Webinar - Critical Security Considerations for Fiori Deployments


Transcript of Webinar - Critical Security Considerations for Fiori Deployments

Page 1: Webinar - Critical Security Considerations for Fiori Deployments

Guidelines for Securing Fiori Solutions

19 October 2014 – BENIMBL.COM

Gary Prewett – Practice Lead SAP Security
Sarah Lottman – Practice Lead SAP User Experience

Page 2: Webinar - Critical Security Considerations for Fiori Deployments

Our curriculum vitae

• Year founded: 2009
• Growth since inception: 14x
• 1 focus: SAP specialized – no other ERP
• Supporting both the Fortune 500 and the midmarket
• 5280: headquartered in the Mile-High City – Denver, Colorado
• 174+ amazing customers… and counting!!
• 100+ consultants strong
• 7+ average years of SAP expertise per consultant
• 15+ market verticals supported
• 98% client satisfaction

Page 3: Webinar - Critical Security Considerations for Fiori Deployments

Our Services

• Fiori: Enhanced and consistent SAP user experience across computer, tablet, and smartphone.
• SAP AMS: Denver-based SAP delivery for break/fix, enhancement, and project work.
• HANA: Harness the power of SAP HANA with the SAP Business Suite on HANA.
• Mobility: Empower your workforce and business via SAP mobilization.
• SAP + HP testing: End-to-end SAP and HP testing services across HP ALM, UFT, LoadRunner, and StormRunner.
• Solution Manager: Run IT like a factory through Solution Manager's ITIL ALM product suite.
• Admin + Infrastructure: Classic Basis, TDMS, LVM, EHP, NetWeaver, and landscape consulting.
• Security: Comprehensive SAP risk mitigation via audit, toolset, or pure consulting services.
• Projects: Delivery from idea through hypercare, whether laser-focused or a complete project.
• Integration: Connect systems via PI, PO, web services, 3rd-party middleware, etc. with seamless connectivity.
• Enhancement pack: Maximize your SAP investment with SAP's latest and greatest functionality via EHP application.
• TDMS: Easily replicate data whenever you want from source to target system (Prod > QA, Prod > Training)!

Page 4: Webinar - Critical Security Considerations for Fiori Deployments

Agenda

1. Fiori and Security Overview
2. Endpoint Security
3. Architecting for Security
4. Security Configuration
5. Authentication and Authorization
6. Secure Software Development
7. More Information

Page 5: Webinar - Critical Security Considerations for Fiori Deployments

Fiori And Security Overview


Page 6: Webinar - Critical Security Considerations for Fiori Deployments

SAP's new user experience technology

Fast facts

• SAP's UI of the future: heavy investments made in SAP Fiori and UI5 to provide a next-generation user experience; 300+ prebuilt applications that run on ERP, CRM, SRM, HANA and more.
• Run anywhere: Fiori runs anywhere – desktop, tablet and mobile devices. Full security of NetWeaver: runs on Mobile Portal, Sybase Unwired Platform and web browser.
• Flexibility: the Enhancement Framework allows modification to suit the customer's needs. Fiori is built on SAPUI5 (whose core is published as the open-source OpenUI5), which gives us the ability to build fully customized Fiori applications.
• Easy branding: the new SAP UI Add-on allows company brands and customer themes easily. Built on open web standards such as HTML5 and CSS3, which allow for full modification.

Page 7: Webinar - Critical Security Considerations for Fiori Deployments

Customizable Apps for a Customized Experience

Page 8: Webinar - Critical Security Considerations for Fiori Deployments

Security Framework: Security Program Scope

• Network Architecture
• Secure Configuration
• Encrypted Communication
• Endpoint Security
• Secure Software Development
• Vulnerability Management
• Authorization
• Authentication
• Track and Monitor
• Regularly Test
• Monitoring
• Maintain Policy


Page 10: Webinar - Critical Security Considerations for Fiori Deployments

Endpoint Security


Page 11: Webinar - Critical Security Considerations for Fiori Deployments

Security Overview – Mobile Threat Trends

Mobile malware
• Remote Access Trojans (RATs) started appearing in 2013 and became increasingly sophisticated in 2014
• Delivered by packaging with a legitimate app
• Java-based delivery via spear-phishing attacks

Mobile threat classifications (2013)
• Track user: 30%
• Steal information: 28%
• Traditional threats (backdoors and downloaders): 20%

Mobile vulnerabilities (2013)
• Apple iOS (iPhone / iPad): 108
• Android: 17
• BlackBerry: 1
• Nokia: 1

Source: Internet Security Threat Report 2014. Symantec, 2014. http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf

Page 12: Webinar - Critical Security Considerations for Fiori Deployments

Mobile Security Management Options

SAP Afaria – Mobile Device Management
• Device and security management
• Incident management capabilities
• Device configuration and support tools
• Fiori Client app provisioning and management
• Granular mobile device security policies

Existing MDM tools can also be leveraged:
• AirWatch
• Good Technology
• McAfee
• Symantec

SAP Mobile App Protection by Mocana
• A compelling option in a "BYOD" environment
• Treats the mobile device as semi-trusted
• Data-at-rest encryption for the SAP Fiori Client application
• Restrictions on device cut-and-paste functionality
• 256-bit encrypted tunnel (to the Fiori Client)
• Remote application wipe capabilities

Page 13: Webinar - Critical Security Considerations for Fiori Deployments

Architecting for Security


Page 14: Webinar - Critical Security Considerations for Fiori Deployments

Infrastructure considerations

[Slide diagram: a tiered network drawing whose labels survive as: Backend Data Sources (ERP, CRM), Afaria Back End, DMZ, three Firewall boundaries, Afaria Server, Web Application Firewall, Web Dispatcher, NetWeaver Gateway. Callouts on the drawing: "You always want to terminate connections and enforce business logic here!" and "Good idea to have" (the rest of that callout is cut off on the slide).]

Page 15: Webinar - Critical Security Considerations for Fiori Deployments

Key Architectural Design Considerations

Firewalls
• Use firewalls to minimize application attack surface areas
• Useful for scoping from an audit perspective

DMZ
• Location to terminate connections originating outside of your four walls
• Some business logic should be enforced here
• Systems here should be treated as semi-trusted

Web Application Firewalls
• Give you real-time visibility into attacks and attack trends
• Can be leveraged to

Web Dispatcher
• Reverse proxy only! Offers absolutely no protection against common application-specific attacks: injection, XSS, XSRF
• That protection has to come from a WAF in front of it and from the application code itself

Page 16: Webinar - Critical Security Considerations for Fiori Deployments

Security Configuration


Page 17: Webinar - Critical Security Considerations for Fiori Deployments

Security Configuration Considerations

Three layers: Endpoint Security, NetWeaver Gateway Security, Application Security.

NetWeaver Gateway Security
• Authentication (can leverage all NetWeaver 7.4 authentication options)
• Standard application server hardening
• Implement gateway services hardening
• Minimize ICF services enabled (can restrict if needed internally using the Web Dispatcher)
• RFC security hardening
• Ensure encryption is enabled for: web traffic, SSO tickets (if in scope), RFC connections
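The Web Dispatcher points made on the architecture slide (it is a reverse proxy, not a WAF) and here (it can still restrict which ICF paths are reachable from outside) are easiest to see side by side in a profile fragment. This is an added example, not configuration from the slides or from SAP; the system ID, host name, ports and file path are illustrative, and the permission-table parameter and file format should be checked against the SAP Help for your kernel release before use (newer kernels attach the same list through icm/HTTP/auth_<xx> with PERMFILE=).

```ini
# --- Weak: plain HTTP accepted, every SICF-enabled path forwarded ---------
icm/server_port_0 = PROT=HTTP,PORT=80
wdisp/system_0 = SID=GWD, MSHOST=gw.internal.example, MSPORT=8100
# no permission table: /sap/bc/soap, /sap/bc/webdynpro, SICF test services
# and anything else active in SICF is reachable from the internet

# --- Hardened: TLS only, re-encrypt to the backend, allowlist Fiori paths --
icm/server_port_0 = PROT=HTTPS,PORT=443
# value 1 = always re-encrypt traffic to the backend
wdisp/ssl_encrypt = 1
wdisp/system_0 = SID=GWD, MSHOST=gw.internal.example, MSPORT=8100
wdisp/permission_table = $(DIR_INSTANCE)/sec/wdisp_ptab.txt

# $(DIR_INSTANCE)/sec/wdisp_ptab.txt (assumed format: P = permit, D = deny,
# first matching line wins, so the deny-all line must come last):
# P /sap/bc/ui5_ui5/*
# P /sap/bc/ui2/*
# P /sap/opu/odata/*
# P /sap/public/*
# D *
```

The allowlist mirrors what a Fiori launchpad actually needs (UI5 resources, launchpad services, OData, public static content); everything else stays reachable only from inside the network, which is what "minimize ICF services" means at the perimeter even when the services themselves are still active in SICF.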

Page 18: Webinar - Critical Security Considerations for Fiori Deployments

Authentication and Authorization


Page 19: Webinar - Critical Security Considerations for Fiori Deployments

Authentication and Authorization Example

[Slide diagram: the same tiered drawing as on the infrastructure slide (ERP, DMZ, Web Dispatcher, NetWeaver Gateway, three Firewall boundaries, Web Application Firewall), annotated with a worked example: user Todd Witter; Gateway credentials: TWITTER; ERP asserted credentials: TWITTER; the arrow from Gateway to ERP is labelled "Credentials asserted".]

Page 20: Webinar - Critical Security Considerations for Fiori Deployments

Authentication and Authorization Assignment Workflow

1. Credentials asserted to Gateway. Auth types supported: Basic, SAML, X.509 certificates.
2. Accepted? If yes, the Gateway application role is assigned (ABAP roles, copied from SAP-delivered roles and modified in PFCG).
3. Credentials asserted to ERP:
   • Trusted RFCs are used
   • With the trust relationship, ERP maps the credentials on Gateway to ERP credentials
   • The security posture for Gateway needs to equal the security posture on the backend! Because the backend accepts the identity the Gateway asserts, whoever controls the Gateway can act as any mapped user.
4. ERP OData roles assigned (ABAP roles, copied from SAP-delivered roles and modified in PFCG).

Page 21: Webinar - Critical Security Considerations for Fiori Deployments

Secure Fiori Development


Page 22: Webinar - Critical Security Considerations for Fiori Deployments

OWASP – A Great Resource to Stay Current

OWASP Top Ten Web Application Vulnerabilities (2013)
• A1 – Injection
• A2 – Broken Authentication and Session Management
• A3 – Cross-Site Scripting
• A4 – Insecure Direct Object Reference
• A5 – Security Misconfiguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control
• A8 – Cross-Site Request Forgery
• A9 – Using Components with Known Vulnerabilities
• A10 – Unvalidated Redirects and Forwards

Best Practices for Fiori Apps
• Follow ABAP best practices (avoid CALL TRANSACTION and kernel calls, don't pass user input into Open SQL statements without validation, etc.)
• Use Code Inspector to catch ABAP-specific vulnerabilities
• Educate Fiori developers on common web application vulnerabilities (train on the "Protecting SAP Applications" guide: https://support.sap.com/content/dam/library/support/support-programs-services/support-services/Protecting-SAP-Apps.pdf)

Page 23: Webinar - Critical Security Considerations for Fiori Deployments

Nimbl does Fiori



Page 25: Webinar - Critical Security Considerations for Fiori Deployments

Fiori Roadmap

Ideal for those customers who want specific pain points addressed

80 hours – mix of onsite/offsite delivery

Outcome:
• Personalized Fiori demo – hands on
• Architecture document
• Recommendations for Fiori applications to be delivered
• Custom Fiori application suggestions – with wireframes
• Specifics on theming and branding to increase usability

Page 26: Webinar - Critical Security Considerations for Fiori Deployments

Fiori jumpstart package

Ideal for those customers who want to rapidly deploy Fiori

6 weeks – mix of onsite/offsite delivery

Outcome:
• Two NetWeaver 7.4 ABAP installations
• Ten SAP-delivered transactional Fiori applications
• Gateway configuration and security hardening
• Configuration of Fiori Launchpad
• Configuration guides with screenshots for each activity
• Fiori development workstation installation guide

Page 27: Webinar - Critical Security Considerations for Fiori Deployments

Connect: Gary Prewett

+1 970 372 [email protected] garyprewett