SAP Anywhere Security Guide

Transcription

1 SAP Anywhere Security Guide

2 1. Document history Version Date Change Initial version for SAP Anywhere Added Personal Data Protection Information for SAP Anywhere Introduction 2.1. About this Document The Security Guide provides an overview of the security-relevant information that applies to SAP Anywhere Why is Security Necessary? With the increasing use of distributed systems and the Internet for managing business data, demands on security are also on the rise. When using a distributed system, you must ensure that your business processes do not permit unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These security requirements apply equally to SAP Cloud solutions. To assist you in ensuring the security of your SAP Cloud solution, we provide this Security Guide Document Structure The Security Guide contains the following sections: Technical System Landscape This section describes the technical components and communication paths that are used in the solutions. User administration and Authentication This section describes the user administration tools, and the system access and authentication concept that applies to the solutions. Authorization This section describes the authorization concept of the solution. Mobile Applications This section describes mobile applications. Front-End Security This section describes the security mechanisms that apply to the front end. Security of Data Storage and Data Centers This section describes critical data that is used by the solutions, and the security mechanisms that apply. Other Security-Relevant Information This section contains information about service composition security, and internal and external audits. Security-Relevant Logging and Tracing This section describes trace and log files that contain security-relevant information, allowing you to reproduce activities if a security breach occurs.

3 3. Technical System Landscape SAP Anywhere solution is hosted in AWS US for US and UK customers, and China Telecom data center for CN customers. All data centers serving for SAP Anywhere are ANSI/TIA/EIA- 942 Tier III or Tier III+ rated facilities, and certified by ISO 9001 and ISO They provide a solid foundation to SAP Anywhere by plenty of WAN/LAN connection bandwidths and redundancies, and shield against electrical power fault, fire, natural disasters and whether shifts. They are also guarded by CCTV and access control system, ensuring unauthorized people not being able to touch computers used by SAP Anywhere. Since SAP Anywhere deal with business data from your core business processes, Sap adheres to the highest security and quality requirements, as follows: The business data is stored securely in world class data centers. Customers share physical hardware, but their data is separated into tenants. Users who require access to the business data must authenticate themselves, and their identity must be verified by user and access management. Customer data always belongs to the customers. You can access your SAP Anywhere tenant in the following ways: Desktop computer: browser-based Internet access from any network with internet access Portable computer: browser-based Internet access from any network with internet access Mobile devices: Native Apps (for details please refer to chapter 7). Industry best practices and state-of-the-art open cryptographic standards secure and protect communications between customer devices and the system landscapes of your SAP Anywhere solution in the cloud. 4. Security Aspects of Data, Data Flow and Processes 4.1 Communication Channels The table below shows the communication channels used by SAP Anywhere solutions, the protocol used for the connection, and the type of data transferred. Communication Path Web browser acting as frontend client to access the hosted SAP Anywhere system File based import and export of master data and transactional data Protocol Used HTTPS Technology Used OData & REST services Type of Data Transferred Application data HTTPS File transformation Master data, e.g. products, customers, vendors, price lists, etc. Data Requiring Special Protection User IDs, passwords Personal information on customers, vendors, etc.

4 Apple ipad applications (SAP Anywhere for ipad and SAP Anywhere Show and Sell), iphone application (SAP Anywhere Activity Stream) API based communication and application integration HTTPS OData & REST services Transactional data, e.g. sales orders, purchase orders, inventory counting, etc. Application data Business details on sales, purchase, etc. User IDs, passwords, application data SMTP, APIs SMTP server, APIs Application data Confidential data HTTPS REST services Application data Application data and API access token Note SAP Anywhere solutions use port 443 for HTTPS connectivity. 4.2 API based Communication and Application Integration API based communication and application integration refers to the exchange of businessrelated data across administrative domains. SAP Anywhere API enables you to configure the application data exchange between your tenant and a communication partner, who can be a business partner in a B2B/B2C communication scenario or an external system that is used for application integration. SAP Anywhere API provides communication scenarios for both inbound and outbound. Inbound communication defines how business documents are received from a communication partner, whereas outbound communication defines how business documents are sent to a communication partner. SAP Anywhere APIs relies on industry-standard OAuth 2.0 protocol for authentication and authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phone and living room devices.

