Security Considerations and Certificate Requirements
SAP Business One Cloud Landscape Workshop
Section Objectives

This section of the course will enable you to:
- Understand the security issues that need to be considered in an SAP Business One Cloud Landscape
- Understand the role of certificates in the SAP Business One Cloud Landscape

© 2013 SAP AG. All rights reserved.
An Introduction to Security in the SAP Business One Cloud Landscape

As we are creating an environment that will store the sensitive financial data of your customers, we need to take some security precautions to ensure the integrity and security of that data. To do this you should:
- Ensure the correct configuration of any firewalls that protect your SAP Business One Cloud Landscape, and only open ports that are absolutely required.
- Ensure a suitable password policy is set for cloud users.
- Employ HTTPS/SSL for all network communication.
- Control access to shared folders strictly and without exception.
- Set SAP Business One Managed Authentication in the Cloud Landscape to ensure there is no direct access to the encrypted SQL database.
- Ensure that employees of customers have their access revoked when their employment terminates (put a policy in place with the customer).
Firewalls and Ports

Firewalls form a barrier between the internet and computers on your network:
- Can be software or hardware.
- It filters information coming through and only allows it to pass if it isn't flagged by the filters it uses.
- Filtering can be configured by:
  - IP addresses
  - Domain names
  - Protocols, e.g. HTTP, FTP, SMTP etc.
  - Ports

With firewalls turned on (either within the network or externally) we will need to configure them for certain SAP Business One Cloud functionality.
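The following script is an added example and not part of the SAP workshop material. It applies the slide's advice to the Windows Firewall on one landscape host: default-deny inbound, explicit allow rules scoped by source address and port, and an audit of anything still reachable from any address. The subnets, the host roles and the `$HostRole` parameter are assumptions; only 443 (HTTPS) and 3389 (RDP) are well-known ports, and any other port value must come from your landscape's port diagram.

```powershell
# Added example (not from the SAP workshop material): Windows Firewall baseline for one
# SAP Business One Cloud landscape host. Subnets and host roles are assumptions.
#Requires -RunAsAdministrator
param([ValidateSet('Gateway', 'SLD', 'B1i')][string]$HostRole = 'SLD')   # assumption: set by the deployment script
Import-Module NetSecurity

$InternalSubnet = '10.0.0.0/8'      # assumption: the landscape's internal network
$AdminSubnet    = '10.0.10.0/24'    # assumption: where administrators (via VPN) connect from

# 1. Default-deny inbound on every profile, so only the explicit rules below pass traffic.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

function New-LandscapeFirewallRule {
    # Creates (or recreates) one inbound allow rule limited to a source address range.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string[]]$RemoteAddress,   # 'Any' or one or more CIDR ranges
        [string]$Protocol = 'TCP'
    )
    # Remove a stale rule of the same name so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol $Protocol `
        -LocalPort $Port -RemoteAddress $RemoteAddress -Action Allow `
        -Profile Domain,Private,Public | Out-Null
}

# 2. Rules by host role. Only the Remote Desktop/Citrix Gateway is reachable from outside, and
#    only over HTTPS; the SLD and B1i stay internal-only, as the recommendation slides require.
switch ($HostRole) {
    'Gateway' { New-LandscapeFirewallRule -Name 'B1Cloud-Gateway-HTTPS' -Port 443 -RemoteAddress 'Any' }
    'SLD'     { New-LandscapeFirewallRule -Name 'B1Cloud-SLD-HTTPS'     -Port 443 -RemoteAddress $InternalSubnet }   # placeholder port: see port diagram
    'B1i'     { New-LandscapeFirewallRule -Name 'B1Cloud-B1i-HTTPS'     -Port 443 -RemoteAddress $InternalSubnet }   # placeholder port: see port diagram
}
# Administrative RDP to any role, but only from the admin subnet.
New-LandscapeFirewallRule -Name 'B1Cloud-Admin-RDP' -Port 3389 -RemoteAddress $AdminSubnet

# 3. Audit: enabled inbound allow rules that accept traffic from any address. On every host
#    except the gateway this list should be empty.
function Get-WorldReachableRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        [pscustomobject]@{ Rule = $_.DisplayName; LocalPort = ($port -join ','); RemoteAddress = ($addr -join ',') }
    } | Where-Object { $_.RemoteAddress -eq 'Any' }
}
Get-WorldReachableRule | Format-Table -AutoSize
```

Run it once per host with the matching `-HostRole`; the audit at the end is also useful on its own after any manual change, since a single rule with `RemoteAddress = Any` on an SLD or B1i host undoes the internal-only recommendation.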
Business One Port Diagram

[Port diagram: image not reproduced in this text.]
Password Policies

It is crucial to set a suitable password policy for the data that is being accessed:
- For financial data such as that held in SAP Business One Cloud, a strong password policy should be used to ensure the security and integrity of the data.
- We are using Active Directory to manage our users, which allows for many options when it comes to password policies.

What does a strong password policy consist of?
- How often the password must change
- Characters used, length and complexity of the password
- Minimum and maximum password age
- Password history enforcement

Be careful with the SAP Business One Cloud Service User: it is used across the landscape, and a password change will need to be replicated.
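As an added example (not part of the SAP workshop material), the script below checks the four policy elements listed on the slide against the live default domain policy in Active Directory and can enforce them, and it lists the accounts exempt from expiry, which is where the Cloud Service User usually ends up. It assumes the ActiveDirectory (RSAT) module and rights on the domain; the values in `$Required` are an assumed standard, not SAP's.

```powershell
# Added example (not from the SAP workshop material): audit and optionally enforce the
# default domain password policy used for the cloud users. $Required values are assumptions.
param([switch]$Enforce)
Import-Module ActiveDirectory

$Required = @{
    ComplexityEnabled    = $true                       # characters used / complexity
    MinPasswordLength    = 12                          # length
    MinPasswordAge       = [timespan]::FromDays(1)     # minimum age (stops cycling through the history)
    MaxPasswordAge       = [timespan]::FromDays(90)    # how often the password must change
    PasswordHistoryCount = 24                          # history enforcement
    LockoutThreshold     = 5                           # failed attempts before lockout
}

function Test-DomainPasswordPolicy {
    # Compares the live default domain policy with $Required, one row per setting.
    $policy = Get-ADDefaultDomainPasswordPolicy
    foreach ($setting in $Required.Keys) {
        $actual = $policy.$setting
        $want   = $Required[$setting]
        $ok = switch ($setting) {
            'ComplexityEnabled' { $actual -eq $want }
            # A MaxPasswordAge of 0 means "never expires", which is not compliant.
            'MaxPasswordAge'    { $actual -gt [timespan]::Zero -and $actual -le $want }
            default             { $actual -ge $want }   # LockoutThreshold 0 (no lockout) fails here
        }
        [pscustomobject]@{ Setting = $setting; Actual = $actual; Required = $want; Compliant = $ok }
    }
}

function Get-NonExpiringAccount {
    # Enabled accounts exempt from expiry. The SAP Business One Cloud Service User is typically
    # one of these; each needs a documented rotation procedure, because the new password has to
    # be replicated wherever the account is used across the landscape.
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
}

$report = Test-DomainPasswordPolicy
$report | Format-Table -AutoSize

if ($Enforce -and ($report | Where-Object { -not $_.Compliant })) {
    # Splatting works because the hashtable keys match the cmdlet's parameter names.
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName @Required
}

Get-NonExpiringAccount | Format-Table -AutoSize
```

Without `-Enforce` the script only reports, which is the form to schedule as a recurring check; the non-expiring account list is the input for the Service User rotation plan the slide warns about.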
SSL

SSL (Secure Sockets Layer) provides security for online communications:
- SSL is designed to establish encryption and identity assurance.
- It creates an encrypted link between a server and a computer that is accessing it.
- Ensures that all data passing over the link is private and secure.

The handshake proceeds as follows:
1. Computer requests a secure socket.
2. Server responds with its SSL certificate.
3. Session key is encrypted with the SSL public key and sent to the server.
4. Server indicates all future transmissions are encrypted.
5. Server and computer can send encrypted messages.
Certificates in the SAP Business One Cloud Landscape

To protect communication within the SAP Business One Cloud landscape, and communication to the users, the following certificates are needed:
- Certificates for Windows Remote Desktop Services: required for certain RDS components to operate.
- Certificates for the System Landscape Directory (SLD): on install you can configure the SLD to communicate using HTTPS (Hypertext Transfer Protocol Secure).
Security Configuration Recommendations

- Deploy all network communication using HTTPS/SSL.
  - Protects all communication to prevent man-in-the-middle (MITM) attacks.
  - Install a certificate on all components and enable HTTPS/SSL for all services, e.g. SLD, RDS/Citrix, B1i etc.
- Only expose the RDS and Mobile/Office Integration scenario services (if used) to the outside network, using SSL.
  - Expose as few services outside the network as possible, to reduce the possible points of entry.
  - Install a certificate on all RDS/Citrix services and use a Remote Desktop/Citrix Gateway.
- Only allow access to the System Landscape Directory (SLD) from the internal network.
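The script below is an added example, not code from the SAP workshop. It ties the SSL slide, the certificates slide and the recommendations above together: for each landscape service it performs the client side of the handshake described on the SSL slide, then reports the negotiated protocol and cipher, the certificate's subject, issuer and expiry, and any chain or name-mismatch errors, so that a self-signed or wrong-name certificate on the SLD, gateway or B1i shows up as a finding rather than going unnoticed. The hostnames and the non-HTTPS port are placeholders (assumptions).

```powershell
# Added example (not from the SAP workshop material): verify that every landscape endpoint
# completes a TLS/SSL handshake with a trusted, name-matching, unexpired certificate.
# Hostnames are placeholders; replace them with your SLD, RD Gateway and B1i hosts.
$Endpoints = @(
    @{ Name = 'SLD';        HostName = 'sld.b1cloud.example';  Port = 443 }
    @{ Name = 'RD Gateway'; HostName = 'rdgw.b1cloud.example'; Port = 443 }
    @{ Name = 'B1i';        HostName = 'b1i.b1cloud.example';  Port = 443 }   # placeholder port: see port diagram
)

function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$WarnDays = 30
    )
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    # Record the chain/name verdict but let the handshake finish, so a bad certificate is
    # reported as a finding instead of an exception.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure()
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)                         # 1. computer requests the socket
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)                   # 2-4. certificate, session key, switch to encryption
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $expiresSoon = $cert.NotAfter -lt (Get-Date).AddDays($WarnDays)
        [pscustomobject]@{
            Endpoint    = $Name
            Protocol    = $ssl.SslProtocol
            Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            ChainErrors = $state.Errors      # e.g. RemoteCertificateChainErrors for a self-signed certificate
            Ok          = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None) -and -not $expiresSoon
        }
    } catch {
        # Connection refused, plain HTTP on the port, or a handshake failure.
        [pscustomobject]@{ Endpoint = $Name; Protocol = $null; Cipher = $null; Subject = $null; Issuer = $null
                           NotAfter = $null; ChainErrors = $_.Exception.Message; Ok = $false }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

$results = foreach ($e in $Endpoints) { Test-TlsEndpoint @e }
$results | Format-Table Endpoint, Protocol, Cipher, NotAfter, ChainErrors, Ok -AutoSize
```

Run it from a client in the same position as the users (outside the network for the gateway, inside for the SLD): a result with `Ok = False` and `ChainErrors = RemoteCertificateNameMismatch` or `RemoteCertificateChainErrors` means clients will see certificate warnings, which is exactly the condition that trains users to click through a real man-in-the-middle attempt. A connection that fails outright on the SLD from outside the network is the expected, correct outcome of the last recommendation.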
Security Configuration Recommendations

- Restrict all administration access to the internal network.
  - Use third-party hardware/software to provide a VPN that allows internal access to the SAP Business One Cloud landscape.
- Strictly control shared folder permissions.
  - Any mistake in shared folder permissions could mean users are accidentally able to see other users' data. Set and verify folder permissions at the OS level.
- Select the SBO Managed DB authentication approach for tenants in the Cloud Control Center.
  - Using SAP Business One managed database authentication provides the most secure option and prevents direct access to the database.
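For the shared-folder recommendation, the following added example (not from the SAP workshop material) audits the tenant shares at both the share level and the OS (NTFS) level for the broad grants that let one tenant's users see another's data, and shows how to reset one tenant folder so that only administrators, SYSTEM and that tenant's group hold access. The share root path and the tenant-group naming are assumptions.

```powershell
# Added example (not from the SAP workshop material): audit tenant shares for over-broad
# permissions and reset one tenant folder to a least-privilege ACL. Paths and group names are assumptions.
#Requires -RunAsAdministrator
Import-Module SmbShare

$ShareRoot = 'D:\B1CloudShares'   # assumption: every tenant share lives under this folder
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON')

function Get-BroadShareAccess {
    # Share-level ACL: any Allow entry for a broad principal is a finding.
    foreach ($share in Get-SmbShare | Where-Object { $_.Path -like "$ShareRoot*" }) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $ace.AccountName) {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Level = 'Share'
                                   Principal = $ace.AccountName; Rights = $ace.AccessRight }
            }
        }
    }
}

function Get-BroadNtfsAccess {
    # OS-level ACL: the slide says to set and verify permissions here, not only on the share.
    foreach ($dir in Get-ChildItem -Path $ShareRoot -Directory) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{ Share = $dir.Name; Path = $dir.FullName; Level = 'NTFS'
                                   Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

function Set-TenantFolderAcl {
    # Rebuilds the NTFS ACL of one tenant folder: inheritance off, all explicit entries removed,
    # then only Administrators, SYSTEM and the tenant's own group.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$TenantGroup)
    $acl = Get-Acl -Path $Path
    # Protect from inheritance and discard inherited entries, so grants on the parent cannot leak in.
    $acl.SetAccessRuleProtection($true, $false)
    # Inherited entries are ignored by RemoveAccessRule; explicit ones are dropped.
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $inherit = 'ContainerInherit,ObjectInherit'
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow')
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl', $inherit, 'None', 'Allow')
        New-Object System.Security.AccessControl.FileSystemAccessRule($TenantGroup,             'Modify',      $inherit, 'None', 'Allow')
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Audit both levels; an empty result is the goal.
@(Get-BroadShareAccess) + @(Get-BroadNtfsAccess) | Format-Table -AutoSize

# Example remediation for one tenant (assumption: tenant folders and groups share a naming convention).
# Set-TenantFolderAcl -Path "$ShareRoot\Tenant01" -TenantGroup 'B1CLOUD\Tenant01-Users'
```

The audit is deliberately split into the two levels because the effective permission is the more restrictive of the share ACL and the NTFS ACL; a tight share ACL on top of an NTFS folder that still grants `BUILTIN\Users` read access is the typical mistake the slide describes, and it is only visible in the NTFS pass.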
Summary

In this section we have:
- Understood some of the basic principles of security in a cloud landscape
- Understood the role of certificates in the SAP Business One Cloud Landscape
- Explored some recommendations for the configuration of the SAP Business One Cloud Landscape
© 2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the United States and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries. Oracle and Java are registered trademarks of Oracle and its affiliates. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc. IOS is a registered trademark of Cisco Systems Inc.
RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited. Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc. INTERMEC is a registered trademark of Intermec Technologies Corporation. Wi-Fi is a registered trademark of Wi-Fi Alliance. Bluetooth is a registered trademark of Bluetooth SIG Inc. Motorola is a registered trademark of Motorola Trademark Holdings LLC. Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, ianywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company. Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. 
Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.