ERP & SAP Security in 2010

Become a member of the site to sign up for this event.

07-Sep-2010

As one of the leading business applications in the world, an SAP system is typically a complex environment that serves many business processes and supports a variety of business decisions. It is typically integrated with many other applications and tightly coupled to application servers and networks. As with any environment of this kind, these applications are challenging from an Information Security perspective.
During this seminar we want to focus on the general Information Security challenges with SAP, but also on some of the particular issues typically found at companies that work with SAP environments.
Some of our experts will show and share their experiences from customer environments.

Besides this, we will also look at some of the typical business challenges such as GRC, Identity Management, R/3 Security, Single Sign-On, compliance issues and Web Application Security, next to typical policy challenges such as Segregation of Duties, Access Management and ICT and Business Audit and Controls.

Some of the topics that will be addressed during this seminar :
- R/3 Security, BW Security, Enterprise Portal, CUA
- Single Sign-On
- SOX / SoD
- OSS
- HR Security
- Other SAP applications
- GRC setup
- Identity Management
- Integration with other systems such as MS or Oracle databases and other applications
- Challenges for integration due to mergers or de-mergers
- …

Download the CA SAP Security White Paper: CA Technologies Improving SAP Security CA Identity 2010.pdf

Preliminary Program

9.00 : Registration & Welcome Coffee

9.45 : Introduction & Opening Notes

10.00 : Experiences Securing business information in SAP and managing user access risk effectively: Facing today’s challenges and adopting security standards with good practices, by Wouter Janssen, Axl-Trax

Abstract : Organizations deploying SAP solutions to facilitate their business rely heavily upon the correct processing, manipulation and reporting of business-critical information. Due to the integrated nature of mySAP ERP as well as the interconnectivity and interaction between different components in the information architecture, risk is the keyword that must be properly addressed.
The challenge of securing SAP implementations is not new and dates back to the early 1990s, when the ERP component R/3 became available. Many organizations have developed good practices in securing what is important to them; others have learned the hard way. Business drivers, threats and risk appetite have shifted in recent years, and during this presentation the trends and good practices in managing user access risks effectively will be discussed.

About : Wouter Janssen CISSP CISA CISM CGEIT CFE is a security specialist working as a director for Axl & Trax in Belgium. Working in the security consulting and audit field for many years, he has combined his technical skills and security knowledge with business insight and experience to assist customers in finding tailored solutions for security challenges.
He has over 10 years of professional experience in the areas of IT security, identity & access management, SAP security, governance, compliance and control. He has been involved in and managed large-scale IT security projects and advised various multinationals across Europe.

10.50 : Vulnerabilities of SAP systems : history and trends, by Fred van de Langenberg (ERP Security) and Joris van de Vis

Abstract : A modern SAP system based on the NetWeaver architecture may employ several different software components located on different servers and is connected to the Internet. This means that an SAP NetWeaver system has many more possible entry points or attack vectors than the older R/3 systems, which were not connected to the Internet. Modern SAP systems based on NetWeaver are therefore more exposed and more prone to attacks than their R/3 predecessors.
During this presentation we will look at the evolution of the potential threat vectors in SAP systems, in order to get a better understanding of how we might learn from history and avoid similar mistakes in the future.

About : Fred van de Langenberg has been working as a freelance SAP technical consultant for the past 13 years for various multinationals including Heineken, Shell, Ericsson and Philips. His experience also includes working for IT companies such as Atos Origin, IBM and currently T-Systems. Over the years he has acquired in-depth knowledge of SAP systems through hands-on experience. In addition to being an all-round SAP Basis consultant, he is also a certified ABAP programmer. The introduction of the SAP NetWeaver platform brought new challenges in the field of security, which triggered his interest in SAP platform security.

About : Joris van de Vis has worked in many technical roles. Next to developing and working as a NetWeaver technical consultant, his special interest is the SAP security domain. He helps customers secure their business by hardening their SAP platform, and he is also an SAP vulnerability researcher. Over the past 10 years he has worked for large Fortune 500 companies like Philips and Heineken and has helped several governmental departments with implementing SAP security related solutions.

11.40 : Coffee Break & Networking

12.10 : Building an enterprise-wide GRC solution with the SAP environment at the core, by Chris Van den Abbeele, Atos Origin

Abstract : Organizations today are looking for ways to leverage their investments in SAP by extending their SAP policies to other, non-SAP systems.
This session presents how to extend the reach of SAP Access Control, SAP Process Control and SAP Risk Management to build an enterprise-wide GRC solution that includes non-SAP applications.

In particular, this session covers a solution which spans SAP and non-SAP applications, enforces Role-Based Access Control, alerts in near real time if access to enterprise systems violates business policies, shows how roles granted in SAP can easily be mapped to non-SAP systems and how roles granted in non-SAP systems can be mapped back into SAP, all while respecting defined constraints such as Segregation of Duties and business approvals.

All too often, we see enterprises take a siloed approach to solving tactical issues. When a new compliance regulation, e.g. PCI, arises, a new project is put in place to solve that specific need.

At TechEd on October 13, 2009, SAP and Novell announced the expansion of their global partnership to include the delivery of integrated governance, risk, and compliance solutions. As a dedicated integration partner of both SAP and Novell, Atos Origin is in a privileged position to turn this vision into a working ensemble.

The modular approach presented in this session shows how to drive towards a consistent, sustainable enterprise-wide GRC strategy that reduces risk, lowers costs and provides improved business performance.

About : Chris Van Den Abbeele is Solution Manager for Identity and Security solutions at Atos Origin. He is responsible for defining and managing the Identity and Access Management offering at Atos Origin Belgium. Chris has over ten years experience in designing Identity and Access Management solutions. He has a clear view on the technology, the market and the players. Prior to joining Atos Origin, Chris worked as a Technology Specialist at Novell for about ten years.

13.00 : Walking lunch & Networking

13.45 : Keynote Address : Achieving comprehensive Security for SAP in a Heterogeneous Environment with CA and SAP, Phil Allen, Director Security Practice EMEA, CA Technologies

Abstract : CA and SAP have been long-term partners. This talk will explore how you can achieve comprehensive and effective security for SAP environments that are implemented in a heterogeneous environment.

14.35 : SAP GRC-AC implementation: challenges encountered at customer implementations, by Melissa Dielman, Deloitte Enterprise Risk Services

Abstract : Segregation of Duties conflicts are an ongoing issue in audit reports, particularly in the context of SOX (Section 404) or similar legislation worldwide. SAP’s response consists of the GRC application suite “Access Control (5.3)”. A proper implementation should ensure that typical application-level fraud scenarios are identified and controlled.

Access control over key information assets and SoD compliance are among the most effective safeguards against fraud and mistakes, and a prerequisite for compliance to various regulations. SAP GRC Access Control consists of 4 modules, each with specific functionality to maximize this level of control. In our presentation, we will highlight the functionalities of the components and more important, the way they can efficiently interact together.

While AC projects present few technical challenges, we know the great pitfalls lie elsewhere. The most difficult part of each implementation is the proper alignment of functionality with the enterprise’s (GRC) maturity level. Implementing a GRC application suite is not just implementing another tool; it is implementing a new culture, requiring a lot of input, effort and cooperation from the entire business.
Our best-practice implementation consists of a phased approach. The goal is to evolve gradually from a focus on getting clean to remaining in control of the situation and staying clean. We will list the different phases to go through in order to simultaneously prepare business, IT and audit stakeholders for the ownership of a risk-controlled environment. We will also clarify the need for a diverse implementation team to ensure a successful implementation.
Summarizing, in this session we (Deloitte ERS) will elaborate on our strategy of implementing a suitably customized instance of SAP GRC Access Control. We will include various lessons learned from past implementations, focusing on the different challenges encountered and analysing the root causes of both successful and failing implementation projects.
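As an added example that is not part of the original page and is not Deloitte's or SAP GRC's own code, the report below evaluates a small Segregation of Duties rule set of the kind Access Control ships against constructed user-role and role-transaction assignments. The user IDs, role names and risk IDs are hypothetical; the transaction codes are standard FI codes (FK01 create vendor, FK02 change vendor, FB60 post vendor invoice, F110 payment run). On a live system the two assignment tables would be read from AGR_USERS and AGR_TCODES instead of being built inline. The sample data is set up so that JSMITH, who holds both roles, is reported on both rules while AMUELLER is clean.

```abap
REPORT z_sod_check_demo.
" Added example, not taken from the original page, from Deloitte or from SAP GRC.
" Evaluates a small Segregation of Duties rule set against user/role/tcode
" assignments. All sample data below is constructed inline; on a real system
" the two assignment tables would be read from AGR_USERS and AGR_TCODES.

TYPES: BEGIN OF ty_user_role,
         uname    TYPE xubname,
         agr_name TYPE agr_name,
       END OF ty_user_role,
       BEGIN OF ty_role_tcode,
         agr_name TYPE agr_name,
         tcode    TYPE tcode,
       END OF ty_role_tcode,
       BEGIN OF ty_rule,
         risk_id TYPE c LENGTH 8,
         tcode_a TYPE tcode,
         tcode_b TYPE tcode,
         descr   TYPE c LENGTH 60,
       END OF ty_rule.

DATA: lt_user_role  TYPE STANDARD TABLE OF ty_user_role,
      lt_role_tcode TYPE STANDARD TABLE OF ty_role_tcode,
      lt_rules      TYPE STANDARD TABLE OF ty_rule,
      ls_user_role  TYPE ty_user_role,
      ls_role_tcode TYPE ty_role_tcode,
      ls_rule       TYPE ty_rule,
      " every transaction one user can reach, with the role that grants it
      lt_tcodes     TYPE SORTED TABLE OF ty_role_tcode WITH NON-UNIQUE KEY tcode,
      ls_tcode_a    TYPE ty_role_tcode,
      ls_tcode_b    TYPE ty_role_tcode.

" Constructed sample data (hypothetical users, roles and risk IDs) --------
DEFINE add_user_role.
  ls_user_role-uname = &1. ls_user_role-agr_name = &2.
  APPEND ls_user_role TO lt_user_role.
END-OF-DEFINITION.
DEFINE add_role_tcode.
  ls_role_tcode-agr_name = &1. ls_role_tcode-tcode = &2.
  APPEND ls_role_tcode TO lt_role_tcode.
END-OF-DEFINITION.
DEFINE add_rule.
  ls_rule-risk_id = &1. ls_rule-tcode_a = &2. ls_rule-tcode_b = &3.
  ls_rule-descr = &4.
  APPEND ls_rule TO lt_rules.
END-OF-DEFINITION.

START-OF-SELECTION.
  add_user_role 'JSMITH'   'Z_AP_CLERK'.
  add_user_role 'JSMITH'   'Z_VENDOR_MASTER'.   " second role causes the conflict
  add_user_role 'AMUELLER' 'Z_AP_CLERK'.
  add_role_tcode 'Z_AP_CLERK'      'FB60'.      " post vendor invoice
  add_role_tcode 'Z_AP_CLERK'      'F110'.      " automatic payment run
  add_role_tcode 'Z_VENDOR_MASTER' 'FK01'.      " create vendor
  add_role_tcode 'Z_VENDOR_MASTER' 'FK02'.      " change vendor
  add_rule 'P001' 'FK01' 'FB60' 'Maintain vendor master and post vendor invoice'.
  add_rule 'P002' 'FK01' 'F110' 'Maintain vendor master and run payments'.

  " Evaluation: per user, collect reachable transactions, then test each rule
  SORT lt_user_role BY uname agr_name.
  LOOP AT lt_user_role INTO ls_user_role.
    AT NEW uname.
      CLEAR lt_tcodes.
    ENDAT.
    LOOP AT lt_role_tcode INTO ls_role_tcode
         WHERE agr_name = ls_user_role-agr_name.
      INSERT ls_role_tcode INTO TABLE lt_tcodes.
    ENDLOOP.
    AT END OF uname.
      LOOP AT lt_rules INTO ls_rule.
        " a violation needs both sides of the rule; report the granting roles
        READ TABLE lt_tcodes INTO ls_tcode_a WITH TABLE KEY tcode = ls_rule-tcode_a.
        CHECK sy-subrc = 0.
        READ TABLE lt_tcodes INTO ls_tcode_b WITH TABLE KEY tcode = ls_rule-tcode_b.
        CHECK sy-subrc = 0.
        WRITE: / 'SoD violation', ls_rule-risk_id, 'user', ls_user_role-uname,
                 ':', ls_rule-tcode_a, 'via', ls_tcode_a-agr_name,
                 'and', ls_rule-tcode_b, 'via', ls_tcode_b-agr_name,
               / '   ', ls_rule-descr.
      ENDLOOP.
    ENDAT.
  ENDLOOP.
```

Real Access Control rules are defined at function level (a group of actions) and refined with permission-level conditions on authorization objects such as F_BKPF_BUK; a transaction-code-only screen like this one over-reports users whose roles carry the transaction but not the object values behind it, and under-reports access reached through other transactions or RFC-enabled function modules that perform the same posting. It is nevertheless what most "getting clean" phases start from, and it makes visible which role combination, not just which user, creates the conflict.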

About : Melissa is Senior Manager at Deloitte-ERS in the Security & Data Privacy department. She is responsible for the SAP Security service offerings and leads the team. Over the years Melissa has built solid expertise in SAP authorization management & GRC, having participated in and led projects of different sizes in Belgium and Europe. Her education, interests and working experience give her a combined view on all components of SAP Security management, from business processes, risk & control to the technical implementation.

15.15 : Coffee Break

15.45 : SoX/ SoD or GRC setup, by Paul Albertini, Manager, KPMG

Abstract : Understand and resolve the insecurities in your ERP system. Understand the basic security threats and see a live demo of how insecure some systems can be. Learn how to protect against your vulnerabilities and find some solutions that can also help protect you further in the future.

About : Paul is a manager in the Antwerp practice of KPMG Advisory, specializing in ERP advisory services. In recent years Paul has been involved in several SoD projects, assisting clients with their strategy, building the business case and performing project management activities, as well as developing security policies and procedures. Paul is also a member of the Information Systems Audit and Control Association (ISACA) and a Certified Information Systems Auditor (CISA). Other main certifications he has obtained in his career include SAP Solution Architect and PRINCE2.

16.35 : Aligning access rights in SAP R3 & BW through a uniform authorization concept, by Pieter Lenaerts, Deloitte Enterprise Risk Services

Abstract : Companies have been investing in increased security restrictions, monitoring and ownership in their daily transaction systems, due to the increased attention to good governance in the data and fraud protection area and the growing legislative requirements (SOX, Basel II, ...). To enable this drive, an SAP R/3 environment offers one of the most flexible, and therefore most complex, authorization mechanisms on the market. SAP BW adds to this complexity with an additional security layer controlling access to data.

SAP BW, being mainly a reporting tool, is easily overlooked as a key information provider on business-sensitive data, financial results and HR information. As a consequence SAP BW security is often perceived to be less sensitive, while it is imperative that the access rights between SAP R/3 and SAP BW are aligned across the different authorization environments.

This presentation intends to give a broad audience, from BW project management via BW developers to R/3 authorization specialists, a conceptual overview of the main role design strategies made possible by the new BW authorization mechanisms to secure access to data, and to compare these strategies in the long (operational) run. It will show some of the do’s and don’ts based on hands-on experience aligning authorizations for R/3, BW and SAP Portal. To ensure your BW concept works for your business, we will highlight the different stakeholders and their role in this process.

About : Pieter is Senior Consultant at Deloitte-ERS in the Security & Data Privacy department. Starting as an IT auditor, Pieter has expanded his knowledge of SAP security & GRC to become an expert in this area. He has conducted projects on SAP security within R/3, BI & CRM and specializes in automation of SAP authorization maintenance.

17.00 : ABAP backdoors and compliance killers, by Andreas Wiegenstein, Managing Director & CTO, Virtual Forge

Abstract : Based upon the experience of having reviewed many SAP / ABAP applications, Andreas will present an overview of some of the most common and some of the more interesting security issues found in custom ABAP code: real threats, information leaks and backdoor channels, often arising simply from missing or incorrect authority checks, bypass mechanisms and similar defects.
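The patterns the abstract refers to, side by side in one hypothetical report (an added example, not from the original page or from Virtual Forge): a report that releases a vendor in a company code with no authority check at all, the same report with a check that is present but defeated by a DUMMY field and a hard-coded user-name backdoor, and the hardened form. The program name, form names and the user ID CONSULT01 are made up; F_LFA1_BUK with fields BUKRS and ACTVT is the standard authorization object for vendor master access per company code.

```abap
REPORT z_authcheck_demo.
" Added example, not taken from the original page or from Virtual Forge.
" Hypothetical report that releases a vendor for payment in a company code.
" It shows the patterns the talk refers to side by side: a missing authority
" check, a check that is present but defeated, and the hardened form.
" F_LFA1_BUK (fields BUKRS, ACTVT) is the standard object for vendor master
" access per company code; ACTVT '02' is 'change'.

PARAMETERS: p_bukrs TYPE bukrs,
            p_lifnr TYPE lifnr.

START-OF-SELECTION.
  PERFORM release_checked.

" 1) Missing check: anyone who can start the program (through a transaction
"    code, SA38 or SE38) can release any vendor in any company code. S_TCODE
"    only says the user may start it; nothing scopes the data.
FORM release_unchecked.
  PERFORM do_release.
ENDFORM.

" 2) Compliance killers: the check exists, so a code scan and the ST01 trace
"    look clean, but (a) DUMMY drops the company code from the check, so any
"    user holding F_LFA1_BUK for any company code passes for all of them, and
"    (b) a hard-coded user name bypasses the check entirely.
FORM release_broken.
  IF sy-uname = 'CONSULT01'.        " backdoor left over from a project phase
    PERFORM do_release.
    RETURN.
  ENDIF.
  AUTHORITY-CHECK OBJECT 'F_LFA1_BUK'
    ID 'BUKRS' DUMMY
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization' TYPE 'E'.
  ENDIF.
  PERFORM do_release.
ENDFORM.

" 3) Hardened: check the object that guards the data with the actual values
"    the report is about to act on, evaluate sy-subrc, and stop on failure.
FORM release_checked.
  AUTHORITY-CHECK OBJECT 'F_LFA1_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to change vendors in this company code' TYPE 'E'.
  ENDIF.
  PERFORM do_release.
ENDFORM.

" Placeholder for the business logic (a real program would update the
" vendor's payment block in LFB1); kept to a WRITE so the demo has no side effects.
FORM do_release.
  WRITE: / 'Payment released for vendor', p_lifnr, 'in company code', p_bukrs.
ENDFORM.
```

Two checks worth adding to any ABAP code review follow from this: search custom code for AUTHORITY-CHECK statements whose sy-subrc is never evaluated or that use DUMMY on the field that actually scopes the data, and for comparisons against sy-uname, which almost always mark a bypass. The S_TCODE check at transaction start only proves the user may start the program; the object that protects the data has to be checked inside it, with the values the program is about to act on.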

About : Andreas Wiegenstein has been working as a professional SAP security consultant for 8 years. He has performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications. Andreas has spoken at SAP TechEd on security on several occasions and is co-author of the first book on ABAP security (SAP Press 2009).

17.50 : Panel Discussion

18.30 : Closing Notes, Reception & Networking

19.00 : Close of Event

Practical Details

Auditorium Kasteel, Kasteelpark Arenberg, 3001 Heverlee
Tuesday, September 7th, 2010
Day Seminar : from 10 AM until 6 PM
Free to register for enterprises and industry. Non-SAP customers, systems integrators and consultants (without operational SAP-systems) will be invoiced 150 € (ex VAT) participation fee.

You can also register at : the Eventbrite registration page



Copyright LSEC vzw 2007-2008 with the support of the IWT.

LSEC vzw Kasteelpark 10 - 3001 Heverlee - VAT BE 478 045 395 - fax. +32.16.32.19.69 - info @ lsec.be