5 The access token should be generated and included in the HTTP request header to access SAP Anywhere API. OAuth 2.0 access token has a validity period and expire at a defined point in time, as is 12 hours in SAP Anywhere. Note For more information about OAuth 2.0, please see Integration with Private App Private app is the integration channel, that allows you to interact with SAP Anywhere API representing your own tenant. Before using application data exchange for business process, you must create a private app for corresponding communication scenario. To authenticate with SAP Anywhere API using a private app, you need to generate the app with API key, API secret and the refresh token in Apps -> Private Apps page of the backend console, and exchange for the access token according to the guideline. The access token has a validity period of 12 hours. Before expiration, they must be renewed with above credentials. It s the customer s responsibility to protect the access token of the private app, since it reflects the specific details of their integrations scenarios and business data. Note The refresh token of the private app will expire in 3 years, which means you need to create a new app to support your business integration Integration with Public Apps Public apps are the out of the box integration applications built by 3 rd party partners, that re published to SAP Anywhere App Center. Public apps provide extensive integration scenarios to benefit customers business, interacting with SAP Anywhere API for both outbound and inbound communication. You can grant a public app to access your business data via API, by clicking the Install button upon the app to authorize; the public app will exchange for an access token with your authorization and the API key, API secret assigned to it. You can also choose to uninstall a public app in Apps -> Public Apps page, to revoke its access to your application data via API s You can use this function for communication between your system and your customers, in scenarios provided by SAP (for example, order confirmation, online shop registration). In Communication -> Predefined Templates page, you can specify which scenarios you want to use and customized the templates sent to your customers. The SMTP settings or API connection to your service should be configured in advance, in Communication -> Transactional s page. For SMTP settings, you should provide the SMTP server address, port, username and password of your service, enabling SAP Anywhere to send s from your address. You can also authorize SAP Anywhere to connect to your provider API with OAuth protocol as a more secure approach, without inputting your credentials to SAP Anywhere. If SMTP is used, try to use TLS communication protocol which is much secure than PLAIN protocol.

6 5. User Administration and Authentication 5.1 User management User management for SAP Anywhere is in the Users and Roles tab. The following table provides an overview of all activities related to user administration that you can perform as tenant administrator. View Subview Activity Roles & Create and delete roles Authorizations Define access rights in roles Setting (SAP Anywhere) Users and Roles (SAP Anywhere) Users Create and delete users Lock and unlock users Change user password Assign business roles to users Make user be and not be administrator Make user be and not be technical support user 5.2 User Type SAP Anywhere provide the following user types: User Type Description Key User The first user of a tenant, who is responsible for managing the tenant s configuration and user/role etc. Normal User A user type for normal business operation. Key user is able to create normal user as per business needs. Normal users must change their initial password during the first logon. The complexity of the password is determined by the assigned security policy. Support User A user type temporarily used by SAP Support team to access the system as part of incident processing. This kind of user can only be created from SAP Anywhere cloud operation console, and will be expired in 4 hours by default. By default support user has only readonly permission in the tenant. 5.3 User management Every user type must authenticate itself to SAP Anywhere for regular browser-based frontend access, as well as for electronic data exchange, such as Business-to-Business communication. SAP Anywhere does not support anonymous access. When a new user is created in your SAP Anywhere tenant, for example, during the hiring process of a new employee, a user ID is created. The user ID is usually the address of the new user, as SAP Anywhere will send an activation mail to the address, and new user is prompted to set logon password to SAP Anywhere.

