SAP Security Chat: Tips to Improve SAP ERP Security
TRANSCRIPT
© Panaya | An Infosys Company
SAP Security Chat - Infosys and Panaya
Today's Speakers
Gordon Muehl, Vice President at Infosys
Rasmi Swain, Principal, Risk Management & GRC; Information Security at Infosys
Guy Vago, SAP Project Manager at Panaya
Rafi Kretchmer, Vice President at Panaya
Agenda
The State of SAP Security
Business practices for SAP security
Best practice to simplify security audits
The Panaya solution
Demo
The Importance of Safety
95% of SAP systems are exposed to vulnerabilities*
60% feared an attack on their SAP applications would be catastrophic
$4.5 million is the average estimated cost of SAP systems taken offline**
24% of worldwide ERP software market share belongs to SAP, double their largest competitor***
* Based on Onapsis Research 5/2015; ** Ponemon Institute Research 2/16; *** Forbes 5/2014
SAP - the ERP Market Leader
The Underestimated Security Threat*
* Based on Ponemon Institute Research 2/16
ERP ranked in the top 5 SAP applications most vulnerable to attack
75% believe SAP platforms have at least one and possibly more malware infections
70% of enterprises skip security and compliance audits of their ABAP code
47% expect an increase in attacks against SAP infrastructure over the next 2 years
Only 34% say their companies have visibility into the security of SAP applications
Senior Leadership and the Security Risk*
* Based on Ponemon Institute Research 2/16
63% say C-level execs underestimate the risk associated with insecure SAP applications
21% of senior leadership were aware of or shared the concern of an attack on their SAP application
Security is a hassle, but it needs to be done
What you need to secure your landscape
You need to ensure 6 areas:
Access control
Application security
Infrastructure
GRC
Data security
On-going monitoring
Information Security at Infosys
iCRM - Security Solutions and Services
SAP Landscape Complexity
SAP Environment - SAP R/3 and SAP Business Suite - On-cloud
SAP Security Risks & Vulnerabilities
Top 10 SAP Vulnerabilities

Top 10 vulnerabilities (Source: ERPScan)
1. Authentication bypass via verb tampering
2. Authentication bypass via the Invoker servlet
3. Buffer overflow in ABAP kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML blowup DoS
10. GUI scripting DoS

Top 10 vulnerabilities (Source: http://www.cvedetails.com/vendor/797/SAP.html)
1. Default passwords for DB access
2. Lack of DB patch management
3. Unnecessary enabled DB features
4. Lack of password lockout/complexity checks
5. Unencrypted sensitive data transport / data
6. Lack of or misconfigured network access control
7. Extensive user and group privileges
8. Lack of or misconfigured audit
9. Insecure trust relations
10. Open additional interfaces
Infosys iCRM & PANAYA-SAP Security Offering
SAP Layers of Security & Types of Controls

Layers of security:
Infrastructure Controls: Network, Server OS
Technical Controls: Basis Controls, IT Controls
Process Controls: Business Process Review, Configuration Review, IT Application Controls
Authorization/SoD Controls: Role & Authorization Review, Access Review, SoD Review

Types of controls in SAP:
Inherent or default controls: e.g. a sales order cannot be created without a valid customer
Configurable controls: implemented through IMG settings. Example: tolerance for three-way match, or PO approval hierarchy
Procedural controls (IT-dependent controls): review of exception reports, security checks, review of configuration settings
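The SoD (segregation of duties) review named under Authorization/SoD Controls above comes down to one check: does any single user hold a pair of business functions that the organisation has declared incompatible? The following is an added example (not Panaya's or Infosys' code) of that check over a user-to-role export. The role names, the functions each role grants and the conflict rule set are all constructed for illustration; a real review would load them from the SAP user/role export and the organisation's own SoD rule set.

```python
"""Segregation-of-duties (SoD) review over user/role assignments.

Added example, not Panaya's or Infosys' code. Role names, granted functions
and the conflict matrix are constructed (hypothetical) values.
"""
from collections import defaultdict
from itertools import combinations

# Constructed: which business functions each (hypothetical) role grants.
ROLE_FUNCTIONS = {
    "Z_AP_INVOICE_ENTRY": {"enter_vendor_invoice"},
    "Z_AP_PAYMENT_RUN": {"release_payment"},
    "Z_MM_VENDOR_MASTER": {"maintain_vendor_master"},
    "Z_SD_ORDER_ENTRY": {"create_sales_order"},
    "Z_BASIS_ADMIN": {"maintain_users", "assign_roles"},
}

# Constructed SoD rule set: function pairs one person must not hold together,
# each mapped to the business risk the combination creates.
SOD_CONFLICTS = {
    frozenset({"maintain_vendor_master", "release_payment"}): "create a fictitious vendor and pay it",
    frozenset({"enter_vendor_invoice", "release_payment"}): "book and pay own invoice",
    frozenset({"maintain_users", "assign_roles"}): "grant oneself arbitrary access",
}


def functions_for_user(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by all of a user's roles.

    Returns (functions, unknown_roles); roles missing from the catalogue are
    reported rather than silently ignored, since an unmapped role is itself
    a review finding.
    """
    funcs = set()
    unknown = []
    for role in roles:
        if role in role_functions:
            funcs |= role_functions[role]
        else:
            unknown.append(role)
    return funcs, unknown


def sod_violations(user_roles, role_functions=ROLE_FUNCTIONS, conflicts=SOD_CONFLICTS):
    """Return {user: [(function_a, function_b, risk), ...]} for every conflicting pair held.

    The check is on the union of functions, so a conflict is found whether the
    two functions come from one role or from two separately assigned roles.
    """
    findings = defaultdict(list)
    for user, roles in user_roles.items():
        funcs, _unknown = functions_for_user(roles, role_functions)
        for a, b in combinations(sorted(funcs), 2):
            pair = frozenset({a, b})
            if pair in conflicts:
                findings[user].append((a, b, conflicts[pair]))
    return dict(findings)


# Constructed sample export: user -> assigned roles.
SAMPLE_USERS = {
    "JSMITH": ["Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RUN"],   # books and pays invoices
    "AKUMAR": ["Z_MM_VENDOR_MASTER", "Z_SD_ORDER_ENTRY"],   # no conflicting pair
    "BASIS1": ["Z_BASIS_ADMIN"],                            # conflict inside one role
}

if __name__ == "__main__":
    for user, hits in sod_violations(SAMPLE_USERS).items():
        for a, b, risk in hits:
            print(f"{user}: {a} + {b} -> {risk}")
```

Two points are worth noting. The conflict is evaluated on the union of functions across all of a user's roles, because the typical SoD gap is not a badly designed single role but two individually harmless roles assigned to the same person over time. And an assigned role that is absent from the role-to-function catalogue is returned separately rather than skipped, since an unmapped role means the review itself has a blind spot.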
Infosys-Panaya - SAP Landscape Security offering

Infosys Security Offering:
Governance: Security Review and Monitoring, Review of Audit Logs, Change & Transport Management
Access Control and Roles Management: Users & Authorizations, Authentication and Single Sign-on, Roles Management
SAP Infrastructure Security: Operating Systems and Database Security, Network Security (SAP Router), Data Security
Source Code and Custom Code Security: Secure Maintenance of ABAP Code & Custom Code Security, VA and PT, Front End Security (FIORI, SAP Enterprise Portal, SAP GUI)
SAP New Technologies: SAP HANA appliance & HANA Security, SAP Mobile Middleware (MDM, MAM), SAP Cloud Security

Security domains covered: Application Security, Infrastructure Security, Identity & Access Management, Data Security, Governance, Risk and Compliance

Delivered through the Infosys Security Offering and the Panaya Offering (Panaya Cloud Quality Project)
Panaya CloudQuality™ Suite
Increase ERP agility with zero risk - Panaya CloudQuality™ Suite
Any ERP change: Scope, Test, Analyze, Collaboration
Functional, Security, Performance
What to fix, What to test
Manage, Automate, Document & Report
Make it simple with Panaya
Train developers to write secure code
Automate
Integrate security in ongoing ERP maintenance
Simplify security audits
Ongoing seamless security
Security is integrated into ongoing change management
Secure go-live!
About Panaya
Established 2006, acquired by Infosys in 2014
Quality Automation SaaS solution for ERP
Powered by: ERP domain expertise; crowd-based customer insights
Proven with over 2,000 customers
50 HANA migrations
Over 9,000 projects (5,000 business process implementations)
2,000+ stay-current projects (upgrades, patches)
Over 5,000,000 test scripts
Information Security at Infosys
Get your own complimentary assessment from Panaya
Upload: run a simple ABAP report and upload to Panaya Code Box (< 20 min.)
Get: ERP health-check & simulation of your upgrade project (< 48 hrs.*)
* Estimated time based on business days