SCUR201 The Auditors Are Coming – What Now?
SCUR201, Larry Justice & Eric Kang 1
SCUR201 The Auditors Are Coming – What Now?
Cristina Buchholz
Product Security, SAP
SAP AG 2003 SCUR201, Cristina Buchholz / 2
Learning Objectives
As a result of this workshop, you will be able to:
Use currently available tools for Auditing, Logging and Intrusion Detection in SAP Solutions:
Audit Information System (AIS)
Security Audit Log
CCMS – Computing Center Management System
Understand the challenges of open process auditing and how to meet them using:
Collaborative Audit Framework
Agenda
Audit Information System
Security Audit Log
CCMS
Collaborative Audit Framework
Summary
Agenda
Audit Information System
AIS reporting tree
Required roles for AIS
Recommendations for dealing with AIS
Relationship with the R/3 Security Guide
Security Audit Log
CCMS
Collaborative Audit Framework
Summary
Audit Information System (AIS)
Target activities: accounting practices, internal auditing, system testing, data protection
Reporting Tree
Required Roles for AIS
Collective role: SAP_AUDITOR
Contains the individual roles …
Administration / preparatory work: Transaction / Menu role SAP_BC_AUDITOR_ADMIN; Authorization role SAP_BC_CA_AUDITOR_APPL_ADMIN
System audit: Transaction / Menu role SAP_BC_AUDITOR_SA_BC; Authorization roles SAP_CA_AUDITOR_SYSTEM, SAP_CA_AUDITOR_SYSTEM_DISPLAY
User and authorizations: Transaction / Menu role SAP_BC_AUDITOR_SA_BC_CCM_USR; Authorization roles SAP_CA_AUDITOR_SYSTEM, SAP_CA_AUDITOR_SYSTEM_DISPLAY
Repository / Tables: Transaction / Menu role SAP_BC_AUDITOR_SA_BC_CUS_TOL; Authorization roles SAP_CA_AUDITOR_SYSTEM, SAP_CA_AUDITOR_SYSTEM_DISPLAY
Business audit: Transaction / Menu role SAP_AUDITOR_BA_*; Authorization role SAP_CA_AUDITOR_APPL
Data protection: Transaction / Menu role SAP_AUDITOR_DS_*; Authorization role SAP_CA_AUDITOR_DS_*
Recommendations for Dealing with AIS
Define a system audit program encompassing the following applications:
Complete audits for implementation projects
Change audits for upgrades and end-of-year reports
Small audits, which can be applied regularly:
Top 10 security reports weekly
Others as required, e.g. "Which user may …" after major changes to the user master data records
Use the roles imported from the Audit Information System to distribute the audit functions (user, system, data protection, …)
If you would like to subdivide the audit functions in greater detail, define your own transaction roles for this purpose
Relationship with the R/3 Security Guide
R/3 Security Guide: offers a general overview of all the security services; describes technical measures within the framework of R/3 system security; provides checklists to record such measures and instructions for checking and monitoring them.
Audit Information System: contains transactions and reports with security-relevant information on the result of the technical measures implemented.
Wrap Up - AIS
AIS, which is only available in an R/3 system, allows system audits and business audits
The system audit covers aspects such as which user is allowed to start which transaction, which users still have an initial password, which users are locked, etc.
The business audit allows auditing of the business and tax functionality that is relevant for revision or external audits
Project to port the system audit part to all other SAP solutions, such as BW, CRM, etc.
Agenda
Audit Information System
Security Audit Log
Recorded events
Analysis of the Security Audit Log
Recommendations
CCMS
Collaborative Audit Framework
Summary
Delimitation to the System Log
Comparison of the R/3 System Log (SM21) and the Security Audit Log (SM20):
Target: the System Log records information which indicates system problems; the Security Audit Log records security-relevant information.
Target group: the System Log is for system administrators; the Security Audit Log allows flexible deployment, for system administrators and auditors.
Availability of logs: the System Log is always required and should not be deactivated; the Security Audit Log can be activated and deactivated as required, and daily monitoring of security-relevant events can be chosen at will.
Log files: the System Log files are cyclical and are overwritten again in sequence; the Security Audit Log files are saved locally on the server and must be archived manually.
Recorded Events
The following audit classes exist:
Dialog logons
RFC logons
RFC calls of function modules
Transaction starts
Report starts
Changes to the user master data records
Changes to the audit configuration
Log Filters
Filter in SM19 – logging; filter in SM20 – evaluation
Analysis of the Security Audit Log
Recommendations for the Security Audit Log
Log filter (SM19):
All clients
All users with extensive authorizations (SAP*, DDIC)
Via "detailed settings": all failed logons; locking/unlocking of users as a result of incorrect password entry; changes to the audit configuration
Set up additional filters if required: SAP* logons (successful and failed); in the development systems, complete logging for certain users for fault localisation
Analysis (SM20): view the new entries at least weekly
Profile parameters: use rsau/max_diskspace/per_file and adjust it to the back-up medium (e.g. 650 MB for CD-R)
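As an added illustration (not SAP's code and not part of the original slides), the following Python models the recommended SM19 filter set over constructed audit events and decides which events would be written to the log. The event fields, sub-event names and user IDs are simplified assumptions; the real Security Audit Log uses its own record format.

```python
from dataclasses import dataclass
# Audit classes named on the "Recorded Events" slide.
DIALOG_LOGON, RFC_LOGON, RFC_CALL = "dialog_logon", "rfc_logon", "rfc_call"
TRANSACTION_START, REPORT_START = "transaction_start", "report_start"
USER_MASTER_CHANGE, AUDIT_CONFIG_CHANGE = "user_master_change", "audit_config_change"
ALL_CLASSES = frozenset({DIALOG_LOGON, RFC_LOGON, RFC_CALL, TRANSACTION_START,
                         REPORT_START, USER_MASTER_CHANGE, AUDIT_CONFIG_CHANGE})

@dataclass(frozen=True)
class Event:               # constructed, simplified record layout
    client: str
    user: str
    audit_class: str
    success: bool = True   # False = failed logon
    detail: str = ""       # sub-event, e.g. "lock_wrong_password", "unlock"

@dataclass(frozen=True)
class Filter:              # one SM19 logging filter; '*' matches any client/user
    client: str
    user: str
    classes: frozenset
    only_failed: bool = False
    details: "frozenset | None" = None   # restrict the class to given sub-events

    def matches(self, e: Event) -> bool:
        if self.client not in ("*", e.client) or self.user not in ("*", e.user):
            return False
        if e.audit_class not in self.classes or (self.only_failed and e.success):
            return False
        return self.details is None or e.detail in self.details

# The slide's recommended set: all clients; SAP* and DDIC in full; all failed
# logons; lock/unlock after wrong passwords; changes to the audit configuration.
RECOMMENDED = [
    Filter("*", "SAP*", ALL_CLASSES), Filter("*", "DDIC", ALL_CLASSES),
    Filter("*", "*", frozenset({DIALOG_LOGON, RFC_LOGON}), only_failed=True),
    Filter("*", "*", frozenset({USER_MASTER_CHANGE}),
           details=frozenset({"lock_wrong_password", "unlock"})),
    Filter("*", "*", frozenset({AUDIT_CONFIG_CHANGE}))]

def is_recorded(e: Event, filters=RECOMMENDED) -> bool:
    """Logging decision: the event is written if any active filter matches it."""
    return any(f.matches(e) for f in filters)

SAMPLE = [  # constructed events, not data from a real system
    Event("000", "SAP*", DIALOG_LOGON),                   # recorded: SAP* in full
    Event("100", "JSMITH", DIALOG_LOGON),                 # not recorded
    Event("100", "JSMITH", DIALOG_LOGON, success=False),  # recorded: failed logon
    Event("100", "JSMITH", USER_MASTER_CHANGE, detail="lock_wrong_password"),
    Event("100", "ADMIN1", USER_MASTER_CHANGE, detail="address")]  # not recorded
```

A routine successful logon by an ordinary user is deliberately not written, which is what keeps the log small enough to be reviewed weekly, as the slide recommends.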
Wrap Up - Security Audit Log
The Security Audit Log logs security-relevant events in the system
Failed logons
Transaction calls
In contrast to the Audit Information System, no random sampling analysis is performed
Log runs constantly in the background
Regular (manual) analysis of the log contents by the system administrator
Long-term access / archiving
Target groups: system administrators, security coordinators, auditors
Agenda
Audit Information System
Security Audit Log
CCMS
Monitoring infrastructure
Auto-reaction method
CCMS interfaces
Collaborative Audit Framework
Summary
CCMS – The Principle
[Diagram: CCMS monitors receive data from SysLog, ALE, EBP, Database, Data Archiving, Java Connector, IMS / IPC, SAP J2EE Server, EMC Symmetrix, Gateway and the Security Audit Log]
Advantages - Disadvantages
Advantages:
Monitoring of the entire IT environment
Flexible, universally applicable
Scalable, for SAP and non-SAP systems
Applicable directly after installation
Monitors: categorized display of the measured values or alerts; data is displayed in a tree structure; the highest alert is forwarded to the higher levels
Disadvantages:
Very abstract structure
The high complexity of the structure leads to selective monitoring of individual areas and events rather than to overall monitoring.
Comprehensive consideration and analysis of events is not possible, particularly of individual alerts originating from different systems.
Monitoring Infrastructure
[Diagram: data suppliers deliver to monitoring objects through an API; the objects are grouped into local monitoring segments (DB, OS, SAP, and non-SAP / third-party products); data recording and data storage feed the analysis method, the auto-reaction method, the SAP monitors and administration]
Entering Transaction RZ20
SAP monitor sets: immediately usable; cannot be changed; template
SAP monitors: different predefined views on the same data; immediately usable; cannot be changed; template
Hierarchy shown: monitoring segment, containing monitoring objects
CCMS Alert Monitor
MTE: all tree nodes
Represent a physical or logical object
Alerts are collated and passed on to superordinate nodes
Receipt of data and creation of alerts
The data is used for analysis alerts
Monitoring objects
Monitoring attributes
Start of analysis method
Auto-Reaction Method
What happens in the event of an alert?
Options: ABAP report; function module; program call
The auto-reaction method runs at regular intervals (sapmssy8 or batch mode in the R/3 system)
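An added model (not SAP's code and not from the slides) of the two mechanisms described above: alerts collated upward through the monitoring tree, where the highest alert wins, and a periodic pass that calls the auto-reaction of every alerted node. The MTE class, its threshold fields and the notify_admin reaction are assumptions standing in for the real monitoring tree and its ABAP report or function module.

```python
from dataclasses import dataclass, field

# Alert levels in CCMS colour terms, ordered so the highest wins on the way up.
SEVERITY = {"green": 0, "yellow": 1, "red": 2}

@dataclass
class MTE:
    """Monitoring tree element: a physical or logical object, possibly with children."""
    name: str
    value: float = None           # last value delivered by the data supplier
    yellow_at: float = None       # yellow threshold (a higher value is worse)
    red_at: float = None          # red threshold
    children: list = field(default_factory=list)
    auto_reaction: object = None  # stand-in for an ABAP report or function module

    def own_alert(self) -> str:
        """Alert derived from this node's own measured value."""
        if None in (self.value, self.yellow_at, self.red_at):
            return "green"
        if self.value >= self.red_at:
            return "red"
        return "yellow" if self.value >= self.yellow_at else "green"

    def alert(self) -> str:
        """Collated alert: the highest alert of this node and its whole subtree."""
        levels = [self.own_alert()] + [child.alert() for child in self.children]
        return max(levels, key=SEVERITY.__getitem__)

def run_auto_reactions(node: MTE, fired=None) -> list:
    """One periodic pass over the tree, calling the reaction of every alerted node."""
    fired = [] if fired is None else fired
    if node.auto_reaction is not None and node.own_alert() != "green":
        fired.append(node.auto_reaction(node))
    for child in node.children:
        run_auto_reactions(child, fired)
    return fired

def notify_admin(mte: MTE) -> str:
    """Hypothetical auto-reaction: the message forwarded to an administrator."""
    return f"{mte.name}: {mte.own_alert()} (value={mte.value})"

def build_sample() -> MTE:
    """Constructed monitoring segment: one SAP instance with three objects."""
    sal = MTE("Security Audit Log: failed logons", value=7, yellow_at=1, red_at=5,
              auto_reaction=notify_admin)
    db = MTE("Database: fill level %", value=85, yellow_at=80, red_at=95)
    syslog = MTE("SysLog: errors", value=0, yellow_at=1, red_at=10)
    return MTE("SAP instance", children=[sal, db, syslog])
```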
SAP CCMS Interfaces
[Diagram: SAP instance 4.x with dispatcher and RZ20, CCMS agent, connected via the Jmon API]
Text file
JAVA API
RFC
XML by means of BC
XML by means of ICM
Wrap Up - CCMS
Monitoring of the entire IT environment
Flexible, universally applicable
Scalable, for SAP and non-SAP systems
Applicable directly after installation
Alerts: forwarded to an administrator; automatic actions on alerts configurable; forwarded to an external intrusion detection system; import of alerts from external intrusion detection systems
Monitors: categorized display of the measured values or alerts; data is displayed in a tree structure; the highest alert is forwarded to the higher levels
Agenda
Audit Information System
Security Audit Log
CCMS
Collaborative Audit Framework
Auditing Web Services
Architecture and interface
Roadmap
Summary
Collaborative Processes – Collaborative Audit
[Diagram: Enterprise Resource Planning on a single database uses a local audit (for example, the Audit Information System); intra-enterprise co-operation with distributed processes (inhouse) needs a distributed audit; collaborative business with collaborative processes needs a collaborative audit]
Auditing Web Services
[Diagram: business servers supply user information, authentication data, process information and system data to the Audit Warehouse, which is built on SAP NetWeaver (SAP Web AS, Web Dynpro, SAP Enterprise Portal, SAP Business Information Warehouse, SAP Exchange Infrastructure)]
Audit Framework Requirements
Basic system functionality should cover the definition of risks and controls and the production of audit alerts
Must meet international standards that work across systems and corporate domains (awareness of different laws)
Deployment should be characterized by a central audit warehouse per business unit
Personalization of data interfaces should be possible
Transactional and workflow information must be captured, for example procurement and tracking the movement of goods
Control Classes
Master data: material and personnel records in the database
Transaction data: changes to the master data, conditions related to processing the master data
Access control: assignment and revocation of user and system privileges; verification of privileges during operation
Customizing / change management: changes to programs and system configuration
Process control: flow control, process optimization
Audit Warehouse: Access to Audit Data
Push + Store: applications write the relevant data into a central audit data pool
Pull + Store: the audit warehouse regularly collects and stores the data
Online Request: the relevant data is obtained online at the time of the audit
Analysis
[Diagram: the scope of the framework spans audit knowledge (control objectives, risk analysis, control classes/controls, evidence, auditing) and technical specification (data types/elements, data gathering; storage, presentation, analysis); the interface specification is XAudML]
Audit Framework Architecture
[Diagram: audited system → Extract → Process → Analyze → View within the Audit Warehouse; standardized interface: XAudML]
Why XML
Portability – Platform, Database and Operating System independent
Standardization: processing, semantics, syntax
Flexibility and Usability
Scalability
Schema: Audit Report Format
[Diagram: schema elements Risk, Control Class (with attributes), Control Solution, Audit Test, Data Class, Data Element, Process, Process Step]
CAF – A Phased Approach
1. Consolidate interface proposal (target Q3/2003): data catalog for the interface prototype; contact OASIS and XBRL; get feedback from EAI producers
2. Standard submission (target Q4/2003): XML prototype for the interface; first tests with evaluation tools; advocates for standardization submission
3. Standard implementation (long-term project): interface implementation in all applications; availability of evaluation tools; interoperability and completeness tests
XAudML
Wrap Up - CAF
Customers need the Audit Framework
Standardizing the interface lowers TCO for customers
Auditing across systems becomes reality
Summary
Currently available for Auditing, Logging and Intrusion Detection in SAP Solutions are:
Audit Information System (AIS)
Security Audit Log
CCMS – Computing Center Management System
Collaborative Audit Framework will provide:
Process audit
Audit of interoperating landscapes
Audit across solutions from multiple vendors
Further Information
Public Web: www.sap.com/netweaver → Key Capabilities → Security
SAP Customer Services Network: www.sap.com/services/
Related SAP Education Training Opportunities (http://www.sap.com/usa/education/): WNA210 R/3 for Auditors; ADM960 Security in SAP System Environment
Consulting Contact: Frank Rambo, NetWeaver Security Consulting ([email protected])
Q&A
Questions?
Please complete your session evaluation and drop it in the box on your way out.
Feedback
Thank You !
The SAP TechEd ’03 Basel Team
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries.
ORACLE® is a registered trademark of ORACLE Corporation.
UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
JAVA® is a registered trademark of Sun Microsystems, Inc.
JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.
SAP, R/3, mySAP, mySAP.com, xApps, xApp and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.
Copyright 2003 SAP AG. All Rights Reserved