7 5.4 Logon Using User ID and Password Users log on to SAP Anywhere with their and password. By default, users must set their initial password during the first logon. You as an tenant key user can set an initial password per the security requirements of your company. If a user has forgotten the password, he or she can request a new one by using the forgot password on the logon screen. A dialog box is displayed where the user must enter the address. Provided address has already been entered for corresponding employee in your tenant, an containing a reset password link is sent to this address. The system then allows user to reset password after clicking the link in the . The password reset link can only be used once. 6. Authorizations 6.1 Authorization Assignment Key user can assign authorizations to each normal user in same tenant of SAP Anywhere. Normal users are assigned to different roles defined by key user. The roles determine functions that the user can use. Based on these functions, business object views are proposed for the users. Some business processes require approval from employees with specific roles. If you work as a key user, you have full functions in SAP Anywhere solution. 6.2 Access Restriction key user can define whether a role has read or write access to a business object, and even create/delete new roles in role setting view. Roles have to be assigned to users in user view so that users get the authorizations. 6.3 Approval process Key user can define approval process in user and roles view. In sales order, purchase order and channel account creation process, key user can define at which stage and how to trigger approval, also who is able to approve the process of the documents. 7. Mobile Applications 7.1 General Information The following table provides information about the mobile devices on which you can run SAP Anywhere. SAP Anywhere Apps SAP Anywhere for ipad SAP Anywhere Show and Sell Device/Operating System iphone/ipad BlackBerry Android Windows Phone Y only for ipad N N N N Y only for ipad N N N Y Offline Support

8 SAP Anywhere Activity Stream Y only for iphone N N N Y Show and Sell app and Activity Stream app support offline mode on ios devices With SAP Anywhere mobile apps, you can access many of the functions that have been tailored to business on-the-run. Changes made on mobile apps are automatically updated in the system over the internet, online, and in real time. Mobile apps connect to the SAP Anywhere solutions in the same way as personal computers do. 7.2 Mobile Apps You can download the mobile apps for SAP Anywhere solutions from the itunes Store. A notification will be displayed on-device when a new version of the app is available for download. 7.3 Authorizations When you use SAP Anywhere mobile apps, you use the same backend system and logon credentials as for desktop applications. In the Settings -> Users and Roles -> Roles & Authorizations page, ensure that the permissions on relative business objects are assigned to the mobile app users, for example: Show and Sell app: Customers, Sales Orders Price Lists, Products, etc. Activity Stream app: Opportunities, Customers, Leads, Products, etc. For more information, see the Managing Roles and Authorizations in the help document center. 7.4 Secure System Access and Authentication Access from mobile devices via the native mobile apps or the device browser(html5) is enabled by connecting to the backend system using HTTPS and the same user and password authentication used for connection from a personal computer. The offline mode for Show and Sell app and Activity Stream app is enabled by default, that no extra configuration is required. You should set up a PIN (personal identification number) code of 4 digits for Show and Sell app and SAP Anywhere for ipad app, and a pattern lock for Activity Stream app after logon using your user name and password, to accelerate your access to the apps without entering your full credentials. 7.5 Change and Reset of Password, PIN Code and Pattern Lock You can only change your password from web browser. Change password: Enter your current password firstly and create a new one in Profile page. Rest password: If you forgot your password, you must reset it using your logon for verification by clicking Forgot password link in the logon page. Password expiration: Your password will expire in 180 days, and you need to create a new one as promoted during logon process.

9 Please note that in above cases, your logon credentials in the apps are deleted; you must enter the updated password and reset the PIN code/pattern lock to use SAP Anywhere mobile apps. Your user name and password will not be persisted in the mobile apps for security concern, instead a security token is generated once your credentials are verified. The security token is stored in the apps and will be valid for 4 weeks; you need to input your user name, password and set up the PIN code or pattern lock again after it s expired. 7.6 Special Considerations Unlike stationary personal computers, mobile devices are at greater risk of being lost or stolen. Therefore, we recommend that you use the security features provided by your mobile device platform. For example: Use an additional, sufficiently long, PIN (personal identification number) to lock the device. Enable remote management software that allows you to lock the device remotely, or wipe data from it. For information on how to operate your mobile device, refer to the device manufacturer s documentation. 7.7 Data Storage The mobile apps for SAP Anywhere store 3 types of data on the mobile device, as outlined below Credentials Retention When logging on to SAP Anywhere from a mobile app, the user is required to provide the user ID and system password. The mobile apps do not store this data, and instead a security token is generated from the backed once the credentials are verified, representing the user s logon session. The security token is encrypted and stored on the mobile device, using the secure storage features provided by the operating system of that device. The security token will be valid for 4 weeks, and user is required to input his user name and password again after it s expired. PIN code or pattern lock will be set up by users after logon, which are also encrypted and stored in secure storage of the mobile devices Cache Files It is sometimes possible to upload pictures and other files from the mobile device to SAP Anywhere mobile apps, for example, pictures captured on a mobile phone s camera. The pictures captured within the apps will not be stored in album of the mobile device; but the files uploaded from the album or the storage of the device are not managed through the SAP mobile apps. To protected sensitive or confidential data that such files may contain, we recommend that you take extra precautions appropriate for the specific mobile device in use. For more information, see the device manufacturer s documentation Offline Mode and Data Encryption For Show and Sell app and Activity Stream app on which offline mode is supported, data is stored on the device and encrypted using SQLCipher. Once the device is online, data is synchronized with the backend system.

