Make Your SAP System Landscape More Secure with Solution Manager 7.1!!
Past two weeks had gone very perfect, there were couple folks from business directly connected us for using solution manager for ensuring security of the entire system landscape, it’s because recently they received the information about SAP Security patch process day.
SAP Security Patch process day- What it is?
Security is the very big concern in Today’s SAP environment; we can go for secure installation but without making constant maintenance this is become big challenge, we had recently heard from SAP about SAP Patch process day, it was very simple concept; it’s a one of the very good security strategy.
As per SAP guidance, we could consider every second Tuesday of the month as “Sap Patch Process Day”. It is not kind of release schedule. It’s just creating a much disciplined regular plan for checking the security notes, patch updates, latest releases. It means, creating a dedicated day for checking security related information, review it with your landscape and take action.
SAP Security Patch Process Day – How it is?
With this feature, SAP provides clear workflow for security validation and also make us more discipline by without ignoring any latest security related notes. We have to nominate one of our representatives to sap as security patch contact, later he will be the responsible person to set the “patch day road map” for the methods and tools used for ensuring security in our entire landscape.
Role of Solution Manager
Though we have some generic options for ensuring security like security note search, SAP Solution manager is the major tool. More over Solution manger act as central security check hub for security patch process day. Entire series of security checks on the entire landscape carried out with the help of solution manager.
EWA Reports!! Always Helpful!!
EWA report has the strong recommendation for security related suggestions, like parameter change, DB Patch information; OS level security patch suggestions, Details SAP security release notes, Password risk details and much more.
We could sometime ignore the importance of EWA, but security suggestions in EWA reports are very best approach to make our environment away from security breaches but other potential threats.
Report RSECNOTE
This helps to list the status of implementation very recent sap hot news released from active global support. (Hot news are the top prio1 notes, taken consideration as system crash or major data loss ) .
Change Management- System recommendation
I really wonder, how many of the customers ignoring one of the very finest functionality in solution manager, this is very good feature and made it work and you can visibly see the advantage of missing sap notes in entire system landscape. There are couple of blogs already available to list out its features. Solution Manager System Recommendations feature review
Configuration and validation
This is another feature integrated with solution manager, using this you can compare your current system landscape settings with the SAP Standard latest release/customized target release to get the list of corrections, notes you have been missing in your landscapes. More over it helps to make sure all your the system in your landscape at the same security patch level. Other way it helps for cross system security check comparison too. There are various comparison option available like compare against security notes, hot news and patch notes. More details available here
Security Optimization session
It is one of the expert guided session provided by SAP to directly asses the security of your landscape and provide suggestion for improvement, Its available as self guided services in solution manager. More details refer here.
Other SAP Code Exchange reports for Central Security check
Security Dashboard
Solution manager 7.1 delivers the most efficient and transparent security dashboards, This is available under cross application dashboard apps, we can add to our management dashboard view for display the status.
Interesting Reads
SAP Patch Process Day White Paper
SAP Patch Process Day Over view
List of Z reports from Code Exchange behind all functionality
Lets use all the above mentioned features with in solution manager and make the landscape more secure and safe.
Hi Jansi,
this is an excellent blog and something I have been close to recently.
I'd like to add a few more links to your blog for people interested in this subject.
. Security Patch Process FAQ an excellent all encompassing blog by Frank Buchholz
. Details on SAP Security Patch Process Day are here: https://service.sap.com/securitynotes -> SAP Security Patch Day
. The RSECNOTE is detailed in OSS Note 888889 and Gowrinadh has written an excellent blog on implementing RSECNOTE here
. There is a SAP Hot Notes Priority 1 OSS Notes Service which can be setup on SMP
. SAP Security OSS Notes are now scoring/measuring the risk of vulnerabilities using the Common Vulnerability Scoring System (CVSS)
Thanks for a great blog and best regards,
Andy.
Hi Andy,
Yes, we are very seriously looking to these security supports available in solution manager.
Thanks a lot for sharing your experience and valuable links.
Best regards,
Jansi
Hi Jansi,
thanks.
The biggest lesson I have had this year on Securing SAP Infrastructure and Solutions is that:
. we all need to be more proactive regarding securing our SAP Landscapes
. and as you have blogged we need to implement proactive SAP Security strategies which will revolve around the SAP Security Patching Day, and if necessary a higher frequency of checking the Hot Priority 1 OSS Notes
Many Customers have been reactive regarding securing their SAP Landscapes and the the reactive strategy although not really acceptable, was, possible, because the majority of SAP solutions have been intranet oriented and therefore had the luxury of being inside the securest zone of the Customer's network.
The problem now is, there is really a revolution going on regarding exposing critical SAP Business Infrastructure to the Internet, for Partner connectivity and for remote User connectivity. These Business Demands to expose SAP to the Internet are coming into the SAP Architects at all Customers these days, and securing the access and the SAP systems is becoming priority number one, some of the possibilites for securing the infrastructure are discussed here.
As we can see we're going through a transition from primarily critical SAP Business Systems only being accessed within the luxury and security of the Intranet to these business demands for external Internet access and therefore we all need proactive SAP Security strategies.
Best regards,
Andy.
another thing, not so long ago I published this guidance specifically oriented towards securing SAP Portal which compliments your blog.
All the best,
Andy.
Thank you very much for this strong summary in your blog!
On http://service.sap.com/sos you can find some more detailled presentations in the Media Library:
By the way: On Teched 2013 we currently present (SIS206) about the integration between Configuration Validation and GRC Process Control. You'll find the corresponding presentation in the same media library soon.
Kind regards
Frank
Thanks Jansi, it is very useful information. Some additional features which can be very useful for the companies are the "Root Cause analysis" work center System analysis and Change analysis in End to End analyis. Which helps to figure out what changes happened in the system with mentioned period, and details the changes . This is very useful when we hace scenarios, "It was running yesterday perfectly, but today it is slow, is there any changes in the system". System analysis even can make it possible to compare different systems, for ex comparing production system to Preproduction system and see what difference it have starting from os level
Bijoy Babu
Hi Jansi and Readers,
update and alignment,
RSECNOTE
There is a strict guidance in the SAP Patch Process FAQ Blog, stating:
Do not use RSECNOTE anymore - its content is outdated and incomplete - use System Recommendations!
The same message is confirmed in SEC104 older #SAPtd material.
The recommendation is to use the System Recommendations.
And further more, crystal clear in the OSS Note:
888889 - Automatic checks for security notes using RSECNOTE (outdated)
Best regards,
Andy.
Thanks, Andy, for highlighting this.
Helpful Blog.
Regards,
Saravanan R