Back by popular demand from last year’s TechEd, the internal SAP Security Department will again participate at SAP TechEd in Las Vegas and Amsterdam.

SIS202 SAP Runs SAP – Remote Function Call: Gateway Hacking and Defense

As RFC Gateway security is so crucial for SAP systems, live hacking of an SAP system by misusing the RFC Gateway will once again be shown. Afterwards, SAP’s own internal security department will provide recommendations on how to protect the RFC Gateway.

The RFC Gateway is the technical component of the SAP NetWeaver Application Server that manages the communication for all SAP Remote Function Call (RFC) based functionality. It runs on every SAP NetWeaver Application Server – ABAP and Java. SAP Global IT successfully implemented the protection measures for the RFC Gateway in a large enterprise environment. As protecting the RFC Gateway can be a challenging task for SAP customers, SAP Global IT wants to demonstrate how “SAP Runs SAP”. We will share information about the internal project and our experience gathered during real-life implementation. Furthermore, ways to design and roll out the RFC Gateway protection will be discussed.

MOB103 SAP Runs SAP – How SAP securely runs its mobile apps infrastructure

Security is one of the essential topics when companies enter the mobile world. SAP itself is one of the biggest adopters of mobile technology, and SAP’s own internal security department will share valuable insights into how mobile and mobile security were introduced.

SAP is one of the world’s largest adopters of mobile technology, running about 40,000 iOS, 16,000 BlackBerry and 5,000 Android devices with more than 50 business apps, of which 30 apps are enabled via SAP Mobile Platform. This session will share experiences from the Global IT Security and operations team, including, for example, connectivity from the Internet, the infrastructure used, software upgrades, IT processes and device management using Afaria. Additionally, the session will demonstrate how SAP’s own internal security departments enabled “Bring your own device (BYOD)” for corporate usage, balancing security vs. business requirements.

EXP10351 EXP10353 SAP Runs SAP Security in SAP HEC

SAP has launched a new offering, SAP HANA Enterprise Cloud (HEC). SAP HEC gives customers the full power of SAP HANA in a managed cloud environment so that customers do not have to implement it on-site. SAP’s own internal security department will give an insight into the HEC security strategy and concepts on the various layers. Security architecture will be discussed alongside topics such as security certifications, processes and monitoring.

Of course, the SAP internal security department is working closely together with SAP Product Development. Accordingly, more interesting SAP security sessions will be presented jointly with SAP Product Development.

SIS260 – RFC Security – Good Bye to SAP_ALL and S_RFC Wild Cards!

Creating roles for remote function call (RFC) scenarios using the old system trace is tedious and error-prone. Technical users in RFC destinations therefore often have full system access with SAP_ALL. There are also many users with authorizations to start all RFC function modules due to unrestricted S_RFC authorizations. This hands-on session will guide you from a set-up with SAP_ALL users in RFC destinations and multiple 10,000 exposed RFC function modules to a system set-up with properly maintained RFC authorizations. We will show you how to do this in existing releases. We will also show you how a new solution called SAP Unified Connectivity disables RFC access to function modules you do not need altogether.

SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

With SAP NetWeaver Application Server for ABAP 7.40, SAP ships a new compliance functionality called read access logging (RAL). With RAL, customers are now able to monitor access to sensitive or critical business data. RAL will help customers adhere to legal compliance laws, legal requirements, and industry standards, as well as to internal requirements to track access to sensitive data. This session will provide information on the use cases and features of read access logging and provide some guidance on how to configure the feature in a customer scenario.

And here is a list of more security-related sessions which must not be missed by any person interested in SAP Security – from my personal point of view!

SIS201 – Security in Different SAP HANA Scenarios – An Overview

SIS204 – Compliant User Provisioning and Segregation of Duties Checks for SAP HANA-Based Environments

SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On

SIS206 – IT Security Governance with SAP Solution Manager and SAP Process Control

And last, but not least, also make sure to visit the SAP Runs SAP booth at the TechEd Showfloor for great discussions on how SAP Runs SAP internally! More details can be found in Eileen’s Blog.

Looking forward to seeing all of you at TechEd Las Vegas!

Bjoern Brencher

Please connect with me on Twitter for more updates.
