systemprofiler 3systemprofiler: optimal protection for sap systems 4 systemprofiler enables you to...
TRANSCRIPT
SystemProfiler 3.0
Bridging the gap to IT security
3
Challenges for SAP Security
Organizational
SAP department ≠ IT department
SAP security ≠ IT security
Technology
Fast technology evolution: HANA, Cloud, mobile
Increased complexity for SAP landscapes
External
Increased awarenes about SAP vulnerabilities within hacker community
Regulative pressure (SOX, PCI DSS, …)
SystemProfiler: optimal protection for SAP systems
4
SYSTEMPROFILER
enables you to secure and
monitor your entire SAP
system landscape to ensure
frictionless system operations
Benefits
Saves effort in validating and
correcting security relevant settings
Prevents issues arising from
insecure or unstable configurations
Increased compliance to internal
and external standards for the
entire SAP system landscape
The 3-phased process
The SystemProfiler strategy follows a simple approach:
Assess – Clean Up – Monitor
Assess – record status:
SystemProfiler identifies risks and issues and
provides a comprehensive overview of the
configuration status of the entire SAP system
landscape.
Clean Up – f rame and enforce rules:
Security polices for each indiviual system can easily
be configured and enforced using SystemProfiler.
Monitor – full transparency:
SystemProfiler continuously monitors SAP
environments, integrates with external and internal
reporting and SIEM solutions and reports each
newly found issue proactively.
Security, Compliance
& Quality
1. Assess
2. Safeguard 3. Optimize
SystemProfiler 3.0
SIEM Integration
SIEM coverage
SIEM
SIEM covers many devices / information:
Network data
Identity Management
Security devices
Firewall
Routers
Databases
…and yes, there‘s application data, but:
SIEM systems do not cover SAP systems
SystemProfiler bridges the gap to IT security
SIEM
Security
Config
Code
Roles
SIEM interface
9
SystemProfiler enables an intelligent processing of critical events from the entire
SAP system landscape by external SIEM solutions
Default integration
Test Cases of category “forensics” are pre-defined for SIEM processing
Additional Test Cases can be added easily
Important features
Intelligent pre-qualification of events
Immediate processing
Central approach
Detection of duplicates & status management
Extendable content
10
Example:
Processing of SystemProfiler events in splunk
SystemProfiler 3.0
HANA security
12
Challenges HANA Security & Quality
HANA is an attractive target for hackers
New technology – little experience – probability of security misconfigurations
Many known and new risks apply to HANA
R-Serve
RAM-Scraping
Web applications
Custom developments
Complexity of SAP system landscapes increases with HANA
For an optimal use,of HANA many settings need to be adjusted
13
Virtual Forge HANA Security Suite
Optimzing ABAP-Code for HANA Usage (CodeProfiler)
HANA Test Cases(HANA Readiness & Optimization)
Automated Correction („Quick Fix“ and Bulk)
Securing HANA configuration (SystemProfiler´)
Additional platform for SystemProfiler
Test Cases, e.g. communication security, authorization, others
CodeProfiler for HANA
Eclipse and WebIDE Integration
First HANA Code Scanner ever
Securing HANA configurations with SystemProfiler
Target system SAP HANA
15
HANA integration
Connection through database connection
installation on HANA-Proxy only (SAINT/SPAM)
Test Cases execute in ABAP implemented SQL Statements
Checking HANA development in real time
…there‘s more
Reporting Dashboards
Reporting API
SystemProfiler provides data for any type of reporting solutions
Features
API consists of four function modules
The most recent result of all chosen results will be provided, including master
data and description
Standardized API for all Virtual Forge solutions
Outlook
Reporting Dashboard (Browser / Mobile Devices)
API can be called externally (Webservice)
19
SP 3.0 At a Glance
20
Inspections of SAP HANA
Extensible SIEM Interface
Reporting API
Collectors and Metrics
Customer Test Cases on NW AS Java
New Test Cases
Thank you! Feel free to write or call for any questions and requests
25
Patrick Boch
Blog Whitepapers Twitter
www.virtualforge.com