system where the self-service tool resides):
SAP Solution Manager (release 3.1 or higher), with a system landscape definition that includes the target system to be checked
ST-SER plug-in, release 2005 1
ST-A/PI plug-in, release 01F*, in order to collect the data in the system to be checked

Target System (the CRM, ERP, SCM, or other system where you are running the security check):
Must be connected to SAP Solution Manager
Current ST-PI plug-in
Current ST-A/PI plug-in
Implementation of SAP Note 696478, namely creating a special authorization for the user who performs the ST14 data collection, and installing the ST-A/PI plug-in, version 01D*

* The asterisks next to 01F and 01D represent the relevant SAP application. Because there is only one ST-A/PI plug-in for each system, you must be careful to install the correct version.

transaction ST13. For every critical authorization, you can enter up to four different authorization objects, including relevant authorization values (see Figure 3). In addition, you can add any number of transactions to a critical authorization. This means that for every critical authorization, you can select all users that either have all of the authorizations specified or that are authorized for at least one of the transactions specified. For example, if a user were authorized to maintain any table, you would enter the following critical authorizations:

Authorization object: S_TABU_DIS with field ACTVT value “02” and field DICBERCLASS value “*”

The key challenge here is determining which critical authorizations in mySAP ERP are most important for your system. To help, we recommend using the SAP Compliance Calibrator by Virsa Systems in addition to the full Security Optimization Service (see sidebar on the next page) to analyze your complete authorization concept. The Compliance Calibrator is sold by SAP, comes with an extensive database of predefined critical
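
The selection rule for customer-defined critical authorizations described above (a user is reported when they hold all of the listed authorization objects, or may start at least one of the listed transactions) can be modelled as follows. This is an added Python example, not code from SAP or from the article. The user data is constructed, the transaction list (SM30, SM31) and the use of S_TCODE with field TCD for transaction rights are assumptions, and value matching covers only exact values, "*" and trailing-"*" patterns.

```python
from dataclasses import dataclass, field

@dataclass
class CriticalAuthorization:
    """A customer-defined check: up to four objects, any number of transactions."""
    name: str
    objects: dict = field(default_factory=dict)       # object -> {field: required value}
    transactions: set = field(default_factory=set)

    def __post_init__(self):
        if len(self.objects) > 4:
            raise ValueError("at most four authorization objects per check")

def covers(held, required):
    """One held value grants the required one: '*' is everything, 'AB*' a prefix."""
    if held == "*" or held == required:
        return True
    return required != "*" and held.endswith("*") and required.startswith(held[:-1])

def holds_object(user_auths, obj, required_fields):
    """All fields must match inside ONE authorization; instances are never combined."""
    for auth in user_auths.get(obj, []):
        if all(any(covers(h, req) for h in auth.get(fld, []))
               for fld, req in required_fields.items()):
            return True
    return False

def is_flagged(user_auths, check):
    all_objects = bool(check.objects) and all(
        holds_object(user_auths, o, f) for o, f in check.objects.items())
    # Assumption: transaction start rights are modelled as S_TCODE / field TCD.
    any_tcode = any(holds_object(user_auths, "S_TCODE", {"TCD": t})
                    for t in check.transactions)
    return all_objects or any_tcode

def flagged_users(users, check):
    return sorted(u for u, auths in users.items() if is_flagged(auths, check))

# Constructed sample data (not from a real system); field names as written in the article.
USERS = {
    "ADMIN1": {"S_TABU_DIS": [{"ACTVT": ["02", "03"], "DICBERCLASS": ["*"]}]},
    "CLERK1": {"S_TABU_DIS": [{"ACTVT": ["02"], "DICBERCLASS": ["SS"]},
                              {"ACTVT": ["03"], "DICBERCLASS": ["*"]}]},
    "BASIS1": {"S_TCODE": [{"TCD": ["SM3*"]}]},
    "VIEWER1": {"S_TCODE": [{"TCD": ["SU53"]}]},
}
CHECK = CriticalAuthorization("Maintain any table",
    objects={"S_TABU_DIS": {"ACTVT": "02", "DICBERCLASS": "*"}},
    transactions={"SM30", "SM31"})   # hypothetical transaction list
```

CLERK1 is not reported even though the values "02" and "*" both appear in that user's data, because they sit in two different authorizations; BASIS1 is reported through the transaction list alone.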
