Managing Security With SAP Solution Manager


SAP Solution Manager
Managing Security with SAP Solution Manager
May 2015

Table of Contents
Security in Three Phases: Build, Setup, Operate
The Role of ITSOM Tools for Security
Conclusion: The Center of a Secure System Landscape
Additional Information and References

© 2015 SAP SE or an SAP affiliate company. All rights reserved.

Running a secure system landscape requires more than just secure software. System setup and operation are key to protecting against and detecting attacks to prevent downtime. IT services and operations management (ITSOM) tools play an important role for security, collecting information about a system landscape, providing alert mechanisms, and helping distribute security patches. The SAP Solution Manager application management solution is the ITSOM product of choice for SAP software landscapes.

This paper introduces the various aspects of building, setting up, and operating a secure system landscape and shows how SAP Solution Manager supports these tasks.

Running and maintaining secure landscapes requires a strategy. And with the increasing need to collaborate with customers, partners, and employees anytime and anywhere, you need a strategy that makes things simpler to use and manage. A strategy requires an overall plan and with it a central controlling element that executes the plan or at least keeps it up-to-date for everyone to refer to. If you fight many small battles against vulnerabilities in a new setup, you may win some, but you will lose in the long run. Think of the well-meant but uncoordinated actions taken by individual citizens during fires, threats to public security, or natural disasters: these may be useful on the spot, but they will never keep an entire infrastructure or social system safe over time or be able to rebuild it.

A central headquarters is necessary to coordinate all the measures and activities and provide them as efficiently as possible, at the right time and in the right place.

This paper argues for such a headquarters for IT landscapes in the form of a central solution for IT services and operations management – particularly in SAP software landscapes, which are similar in complexity to the real-world social systems and infrastructures mentioned above.

With complex systems, security is always a concern, primarily in the areas of monitoring and alerting, the software lifecycle, and software logistics. In large part, security requires knowing what is going on and knowing the landscape and its processes, so you can identify issues and fix them quickly when they first arise – and automate these functions as much as possible.

In the following sections, we will examine the role of ITSOM tools, particularly SAP Solution Manager, in software security, along with the process of implementing, configuring, and operating secure solution landscapes.

Security in Three Phases: Build, Setup, Operate

There are numerous ways to approach and subdivide the extensive topic of software, system, and landscape security.[1] This paper will follow the high-level process: you need to first build secure software, then set up secure systems and system landscapes in which this software runs, and finally keep these landscapes secure during operations.

Within these three phases, we will focus on those areas in which ITSOM tools make a strong contribution to securing system landscapes – particularly the many areas supported by SAP Solution Manager.

[Figure 1: Three Main Phases Helping to Ensure ...]

[1] Another possibility is to structure the topic with security of data, channels and interactions, and identities on the first level, as shown in SAP CIO Guide: IT Security in Cloud and Mobile Environments.

BUILD SECURE SOFTWARE

Security for software systems obviously starts with what developers do. They are the ones responsible for delivering secure code. They also deliver security fixes and prepare interfaces for secure communications, monitoring, and alerting. Developers need to answer questions such as these: Is the code well protected against manipulations or injections? Are interfaces designed for secure use? Are there no credentials hard-coded anywhere? Have the proper interfaces for monitoring, methods for alerting, and so forth been implemented? SAP developers follow the secure software development lifecycle shown in Figure 2.

This paper focuses on ITSOM tasks to keep landscapes secure, but the section “Secure Code” will also briefly examine some tools to validate coding with respect to security.

SET UP SECURE SYSTEMS

Setting up secure systems, system interactions, and thus system landscapes is the first step in subsequently operating a secure environment. Many tasks that must be performed once during setup reoccur, periodically or continuously, in the operations phase to ensure security, managed by an ITSOM solution. Setup is a highly critical phase, as missing security tends to be invisible, especially in a yet-unused system landscape. If the configuration is not checked actively, the detection of security flaws usually happens during operations – often when some damage has already been done. Fixing security issues during ongoing operations is usually expensive and often heavily restricted by the risk of breaking business-critical processes in productive environments.

[Figure 2: Secure Software Development Lifecycle from SAP. Compliant to ISO 27034-1.1. Figure labels: Preparation, Development, Transition, Utilization; Security training, Security measures planned, Secure development, Security testing, Security validation, Security response.]

KEEP LANDSCAPES SECURE

In the operations phase, powerful ITSOM tools become mission critical. This holds true for many operations tasks, which play important roles in keeping the operated landscape secure. An initially secure configuration is important, but you also need to ensure that changes to this configuration are deployed in a structured and monitored way. And security fixes alone will not be very useful if you do not know where to apply them or what their possible impact might be. These, among many other things, are recurring tasks for ITSOM – the central management of information pointing to possible vulnerabilities and attacks, as well as the coordination and routing of the corresponding fixes and defensive measures.

From the security perspective, timing is a critical factor, because the elapsed time between when a new threat or vulnerability occurs and when it is fixed defines the likeliness of damage. The ease and speed of fixing security issues is therefore crucial, and the security of a system landscape rises with the speed at which fixes can be deployed to the entire landscape.

The speed at which threats and vulnerabilities can be fixed increases with a number of factors, some of which are:
- Homogeneity of the landscape
- Completeness and consistence of information about the landscape
- Consistency of the fixing method(s)
- Completeness and quality of information about changes to the landscape
- Continuity of security maintenance

On the business side of the equation, time is also a critical factor. Security breaches and subsequent service downtime often cost organizations millions in lost revenue. Preventive network and systems security management can avoid these losses and make the difference in whether a business is profitable or not.

These effects are boosted by today’s trend toward the cloud, combining cloud and on-premise landscapes, and providing more and more solutions for remote and mobile access. Many of the same mechanisms apply across these deployment scenarios, so we will not differentiate between them here.

SECURE OPERATIONS MAP FROM SAP

SAP provides a Secure Operations Map that covers the three phases mentioned above and serves as a reference (see the final section of this paper) to match the capabilities of ITSOM tools to the requirements for a secure system. Phase 1 – secure build – maps to “secure code” in Figure 3. Phases 2 and 3 – secure setup and secure operation – are named the same in Figure 3. Phase 3 also covers the contribution of ITSOM tools to infrastructure security. “Security compliance” in Figure 3 applies to all phases and is typically not the focus of ITSOM tools.

The following section will introduce SAP Solution Manager as a comprehensive ITSOM tool and map some of its features to tasks in this Secure Operations Map.

[Figure 3: Secure Operations Map from SAP. Figure labels: Security compliance; Secure operation (Users and authorizations, Authentication and single sign-on, Support security, Security review and monitoring); Secure setup; Secure code; Infrastructure security; Security maintenance of SAP code; Network security; Data security; Custom code security; Operating system and database security; Front-end security.]

The Role of ITSOM Tools for Security

We can define ITSOM tools covering the tasks of the three phases of security as follows: ITSOM tools are any products and services that help to monitor an IT landscape and all services therein and to detect any abnormal behavior. They also include any products that improve control over the IT infrastructure (asset management, change management, and configuration management), over processes (job scheduling and workflow management), and over service workflows (service and support desk, service-level management, and business service management).

SAP Solution Manager is SAP’s well-recognized offering for ITSOM. With respect to security, it is accompanied by a set of services offered in the SAP Service and Support portfolio, which are often based on or controlled by SAP Solution Manager. In the following discussion, the tasks of the secure operations map in Figure 3 are mapped to the capabilities of SAP Solution Manager.

THE ROLE OF SAP SOLUTION MANAGER

As shown in Figure 4, SAP Solution Manager plays a central role in managing the system landscape. In addition to many other tasks, SAP Solution Manager is involved in the installation, update, and management of all systems of a local system landscape. Operating under the guiding principle of a single source of truth, SAP Solution Manager stores information about the system landscape and software versions. It also connects to the SAP Service Marketplace extranet to retrieve patches, support packages, and security updates. Furthermore, SAP Solution Manager monitors the systems on various levels – such as the operating system level (such as for CPU load, memory consumption, or disk allocation), the platform level (such as for health of work processes on application servers), and the application level.

To fulfill these tasks, SAP Solution Manager uses so-called agents (shown as dark rectangles in the diagram) that provide management access to the machines and the applications running on them and forward event notifications. Using this mechanism, SAP Solution Manager can also send notifications on security-related exceptions that are detected in the system landscape and help to fix problems where they occur.

SECURE CODE

At the beginning of software system security is secure code. At the very beginning, this means the code as it has been shipped by SAP and is installed on multiple machines in the system landscape during setup. During the course of continuous change and operations, the security of the installed code will need to be optimized and fixed. A strong knowledge of the landscape is required to manage software versions and keep them in sync.

Security Maintenance of SAP Code

The system recommendations functionality in SAP Solution Manager determines which SAP Notes from the SAP Notes tool are valid for systems in a landscape and is thus crucial to keeping systems secure. SAP Solution Manager uses the information about installed components and their release levels for all systems in the landscape and matches them with the available SAP Notes in the SAP Support Portal destination (which is part of SAP Service Marketplace, as shown in Figure 4). This matching is actually performed by an algorithm in the SAP support backbone, where SAP Solution Manager sends the information about configurations, release versions, and patch (SAP Note) levels for the systems it manages and receives recommended SAP Notes, including security notes, in return.

Because system recommendations can directly integrate with change request management through SAP Solution Manager, the change processes to implement the required SAP Notes can immediately be triggered and subsequently logged to keep system security up-to-date at all times – in full compliance to the ITIL standard (see the section “Security Compliance”).

[Figure 4: Overview of Managed System Landscape for SAP Solution Manager. Figure labels: Local system landscape (CRM, ERP, HCM, non-SAP solutions, SAP HANA, Portal, cloud services, SAP HANA Cloud Integration); event notifications; system and application maintenance; SAP Solution Manager (system monitoring data, system landscape, configuration and change DB); SAP Service Marketplace (software catalog, software (SP, EHP, and so on), security notes); SAP support backbone.]

Also available in system recommendations is information on which objects are touched by recommended SAP Notes. The business process change analyzer in SAP Solution Manager can use this information to evaluate the potential impact of SAP Notes on business processes. Data from the usage procedure logging (UPL) framework can be used to assess whether and how often code touched by an SAP Note is in use at all. On that basis, it is possible, for example, to get an assisted analysis of the consequences of implementing an SAP Note.

For planning support package updates, the maintenance optimizer is the tool of choice. It calculates which software packages you have to load and analyzes which SAP Notes (including security notes) are needed after a system update.

Custom Code Security

For customers, a straightforward way of extending SAP software without modification is to copy code and modify the copy. The downside is that copied code will not be subject to security patches. From a security standpoint this creates an inherent risk, because this copied – or cloned – coding often appears to add functionality to the system, when in reality it does not. This is why SAP Solution Manager features the clone finder and some other tools for analysis of custom code usage, to identify redundancies in custom code as well as unused code. This superfluous code can then be suggested for deletion.

In addition to SAP Solution Manager, SAP and our partners offer further products and services to help customers check their code. Among these is the SAP NetWeaver Application Server component, add-on for code vulnerability analysis, which covers the ABAP programming language and helps detect critical code patterns, injection dangers, hard-coded credentials, and so forth. For Java and C , there is SAP Fortify software by HP, which identifies and addresses software security vulnerabilities across the software lifecycle.

SECURE SETUP

Simply having secure code is not sufficient to run a secure system. After deploying software, it is important to set up the system’s configuration to be secure right from the beginning. Some security problems have their origin in the setup phase when system parts are deployed but not used (and therefore not checked). Secure setup also includes the definition of security standards for systems against which later changes can be verified (see the section “Secure Operations”).

Secure Configuration

A set of services to help ensure secure configuration during initial system setup is based on information gathered in SAP Solution Manager. The general (not completely security specific) SAP EarlyWatch Alert service (security-related content described in SAP Note 863362) and the more detailed security optimization services (SOS) compare customer settings (configurations and critical basis authorizations) with SAP-recommended standards. Based on these checks, a customer-specific security baseline can be derived that also takes into account customer-specific conditions and security regulations. Any changes during operations can subsequently be monitored with the help of change diagnostics and be compared against this customer-specific security baseline using configuration validation, to help ensure that no unwanted change goes unnoticed (see the section “Secure Operations”).

On top of regular monitoring, SAP advises running the complete set of reports from SOS or SAP EarlyWatch Alert periodically to help ensure compliance of the landscape, since not only may systems change, but also the threat landscape around the systems will likely evolve and new recommendations from SAP may come up over time.

Within the customer’s operations center, SAP Solution Manager can be operated as a central instance for all monitoring and alerting information.
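The baseline-and-compare procedure described under “Secure Configuration”, sketched as an added example (it is not SAP Solution Manager code and not from the paper): a customer-specific baseline is derived from a vendor standard plus customer rules, and configuration snapshots of several systems are validated against it. The parameter names, rule operators, and system IDs are assumptions constructed for illustration.

```python
# Added illustration: parameter names, rule operators and system IDs are
# constructed assumptions, not SAP Solution Manager settings or APIs.
from typing import NamedTuple

OPERATORS = {
    "eq": lambda actual, target: actual == target,
    "min": lambda actual, target: float(actual) >= float(target),
    "max": lambda actual, target: float(actual) <= float(target),
    "in": lambda actual, target: actual in target,
}

class Rule(NamedTuple):
    op: str
    target: object
    source: str = "vendor"  # "vendor" standard or "customer" rule

class Finding(NamedTuple):
    system: str
    parameter: str
    status: str  # "deviation", "missing" or "invalid"
    actual: object

def derive_baseline(vendor_standard, customer_overrides):
    """Vendor standard first; customer rules replace or extend it."""
    baseline = dict(vendor_standard)
    for name, (op, target) in customer_overrides.items():
        baseline[name] = Rule(op, target, "customer")
    return baseline

def validate(system, snapshot, baseline):
    """Return a Finding for every baseline rule the snapshot fails."""
    findings = []
    for name, rule in sorted(baseline.items()):
        if name not in snapshot:
            # An unset value is reported, never assumed to be compliant.
            findings.append(Finding(system, name, "missing", None))
            continue
        actual = snapshot[name]
        try:
            ok = OPERATORS[rule.op](actual, rule.target)
        except (TypeError, ValueError):
            # Unparseable value: flag it instead of aborting the run.
            findings.append(Finding(system, name, "invalid", actual))
            continue
        if not ok:
            findings.append(Finding(system, name, "deviation", actual))
    return findings

# Constructed sample data (hypothetical parameters and system IDs).
VENDOR_STANDARD = {
    "password_min_length": Rule("min", 8),
    "gateway_acl": Rule("eq", "1"),
    "tls_protocol": Rule("in", ("TLSv1.2",)),
}
CUSTOMER_OVERRIDES = {
    "password_min_length": ("min", 12),  # stricter than the vendor value
    "idle_timeout_s": ("max", 900),      # additional customer regulation
}
SNAPSHOTS = {
    "PRD": {"password_min_length": "12", "gateway_acl": "1",
            "tls_protocol": "TLSv1.2", "idle_timeout_s": "600"},
    "QAS": {"password_min_length": "8", "gateway_acl": "0",
            "tls_protocol": "TLSv1.2"},
    "DEV": {"password_min_length": "ten", "gateway_acl": "1",
            "tls_protocol": "TLSv1.0", "idle_timeout_s": "3600"},
}

if __name__ == "__main__":
    baseline = derive_baseline(VENDOR_STANDARD, CUSTOMER_OVERRIDES)
    for sid, snapshot in SNAPSHOTS.items():
        print(sid, validate(sid, snapshot, baseline) or "compliant")
```

A value that is missing or cannot be parsed is reported as a finding in its own right, so a system that was deployed but never configured does not pass validation silently.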

[Figure 5: Checking and Monitoring Secure Configuration. Figure labels: Local system landscape; Users and authorizations; Event notifications (business processes, system); Trigger configuration check; System and application maintenance; SAP Solution Manager; Notification; SAP Identity Management; SAP EarlyWatch Alert; Security optimization service; Configuration and change DB (CCDB); SAP secure configuration standards; Custom security profile; Derive from.]

Communication Security

Just as SAP Solution Manager watches over changes and configurations, it watches interfaces as well, and it helps in assessing the proper configurations for network communications with configuration validation in conjunction with SAP support professionals. However, SAP Solution Manager does not play a role in classic network security questions.

SECURE OPERATIONS

Ongoing operations and their security are the main focus of SAP Solution Manager. It assists operators in all of their main task areas. It provides an overview of the system landscape and its status. It also manages and monitors release and patch levels as well as configuration changes from the compliant and secure baseline configuration defined by the compliance activities (see the section “Security Compliance”) and established during setup (see the section “Secure Setup”). An overview of its connections to this system and landscape information is shown in Figure 5. In addition, SAP Solution Manager manages problems and incidents and makes recommended actions (or “guided procedures”) for these issues available in a context-sensitive manner. This makes SAP Solution Manager an important security component.

Users and Authorizations, Authentication, and Single Sign-On

User identities are typically managed by the SAP Identity Management component. However, the

