For many years, companies have had to allow access to critical business data from outside the corporate network: employees travel on business or work remotely, and partner consultants need access for a new project. On top of this, a newer and more demanding scenario has emerged over the last several years: mobile access. Easy and flexible, it lets users connect and work from anywhere and on any device. All these challenges call for a revision of corporate security policies as well as new security tools that mitigate the newly defined risks effectively.
With the latest support package (SP04) for SAP Single Sign-On, released on Nov. 03, 2014, SAP offers a solution that helps companies mitigate such risks by implementing Risk-Based Authentication, improving security for all critical business processes.
Risk-based authentication lets companies capture and evaluate the circumstances of each authentication centrally, against custom-defined access policies. Depending on the result, access is allowed or denied, or, where necessary, a two-factor authentication step based on a One-Time Password (OTP) is enforced.
Sample scenario:
Security policy of Company “A”: access to HR systems, when requested from outside the corporate network and/or outside normal working hours, is considered very high risk.
Such a risk can be mitigated with risk-based authentication: when the user tries to access the systems from outside the corporate network, or when the time is between 6:00 PM and 9:00 AM in the user's own time zone, two-factor authentication is enforced.
How Risk-Based Authentication Works:
The solution is based on custom-defined access policies. Many companies develop a set of access policies derived from their corporate security standards. The access policies are implemented in a configuration UI or in the SAP NetWeaver Administrator by writing the policy logic in JavaScript. The policy logic is based on a set of contextual information (for example time, origin, authentication method, device, and others) and on the risk the company assigns to particular values of this contextual information.
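The Company “A” scenario and the policy logic described above, as an added example that is not code from the original post and not SAP's access-policy script API: a small JavaScript evaluator that takes the same kind of contextual information (origin, request time, authentication method, target system) and returns allow, deny or require-OTP. The context field names, the decision values, the corporate network ranges and the 09:00-18:00 working-hours window are assumptions for illustration; a real policy script runs inside the Access Policies Engine with its own context object, as documented in the Access Policies Implementation Guide.

```javascript
// Added example, not SAP's access-policy script API. Context field names,
// decision values and network ranges below are assumptions for illustration.

// Constructed policy for Company "A".
const POLICY = {
  corporateNetworks: ["10.0.0.0/8", "192.168.0.0/16"], // assumed internal ranges
  highRiskSystems: ["HR"],                              // systems covered by the rule
  workdayStart: 9,  // 09:00 local time, inclusive
  workdayEnd: 18,   // 18:00 local time, exclusive
};

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if `ip` lies inside the IPv4 CIDR block `cidr`; false for anything unparseable.
function ipInCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const netInt = ipv4ToInt(net);
  if (ipInt === null || netInt === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((netInt & mask) >>> 0);
}

function isCorporateOrigin(ip) {
  return POLICY.corporateNetworks.some((cidr) => ipInCidr(ip, cidr));
}

// Hour of day (0-23) of `date` in the IANA time zone `tz`; null if the zone is unknown.
function localHour(date, tz) {
  try {
    const fmt = new Intl.DateTimeFormat("en-US",
      { hour: "numeric", hour12: false, hourCycle: "h23", timeZone: tz });
    const part = fmt.formatToParts(date).find((p) => p.type === "hour");
    if (!part) return null;
    const h = Number(part.value);
    return h === 24 ? 0 : h; // older engines print midnight as "24"
  } catch (err) {
    return null; // Intl throws RangeError for an invalid time zone
  }
}

// Working hours are evaluated in the user's own zone. An unknown zone counts as
// outside working hours, so the policy fails closed (toward the second factor).
function withinWorkingHours(date, tz) {
  const h = localHour(date, tz);
  return h !== null && h >= POLICY.workdayStart && h < POLICY.workdayEnd;
}

// Evaluate one authentication request. `ctx` carries the contextual information
// the post lists (origin, time, authentication method, target system) and the
// result is { decision: "ALLOW" | "REQUIRE_OTP" | "DENY", reasons: [...] }.
function evaluateAccessPolicy(ctx) {
  if (!ctx || !ctx.user || !ctx.targetSystem) {
    return { decision: "DENY", reasons: ["incomplete authentication context"] };
  }
  if (!POLICY.highRiskSystems.includes(ctx.targetSystem)) {
    return { decision: "ALLOW", reasons: ["target system not classified as high risk"] };
  }
  if (ctx.authMethod === "TOTP") {
    return { decision: "ALLOW", reasons: ["second factor already presented"] };
  }
  const reasons = [];
  if (!isCorporateOrigin(ctx.sourceIp)) {
    reasons.push(`origin ${ctx.sourceIp} is outside the corporate network`);
  }
  if (!withinWorkingHours(ctx.requestTime, ctx.userTimeZone)) {
    reasons.push(`request is outside working hours in ${ctx.userTimeZone}`);
  }
  if (reasons.length > 0) return { decision: "REQUIRE_OTP", reasons };
  return { decision: "ALLOW", reasons: ["corporate network during working hours"] };
}

// Constructed sample requests (a Monday, 2014-11-03).
const SAMPLE_REQUESTS = [
  { user: "jdoe", targetSystem: "HR", authMethod: "PASSWORD", sourceIp: "10.20.30.40",
    requestTime: new Date("2014-11-03T13:00:00Z"), userTimeZone: "UTC" },
  { user: "jdoe", targetSystem: "HR", authMethod: "PASSWORD", sourceIp: "203.0.113.7",
    requestTime: new Date("2014-11-03T13:00:00Z"), userTimeZone: "UTC" },
  { user: "jdoe", targetSystem: "HR", authMethod: "PASSWORD", sourceIp: "10.20.30.40",
    requestTime: new Date("2014-11-03T20:30:00Z"), userTimeZone: "Europe/Berlin" },
  { user: "jdoe", targetSystem: "CRM", authMethod: "PASSWORD", sourceIp: "203.0.113.7",
    requestTime: new Date("2014-11-03T20:30:00Z"), userTimeZone: "UTC" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const req of SAMPLE_REQUESTS) {
    const r = evaluateAccessPolicy(req);
    console.log(`${req.targetSystem} from ${req.sourceIp}: ${r.decision} (${r.reasons.join("; ")})`);
  }
}
```

Two points matter more than the rule itself when a policy like this is deployed. The origin must come from something the engine can trust (the TCP peer, or a forwarding header set only by a proxy under your control); if the policy reads a client-controlled header such as X-Forwarded-For, an attacker simply claims a corporate address. And every unknown value (unparseable address, unknown time zone, missing user) should fall toward the stronger outcome, as above, rather than toward plain allow.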
The access policies are available as an implementation for two authentication methods: the Time-Based One-Time Password Login Module (TOTPLoginModule) and the Identity Provider (IdP) extensions.
When a user tries to log in to a resource where Risk-Based Authentication has been implemented, the authentication request is sent to the Access Policies Engine running on SAP NetWeaver AS Java.
The Access Policies Engine performs the following steps:
How to Implement Risk-Based Authentication:
Risk-Based Authentication requires installation of the SSO AUTHENTICATION LIBRARY 2.0 and configuration that depends on the authentication method.
If you choose to implement authentication with the Time-Based One-Time Password Login Module (TOTPLoginModule), you need to:
For more details, see the Access Policies Implementation Guide, which includes an example access policy script.
Example scripts are also available in SAP Note 2225027 - Policy Scripts for Risk-Based Authentication.
If you choose to implement authentication through an Identity Provider (IdP), you have two options:
Implementation steps include:
For more details, see Configuring Access Policies for Identity Provider Extensions.
Risk-Based Authentication with SAP Single Sign-On:
The new SAP solution that helps companies offer access from anywhere and on any device by controlling and mitigating risk successfully!
See also: Stronger security for your business data at risk (sample access policies included)