SAP – SU24 is the blueprint for your security setup

A key element in maintaining SAP roles correctly is knowing how your transactions and authorization objects are linked. In technical terms, this is SU24. It is an aspect that many underestimate, mainly because it is hard to get a grip on. With this post I want to clarify why it is important to use and which aspects need to be taken into consideration – in coming posts I will take a deep dive into each of the aspects.

1) Why is an updated SU24 base important?

The only place where transaction codes are linked to authorization objects and suggested values is SU24. You can use this information for a number of things, but an updated SU24 database is especially important during maintenance of roles, because how will you otherwise know which objects and values to add to your roles? If you don’t update SU24, you might as well not use PFCG and just create profiles.

The following areas emphasize why this is an important topic.

2) Understand and use the authorization object status in connection with PFCG

The status of the authorization objects inside each role has a clear meaning. If you don’t understand the message each status represents, you will run into problems with maintenance. In particular, you need to keep an eye on objects with status Changed or Manual – but more on this in a coming post :)

3) Build a process for reviewing roles after each SU24 update

Once you have a handle on SU24 and the authorization object statuses, you need a process for reviewing all roles containing the transactions that have been updated in SU24. This includes updates you make during daily maintenance and housekeeping, but also when you upgrade the system. Only by reviewing and updating all affected roles will you have full control over your concept. In another coming post, I will dive into the details of how to use the role maintenance options on the authorization folder in PFCG.

4) Information is king

Once SU24 is fully updated, utilize the information any way you can. I often use the information to identify currently used authorization objects, obsolete custom-developed objects, optimization of testing and many other things. In any case the foundation is an updated SU24 database.

Windows security vulnerability

Yesterday I was working late, so when I tumbled into my bed I forgot to close my laptop. The next morning I was in a hurry to get out of the door, so I just used the power off button. Surprisingly enough my laptop did not turn off; it went into Windows – without any password or other form of authentication!

So of course I checked my settings, and the password protected screensaver was on.

Being a security nerd I had to try again later that day… surprise surprise, same result. I can open the laptop without entering a password. After some testing I found the following prerequisites for the security vulnerability to appear.


  1. Windows 7 operating system
  2. A number of resource consuming programs need to be running. I have tested while having Excel, Word, PDF, PowerPoint, Chrome, Outlook and Windows Explorer running simultaneously
  3. The automatic screen saver must start on its own, as soon as a single key has been clicked the security hole is closed

If all of this is in place you simply do the following to open the laptop without a password.

  1. Make sure only to click the off key – if you click any other key the laptop will be locked
  2. With the screensaver on, hold the power off button to close the laptop
  3. Once the task manager in Windows opens, quickly click Cancel in the close program popup box
  4. You are now in Windows without a password!

To protect yourself against this, make sure to always lock your laptop manually before leaving it unattended.

IAM Use Cases, why is “retainer” always missing?

I keep getting surprised about the 3 standard use cases everyone talks about; joiner, mover, leaver (JML). Everyone in the IAM sphere seems to have the same idea. Try a quick Google search and you will find many descriptions of the 3 areas. Just take the below.

It seems that joiner, mover, leaver is the foundation… or is it?

In my world it is a bit more diverse than that, especially if you also look into the time consumption within each use case. What I am trying to tell you is that an important and time consuming use case is usually missing – the retain use case.

From my point of view the following use cases are needed by everyone looking into an identity & access management solution.

  1. Joiner – How new people joining your organization are granted accesses
  2. Retainer – The illegitimate child, covering in particular governance activities
  3. Mover – When people move around inside your organization
  4. Leaver – How to handle people leaving the organization

The retain use case

In my world, retainment of employees needs to be a separate use case area in any IAM solution. All other areas cover when something changes for the people in the organization; when they are hired, change position inside the organization or leave. But what happens when nothing changes for the employee?

Nothing, right?

But what if the same person has the same job over a 10-year period. Does nothing actually change for that employee? Just think what you were working on 10 years ago; not the same as today, right? But if no attributes are changed for a person, it is not a given that the IAM solution will capture the employee’s development. Hence the retainment use case becomes relevant.

What should be included in the retainment use case?

When talking about the retainment use case, I suggest that you at least evaluate the following use cases.

  • Periodic certification of accesses and SoD violations
  • Periodic certification of job role content
  • Employee development without attribute changes

SAP: Password wizard

Out of the box SAP only accepts password based logon as the mechanism for authentication. But the standard password wizard in SAP gives you a generated password containing about 40 characters – incl. special characters, capital letters and other complexity mechanisms.

So to use the standard password wizard is more or less impossible. Or is it…

Table PRGN_CUST gives you the possibility of customizing the rules for the password wizard. So you can now control the rules for a default generated password, meaning that it becomes usable for the administrators and the end users can actually read the password.

The following parameters can be used within table PRGN_CUST:

  • GEN_PSW_MAX_DIGITS
  • GEN_PSW_MAX_LENGTH
  • GEN_PSW_MAX_LETTERS
  • GEN_PSW_MAX_SPECIALS

At the same time, remember to review the rules for illegal passwords. They are implemented in table USR40 :)
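To show how the two tables interact, here is an added Python example (not SAP code and not from the post): a generator that stays inside PRGN_CUST-style limits using the four parameter names above, and a USR40-style illegal-password check that the generator must also pass. The parameter values, the USR40 patterns and the reading “at most N characters of each class, total length capped” are constructed assumptions, since the page does not show how SAP’s wizard applies them.

```python
import re
import secrets
import string
# Constructed example of the PRGN_CUST parameters named in the post. The values are
# made up, and the page does not show how SAP's wizard applies them, so the reading
# "at most N characters of each class, total length capped" is an assumption.
PRGN_CUST = {
    "GEN_PSW_MAX_LENGTH": 10,
    "GEN_PSW_MAX_DIGITS": 3,
    "GEN_PSW_MAX_LETTERS": 6,
    "GEN_PSW_MAX_SPECIALS": 1,
}

# Constructed USR40-style illegal-password patterns: * matches any sequence, ? one character.
USR40 = ["*pass*", "welcome?", "SAP*", "init????"]
SPECIALS = "!$%&/()=+-_#"

def usr40_to_regex(pattern):
    """Translate one USR40 pattern into an anchored, case-insensitive regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)

def is_illegal(password, patterns=USR40):
    """True if the password matches any USR40 pattern (the wizard must never emit one)."""
    return any(usr40_to_regex(p).match(password) for p in patterns)

def class_counts(password):
    """Return (digits, letters, specials), the three classes PRGN_CUST limits."""
    digits = sum(c.isdigit() for c in password)
    letters = sum(c.isalpha() for c in password)
    return digits, letters, len(password) - digits - letters

def generate_password(cust=PRGN_CUST, patterns=USR40):
    """Build a password inside the PRGN_CUST limits that also passes the USR40 check."""
    n_spec = cust["GEN_PSW_MAX_SPECIALS"]
    n_dig = cust["GEN_PSW_MAX_DIGITS"]
    # Letters fill whatever length budget remains, up to their own cap.
    n_let = max(0, min(cust["GEN_PSW_MAX_LETTERS"], cust["GEN_PSW_MAX_LENGTH"] - n_spec - n_dig))
    while True:
        chars = ([secrets.choice(SPECIALS) for _ in range(n_spec)]
                 + [secrets.choice(string.digits) for _ in range(n_dig)]
                 + [secrets.choice(string.ascii_letters) for _ in range(n_let)])
        secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed ordering
        candidate = "".join(chars)[: cust["GEN_PSW_MAX_LENGTH"]]
        if not is_illegal(candidate, patterns):
            return candidate

if __name__ == "__main__":
    print(generate_password())
```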

IAM temperature check by Deloitte

Based on 19 current IAM projects around the globe, Deloitte Australia created a temperature check on the IAM market. It’s not a very comprehensive report, but it gives a good indication of how the IAM market and the current projects are dealing with the growing challenges of identity and access management.

I can see three important conclusions from the report.

  1. Even though many organizations are trying to involve the line of business, IAM remains an IT challenge. In particular, the CISO has IAM within his domain of responsibility. Just as interesting, IT is also the main source of funding for the IAM projects
  2. IAM is still a matter of getting users onto the system; governance around e.g. SoD is only in place for about 50% of the IAM projects
  3. When looking at the software solutions we are still looking at a very diverse landscape. No supplier really has a tight hold on the clients. The study shows that all of the main IAM suppliers have more or less the same number of projects

http://www2.deloitte.com/dk/da/pages/risk/articles/Temperaturmaaling-paa-Identity-Access-Management-omraadet.html

I am an E N F P!!!

I just finalized my second Myers-Briggs type indicator test. It turns out that I am an E N F P. Nice to know, but what does it mean to be an E N F P… I found the below description on the myersbriggs.org site:

Warmly enthusiastic and imaginative. See life as full of possibilities. Make connections between events and information very quickly, and confidently proceed based on the patterns they see. Want a lot of affirmation from others, and readily give appreciation and support. Spontaneous and flexible, often rely on their ability to improvise and their verbal fluency.

I also found this amazing description on the www.personalitypage.com/ENFP.html site:

ENFPs are warm, enthusiastic people, typically very bright and full of potential. They live in the world of possibilities, and can become very passionate and excited about things. Their enthusiasm lends them the ability to inspire and motivate others, more so than we see in other types. They can talk their way in or out of anything. They love life, seeing it as a special gift, and strive to make the most out of it.

All in all it sounds great!!!… but

Then I started thinking about who else has the same type as me and how they compare. I found a great collection of “personality friends“. Bill Cosby, Ellen DeGeneres, Robin Williams, Walt Disney and Will Smith, just to mention a few. More interesting is that I found other interesting people like Hugo Chavez, Muammar Gaddafi and Fidel Castro.

So to sum up, I share personality traits with the guy who invented Mickey Mouse, a talk show host and at least one dictator… hmmmm


If you know your MBTI type please add it as a comment – maybe we are more than one E N F P…

How many RFC connections do you have and which users authorize the connections?

Management of RFC usually lives its own life – sometimes under stringent control, but more often without any or highly limited control or documentation.

In a new environment it is easy to start in the right way with a controlled solution. But how do you start the analysis of which RFC connections actually exist and, from a security perspective, which users authorize the connections?

Good news: SAP actually offers a standard report to collect and present all the information. The report can be executed using the standard transaction code RSRFCCHK.

Once you have executed the report on every system, you have a good starting point for aggregating the information across your entire SAP environment. The combined information will give you a unique insight into not only which connections actually exist, but also which users authorize the connections and thereby the authorizations each of them carries.

Happy RFC hunting!

Oracle and IAM

Last week I had the pleasure of participating in the Oracle partner forum for Identity Management in Berlin. A number of exciting solutions and roadmaps were presented. It was very impressive to see the full IAM package that Oracle has put together.

Of course some topics were more interesting than others. Especially mobile security and Internet of Things from an IAM perspective were interesting.

On the mobile side Oracle has, with the acquisition of Bitzer Mobile, gained a good approach to mobile security, incl. app control. Their approach differs from the normal VPN approach, where the entire phone is locked down; with this solution you build an app tunnel to secure only the corporate apps. So you can continue using Facebook or LinkedIn without those apps gaining access to your corporate data. It looks and sounds very interesting and I am hoping to see it live soon.

Link to Oracle Mobile security site:
http://www.oracle.com/us/products/middleware/identity-management/mobile-security/overview/index.html


The other new thing, and definitely a buzzword that we will hear a lot more of in the coming years, is the Internet of Things, or IoT.

So what is IoT? Well, the definition I have heard is that a large number of devices (or things) will be coordinating and talking together over the internet, thereby adding new functions and added value for the consumer. For example, when you are driving in your car, the cars ahead of you can warn you of traffic jams etc.

By 2020 it is expected that 50 billion devices will be talking together.

So the question is now, how do we build end-to-end security to ensure that only the relevant people get access to only my information? Well, one thing is to have tight control over your IAM scope; so why not leverage IAM to build a secure end-to-end solution? Some of the technology already exists, but I am sure that we have only seen the start of clever access management solutions for IoT.

So if IAM can successfully position itself in this new sphere, IAM will stay a central player and further build on its importance for years to come. In any case, it is going to be very interesting – at least for a security nerd – to see solutions for IoT.