SAP Security Optimization Services Portfolio

SAP Security Optimization Service Portfolio ensures smooth operation of your SAP solution by taking action proactively, before severe security problems occur.

Best Practices

Keeping the security and availability of your SAP solution high is a tremendous value to your business. Analysis will:

  • Decrease the risk of a system intrusion
  • Ensure the confidentiality of your business data
  • Ensure the authenticity of your users
  • Substantially reduce the risk of costly downtime due to wrong user interaction

The SAP Security Optimization Services Portfolio covers the following topic areas:

Security Overview: this area is best if you are interested in general SAP Security Optimization Services and want an overview.

Security Topics Area: this area gives you an entry point into different topic areas such as “Security Patch Management” or “Security Configuration Analysis”.

Security Services, Tools and Information: this area provides you with an overview and links to further information on service offerings, including information and best practices, tools and self-services, remote and on-site service offerings, and more systematic engagement models.

Advisories

SAP Security Notes Advisory (November 2017)

Security Notes Webinar  (October 2017)

Security Overview


SAP Solution Security Overview

To get an overview on the status of the security of your SAP solution, the recommended first steps are:

More information on our tools, services and recommendations can be found in our SAP CoE Security Services Master Slide Decks:

Getting an overview on the Secure Operations Map

The Secure Operations Map structures the overall topic of secure operations into 5 areas, further broken down into 16 tracks. Each of these tracks gives an overview on the respective topic and on key activities important for secure operations.

The tracks of the Secure Operations Map cover the following topics:

Security Compliance

  • Security Governance: Adopt security policies for your SAP landscape, create and implement an SAP Security Baseline
  • Audit: Ensure and verify the compliance of a company’s IT infrastructure and operation with internal and external guidelines
  • Cloud Security: Ensure secure operation in cloud and outsourcing scenarios
  • Emergency Concept: Prepare for and react to emergency situations

Secure Operation

  • Users and Authorizations: Manage IT users and authorizations including special users like administrators
  • Authentication and Single Sign-On: Authenticate users properly – but only as often as really required
  • Support Security: Resolve software incidents in a secure manner
  • Security Review and Monitoring: Review and monitor the security of your SAP systems on a regular basis

Secure Setup

  • Secure Configuration: Establish and maintain a secure configuration of standard and custom business applications
  • Communication Security: Utilize communication security measures available in your SAP software
  • Data Security: Secure critical data beyond pure authorization protection

Secure Code

  • Security Maintenance of SAP Code: Establish an effective process to maintain the security of SAP delivered code
  • Custom Code Security: Develop secure custom code and maintain the security of it

Infrastructure Security

  • Network Security: Ensure a secure network environment covering SAP requirements
  • Operating System and Database Security: Cover SAP requirements towards the OS and DB level
  • Frontend Security: Establish proper security on the frontend including workstations and mobile devices

The goal of the Secure Operations Map is not to replace the wealth of security-related information from SAP, but to provide an overview and to guide you through that information by referencing more detailed sources, e.g. the SAP Help Portal, the SAP Support Portal, the SAP Community Network or SAP Notes, wherever possible.

The SAP Secure Operations Map introduces the reader to the activities that are important for the secure operation of SAP solutions. The focus on activities (instead of technologies) is meant to give pragmatic answers to questions like "I am in charge of operations ... what shall I do to manage security?”

SAP Security Engagement and Security in the Enterprise Support Academy

An SAP Security Engagement is a joint approach of SAP Active Global Support with a customer over a period of several months to improve the security of the customer's SAP landscape, focusing on the security topic areas most relevant in the customer's specific situation. It is an offering especially available to MaxAttention, Safeguarding and ActiveEmbedded customers.

Such an SAP Security Engagement typically starts with a Security Workshop to agree on the topic areas to be tackled during the engagement. During the subsequent engagement period SAP accompanies the customer to ensure that the Security Workshop not only delivered good results but that a provable positive impact on the security of the customer's SAP landscape is actually achieved. Finally, a Security Verification Workshop wraps up the results of the engagement phase, verifies the achieved security impact and summarizes recommended next steps for the time after the SAP Security Engagement.

For Enterprise Support customers, a lot of information and services, including several Expert Guided Implementation Sessions (EGI), are available in our Enterprise Support Academy and our SAP Enterprise Support Value Map for Security.

Security Topics Area


Security Maintenance/Security Patch Management

Although SAP invests a lot to deliver its products with secure code — see the white paper Secure Software Development at SAP — there remains the need to also deliver security corrections for already released products, due to newly identified flaws or newly known attack patterns. The security maintenance of installed SAP software is therefore key to continuously protecting against new types of attacks and newly identified potential weaknesses.

Based on feedback from customers, partners and SAP user groups, SAP has launched a regular SAP Security Patch Day, scheduled for the second Tuesday of every month — deliberately synchronized with the Security Patch Day of other major software vendors. On these patch days, SAP publishes software corrections as Security Notes that are solely focused on security, to protect against potential weaknesses or attacks. Use Security Notes in the Launchpad -> All Security Notes to get the complete list of all Security Notes. The recommendation is to implement these corrections as soon as possible. Several tools are available to help identify, select and implement those corrections.

You can find a document describing the recommended procedure for each patch day in the current presentation SAP CoE Security Services - Security Patch Process and in the older documents Arbeitspapier SAP Security Patch Day (German) and Working Paper SAP Security Patch Day (English) within the Media Library.

There you find the latest version of the presentation from the Security Notes Webinar and the package with the SAP Security Notes Advisory as well. Both documents get updated monthly.

Overall the generally recommended procedure for each patch day is:

  • Check the updated list of Security Notes
  • Use the tool System Recommendations in SAP Solution Manager to check which security notes are relevant for the various systems of your system landscape
  • Use available tools like the Note Assistant — transaction SNOTE — to apply individual ABAP Security Notes or the Maintenance Optimizer, which now shows a section about required Security Notes as well, to plan the implementation of ABAP Support Packages or Java Patches.
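The relevance check that System Recommendations performs for a landscape can be illustrated in a few lines. The following is an added example, not SAP code and not the logic of System Recommendations itself: each Security Note carries the affected software components with the support package level that first contains the fix, each system carries its installed components and already applied notes, and the script lists the still-open notes per system, ordered by priority. All note numbers, components, releases and support package levels below are constructed placeholders.

```python
"""Added example: match Security Notes against a landscape inventory.

All note numbers, components, releases and support package levels are
constructed placeholders (not real SAP Security Notes).
"""
from dataclasses import dataclass, field

# Sort order for SAP Security Note priorities, most urgent first
PRIORITY_ORDER = {"HotNews": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class AffectedRange:
    component: str   # software component, e.g. "SAP_BASIS"
    release: str     # component release, e.g. "750"
    fixed_in_sp: int  # first support package level that contains the fix


@dataclass
class SecurityNote:
    number: str
    priority: str
    affected: list  # list of AffectedRange


@dataclass
class System:
    sid: str
    components: dict              # component -> (release, installed SP level)
    applied_notes: set = field(default_factory=set)


def is_relevant(note, system):
    """A note is relevant when the system runs an affected component release
    at a support package level below the one that contains the fix."""
    for rng in note.affected:
        installed = system.components.get(rng.component)
        if installed is None:
            continue
        release, sp_level = installed
        if release == rng.release and sp_level < rng.fixed_in_sp:
            return True
    return False


def open_notes(notes, system):
    """Relevant notes that have not been applied yet, most urgent first."""
    pending = [
        n for n in notes
        if is_relevant(n, system) and n.number not in system.applied_notes
    ]
    pending.sort(key=lambda n: (PRIORITY_ORDER.get(n.priority, 99), n.number))
    return [n.number for n in pending]


def landscape_report(notes, systems):
    """Map each system ID to the list of open Security Note numbers."""
    return {s.sid: open_notes(notes, s) for s in systems}


# Constructed sample data (placeholders, not real notes or systems)
NOTES = [
    SecurityNote("N-1", "HotNews", [AffectedRange("SAP_BASIS", "750", 12),
                                    AffectedRange("SAP_BASIS", "740", 20)]),
    SecurityNote("N-2", "High", [AffectedRange("SAP_UI", "753", 5)]),
    SecurityNote("N-3", "Medium", [AffectedRange("SAP_BASIS", "750", 10)]),
]
SYSTEMS = [
    System("PRD", {"SAP_BASIS": ("750", 11), "SAP_UI": ("753", 3)}),
    System("DEV", {"SAP_BASIS": ("740", 21)}),
    System("QAS", {"SAP_BASIS": ("750", 9), "SAP_UI": ("753", 6)}, {"N-3"}),
]

if __name__ == "__main__":
    for sid, numbers in landscape_report(NOTES, SYSTEMS).items():
        print(f"{sid}: {', '.join(numbers) or 'no open Security Notes'}")
```

In a real landscape the inventory would come from the system data in SAP Solution Manager and the note metadata from the Security Notes download; the comparison rule stays the same, which is why keeping "applied" state per system matters: a note that is relevant by version but already implemented via SNOTE must not be reported again.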

Security configuration analysis

These services and tools ensure the maintenance of security configuration settings and changes by periodically reviewing security relevant configuration settings of all systems and installed software components.

You can find a document describing the features and recommended procedures in the presentation SAP CoE Security Services - Check Configuration & Authorization.

The well-known EarlyWatch Alert report displays the most critical security recommendations from SAP. This enables SAP customers to identify problems and take the required measures quickly and easily. See SAP Note 863362 for further details on the security checks in the EWA.

The Security Optimization Service is designed to check the security of your SAP system. This service comprises a system analysis and the resulting recommendations for system settings. It addresses system and customizing settings that impact your system security. It focuses on internal and external system security. To improve the internal security, many critical authorizations of the basis are checked. Moreover, you can verify the findings in your system anytime as described in the document SAP Security Optimization Service – Verifying the Findings. External security is improved by checking the accessibility of your system and the authentication methods used.

The Configuration Validation enables you to determine whether the systems in your landscape are configured consistently and in accordance with your requirements. You can check the current configuration of a system in your landscape using a defined target state (target system) or compare it with an existing system.
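Both modes of Configuration Validation, checking a system against a defined target state and comparing it with another existing system, reduce to a comparison over profile parameters. The block below is an added example (not SAP code, not the Configuration Validation application itself) that parses two constructed parameter dumps, validates them against a small target state expressed as (parameter, operator, expected value) rules, and diffs the two systems against each other. The parameter names are real ABAP profile parameters; the threshold values in the target are illustrative assumptions, not SAP's baseline recommendations.

```python
"""Added example: validate ABAP profile parameters against a target state
and compare two systems. Dumps and target values are constructed."""
import operator

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge, "<=": operator.le}

# Constructed parameter dumps in "parameter value" form, one per line
PRD_PARAMS = """\
login/min_password_lng 6
login/fails_to_user_lock 99
login/no_automatic_user_sapstar 1
rdisp/gui_auto_logout 0
"""
QAS_PARAMS = """\
login/min_password_lng 12
login/fails_to_user_lock 5
login/no_automatic_user_sapstar 1
rdisp/gui_auto_logout 1800
"""

# Target state: (parameter, operator, expected). Values are illustrative
# assumptions for this example, not SAP's baseline.
TARGET = [
    ("login/min_password_lng", ">=", 8),
    ("login/fails_to_user_lock", "<=", 5),
    ("login/no_automatic_user_sapstar", "==", 1),
    ("rdisp/gui_auto_logout", "!=", 0),
]


def parse_params(text):
    """Parse 'name value' lines into a dict; blank and '#' lines are ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        params[name] = value.strip()
    return params


def coerce(value):
    """Profile parameter values arrive as text; compare numerically if possible."""
    try:
        return int(value)
    except ValueError:
        return value


def validate(params, target):
    """Return (parameter, actual, expected rule, compliant) per target rule.
    A missing parameter or a type mismatch counts as non-compliant."""
    findings = []
    for name, op, expected in target:
        actual = params.get(name)
        rule = f"{op} {expected}"
        if actual is None:
            findings.append((name, None, rule, False))
            continue
        try:
            ok = OPS[op](coerce(actual), expected)
        except TypeError:
            ok = False
        findings.append((name, actual, rule, ok))
    return findings


def noncompliant(params, target):
    """Names of parameters that violate the target state."""
    return [name for name, _, _, ok in validate(params, target) if not ok]


def diff_systems(a, b):
    """Compare two systems: parameter -> (value in a, value in b) where they differ."""
    return {
        name: (a.get(name), b.get(name))
        for name in sorted(set(a) | set(b))
        if a.get(name) != b.get(name)
    }


if __name__ == "__main__":
    prd, qas = parse_params(PRD_PARAMS), parse_params(QAS_PARAMS)
    for name, actual, rule, ok in validate(prd, TARGET):
        print(f"PRD {name}: {actual} (target {rule}) -> {'ok' if ok else 'FINDING'}")
    print("PRD vs QAS differences:", diff_systems(prd, qas))
```

Keeping the target state as data rather than code is what lets the same rule set be applied across all systems of the landscape and re-run after each change, which is the point of defining Target Systems from the SAP Security Baseline.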

The SOS covers topics presented in whitepapers like Secure Configuration SAP NetWeaver Application Server ABAP.

Scope of the Security Optimization Self Service for the SAP NetWeaver Application Server ABAP:

  • Basis administration check
  • User management check
  • Super users check
  • Password check
  • Spool and printer authorization check
  • Background authorization check
  • Batch input authorization check
  • Transport control authorization check
  • Role management authorization check
  • Profile parameter check
  • SAP GUI Single Sign-On (SSO) check
  • Certificate Single Sign-On (SSO) check
  • External authentication check

Find the complete list of checks in the following documents in the Media Library:

You can use these documents to compare the checks of the SOS with the checklist which you already use to validate security configuration.

For HANA you find a description of the available services and an overview of the checks in the presentation HANA Security Remote Service Content.

In addition you can view examples showing a formatted report:

To prepare the session, a questionnaire should be filled out. As part of the questionnaire you can add custom checks on critical authorizations. You will find an example of the questionnaire in the document Security Optimization Self-Service - Questionnaire in the Media Library.

The SAP Security Optimization Service is available as a Guided Self Service for ABAP based systems and as a remote service for ABAP and Java systems. In case of an "ABAP on HANA" installation you get the HANA checks automatically as a part of the SOS for ABAP. Currently we do not offer a separate SOS for HANA for a pure HANA database.

There is an interactive demo in this document Guided SOS Self Service - HowTo Guide / Demo (Flash file) within the Media Library. Alternatively you can use the executable document Guided SOS Self Service - HowTo Guide / Demo (EXE). SAP Note 1484124 describes the prerequisites to run the Guided Self Service for ABAP based systems.

It can be used at any time, and is particularly recommended toward the end of the go-live phase. The service is also very useful when preparing for internal and external audits. It can be rerun to make sure that the applied changes to the system configuration were successful and that no new vulnerabilities have appeared.

Additional Resources

You find the documentation including examples and best-practice on SCN:

You find the complete recording of the corresponding TechEd session from 2013 in the Media Library:

Security Services, Tools and Information

Best practices-based security services

SAP enables its customers to protect their business processes through a comprehensive security portfolio turned into services. We take the security chapter of the EarlyWatch Alert as a starting point to offer detailed services, mainly around the Security Optimization Service and the Security Notes which are published on the SAP Support Portal and shown in the application System Recommendations of the SAP Solution Manager.

Combining the results of these services with the existing Security Policy of the company, we define the company’s SAP Security Baseline. This document is then used to define Target Systems for the application Configuration Validation in the SAP Solution Manager. You can either use the cross-system BW reports of that application directly or pass the results to another reporting infrastructure, such as a Management Dashboard within the SAP Solution Manager, Business Objects, GRC Process Control or any other reporting system.

References

Media Library

Title (Type, Changed):

  • SAP Security Notes Advisory (ZIP, 2017-11)
  • Security Notes Webinar (PDF, 2017-10)
  • SAP CoE Security Services - Check Configuration & Authorization (PDF, 2017-02)
  • SAP CoE Security Services - Overview (PDF, 2016-09)
  • SAP CoE Security Services - Secure Operations Map (PDF, 2017-10)
  • SAP CoE Security Services - Security Patch Process (PDF, 2017-02)
  • SAP CoE Security Services - Security Baseline Template Version 1.9 (including ConfigVal Package version 1.9_CV-3) (ZIP, 2017-03)
  • Arbeitspapier - SAP Security Patch Day (German) (PDF, 2012-08)
  • Working Paper - SAP Security Patch Day (English) (PDF, 2012-08)
  • Configuration Validation WIKI (current version see online version) (PDF, 2016-04)
  • EarlyWatch Alert Report - Security Chapter (PDF, 2010-09)
  • EarlyWatch Alert Sample Report (PDF, 2011-06)
  • Factsheet Security Engagement (PDF, 2017-10)
  • Guided SOS Self Service - HowTo Guide / Demo (EXE) (EXE, 2012-01)
  • Guided SOS Self Service - HowTo Guide / Demo (Flash) (SWF, 2012-01)
  • HANA Security Remote Service Content (PDF, 2016-10)
  • RFC Security v1.2 (from 2004-2008) (PDF, 2008-07)
  • SEC204 – Live on Stage: Monthly Security Patch Webinar about System Recommendations on SAP Solution Manager 7.2 (PDF, 2016-11)
  • SIS261 Cross-System Security Validation using SAP Solution Manager 7.1 (Exercises) (PDF, 2014-11)
  • SCI262 Cross-System Security Validation Using SAP Solution Manager 7.1 (PDF, 2014-11)
  • SCI262 Cross-System Security Validation Using SAP Solution Manager 7.1 (Recording) (MP4, 2014-11)
  • SIS264 Securing Remote Access within SAP NetWeaver AS ABAP (PDF, 2012-11)
  • SOS: Get List of ALL Detected Users (PDF, 2015-04)
  • Security Optimization Self Service - Overview (PDF, 2010-05)
  • Security Optimization Self-Service - Questionnaire (PDF, 2013-02)
  • Security Optimization Self-Service - Sample Report for ABAP (PDF, 2016-02)
  • Security Optimization Self-Service - Sample Report for JAVA (PDF, 2016-03)
  • SOS HANA Service Report Example (PDF, 2016-07)
  • Security Optimization Service - ABAP Checks (PDF, 2016-03)
  • Security Optimization Service - JAVA Checks (PDF, 2016-03)
  • Security Optimization Service - Summary (PDF, 2010-05)
  • Security Optimization Service - Watcher Guide (PPT, 2010-06)
  • Verify Users Authorization (PDF, 2012-08)