SCUR201 The Auditors Are Coming – What Now?


Transcript of SCUR201 The Auditors Are Coming – What Now?

Page 1: SCUR201 The Auditors Are Coming – What Now?

SCUR201, Larry Justice & Eric Kang 1

SCUR201 The Auditors Are Coming – What Now?

Cristina Buchholz
Product Security, SAP

SAP AG 2003 SCUR201, Cristina Buchholz / 2

Learning Objectives

As a result of this workshop, you will be able to:

Use currently available tools for Auditing, Logging and Intrusion Detection in SAP Solutions:

Audit Information System (AIS)

Security Audit Log

CCMS – Computing Center Management System

Understand the challenges of open process auditing and how to meet them using:

Collaborative Audit Framework


Agenda

Audit Information System

Security Audit Log

CCMS

Collaborative Audit Framework

Summary


Agenda

Audit Information System
  AIS reporting tree
  Required roles for AIS
  Recommendations for dealing with AIS
  Relationship with the R/3 Security Guide

Security Audit Log

CCMS

Collaborative Audit Framework

Summary


Audit Information System (AIS)

[Figure: the Audit Information System as part of SAP]

Target activities:
  accounting practices
  internal auditing
  system testing
  data protection


Reporting Tree


Required Roles for AIS

Collective role: SAP_AUDITOR

Contains the individual roles …

Administration / preparatory work
  Transaction / Menu role: SAP_BC_AUDITOR_ADMIN
  Authorization role: SAP_BC_CA_AUDITOR_APPL_ADMIN

System audit
  Transaction / Menu role: SAP_BC_AUDITOR_SA_BC
  Authorization role: SAP_CA_AUDITOR_SYSTEM, SAP_CA_AUDITOR_SYSTEM_DISPLAY

User and authorizations
  Transaction / Menu role: SAP_BC_AUDITOR_SA_BC_CCM_USR
  Authorization role: SAP_CA_AUDITOR_SYSTEM, SAP_CA_AUDITOR_SYSTEM_DISPLAY

Repository / Tables
  Transaction / Menu role: SAP_BC_AUDITOR_SA_BC_CUS_TOL
  Authorization role: SAP_CA_AUDITOR_SYSTEM, SAP_CA_AUDITOR_SYSTEM_DISPLAY

Business Audit
  Transaction / Menu role: SAP_AUDITOR_BA_*
  Authorization role: SAP_CA_AUDITOR_APPL

Data Protection
  Transaction / Menu role: SAP_AUDITOR_DS_*
  Authorization role: SAP_CA_AUDITOR_DS_*


Recommendations for Dealing with AIS

Define a system audit program encompassing the following applications:
  Complete audits for implementation projects
  Change audits for upgrades and end-of-year reports
  Small audits, which can be applied regularly
    Top 10 security reports weekly
    Others as required, e.g. "Which user may …" after major changes to the user master data records

Use the roles imported from the Audit Information System to distribute the audit functions
  User
  System
  Data protection
  …

If you would like to subdivide the audit functions in greater detail, define your own transaction roles for this purpose


Relationship with the R/3 Security Guide

R/3 security guide
  Offers a general overview of all the security services
  Technical measures within the framework of R/3 system security
  Checklists to record such measures, and instructions for checking and monitoring them

Audit Information System
  Here you will find transactions and reports that contain security-relevant information on the result of the technical measures implemented


Wrap Up - AIS

AIS, which is available only in an R/3 system, allows system and business audits

System audit covers aspects such as which user is allowed to start which transaction, which user still has an initial password, which users are locked, etc.

Business audit covers business and tax functionality that is relevant for revision or external audits

A project is under way to downport the system audit part to all other SAP solutions, such as BW, CRM, etc.


Agenda

Audit Information System

Security Audit Log
  Recorded events
  Analysis of the Security Log
  Recommendations

CCMS

Collaborative Audit Framework

Summary


Delimitation to the System Log

Target
  R/3 System Log (SM21): records information which indicates system problems
  Security Audit Log (SM20): records security-relevant information

Target group
  R/3 System Log (SM21): system administrators
  Security Audit Log (SM20): auditors

Availability of logs
  R/3 System Log (SM21): the system log is always required and should not be deactivated
  Security Audit Log (SM20): can be activated and deactivated as required (flexible deployment); daily monitoring of security-relevant events can be chosen at will

Storage
  R/3 System Log (SM21): the files are cyclical and are overwritten again in sequence
  Security Audit Log (SM20): the logs are saved locally on the server and must be archived manually


Recorded Events

The following audit classes exist:

Dialog registrations

RFC registrations

RFC call-ups of function modules

Transaction starts

Report starts

Changes to the user master data records

Changes to the audit configuration


Log Filters

Filter SM19 - Logging
Filter SM20 - Evaluation


Analysis of the Security Audit Log


Recommendations for the Security Audit Log

Log filter (SM19)
  All clients
  All users with extensive authorizations (SAP*, DDIC), via "detailed settings"
  All failed registrations
  Blocking/unblocking of users as a result of incorrect password entry
  Changes to the audit configuration
  Set up additional filters, if required:
    SAP* registrations (successful and failed)
    In the development systems, for fault localisation: complete logging for certain users

Analysis (SM20)
  View the new entries at least weekly

Profile parameters
  Use rsau/max_diskspace/per_file and adjust it to the back-up medium (e.g. 650 MB for CD-R)
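Added here as a worked example (not SAP code and not from the talk): a small Python review script that turns the SM19 filter recommendations above into detection rules and runs them over constructed log lines. The pipe-separated line layout and the message IDs AU2, AUM and AUE are assumptions made for this illustration; the real log is read through SM20, so verify the IDs against your release before reuse.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Message IDs assumed for this example: AU2 failed logon, AUM user locked
# after repeated wrong passwords, AUE audit configuration changed.
FAILED_LOGON, USER_LOCKED, AUDIT_CONFIG_CHANGED = "AU2", "AUM", "AUE"
PRIVILEGED_USERS = {"SAP*", "DDIC"}   # users with extensive authorizations

@dataclass
class Finding:
    category: str
    client: str
    user: str
    line: str

def parse_line(line: str) -> Dict[str, str]:
    """Constructed layout: date|time|client|user|terminal|msgid|text."""
    fields = line.rstrip("\n").split("|", 6)
    keys = ("date", "time", "client", "user", "terminal", "msgid", "text")
    return dict(zip(keys, fields))

def review(lines: Iterable[str]) -> List[Finding]:
    """Apply the recommended SM19 filters as review rules; one finding per rule hit."""
    findings: List[Finding] = []
    for raw in filter(str.strip, lines):
        e = parse_line(raw)
        cats = []
        if e["user"] in PRIVILEGED_USERS:          # SAP*/DDIC activity in all clients
            cats.append("privileged-user-activity")
        if e["msgid"] == FAILED_LOGON:
            cats.append("failed-logon")
        if e["msgid"] == USER_LOCKED:
            cats.append("lock-after-bad-password")
        if e["msgid"] == AUDIT_CONFIG_CHANGED:
            cats.append("audit-config-changed")
        findings.extend(Finding(c, e["client"], e["user"], raw.strip()) for c in cats)
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts per category: the figures to look at in the weekly review."""
    return dict(Counter(f.category for f in findings))

# Constructed sample entries, not a real system's log.
SAMPLE = """\
20030915|08:01:12|000|SAP*|TERM01|AU2|Logon failed (reason=1, type=A)
20030915|08:01:30|000|SAP*|TERM01|AU2|Logon failed (reason=1, type=A)
20030915|08:02:05|100|JSMITH|TERM07|AU1|Logon successful (type=A)
20030915|09:14:44|100|MMUELLER|TERM09|AU2|Logon failed (reason=1, type=A)
20030915|09:16:02|100|MMUELLER|TERM09|AUM|User locked after erroneous password checks
20030915|11:40:10|000|DDIC|TERM02|AUE|Audit configuration changed
"""

if __name__ == "__main__":
    found = review(SAMPLE.splitlines())
    for f in found:
        print(f"{f.category:26} client {f.client} user {f.user}")
    print(summarize(found))
```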


Wrap Up - Security Audit Log

The Security Audit Log logs security-relevant events in the system
  Failed registrations
  Transaction call-ups

In contrast to the Audit Information System, no random sampling analysis is performed

The log runs constantly in the background

Regular (manual) analysis of the log contents by the system administrator

Long-term access / archiving

Target groups
  System administrators
  Security coordinators
  Auditors


Agenda

Audit Information System

Security Audit Log

CCMS
  Monitoring infrastructure
  Auto-reaction method
  CCMS interfaces

Collaborative Audit Framework

Summary


CCMS – The Principle

[Figure: CCMS monitors collect data from sources such as the SysLog, ALE, EBP, the database, data archiving, the Java Connector, IMS / IPC, the SAP J2EE Server, EMC Symmetrix, the Gateway and the Security Audit Log]


Advantages - Disadvantages

Advantages
  Monitoring of the entire IT environment
  Flexible, universally applicable
  Scalable, for SAP and non-SAP systems
  Applicable directly after installation

Monitors
  Categorized display of the measured values or alerts
  Data is displayed in a tree structure
  Highest alert is forwarded to the higher levels

Disadvantages
  Very abstract structure
  High complexity in the structure leads to selective monitoring of individual areas and events, not to overall monitoring
  Comprehensive consideration and analysis of events is not possible, particularly for individual alerts originating from different systems


Monitoring Infrastructure

[Figure: CCMS monitoring infrastructure. Local monitoring segments (for DB, OS, SAP, third-party products and other non-SAP components) hold monitoring objects; data suppliers feed them through the API; SAP monitors display the data; analysis methods and auto-reaction methods are started from the tree; data recording, data storage and administration form the remaining layers]


Entering Transaction RZ20

SAP monitor sets
  Immediately usable
  Cannot be changed
  Template

SAP monitors
  Different predefined views on the same data
  Immediately usable
  Cannot be changed
  Template

Tree hierarchy: monitoring segment -> monitoring object


CCMS Alert Monitor

MTE (all tree nodes)
  Represent a physical or logical object
  Alerts are collated and passed on to superordinate nodes

Monitoring objects and monitoring attributes
  Receipt of data and creation of alerts
  The data is used for analysis
  Start of analysis method


Auto-Reaction Method

What happens in the event of an alert?

Options:
  ABAP report
  Function module
  Program call-up

The auto-reaction method runs at regular intervals in the R/3 system (Sapmssy8 or batch mode)
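Added here as a worked example (not SAP code and not from the talk): a Python model of the alert monitor and auto-reaction method described in the two slides above. The propagation rule (each node carries the highest alert of its subtree, so the highest alert is forwarded to superordinate nodes) and the green/yellow/red levels follow the slides; the MTE names, thresholds, measured values and the notify callback are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

GREEN, YELLOW, RED = 0, 1, 2            # RZ20 alert colours, ordered by severity
COLOUR = {GREEN: "green", YELLOW: "yellow", RED: "red"}

@dataclass
class MTE:
    name: str
    children: List["MTE"] = field(default_factory=list)
    thresholds: Optional[Tuple[float, float]] = None   # (yellow_at, red_at), attribute nodes only
    value: Optional[float] = None                       # last value delivered by a data supplier
    auto_reaction: Optional[Callable[["MTE", int], None]] = None

    def own_alert(self) -> int:
        """An attribute node compares its measured value with its thresholds."""
        if self.thresholds is None or self.value is None:
            return GREEN
        yellow_at, red_at = self.thresholds
        return RED if self.value >= red_at else YELLOW if self.value >= yellow_at else GREEN

def evaluate(node: MTE, result: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Alert of every node = max(own alert, children's alerts), so the highest
    alert is forwarded up to the superordinate nodes.  The auto-reaction
    method, if one is attached, runs for each node that ends up yellow or red."""
    if result is None:
        result = {}
    level = node.own_alert()
    for child in node.children:
        evaluate(child, result)
        level = max(level, result[child.name])
    result[node.name] = level
    if level > GREEN and node.auto_reaction is not None:
        node.auto_reaction(node, level)      # e.g. notify the administrator, start a report
    return result

def build_sample_tree(reactions: List[str]) -> MTE:
    """Constructed monitoring segment with OS and Security Audit Log attributes."""
    def notify(mte: MTE, lvl: int) -> None:
        reactions.append(f"{mte.name}: {COLOUR[lvl]}")
    cpu = MTE("CPU utilization %", thresholds=(80, 95), value=97)
    swap = MTE("Swap space used %", thresholds=(70, 90), value=40)
    failed = MTE("Failed logons / 5 min", thresholds=(5, 20), value=7, auto_reaction=notify)
    os_node = MTE("OperatingSystem", [cpu, swap])
    sal_node = MTE("SecurityAuditLog", [failed])
    return MTE("SAP_Instance", [os_node, sal_node], auto_reaction=notify)

if __name__ == "__main__":
    fired: List[str] = []
    for name, lvl in evaluate(build_sample_tree(fired)).items():
        print(f"{name:24} {COLOUR[lvl]}")
    print("auto-reactions:", fired)
```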


SAP CCMS Interfaces

[Figure: an SAP instance 4.X (RZ20, dispatcher) and a CCMS agent exchanging data over the Jmon API]

Interfaces:
  Text file
  JAVA API
  RFC
  XML by means of BC
  XML by means of ICM


Wrap Up - CCMS

Monitoring of the entire IT environment
  Flexible, universally applicable
  Scalable, for SAP and non-SAP systems
  Applicable directly after installation

Alerts
  Forwarded to an administrator
  Automatic actions on alerts configurable
  Forwarded to an external Intrusion Detection System
  Import of alerts from external Intrusion Detection Systems

Monitors
  Categorized display of the measured values or alerts
  Data is displayed in a tree structure
  Highest alert is forwarded to the higher levels


Agenda

Audit Information System

Security Audit Log

CCMS

Collaborative Audit Framework
  Auditing Web Services
  Architecture and interface
  Roadmap

Summary


Collaborative Processes – Collaborative Audit

[Figure: Enterprise Resource Planning, Intra-Enterprise Co-operation and Collaborative Business, each with the matching audit scope]
  Single Database -> Local Audit (for example, Audit Information System)
  Distributed Processes (inhouse) -> Distributed Audit
  Collaborative processes -> Collaborative Audit


Auditing Web Services

[Figure: Auditing Web Services. Business servers deliver user information, authentication data, process information and system data to an Audit Warehouse built on SAP NetWeaver (SAP Web AS, Web Dynpro, SAP Enterprise Portal, SAP Business Information Warehouse, SAP Exchange Infrastructure)]


Audit Framework Requirements

Basic system functionality should represent the definition of risks and controls and the production of audit alerts

Must meet international standards that work across systems and corporate domains (awareness of different laws)

Deployment should be characterized by a central audit warehouse per business unit

Personalization of data interfaces should be possible

Transactional and workflow information must be captured, for example procurement and tracking the movement of goods


Control Classes

Master data
  Material and personal records in the database

Transaction data
  Changes to the master data, conditions related to processing the master data

Access control
  Assignment and revocation of user and system privileges
  Verification of privileges during operation

Customizing / Change management
  Changes to programs and system configuration

Process control
  Flow control, process optimization


Access to Audit Data

Push + Store
  Applications write the relevant data to a central audit data pool

Pull + Store
  The audit warehouse regularly collects and stores the data

Online Request
  Relevant data is obtained online at the time of the audit

[Figure: the Audit Pool of the Audit Warehouse, fed by Push+Store, Pull+Store and Online Request]


Analysis

[Figure: scope of the framework. Audit knowledge: Control Objectives, Risk Analysis, Control Classes/Controls, Evidence, Auditing. Technical: Specification, Data Types/Elements, Data Gathering, Storage/Presentation/Analysis. Interface specification: XAudML]


Audit Framework Architecture

Audit Warehouse: Audited system -> Extract -> Process -> Analyze -> View

Standardized interface: XAudML


Why XML

Portability – Platform, Database and Operating System independent

Standardization
  Processing
  Semantics
  Syntax

Flexibility and Usability

Scalability


Schema: Audit Report Format

[Figure: elements of the audit report schema]
  Process
  Process Step
  Control Solution
  Control Class (with Attributes)
  Risk
  Audit Test
  Data Class
  Data Element


CAF – A Phased Approach

1  Consolidate interface proposal (Target Q3/2003)
     Data catalog for the interface prototype
     Contact OASIS and XBRL
     Get feedback from EAI producers

2  Standard submission (Target Q4/2003)
     XML prototype for the interface
     First tests with evaluation tools
     Advocates for standardization submission

3  Standard implementation (Long term project)
     Interface implementation in all applications
     Availability of evaluation tools
     Interoperability and completeness tests

XAudML


Wrap Up - CAF

Customers need the Audit Framework

Standardizing the interface lowers TCO for customers

Auditing across systems becomes reality


Agenda

Audit Information System

Security Audit Log

CCMS

Collaborative Audit Framework

Summary


Summary

Currently available for Auditing, Logging and Intrusion Detection in SAP Solutions are:

Audit Information System (AIS)

Security Audit Log

CCMS – Computing Center Management System

Collaborative Audit Framework will provide:

Process audit

Audit of interoperating landscapes

Audit across solutions from multiple vendors


Further Information

Public Web: www.sap.com/netweaver (Key Capabilities, Security)
SAP Customer Services Network: www.sap.com/services/

Related SAP Education Training Opportunities: http://www.sap.com/usa/education/
  WNA210 R/3 for Auditors
  ADM960 Security in SAP System Environment

Consulting Contact: Frank Rambo, NetWeaver Security Consulting ([email protected])


Q&A

Questions?


Please complete your session evaluation and drop it in the box on your way out.

Feedback

Thank You !

The SAP TechEd ’03 Basel Team


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.

IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries.

ORACLE® is a registered trademark of ORACLE Corporation.

UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.

Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.

HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

JAVA® is a registered trademark of Sun Microsystems, Inc.

JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.

SAP, R/3, mySAP, mySAP.com, xApps, xApp and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.

Copyright 2003 SAP AG. All Rights Reserved