Soteria Security Baseline is a rigorous and comprehensive inspection of your SAP ® system landscape and configuration, across your IT estate. We examine configuration across all of the SAP ® technology stack. We also look at the underlying database and operating system, and then we review security on the network devices. We pay special attention to potentially dangerous admin accounts, and known points of system weakness like gateways servers, RFC connections and mobile devices. We check how your data encryption is configured, to see if there are any vulnerabilities and whether the encryption algorithms are fit for purpose. We look at application, network and database logging to find the best balance of performance, security and traceability. Combining SAP ® best practice with that of the UK security industry we strive to reduce the attack surface, harden the operating system, database and application, and ensure that the right balance of preventive, corrective and detective controls are in place.
Soteria Security Baseline
We focus our attention broadly on the following 21 controls:
| Control # | Name | Control Description or typical actions |
|---|---|---|
| 1 | Configuration of network zones | Review and configure the use of DMZ's and firewalls |
| 2 | Network Access | SAP Routers, message services, external access using ACLS |
| 3 | Data encryption on networks | SNC and SSL |
| 4 | Attack surface minimisation | Close down unnecessary ports and services, close external access to FMs |
| 5 | Gateway server security | Sec_info and reg_info parameter values |
| 6 | RFC destination security | Configure RFC use for user and system accounts |
| 7 | Management of users and profiles | Reviews standard ABAP users and change passwords. Removal of SAPALL. |
| 8 | Lock down access to user, role and authorisations maintenance | Control assignment of UME roles, and RFC admin privileges |
| 9 | System admin access | Review assignments of S_BDC_MONI, S_BTCH_ADM and S_BTCH_JOB |
| 10 | Table maintenance | Authorisation for SE16, SM30, and data dictionary |
| 11 | Transport maintenance | Remove developer keys from production |
| 12 | Network activity logging | Enable SAP Router logging |
| 13 | System event logging | Enable gateway server logging |
| 14 | Table change logging | Logging changes to sensitive tables |
| 15 | Document change logging | Logging changes to sensitive documents |
| 16 | User action loggging | Logging UME events |
| 17 | Maintain authentication parameters | Configure SAPGUI client settings |
| 18 | System configuration | Establish configuration evaluation and set up daily check |
| 19 | Software patch management | Maintain ABAP_NOTES config store in Configuration validation |
| 20 | Mobile security | Mobile device configuration and remote wiping & device encryption |
| 21 | Website specific E-commerce security | OWSAP Top 10, attack vector appraisal |
The two main deliverables of Soteria’s Security Baseline are the Security Baseline Report, and the Configuration Security Document. These two documents highlight the important security configuration areas of attention, and a step-by-step implementation guide that covers all recommended changes. As a guideline Soteria’s Security Baseline takes 7-8 weeks to complete these two documents. Thereafter the time-scale for Soteria implementing the required changes will depend on the complexity of the technical environment and availability of resources.