ERP & SAP Security in 2010

Tuesday, September 7, 2010 from 9:00 AM to 6:00 PM (GMT+0100)

Heverlee, Belgium

Ticket Information

Ticket type: LSEC SAP Security Seminar. Status: Ended. Price: Free.

Event Details

http://www.lsec.be/index.php/whats_happening/event/erp_sap_security_in_2010/

ERP & SAP Security in 2010

07-Sep-2010

As one of the leading business applications in the world, an SAP system is typically a complex environment that serves many business processes and supports a variety of business decisions. It is usually integrated with many other applications and tightly coupled to application servers and networks. As with any environment of this kind, these applications are challenging from an Information Security perspective.
During this seminar we want to focus on the general Information Security challenges of SAP, but also on some of the particular issues typically found at companies that operate SAP environments.
Some of our experts will show and share their experiences from customer environments.

We will also zoom in on some of the typical business challenges such as GRC, Identity Management, R/3 Security, Single Sign On, compliance issues and Web Application Security, next to typical policy challenges such as Segregation of Duties, Access Management, and ICT and Business Audit and Controls.

Some of the topics that will be addressed during this seminar :
- R/3 Security, BW Security, Enterprise Portal, CUA,
- Single Sign On,
- SOX/ SoD,
- OSS,
- HR Security
- Other SAP Apps
- GRC setup
- Identity Management
- Integration with other systems such as MS or Oracle databases and other applications
- Challenges for integration due to mergers or de-mergers
- …

Download the CA SAP Security white paper: CA Technologies Improving SAP Security CA Identity 2010.pdf

Preliminary Program

9.00 : Registration & Welcome Coffee

9.45 : Introduction & Opening Notes

10.00 : Securing business information in SAP and managing user access risk effectively: Facing today’s challenges and adopting security standards with good practices, by Wouter Janssen, Axl-Trax

About : Wouter Janssen CISSP CISA CISM CGEIT CFE is a security specialist working as a director for Axl & Trax in Belgium. Working in the security consulting and audit field for many years, he has combined his technical skills and security knowledge with business insight and experience to assist customers in finding tailored solutions for security challenges.
He has over 10 years of professional experience in the areas of IT security, identity & access management, SAP security, governance, compliance and control. He has been involved in and managed large-scale IT security projects and advised various multinationals across Europe.

10.50 : Vulnerabilities of SAP systems : history and trends, by Fred van den Langenburg (ERP Security)

Abstract : A modern SAP system based on the NetWeaver architecture may employ several different software components located on different servers and is connected to the Internet. This means that an SAP NetWeaver system has many more possible entry points, or attack vectors, than the older R/3 systems, which were not connected to the Internet. Modern SAP systems based on NetWeaver are therefore more exposed and more prone to attacks than their R/3 predecessors.
During this presentation we will look at the evolution of the potential threat vectors in SAP systems, in order to get a better understanding of how we might learn from history and avoid similar mistakes in the future.

11.40 : Coffee Break & Networking

12.10 : Keynote Address : Achieving comprehensive Security for SAP in a Heterogeneous Environment with CA and SAP, Phil Allen, Director Security Practice EMEA, CA Technologies

13.00 : Walking lunch & Networking

13.45 : SAP GRC-AC implementation: challenges encountered at customer implementations, by Melissa Dielman, Deloitte Enterprise Risk Services

Abstract : Segregation of Duties conflicts are an ongoing issue in audit reports, particularly in the context of SoX (Section 404) or similar legislation worldwide. SAP’s response consists of the GRC application suite “Access Control (5.3)”. A proper implementation should ensure that typical application-level fraud scenarios are identified and controlled.

Access control over key information assets and SoD compliance are among the most effective safeguards against fraud and mistakes, and a prerequisite for compliance with various regulations. SAP GRC Access Control consists of 4 modules, each with specific functionality to maximize this level of control. In our presentation we will highlight the functionality of the components and, more importantly, the way they can efficiently interact.

While AC projects pose few technical challenges, we know the great pitfalls lie elsewhere. The most difficult part of each implementation is the proper alignment of functionality with the enterprise's (GRC) maturity level. Implementing a GRC application suite is not just implementing another tool; it is implementing a new culture, requiring a lot of input, effort and cooperation from the entire business.
Our best-practice implementation consists of a phased approach. The goal is to evolve gradually from a focus on getting clean to remaining in control of the situation and staying clean. We will list the different phases to go through in order to simultaneously prepare business, IT and audit stakeholders for the ownership of a risk-controlled environment. We will also clarify the need for a diverse implementation team to ensure a successful implementation.
In summary, in this session we (Deloitte ERS) will elaborate on our strategy for implementing a suitably customized instance of SAP GRC Access Control. We will include various lessons learned from past implementations, focusing on the different challenges encountered and analysing the root causes of both successful and failed implementation projects.

About : Melissa is Senior Manager at Deloitte-ERS in the Security & Data Privacy department. She is responsible for the SAP Security service offerings and leads the team. Over the years Melissa has built solid expertise in SAP authorization management & GRC, having participated in and led projects of different sizes in Belgium and Europe. Her education, interests and working experience give her a combined view of all components of SAP Security management, from business processes, risk & control to the technical implementation perspective.

14.30 : SAP Security & Systems Integration : maintaining security through interactive integrations with other applications and systems. Experiences from cases with transport, process industry and finance industries, by Chris Van den Abbeele, Atos Origin

SAP GRC Mashup; a practical solution case, by Chris Van den Abbeele, Atos Origin

Abstract : Enterprises have made significant investments in SAP solutions. SAP GRC solutions have proven to be a cornerstone in automating compliance, managing risk and corporate governance. But those SAP GRC applications are limited to the SAP "domain". This session discusses how to leverage your investments in SAP by extending your SAP policies to other, non-SAP systems. By combining SAP GRC with the Novell Compliance Management platform and Atos Origin's expertise, an enterprise-wide GRC solution can be built that extends the reach of SAP Access Control, SAP Process Control and SAP Risk Management to non-SAP applications.

This solution builds Enterprise Roles by combining roles in SAP systems with roles in non-SAP systems, while respecting defined constraints such as Segregation of Duties and business approvals. Enterprise Roles directly control access to enterprise applications (SAP and non-SAP). Another highlight is the SIEM (Security Information and Event Management) component, which monitors transactions from any connected system (SAP and non-SAP). It normalizes the event data and correlates events in real time to find violations of defined policies. The resulting security alerts are fed into SAP and can trigger an SAP "Risk Assessment and Remediation" (RAR) action or an SAP Process Control (PC) request/approval.

With the modular approach presented in this session, the thought leadership and best-of-breed technology, we can drive towards a consistent, enterprise-wide GRC strategy that reduces risk, lowers costs and improves business performance.
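As an added illustration (not code from the seminar page, nor from SAP, Novell, CA or Atos Origin), the Python sketch below models the two mechanisms this abstract describes: a static Segregation of Duties check over an enterprise role that combines SAP and non-SAP roles, and a SIEM-style pass that normalizes log lines from an SAP-like system and a non-SAP portal into one event schema and correlates them per user to flag conflicts that were actually exercised. The rule ids, role names, transaction-like codes, log formats and sample lines are all constructed for this example.

```python
"""Constructed SoD model: static role check plus cross-system event correlation.
Every identifier below (rule ids, roles, codes, log formats) is an assumption
made for this illustration, not a real SAP or vendor artefact."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed SoD rules: pairs of capabilities one identity must not combine.
SOD_RULES = {
    "SOD-001": ("create_vendor", "approve_payment"),
    "SOD-002": ("create_purchase_order", "post_goods_receipt"),
}

# Constructed mapping from system-specific activity ids to a common vocabulary.
# The SAP-side keys are transaction-code-like strings chosen for the example.
ACTIVITY_MAP = {
    ("SAP", "XK01"): "create_vendor",
    ("SAP", "F110"): "approve_payment",
    ("SAP", "ME21N"): "create_purchase_order",
    ("SAP", "MIGO"): "post_goods_receipt",
    ("PAYPORTAL", "vendors.create"): "create_vendor",
    ("PAYPORTAL", "payments.approve"): "approve_payment",
}

# Constructed role catalogue across both domains; an enterprise role is a
# combination of these. Values are the capabilities each role grants.
ROLE_CAPABILITIES = {
    "SAP:Z_AP_CLERK": {"create_vendor"},
    "SAP:Z_AP_MANAGER": {"approve_payment"},
    "SAP:Z_BUYER": {"create_purchase_order"},
    "PAYPORTAL:approver": {"approve_payment"},
    "PAYPORTAL:reader": set(),
}


def sod_violations(capabilities: set) -> list:
    """Return ids of SoD rules fully matched by one identity's capabilities."""
    return [rid for rid, (a, b) in SOD_RULES.items()
            if a in capabilities and b in capabilities]


def check_enterprise_role(roles: list) -> list:
    """Static check before an enterprise role is approved: union the
    capabilities of its SAP and non-SAP member roles, then test the rules."""
    caps = set()
    for role in roles:
        caps |= ROLE_CAPABILITIES[role]
    return sod_violations(caps)


@dataclass(frozen=True)
class Event:
    ts: str
    system: str
    user: str          # enterprise identity, assumed reconciled across systems
    capability: str


def normalize(line: str) -> Optional[Event]:
    """Map one raw log line to the common schema; None if the activity is unmapped.
    Constructed formats:
      SAP-like: '<ts>|SAP|<client>|<user>|<tcode>'
      portal:   '<ts> system=PAYPORTAL user=<user> action=<name>'"""
    if "|" in line:
        ts, system, _client, user, activity = line.strip().split("|")
    else:
        ts, *kv = line.strip().split(" ")
        fields = dict(item.split("=", 1) for item in kv)
        system, user, activity = fields["system"], fields["user"], fields["action"]
    cap = ACTIVITY_MAP.get((system, activity))
    return Event(ts, system, user, cap) if cap else None


def correlate(lines: list) -> dict:
    """Group normalized events by user across all connected systems and
    report {user: [rule ids]} where both halves of a rule were exercised."""
    by_user = defaultdict(set)
    for line in lines:
        ev = normalize(line)
        if ev is not None:
            by_user[ev.user].add(ev.capability)
    result = {}
    for user, caps in by_user.items():
        hits = sod_violations(caps)
        if hits:
            result[user] = hits
    return result


# Constructed sample input: jdoe creates a vendor in SAP and approves a payment
# through the non-SAP portal, so neither system alone can see the conflict.
SAMPLE_LINES = [
    "2010-09-07T10:15:00|SAP|100|jdoe|XK01",
    "2010-09-07T10:18:00|SAP|100|asmith|ME21N",
    "2010-09-07T10:20:00 system=PAYPORTAL user=jdoe action=payments.approve",
    "2010-09-07T10:25:00 system=PAYPORTAL user=asmith action=vendors.create",
    "2010-09-07T10:30:00|SAP|100|asmith|SM59",   # unmapped activity, ignored
]

if __name__ == "__main__":
    print(check_enterprise_role(["SAP:Z_AP_CLERK", "PAYPORTAL:approver"]))
    print(correlate(SAMPLE_LINES))
```

The point of the two paths is that the same rule table drives both the preventive check (refuse the role combination before provisioning) and the detective one (alert when a reconciled identity actually exercised both halves, even if the two actions happened in different systems); the second path only works if user identities have already been reconciled across domains, which the example simply assumes.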

About : Chris Van Den Abbeele is Solution Manager for Identity and Security solutions at Atos Origin. He is responsible for defining and managing the Identity and Access Management offering at Atos Origin Belgium. Chris has over ten years' experience in designing Identity and Access Management solutions. He has a clear view on the technology, the market and the players. Prior to joining Atos Origin, Chris worked as a Technology Specialist at Novell for about ten years.

15.15 : Coffee Break

15.45 : SoX/ SoD or GRC setup, by Benny Bogaert, KPMG

16.30 : Aligning access rights in SAP R3 & BW through a uniform authorization concept, by Pieter Lenaerts, Deloitte Enterprise Risk Services

Abstract : Companies have been investing in increased security restrictions, monitoring & ownership in their daily transaction systems due to the increased attention to good governance in the data & fraud protection area, and the growing legislative requirements (SOX, Basel II, ...). To enable this drive, an SAP R3 environment offers one of the most flexible, and therefore most complex, authorization mechanisms on the market. SAP BW adds to this complexity with an additional security layer controlling access to data.

SAP BW, being mainly a reporting tool, is easily overlooked as a key provider of business-sensitive data, financial results & HR information. As a consequence, SAP BW security is often perceived to be less sensitive, while it is imperative that the access rights between SAP R3 and SAP BW are aligned across the different authorization environments.

This presentation intends to give a broad audience, from BW project management via BW developers to R3 authorization specialists, a conceptual overview of the main role design strategies made possible by the new BW authorization mechanisms to secure access to data, and to compare these strategies in the long, operational run. It will show some of the do's and don'ts based on hands-on experience aligning authorizations for R3, BW and SAP Portal. To ensure your BW concept works for your business, we will highlight the different stakeholders and their role in this process.

About : Pieter is Senior Consultant at Deloitte-ERS in the Security & Data Privacy department. Starting as IT auditor, Pieter has expanded and increased his knowledge on SAP security & GRC to become a true expert in this area. He has conducted projects on SAP security within R3, BI & CRM and specializes in automation of SAP authorizations maintenance.

17.15 : Secure Software Development for SAP Systems : fixing code-vulnerabilities, by Dr. Markus Schumacher, Virtualforge (tbc)

18.00 : Panel Discussion

18.30 : Closing Notes, Reception & Networking

19.00 : Close of Event

Practical Details

Auditorium Kasteel, Kasteelpark Arenberg, 3001 Heverlee
Tuesday, September 7th, 2010
Day Seminar : from 10 AM until 6 PM
Free to register for enterprises and industry. Non-SAP customers, systems integrators and consultants (without operational SAP systems) will be invoiced a participation fee of 150 € (ex VAT).