it sec für herug 2013 (2).pptx [schreibgeschützt]...security audit log: analysis (sm20)...

Dr. Christoph Wallelectronic Administration and Services

IT-SecurityGovernance and Technology

HERUG, 23.04.2013

2

After computers got started …

IT-Security @ FU Berlin, HERUG 2013

3

… and went beyond their predicted numbers …'I think there is a world market for about five computers' Remark attributed to Thomas J. Watson (Chairman of the Board of IBM), 1943


4

… to connect people around the globe …


5

… I had a dream.VtÇ çÉâ Ñ|vàâÜx ã{tà ã|ÄÄ uxfÉ Ä|Å|àÄxáá tÇw yÜxxJim Morrison


6

But then I woke up…


7

… to find myself faced with the need for:IT-Security !


8

Europe needs it


9

Germany needs it


10

Comprehensive Offer of Information

Mobile Information

Smart Processes

Secure Data

Sustainable Use of Resources

Content Users

Quality and Flexibility for Information and Processes

The Freie Universität Berlin needs it(IT Strategy )


11

What is IT-Security?


12

Fundamental Values of IT-SecurityConfidentiality: information that is confidential must be protected against unauthorized disclosure

Availability: services, IT system functions, data and information must be available to users as required

Integrity: data must be complete and unaltered


13

Elements of an IT-Security-Management-SystemGovernanceRisk assessment or analysis: A risk analysis provides information on the probability of the occurrence of a damaging event and what negative consequences the damage would have. Security policy: In a security policy the security objectives and general security safeguards are formulated in the sense of the official regulations of a company or a public authority. Detailed security safeguards are contained in a more comprehensive security concept.

TechnicalAuthentication: When a person logs in on a system, the system runs a check in an authentication process to verify the identity of the person. The term is also used when the identity of IT components or applications is tested. Authorisation: Authorisation is the process of checking whether a person, an IT component or an application is authorised to perform a specific action. Data protection: Data protection refers to the protection of personal data against misuse by third parties.Data backup: Data backup involves making copies of existing data to prevent its loss.


14

Governance:Risk assessment for FU IT-Systems


15

Governance:Guidelines and Directives“Essentially, procedures or policies are implemented to tell people (administrators, users and operators) how to use products to ensure information security within the organization.”Wikipedia


16IT-Security @ FU Berlin, HERUG 2013

17

Stakeholders of the IT-Organization


Central IT ProvidersIT Security Officer

Data Privacy Commissioner

Co-determination council

Faculties / Departments

18IT Sicherheit 2010

Directive for handling security incidents

19IT Sicherheit 2010

Alarm chain

20

Technology:SAP Functionality to support IT-Security- Identity Management

- Event-based onboarding- Authentification

- SSO with User Name/Password- Role based Authorization

- Design of User-Roles- Workflow for role allocation

- Layers of security for Web-Portal-Access to SAP backend- Security Optimazation Self-Service (SOS Report)

- e.g. Segregation of duties- Action log for intrusion detection- Identity Management

- Automatic user deactivation- Backup and Restore SupportIT-Security @ FU Berlin, HERUG 2013

21Identity Management @ FU Berlin, Juni 2011

Identity Management


User Lifecycle Management Stage 1

modify


Create/modify (Onboarding & Berechtigung)

IdM SLcM

HR

FUDIS(FU Account)

Student

Staff

HISBusiness Partner

Student User

User

FacultyUser

Personell Data

ERP

User

SAP Web

User

Role

Rol

e

Role

Role

Studenten

Administration

Department


Cascading role design


1) AnforderungIdM role provisioning workflow

27

Single Sign On


28

Security layers for SAP access

DSAG-Technologietage 2013

Web-dispatcher

Web-dispatcher ERP 604

NW 7.3Portal

Trusted relationship

https://elsa.fu-berlin.de URL-Filter

Shibboleth-basedAuthentification

5

2

1

3

SSOZEDAT

URL-Filter

Data Access

Abap-Webdynprodnsname2.elsa.fu-berlin.de

DMZ Internal DomainInternet

ume.logon.security.relax_domain.level = 0

1 url-filtering to restrict access exclusive forelsa-portal traffic

2 Shibboleth-based single sign on3 Smart design of DNS name4 Authorization check

4

5 Certificate-based trusted relationshipbetween portal and backend

30

Future Potential: Strong Authentification


31

Security Audit Log: Configuration (SM19)


32

Security Audit Log: Analysis (SM20)


33

The SOS ReportThe SAP Security Optimization Service is a comprehensive support service that identifies security risks for your SAP system and helps you to determine the appropriate measures to protect it from these risks.

The security checks of SAP Security Optimization are performed for the following security aspects:

- Availability: ensuring that a system is operational and functional at any given moment

- Integrity: ensuring that data is valid and cannot be compromised

- Authenticity: ensuring that users are the persons they claim to be

- Confidentiality: ensuring that information is not accessed by unauthorized persons

- Compliance: ensuring that the system security set-up is in accordance with established guidelines


34

SOS


35

Risks are pointed out


37

Examples for Authentification Alerts



User Lifecycle Management:Deactivation

modify


Deactivation of Users

IdM SLcM

HR

FUDIS(FU Account)

Students

Staff

Business PartnerStudent User

User

FacultyUser

Personell Data

ERP

User

SAP Web

User

Exmatriculation

40

Business continuity:Backup and restore support


41

IT-Security-Management-System reloadedGovernanceRisk assessment or analysis: A risk analysis provides information on the probability of the occurrence of a damaging event and what negative consequences the damage would have. Security policy: In a security policy the security objectives and general security safeguards are formulated in the sense of the official regulations of a company or a public authority. Detailed security safeguards are contained in a more comprehensive security concept.

TechnicalAuthentication: When a person logs in on a system, the system runs a check in an authentication process to verify the identity of the person. The term is also used when the identity of IT components or applications is tested. Authorisation: Authorisation is the process of checking whether a person, an IT component or an application is authorised to perform a specific action. Data protection: Data protection refers to the protection of personal data against misuse by third parties.Data backup: Data backup involves making copies of existing data to prevent its loss.


42

Information policy


43

Big job to do ?


Get on with it !


Dr. Christoph WallBoltzmannstr. 1814195 BerlinGermany

[email protected]+49 30 838 58000

it sec für herug 2013 (2).pptx [schreibgeschützt]...security audit log: analysis (sm20)...

Documents