Soteria Security Baseline

Soteria Security Baseline is a rigorous and comprehensive inspection of your SAP® system landscape and configuration, across your IT estate. We examine configuration across the whole SAP® technology stack. We also look at the underlying database and operating system, and then we review security on the network devices. We pay special attention to potentially dangerous admin accounts, and to known points of system weakness such as gateway servers, RFC connections and mobile devices. We check how your data encryption is configured, to see whether there are any vulnerabilities and whether the encryption algorithms are fit for purpose. We look at application, network and database logging to find the best balance of performance, security and traceability. Combining SAP® best practice with that of the UK security industry, we strive to reduce the attack surface, harden the operating system, database and application, and ensure that the right balance of preventive, corrective and detective controls is in place.

We focus our attention broadly on the following 21 controls:

| Control # | Name | Control description or typical actions |
|---|---|---|
| 1 | Configuration of network zones | Review and configure the use of DMZs and firewalls |
| 2 | Network access | SAP Routers, message services, external access using ACLs |
| 3 | Data encryption on networks | SNC and SSL |
| 4 | Attack surface minimisation | Close down unnecessary ports and services, close external access to FMs |
| 5 | Gateway server security | sec_info and reg_info parameter values |
| 6 | RFC destination security | Configure RFC use for user and system accounts |
| 7 | Management of users and profiles | Review standard ABAP users and change passwords. Removal of SAP_ALL. |
| 8 | Lock down access to user, role and authorisations maintenance | Control assignment of UME roles, and RFC admin privileges |
| 9 | System admin access | Review assignments of S_BDC_MONI, S_BTCH_ADM and S_BTCH_JOB |
| 10 | Table maintenance | Authorisation for SE16, SM30, and data dictionary |
| 11 | Transport maintenance | Remove developer keys from production |
| 12 | Network activity logging | Enable SAP Router logging |
| 13 | System event logging | Enable gateway server logging |
| 14 | Table change logging | Logging changes to sensitive tables |
| 15 | Document change logging | Logging changes to sensitive documents |
| 16 | User action logging | Logging UME events |
| 17 | Maintain authentication parameters | Configure SAPGUI client settings |
| 18 | System configuration | Establish configuration evaluation and set up daily check |
| 19 | Software patch management | Maintain ABAP_NOTES config store in Configuration validation |
| 20 | Mobile security | Mobile device configuration and remote wiping & device encryption |
| 21 | Website specific E-commerce security | OWASP Top 10, attack vector appraisal |

The two main deliverables of Soteria’s Security Baseline are the Security Baseline Report and the Configuration Security Document. Together, these two documents highlight the security configuration areas that need attention and provide a step-by-step implementation guide that covers all recommended changes. As a guideline, completing these two documents takes 7-8 weeks. Thereafter, the time-scale for Soteria implementing the required changes will depend on the complexity of the technical environment and the availability of resources.