
SECUDE Solutions & Implementation Plan of Secure Single Sign-on for SAP

4/30/13

2007 SECUDE International AG, Lucerne

Agenda
- Solution Capabilities
- Implementation Plan
- Proof of Concept
- Impact on the Business
- Support Service
- Summary
- Q & A

SAP Applications are the Basis for Automating and Managing Business Processes
- confidentiality of data in SAP
- compliance with laws and regulations
- successful audits
- protection of the company's reputation
- trusted business processes
- availability of SAP applications
Controls and security mechanisms for SAP are required to ensure smooth execution of business processes and optimized business results.

Data and Processes in SAP that Need to be Protected
Data:
- Financial information (costs, revenue, profit)
- HR data
- Production data
- Customer data
- Price lists
- R&D projects
- Partnerships
Processes:
- Order entry
- Online business
- Production control
- Supply chain
- Financial transactions
- Employee self service


Need for Security in SAP Applications is Increasing
- More regulations
- Global business
- Network and Internet security more and more under control
- Extended network of customers and partners
- SAP server & instance consolidation trend
- Increased need for proper risk management and controls for compliance
- Compliance also with foreign laws / regulations
- Changing attack profiles; business applications are more often the target of attacks
- Increased security risks through external access
- Impact of security violations increases

Data integrity:
SAP SNC uses the GSS-API V2 (Generic Security Services Application Programming Interface, Version 2) interface to communicate with external security products. SECUDE's solution, as the market-leading offering for secure SSO to SAP, fulfills this. We provide the broadest offering in terms of platform support, supported authentication mechanisms, and support of multiple cryptographic algorithms. SECUDE securelogin uses an X.509 certificate to authenticate the endpoints of the SNC connection. To guarantee the integrity of the data, each message then carries a cryptographic integrity check keyed from the authenticated session (the GSS-API wrap / MIC tokens), so that it cannot be modified undetected once sent.

Confidentiality:
The SECUDE solution provides confidentiality and integrity of all communication, including the exchange of authentication data. SNC offers three levels of protection (quality of protection) for an SAP system:
1. Authentication only
2. Authentication & integrity
3. Authentication, integrity and privacy (= confidentiality)
The SECUDE solution does not need to replace the cryptographic library of the SAP system, because the Crypto Library shipped with SAP is from SECUDE. At protection level 3, all client-to-server and server-to-server communication is encrypted, ensuring that company data remains confidential on the network.

Authentication:
The SECUDE solution enables customers to implement alternative user authentication mechanisms for SAP, even in a mixed mode. SECUDE securelogin supports a variety of alternative mechanisms, including Windows logon information, Windows Kerberos, One-Time Password tokens (e.g. from RSA or Secure Computing), Smart Cards (from various vendors) and soft tokens. An organization can choose the mechanism that best fits its requirements (convenience / productivity / security). SECUDE securelogin provides Single Sign-On to the SAP R/3 Enterprise platform, SAP Enterprise Portal, and SAP Web Application Server.


Potential Attacks on SAP Environments (1)
[Diagram: user workstations (Web Browser, SAPGUI) reaching the ITS/WebAS, HR, CRM, BW and FI servers and their database servers (with disks) over the LAN and the Internet; a rogue server on the LAN and a password file are shown as attack points.]
Attacks shown:
- Unencrypted transfer of business data
- User name and password on the network
- Message alteration
- Identity assumption



Potential Attacks on SAP Environments and Protection Mechanisms (2)

Attack                              Protection Mechanism
Man-in-the-middle attack            authentication of sender
Unauthorized modification of data   digitally signed data
Impersonation                       proof of origin / identity
Listening on the network            encrypted communication


Cost Drivers around SAP Sign-on
Users:
- SAP user name and password have to be entered again and again in a large distributed SAP environment
- Different user names and passwords have to be memorized for different SAP systems
- Passwords have to be changed on a regular basis
- Users often try unsuccessfully to remember forgotten passwords
IT:
- Requests to the IT help desk about forgotten passwords
- IT effort to maintain consistent password policies across different SAP versions & products


Solution Capabilities
SECUDE Solutions for Secure Single Sign-on for SAP
[Diagram: SECUDE Solution Frontend on the user side (SAP user interfaces, SAP technology basis, SAP business applications) and SECUDE Solution Backend on the server side, joined by single sign-on and secure communication (confidentiality, integrity, proof of origin).]
Market-leading solutions for secure single sign-on for SAP:
- Support of most SAP applications, SAP user interfaces, SAP versions, and operating systems
- Support of many authentication mechanisms and Smart Card providers
- Efficient and convenient use of security functions
- Designed for use in enterprise environments of any size
Backend characteristics: High Availability, Flexible Mix & Match, Policy-based Configuration, Enterprise Operations
Supported authentication sources: Windows Username/Password, SDK for Custom Authentication, RSA Authentication, Radius, SAP Username/Password, Externally Provided Certificates
Business benefits:
- Improved user and IT productivity through single sign-on
- Protection of confidential data
- Control against fraudulent transactions
- Compliance with laws and regulations
- Improved business results

Solution Capabilities
Secure Communication for SAP
[Diagram: user workstation with a personal security environment and the SAP user interfaces, connected to the SAP server over SNC and SSL; single sign-on on the client side, data integrity, confidentiality and proof of origin on the wire.]
SECUDE enables the convenient and efficient use of secure communication for SAP, with high user acceptance.

Solution Capabilities
Single Sign-on for SAP - An Example for Windows Logon / ADS
Components: SECUDE secure login server, Microsoft Active Directory server, personal security environment (PSE) on the user workstation, SAP server reached over SNC / SSL.
1. The user workstation sends the Windows logon data to the SECUDE secure login server.
2. The secure login server sends an authentication request to the Active Directory server.
3. Active Directory reports the authentication as successful.
4. The secure login server issues a new user credential (certificate) to the workstation, where it is managed in the personal security environment.
5. The workstation uses the credential from its personal security environment to log on to the SAP server over SNC / SSL.



Implementation

Time Line


Implementation
Operations in Enterprise Environments (1): Mass Installation and Configuration on Thousands of User Workstations
[Diagram: policy server (MS Active Directory group policies, SECUDE secure login server) pushing configuration policies to the personal security environment on each user workstation.]
Policy-based configuration for:
- user-specific authentication mechanisms
- management of expired credentials
- installation package in MSI format
- and much more
Low cost of ownership through efficient installation and configuration of the software on a large number of user workstations in enterprise environments, and through integration with existing standard tools & processes.

Implementation
Operations in Enterprise Environments (2): High Availability, Logging, Backup
[Diagram: authentication requests from user workstations go to SECUDE secure login server 1, with failover to SECUDE secure login server 2; both use the authentication server. Enterprise operations cover backup, logging, startup / shutdown.]
SECUDE secure login server runs as a web application on standard environments like Tomcat, BEA WebLogic and SAP NetWeaver.
Reliable use in large enterprise environments, with support of typical enterprise operations features.

Web-based Administration / Configuration
- Remote initialization and configuration
- User guidance via wizards and info screens
- Quick access to operations status and troubleshooting information
- Easy migration of data from previous SECUDE versions
- Integration in company-wide consoles possible
Low total cost of ownership through efficient administration of SECUDE secure login servers via a web-based administration console that can be integrated in company-wide consoles.

Administration Console


SNC Settings on the SAP Server

snc/enable = 1
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 1
snc/gssapi_lib = c:\program files\secude\secude.dll
snc/identity/as = p:CN=SAP CA, O=SECUDEMEA, L=Dubai, C=AE
ssf/ssfapi_lib = c:\program files\secude\secude.dll
ssf/ssf_md_alg = SHA1
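The three protection levels described under Confidentiality and the profile values on this slide can be checked mechanically. The Python script below is an added example, not SECUDE's or SAP's code; the two profile fragments in it are constructed (one repeats the slide's values, one is a hardened variant of the same instance), and the values it assumes for parameters that are absent from a profile are assumptions, not SAP's documented defaults. The point it makes: the slide's profile still sets snc/accept_insecure_gui, snc/accept_insecure_cpic, snc/accept_insecure_r3int_rfc and snc/permit_insecure_start to 1 and snc/data_protection/min to 2, which is a migration-phase configuration. Until those are set to 0 and min is raised to 3, a SAPGUI without SNC can still log on with a plain password, and an SNC client may negotiate a level without encryption.

```python
"""Audit the SNC parameters of an SAP instance profile.

Added example (not SECUDE's or SAP's code). SLIDE_PROFILE is constructed
from the values shown on the slide; HARDENED_PROFILE is a constructed
variant of the same instance after every client and RFC peer speaks SNC.
"""

# Quality-of-protection levels used by snc/data_protection/{min,max,use}.
QOP_LEVELS = {
    1: "authentication only",
    2: "authentication and integrity",
    3: "authentication, integrity and privacy (encryption)",
}

# When set to 1, each of these lets connections without SNC reach the server.
INSECURE_ACCEPT_PARAMS = (
    "snc/accept_insecure_gui",
    "snc/accept_insecure_cpic",
    "snc/accept_insecure_rfc",
    "snc/accept_insecure_r3int_rfc",
    "snc/permit_insecure_start",
)

SLIDE_PROFILE = r"""
snc/enable = 1
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 1
snc/gssapi_lib = c:\program files\secude\secude.dll
snc/identity/as = p:CN=SAP CA, O=SECUDEMEA, L=Dubai, C=AE
"""

HARDENED_PROFILE = r"""
# constructed: SNC-only access, privacy required for every connection
snc/enable = 1
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_cpic = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_r3int_rfc = 0
snc/r3int_rfc_secure = 1
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 0
snc/gssapi_lib = c:\program files\secude\secude.dll
snc/identity/as = p:CN=SAP CA, O=SECUDEMEA, L=Dubai, C=AE
"""


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)   # values may themselves contain '='
        params[name.strip()] = value.strip()
    return params


def audit_snc(params):
    """Return a list of (parameter, finding) for settings that weaken SNC."""
    if params.get("snc/enable") != "1":
        return [("snc/enable",
                 "SNC is off: SAPGUI/RFC traffic and passwords cross the network in clear")]

    def level(name, assumed_default):
        # assumed_default is an assumption for absent parameters, not SAP's default
        try:
            return int(params.get(name, assumed_default))
        except ValueError:
            return assumed_default

    findings = []
    min_qop = level("snc/data_protection/min", 2)
    use_qop = level("snc/data_protection/use", 3)
    if min_qop < 3:
        findings.append(("snc/data_protection/min",
                         f"clients may negotiate level {min_qop} "
                         f"({QOP_LEVELS.get(min_qop, 'unknown')}); "
                         "business data can still cross the network unencrypted"))
    if use_qop < 3:
        findings.append(("snc/data_protection/use",
                         f"outbound connections use level {use_qop} "
                         f"({QOP_LEVELS.get(use_qop, 'unknown')})"))

    for name in INSECURE_ACCEPT_PARAMS:
        if params.get(name, "0") != "0":
            findings.append((name, "non-SNC connections are still accepted; "
                                   "acceptable only while clients are migrated"))

    if params.get("snc/r3int_rfc_secure", "0") != "1":
        findings.append(("snc/r3int_rfc_secure",
                         "internal RFC between work processes is not SNC-protected"))
    return findings


def audit_profile_text(text):
    """Parse a profile fragment and audit its SNC settings."""
    return audit_snc(parse_profile(text))


if __name__ == "__main__":
    for label, text in (("slide", SLIDE_PROFILE), ("hardened", HARDENED_PROFILE)):
        result = audit_profile_text(text)
        print(f"{label}: {len(result)} finding(s)")
        for name, message in result:
            print(f"  {name}: {message}")
```

Run against the slide's values the audit reports six findings (the four accept_insecure / permit_insecure_start switches, the minimum protection level of 2, and unprotected internal RFC); the hardened variant reports none. In a real system the effective values should be read from the running instance (transaction RZ11) rather than from the profile file, since a profile edit only takes effect after the restart the "Impact on the Business" slide mentions.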


Distinguished Name for User


SNC Settings for User in SAP


How SNC Works
Supported processes:
- SAP work processes
- SAP server processes
- SAPGUI for Windows
- SAPGUI for Java
- SAP lpd
- SAP Router
- Integrations
Protocols: DIAG, RFC
[Diagram: SAP protocol stack with SNC beneath the SAP compression protocol; SAP calls the SECUDE library through SNC, and the library authenticates against Windows / ADS, SAP or RSA.]


But Secure Single Sign-on of SECUDE also Works with SAP's Web-based Applications
Supported applications:
- SAP Portal
- SAP ITS
- SAP WebAS Java
- other HTTPS-based applications
Protocol: SSL


Implementation
Integration with Identity Management Solutions
- Support of different LDAP servers (Active Directory, OpenLDAP, Sun Java System Directory Server) as identity and credential store
- RSA partnership
- Extensibility through the open JAAS interface
- Integration with user provisioning workflow possible


Proof of Concept
1. Installation for the Proof of Concept will take 2 days.
2. Requirements for the Proof of Concept:
Hardware:
- Intel-based system with a 3.0 GHz processor
- 2 GB RAM
- 80 GB hard disk
- 1 network interface
Software:
- Microsoft Windows 2000 / 2003 Server, Linux or Sun Solaris (SECUDE securelogin Server can be installed on any of these platforms; for the Proof of Concept we prefer the Windows platform)
- Java 1.4.1
- Servlet Engine 2.3 (Tomcat 4.x)
- Internet Explorer 5.5 or later, with the latest service pack
- Connection to Active Directory

Persons from the SAP group
For our Proof of Concept for SAP we need someone from the SAP group who is experienced in, and can provide:
- access to the needed SAP servers / instances
- an Active Directory server for the securelogin software
- SAP clients / users
- deployment software for the clients
- all necessary information about existing hardware, software and organization structure

Impact on Business
Single Sign-On (SSO) improves usability and productivity of SAP users by providing or leveraging a single authentication service (e.g. Windows logon) that allows users to log on once and transparently access all SAP applications on different servers. No further logon is required until the user logs out. Alternatively, customers can define policies that set the time interval after which a user has to re-authenticate.
- Improved SAP user productivity
- Reduced password administration effort
- Reduced effort for recovering passwords
- Reduced number of calls to the IT help desk due to forgotten passwords


Impact on Business
ROI of Single Sign-on: Single sign-on investments typically have a very quick return on investment. For an environment with 1000 users, the cost savings can easily add up to several hundred thousand dollars per year. Most cost savings come from the improvement in user productivity. With a reduction from an average of 6 logins per day to 1 login, the rate of incorrect logins and the subsequent effort to recover the password or to contact the help desk to reset it is reduced significantly. Estimates point to more than $100 in savings per user per month through improved user productivity. The cost savings for the IT help desk are also significant. With an estimated 35% of help desk calls being related to password resets, the IT help desk can expect about 700 such calls per month for a 1000-user environment. Cost savings from avoiding these calls can easily be more than $10,000 per year.

Impact on Business
Improved Security: An Additional Business Value
Besides the cost savings through single sign-on, companies can also benefit from improved IT security in SAP environments. If IT security risks are not managed properly, a company's valuation will likely be affected at some point in time. According to recent analyst studies, companies with publicized IT security breaches experienced an above-average loss in valuation. This is caused not only by the direct cost of managing the security breach, but also by the negative impact on the company's reputation. Many successful companies rely on SAP business software to automate their business processes, making the SAP system the central IT solution that stores company-critical information and automates business processes. For many businesses, a problem with the SAP environment or a leak of confidential company data would result in a significant loss of revenue and profit. Single sign-on helps to improve security because it replaces authentication via user name and password, which is inherently less secure than certificate-, Kerberos- or token-based mechanisms, and keeps passwords off the network.

Impact on the Business
- After the configuration to enable SNC on the SAP server, the server has to be restarted once.
- After the installation of the securelogin client, the client machine has to be restarted once.
- There is no need to install or modify the Active Directory server, so there is no further impact on the business.


Support & Services
There are 3 ways of supporting SAP in case of a problem:
- Email (if the problem is small, with no impact on productivity)
- Phone (if the problem requires an immediate response, with low impact on productivity)
There are 2 levels of support for SAP in case of a problem:
- First Level Support: local support in Saudi Arabia is the first level support
- Second Level Support: SECUDE is the second level support

Support & Services
Priority 1: System is down, or there is a critical system condition which affects the Licensee's business processes. Reaction time: 1h. Escalation to Department Manager after 3h, to Senior Management after 8h.
Priority 2: There is no critical effect on the Licensee's business processes; there is a workaround solution and the customer can use the product with some restrictions. Reaction time: 4h. Escalation to Department Manager after 3d.
Priority 3: General support questions about product use and handling; there are no (or only minor) limitations on using the system. Reaction time: 8h. Escalation to Department Manager after 10d.


SAP Recommendation
... To transfer data in encrypted form, use our Secure Network Communications (SNC) and an external security product. SNC enables user authentication that is not based on passwords, which means that no password data needs to be sent using the network. For production scenarios, we strongly recommend the use of SNC.

SAP Note 39029 - SAP GUI protocol


SECUDE and SAP: a strong cooperation with benefits for our joint customers
- SECUDE is a spin-off from a joint development project between SAP and the Fraunhofer Institute
- Close R&D cooperation since 1996
- SECUDE is an official software partner of SAP
- SECUDE is a founding member of the SAP Global Security Alliance
- SAP certified solutions


Just some of our Satisfied SECUDE Customers


Summary: SECUDE and SAP
Values for the customer:
- secure access to SAP
- cost savings through single sign-on for SAP
Unique functionality:
- Easy migration from soft tokens to hard tokens
- Web administration
- Choice of authentication methods
Proven, flexible solutions with low cost of ownership, adaptable to SAP environments.
SECUDE makes access to SAP secure, efficient, convenient, and easy to integrate into existing customer environments. We enable smooth business process execution and optimized business results.

Thank You
