10.07.2015 Views

DEFENSE IN DEPTH - Layer Seven Security


DEFENSE IN DEPTH: AN INTEGRATED STRATEGY FOR SAP SECURITY

Introduction

The protection of SAP systems against unauthorized access and manipulation demands security measures at multiple levels. According to SAP, this includes measures covering landscape architectures, operating systems and databases, as well as SAP technologies, applications and authorizations.[1]

This white paper outlines an integrated strategy for securing SAP systems based on the principles of Defense in Depth. The strategy is designed to protect the confidentiality, integrity and availability of SAP programs and data through countermeasures applied within each interconnected layer in SAP environments.

These measures are applied across four distinct areas in SAP systems: Application, Platform, Program and Client. The secure configuration and management of these areas lowers the risk of system intrusion, protects the confidentiality of business information and ensures the authenticity of users. Each area is reviewed in detail in the white paper.

NETWORK SECURITY

Defense in Depth is the only practical strategy for information assurance in highly integrated SAP landscapes susceptible to a variety of attacks through numerous access points. The strategy requires the implementation of multiple obstacles between adversaries and their targets. This is designed to lower the risk of a successful attack, contain the impact of a network intrusion and improve the likelihood of detection.

The deployment of nested firewalls coupled with intrusion prevention represents the first line of defense and is an important component of network-level security. However, organizations should not rely exclusively upon such technologies. Both firewalls and intrusion prevention systems can be bypassed by skilled attackers, as evidenced by recent well-publicized data breaches. Firewalls are especially vulnerable. The most common form of network firewall, the stateful packet filter, does not analyze application payloads. Consequently, such filters are ineffective against SAP attacks. Application Gateways provide a greater level of protection and are therefore recommended for high-integrity environments.

Network controls should be balanced with appropriate policies and procedures, physical controls and monitoring through Security Information and Event Management (SIEM) solutions. They should also be supported by technical measures such as encrypted communications, hardened servers, robust programs and effective access controls, designed to protect information resources even if a network is breached.

Table 1.1: Defense in Depth for SAP Systems

  MONITORING
  APPLICATION        Customization; Access Governance
  PLATFORM           NetWeaver AS; Operating System; Database
  PROGRAM            Secure Software Development; Dynamic and Static Code Analysis; Transport Management
  CLIENT             SAP GUI; Web Browser; Desktop Hardening
  PHYSICAL SECURITY
  POLICIES & PROCEDURES

[1] Secure Configuration of SAP NetWeaver Application Server Using ABAP, SAP AG, 2012

LAYER SEVEN SECURITY © 2013
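As an added illustration of the network security point above (example code written for this edit, not from the Layer Seven Security paper): a stateful packet filter decides on addresses, ports and connection state alone, so any bytes on a permitted port pass, whereas an application gateway that parses the HTTP request line can confine access to an allowlist of SAP ICF service paths. The allowlist, addresses and request payloads below are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    """One inbound connection: TCP endpoints plus the first application bytes."""
    src: str
    dst: str
    dport: int
    payload: bytes

# Stateful packet filter: the decision uses only addresses, ports and
# connection state; the payload is never examined.
def stateful_filter(flow, allowed_ports=(443, 8443)):
    return flow.dport in allowed_ports

# Assumed allowlist of SAP ICF service paths the gateway should expose.
ALLOWED_PREFIXES = ("/sap/bc/gui/sap/its/webgui", "/sap/public/bc/ur")

# Application gateway: passes the packet-level check first, then parses the
# HTTP request line and admits only requests to allowlisted service paths.
def application_gateway(flow, allowed_prefixes=ALLOWED_PREFIXES):
    if not stateful_filter(flow):
        return False
    try:
        request_line = flow.payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return False  # not well-formed HTTP: reject rather than guess
    if method not in ("GET", "POST") or not version.startswith("HTTP/1."):
        return False
    path = target.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in allowed_prefixes)

# Constructed sample traffic (not captured from a real system).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.1.20", 443,
         b"GET /sap/bc/gui/sap/its/webgui?sap-client=100 HTTP/1.1\r\nHost: sap\r\n\r\n"),
    Flow("10.0.0.5", "10.0.1.20", 443,
         b"GET /sap/bc/example_unreleased_service HTTP/1.1\r\nHost: sap\r\n\r\n"),
    Flow("10.0.0.5", "10.0.1.20", 443, b"\x00\x01not-http\r\n"),
    Flow("10.0.0.5", "10.0.1.20", 3300, b"GET /sap/bc/gui/sap/its/webgui HTTP/1.1\r\n\r\n"),
]

def compare(flows):
    """Return (packet_filter_verdict, gateway_verdict) for each flow."""
    return [(stateful_filter(f), application_gateway(f)) for f in flows]

if __name__ == "__main__":
    for f, verdicts in zip(SAMPLE_FLOWS, compare(SAMPLE_FLOWS)):
        print(f.dport, f.payload[:40], verdicts)
```

The second and third flows are the ones the paper's argument turns on: the packet filter admits them because the port is allowed, while the gateway rejects them because the payload is either an unlisted service or not HTTP at all.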