10 8. Front-End Security SAP Anywhere front ends consist of Web application user interfaces based on HTML5 technology. HTML is a markup language for the Web. HTML allows you to format text, add graphics, create links, input forms, frames and tables, and save it all in a text file that any browser can read and display. The following features that HTML5 supports are used in SAP Anywhere: X-Frame-options response header to avoid clickjacking attacks Cross-site request forgery (CSRF) protection Cross-site scripting (XSS) protection during rendering For more information, see the security information for HTML5. 9. Other Security-Relevant Information 9.1 Security Management and Continuous Improvement of Security Security Management at SAP Cloud Solutions aims towards the continual improvement of the information security framework. SAP conducts several external audits to make sure that these aims are reached. Certificate/Report Interval Conducted By External penetration test Once a year Third-party security company Internal validation Quarterly SAP security validation Code Scan Daily Industry standard scanning tools PCI DSS Level 1 Once a year Accredited auditing company 10. Personal Data Protection Information 10.1 What is Personal Data? Personal data shall mean any information relating to an identified or identifiable natural person ('data subject'). An identifiable person is one who can be identified, directly or indirectly, according to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, or social identity. Personal data in the SAP Anywhere solution is configured on the Customizing Business Objects page (Settings -> Setup -> Customizing Business Objects). To categorize a field as personal data, in the CRM area, select the relevant module (Lead, Contact, or Customer) and click Fields. In the list of fields, click the relevant field, and in the Edit System Field page, indicate if the particular field contains personal data or not. Only fields with Text type can be marked as personal data. This functionality is available only to Key Users Identifying a Natural Person in the System The Search functionality can be used to identify a natural person in the system. The functionality is available to all system users. The search is performed on the following fields across all business objects: First Name

11 Last Name Remark Phone Cellphone Fax Website Created By / Updated By When searching for a natural person, additional information such as the date of the specific order and amount on the specific order can help narrow down the search. For further actions, the customer identifier that can be found in the Customers page is required Maintaining Personal Data in the CRM Menu Personal data of leads, customers, and contacts can be maintained in the CRM menu, in the following modules: Leads Contacts Customers The fields in these modules allow you to update personal data, such as the delivery address or mobile phone number, based on a customer request. Personal data can also be deleted by leaving the field blank. Documents already issued retain the personal data that was valid at the time of document creation. The association between the customer and document is maintained even after the personal data is deleted Reports on Personal Data According to the data protection initiative, a natural person should be able to obtain a report of all the personal data related to the natural person stored in the system. In SAP Anywhere, this information is provided in the Personal Data Report, which displays all personal data stored in business objects with fields marked as personal data. The report is accessible to Key Users only and can be found in Settings -> Customer Service -> Customer Personal Data Reports. Created reports can also viewed in the Personal Data Reports page. After opening the report, personal data can then be erased Personal Data Retention Period The retention period on a business object specifies how long the business objects will retain the personal data after the data is deleted from the CRM menu. If a natural person initiates the deletion of personal data, the data will be retained until the retention period for the business object expires. The retention period setting can be found in Settings > Customer Service -> Customer Personal Data Retention Rule. The feature is accessible to Key Users only. The retention period is specified in days in numeric format and the default value is 0 days for all business objects. The retention period can be set for the following business objects: Credit Memo Invoice Payment Prepayment Sales Delivery Sales Order

12 Sales Return Shipment 11. Important Disclaimers on Legal Aspects This document is for informational purposes only. Its content is subject to change without notice, and SAP does not warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE. Coding Samples Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence. Accessibility The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document. Gender-Neutral Language As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the thirdperson singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible. Internet Hyperlinks The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. Regarding link classification, see: help.sap.com/disclaimer.