How Complete is Your Approach to Security?

Failure to protect your information assets can lead to financial loss and seriously dent your corporate image. To operate securely in today’s business environment, companies must take an integrated, holistic approach to security. In addition to securing computer systems, this approach also involves taking responsibility for security at all levels of your organization – from CEO to the shop floor or back office. Issues such as risk management and network security along with securely programmed solutions, such as those provided by SAP, all play a vital role in protecting your valuable assets.
Whatever measures you take must be proportional to the risk involved. Although many risks will differ depending upon the industry sector or country you operate in, or the size of your enterprise, the main elements to be addressed remain the same. In terms of IT, these elements are:

  • Software life-cycle security
  • Infrastructure security
  • Application security
  • Secure user access
  • Secure collaboration

Software Life-Cycle Security

Figure: Security Solution Map

The concept of software life-cycle security involves developing, implementing, and running software with security in mind. Without secure development processes such as those supported by SAP NetWeaver, companies face the risk of building weaknesses into software during its design, or worse, leaving back doors open for third parties to plant malicious code. The risks apply to SAP applications and to customer code. You can make your systems less vulnerable to manipulation by activating only those services or functions you intend to use, and by following a change-management process that allows careful control of any amendments to your productive environment.

Infrastructure Security

Securing your IT infrastructure involves many things traditionally associated with security, such as setting up and maintaining firewalls, and encrypting communications across the network. To protect against eavesdropping and anyone tampering with information in transit, it’s best to divide your system landscape into zones. This means using a demilitarized zone (DMZ) and firewalls to separate applications accessed from outside the company from sensitive back-end systems. SAP NetWeaver provides a cryptographic library to enable authentication and encryption of communications between servers, which is particularly important in Internet scenarios that connect to live back-end systems. You can also use SAP’s system-management tools to integrate intrusion-detection systems that record irregular activities and detect unauthorized entry.

Application Security

At the application level, the focus of security is likely to center on regulatory compliance in general, and considerations such as data protection and auditing in particular. SAP provides effective auditing capabilities that enable you to comply with the Sarbanes-Oxley Act of 2002, a U.S. law that prescribes better corporate governance, including auditability. These capabilities are provided by the Audit Information System (AIS), which consists of system and application-auditing reports and a framework for customers and consultants to add tools and reports.
Increasingly, however, companies will have to inspect not only the security of their own architecture, but also that of their business partners, because contracts and laws often require proof of a secure environment. That’s why SAP is developing a more comprehensive auditing solution based upon an open framework. This collaborative auditing framework will allow you to audit processes in distributed application landscapes and perform comprehensive audits of various applications and systems.

Secure User Access

Wherever people come into contact with your IT systems, as end users or administrators, access must be regulated. At one extreme, unregulated access presents the opportunity for manipulation. At the other extreme, overregulation can incur huge administrative costs and unnecessarily hamper employees in their daily work. The two main objectives – preventing unauthorized access and providing ease of access for legitimate users – are somewhat contradictory. However, SAP NetWeaver enables you to achieve the right balance between security and ease of use. It does this by providing you with centralized user management functionality, enabling you to concentrate your administrative resources, and functions such as authentication delegation and single sign-on that make life easier for all your employees by saving time and reducing the number of passwords they have to remember.

Secure Collaboration

Collaborative business processes generally take advantage of existing technologies, such as the Internet, that are potentially insecure. Accordingly, it is important to protect individual messages. Using digital signatures, as supported by SAP in cooperation with its network of certified partners, is one way to guarantee the integrity, authenticity, and non-repudiation of individual documents. Moreover, this approach can help save costs by accelerating transaction times and replacing paper-based processes.
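The paragraph above states what a digital signature buys you for an individual document: integrity, authenticity and non-repudiation. The following Go program is an added illustration, not SAP code and not part of the original article; it uses the standard library's Ed25519 implementation and a constructed purchase-order document to show each property: the signature verifies on the unmodified document, fails once a single byte of the body is changed, and fails under any public key other than the signer's. The type and function names are assumptions chosen for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedDocument bundles a business document with the signature its issuer
// attached to it. Constructed for this example; not an SAP data structure.
type SignedDocument struct {
	Body      []byte
	Signature []byte
}

// NewSigner creates an Ed25519 key pair for one business partner. The private
// key never leaves the partner; the public key is what the counterpart keeps.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignDocument signs the document body with the partner's private key.
// Only the holder of that key can produce this value, which is the basis of
// non-repudiation (as long as the private key is actually kept private).
func SignDocument(priv ed25519.PrivateKey, body []byte) SignedDocument {
	return SignedDocument{Body: body, Signature: ed25519.Sign(priv, body)}
}

// VerifyDocument checks integrity (the body is exactly what was signed) and
// authenticity (it was signed by the holder of the private key matching pub).
// Any change to Body, Signature, or the key in use makes this return false.
func VerifyDocument(pub ed25519.PublicKey, doc SignedDocument) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, doc.Body, doc.Signature)
}

// TamperedCopy returns the same signature attached to a different body, which
// is what an attacker who can alter a message in transit would produce.
func TamperedCopy(doc SignedDocument, newBody []byte) SignedDocument {
	return SignedDocument{Body: newBody, Signature: doc.Signature}
}

func main() {
	// Constructed sample document exchanged between two business partners.
	order := []byte("PO-1001;supplier=ACME;item=4711;qty=10;price=250.00")

	supplierPub, supplierPriv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	signed := SignDocument(supplierPriv, order)
	fmt.Println("original document verifies:", VerifyDocument(supplierPub, signed))

	// Integrity: changing the quantity invalidates the signature.
	altered := TamperedCopy(signed, []byte("PO-1001;supplier=ACME;item=4711;qty=100;price=250.00"))
	fmt.Println("altered document verifies: ", VerifyDocument(supplierPub, altered))

	// Authenticity: the signature does not verify under another partner's key.
	otherPub, _, _ := NewSigner()
	fmt.Println("verifies under another key:", VerifyDocument(otherPub, signed))
}
```

The verification step is where the value lies for the receiving partner: it is a cheap, offline check that can be run on every incoming document before it enters a business process, and a failed check is a concrete event worth logging and alerting on.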
One prerequisite for collaborative business is enabling companies to share information about their users and the rights these users have. Another prerequisite involves sharing information at the process level without compromising security. The way to achieve both goals is through industry standards.
SAP is involved in promoting and complying with industry standards, such as Security Assertion Markup Language (SAML) and Web Services Security (WS-Security), to ensure broad interoperability on the security front. SAP is also a sponsor member of the Liberty Alliance Project. Using security technology based upon widely accepted industry standards is not only likely to increase the level of trust placed in your company, but can also help reduce the total cost of ownership (TCO) by simplifying maintenance and lowering the cost of training your employees.

The Weakest Link

Security is like a chain, and a chain is only as strong as its weakest link. There is no point in making some parts of your chain out of cast iron, only to have the links made of tin break under the slightest pressure. This analogy can be helpful when reviewing your security policy and allocating your security budget – to ensure that you don’t over-invest in one area at the expense of another.
Making sure that your IT systems are not unnecessarily vulnerable is an important part of the security equation – a part that you can achieve with SAP’s support. But other parts, such as developing a cohesive security policy and educating employees to take responsibility for their part in the chain (for example, by not writing down their passwords), are neglected at your peril.

Sarah Maidstone