SystemProfiler 3.0

Bridging the gap to IT security

3

Challenges for SAP Security

Organizational

SAP department ≠ IT department

SAP security ≠ IT security

Technology

Fast technology evolution: HANA, Cloud, mobile

Increased complexity for SAP landscapes

External

Increased awarenes about SAP vulnerabilities within hacker community

Regulative pressure (SOX, PCI DSS, …)

SystemProfiler: optimal protection for SAP systems

4

SYSTEMPROFILER

enables you to secure and

monitor your entire SAP

system landscape to ensure

frictionless system operations

Benefits

Saves effort in validating and

correcting security relevant settings

Prevents issues arising from

insecure or unstable configurations

Increased compliance to internal

and external standards for the

entire SAP system landscape

The 3-phased process

The SystemProfiler strategy follows a simple approach:

Assess – Clean Up – Monitor

Assess – record status:

SystemProfiler identifies risks and issues and

provides a comprehensive overview of the

configuration status of the entire SAP system

landscape.

Clean Up – f rame and enforce rules:

Security polices for each indiviual system can easily

be configured and enforced using SystemProfiler.

Monitor – full transparency:

SystemProfiler continuously monitors SAP

environments, integrates with external and internal

reporting and SIEM solutions and reports each

newly found issue proactively.

Security, Compliance

& Quality

1. Assess

2. Safeguard 3. Optimize

SystemProfiler 3.0

SIEM Integration

SIEM coverage

SIEM

SIEM covers many devices / information:

Network data

Identity Management

Security devices

Firewall

Routers

Databases

…and yes, there‘s application data, but:

SIEM systems do not cover SAP systems

SystemProfiler bridges the gap to IT security

SIEM

Security

Config

Code

Roles

SIEM interface

9

SystemProfiler enables an intelligent processing of critical events from the entire

SAP system landscape by external SIEM solutions

Default integration

Test Cases of category “forensics” are pre-defined for SIEM processing

Additional Test Cases can be added easily

Important features

Intelligent pre-qualification of events

Immediate processing

Central approach

Detection of duplicates & status management

Extendable content

10

Example:

Processing of SystemProfiler events in splunk

SystemProfiler 3.0

HANA security

12

Challenges HANA Security & Quality

HANA is an attractive target for hackers

New technology – little experience – probability of security misconfigurations

Many known and new risks apply to HANA

R-Serve

RAM-Scraping

Web applications

Custom developments

Complexity of SAP system landscapes increases with HANA

For an optimal use,of HANA many settings need to be adjusted

13

Virtual Forge HANA Security Suite

Optimzing ABAP-Code for HANA Usage (CodeProfiler)

HANA Test Cases(HANA Readiness & Optimization)

Automated Correction („Quick Fix“ and Bulk)

Securing HANA configuration (SystemProfiler´)

Additional platform for SystemProfiler

Test Cases, e.g. communication security, authorization, others

CodeProfiler for HANA

Eclipse and WebIDE Integration

First HANA Code Scanner ever

Securing HANA configurations with SystemProfiler

Target system SAP HANA

15

HANA integration

Connection through database connection

installation on HANA-Proxy only (SAINT/SPAM)

Test Cases execute in ABAP implemented SQL Statements

Checking HANA development in real time

…there‘s more

Reporting Dashboards

Reporting API

SystemProfiler provides data for any type of reporting solutions

Features

API consists of four function modules

The most recent result of all chosen results will be provided, including master

data and description

Standardized API for all Virtual Forge solutions

Outlook

Reporting Dashboard (Browser / Mobile Devices)

API can be called externally (Webservice)

19

SP 3.0 At a Glance

20

Inspections of SAP HANA

Extensible SIEM Interface

Reporting API

Collectors and Metrics

Customer Test Cases on NW AS Java

New Test Cases

Thank you! Feel free to write or call for any questions and requests

25

Patrick Boch

info@virtualforge.com

Blog Whitepapers Twitter

www.virtualforge.com