SAP FIORI Security Constraints

Whenever you expose a business application and its data to the internet, security awareness and concern come into the picture. Nowadays all customers want to use SAP FIORI applications to run their business processes from anywhere in the globe, on any device (desktop, laptop, mobile). Now the question is why?
1. It reduces development and maintenance cost, as FIORI is a hybrid application.
2. SAP now does all of its own new development in FIORI, so customers are bound to use FIORI to get the new ERP features from SAP.
3. No licensing cost.
Now focus on my point:

“You can run your business process by sitting any where of the globe using FIORI app.”

For this, every business entity has to expose its business server, application and sensitive data to the internet. Once a server containing sensitive data is exposed to the internet, the risk to the following increases:

1. Data Availability.
2. Data Integrity.
3. Data Confidentiality.
Now we will talk about how we can provide the above security to our FIORI apps. I will start from the FIORI landscape architecture. SAP has given 4 types of landscape architecture.
Central Hub Deployment – You can use this landscape only for development and testing, not for a production environment.
Embedded Deployment – This landscape is best suited for a production environment.
Central Hub Deployment & development in Hub – This landscape is for those who are not on NetWeaver 7.0 or below, generally those who are not ready to upgrade ECC.
Cloud Deployment – This is for those who are not ready to invest in a FIORI front end.
Now we will go one level deeper into FIORI security control. You can provide security at each of the respective levels:
Administrative, technical and physical. To cover these levels we perform tasks such as network architecture, secure configuration, encrypted communication, device security, secure app development, authorization, authentication, tracking and monitoring, data encryption, and avoiding injection threats.
Network Architecture – Use a DMZ, set up firewall rules between the client network and the server, implement a web application firewall between untrusted networks and the SAP ICF services, and implement the SAP Web Dispatcher to restrict which ICF services are reachable from untrusted networks.
Secure Configuration – For FIORI configuration, activate the following ICF services on the frontend server:
/default_host/sap/bc/ui2/nwbc, /default_host/sap/bc/ui2/start_up, /default_host/sap/bc/ui5_ui5/sap/ar_srvc_launch, /default_host/sap/bc/ui5_ui5/sap/ar_srvc_news, /default_host/sap/bc/ui5_ui5/sap/arsrvc_upb_admn, /default_host/sap/bc/ui5_ui5/ui2/ushell, /default_host/sap/public/bc/ui2, /default_host/sap/public/bc/ui5_ui5.
Do not activate the following ICF services on the frontend server:
/sap/bc/FormToRfc, /sap/bc/report, /sap/bc/xrfc, /sap/bc/xrfc_test, /sap/bc/error, /sap/bc/webrfc, /sap/bc/bsp/sap/certreq, /sap/bc/bsp/sap/certmap, /sap/bc/gui/sap/its/CERTREQ, /sap/bc/gui/sap/its/CERTMAP, /sap/bc/bsp/sap/bsp_veri, /sap/bc/bsp/sap/icf, /sap/bc/IDoc_XML, /sap/bc/srt/IDoc
Implement the Web Dispatcher to permit access only to the ICF services FIORI requires, i.e. /default_host/sap/bc/ui2/nwbc, /default_host/sap/bc/ui2/start_up, /default_host/sap/bc/ui5_ui5/sap/ar_srvc_launch, /default_host/sap/bc/ui5_ui5/sap/ar_srvc_news, /default_host/sap/bc/ui5_ui5/sap/arsrvc_upb_admn, /default_host/sap/bc/ui5_ui5/ui2/ushell, /default_host/sap/public/bc/ui2, /default_host/sap/public/bc/ui5_ui5.
Disable multiple logons via ICF by maintaining the relevant parameter in RZ11.
Disable unencrypted (HTTP) traffic to the ICM using the firewall.
Activate HTTP security session management by maintaining the parameters in RZ11.
Lock down the SAP* account by maintaining the parameters in RZ11.
Implement web filtering for the FIORI-required ICF services at the Web Dispatcher level.
Restrict the SAP Web Dispatcher to reject non-HTTPS calls.
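The allow-list and deny-list of ICF services above are only effective if every request path is normalised before it is matched. The following Python check is an added example, not configuration from the original post or from SAP: it takes the two lists from the post, reduces each request URL to the path the server would resolve (one percent-decode, collapsed `..` segments, the `default_host` alias stripped, case folded), applies default deny, and runs over a few constructed sample requests.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# ICF services the post lists as required by the FIORI frontend (prefix match).
FIORI_REQUIRED = (
    "/sap/bc/ui2/nwbc", "/sap/bc/ui2/start_up",
    "/sap/bc/ui5_ui5/sap/ar_srvc_launch", "/sap/bc/ui5_ui5/sap/ar_srvc_news",
    "/sap/bc/ui5_ui5/sap/arsrvc_upb_admn", "/sap/bc/ui5_ui5/ui2/ushell",
    "/sap/public/bc/ui2", "/sap/public/bc/ui5_ui5",
)
# ICF services the post says must stay inactive on the frontend server.
NEVER_EXPOSE = (
    "/sap/bc/formtorfc", "/sap/bc/report", "/sap/bc/xrfc", "/sap/bc/xrfc_test",
    "/sap/bc/error", "/sap/bc/webrfc", "/sap/bc/bsp/sap/certreq",
    "/sap/bc/bsp/sap/certmap", "/sap/bc/gui/sap/its/certreq",
    "/sap/bc/gui/sap/its/certmap", "/sap/bc/bsp/sap/bsp_veri",
    "/sap/bc/bsp/sap/icf", "/sap/bc/idoc_xml", "/sap/bc/srt/idoc",
)

def canonical_path(url: str) -> str:
    """Reduce a request URL to the ICF path the server would resolve: drop
    scheme/host/query, percent-decode once, collapse '.'/'..' segments,
    strip the SICF virtual-host alias and fold case (assumed case-insensitive)."""
    path = normpath(unquote(urlsplit(url).path)).lower()
    if path.startswith("/default_host/"):
        path = path[len("/default_host"):]
    return path

def _under(path: str, prefix: str) -> bool:
    # Whole-segment prefix match: /sap/bc/ui2/nwbcx must not pass as nwbc.
    return path == prefix or path.startswith(prefix + "/")

def decide(url: str) -> str:
    """Default deny; the forbidden list is checked before the allow-list."""
    path = canonical_path(url)
    if any(_under(path, p) for p in NEVER_EXPOSE):
        return "deny"
    if any(_under(path, p) for p in FIORI_REQUIRED):
        return "permit"
    return "deny"

# Constructed sample requests, as a gateway log review would see them.
SAMPLE_REQUESTS = [
    "https://fiori.example/sap/bc/ui2/start_up?sap-client=100",   # permit
    "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html", # permit
    "/SAP/BC/UI2/NWBC/",            # case differs only: permit
    "/sap/bc/ui2/%2e%2e/xrfc",      # resolves to a forbidden service: deny
    "/sap/bc/ui2/nwbcx",            # similar name, not on the list: deny
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{decide(req):6}  {req}")
```

The same normalisation matters for a WAF rule in front of the Web Dispatcher: a prefix filter applied to the raw URL would pass the encoded traversal request while the ICF layer resolves it to a service that was meant to be unreachable.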
Authentication & Authorization – For authentication use basic authentication, certificates or SAML 2 authentication. Configure your gateway (frontend) system for SAML 2; SSO will be the best option. For authorization, build secure roles: maintain a trusted RFC between the frontend and backend systems, and if you are using traditional authorization, maintain the same user master record in each system with a different password, since the connection is a trusted RFC. For your application OData services (custom and standard), maintain the service ID in authorization object S_SERVICE for both custom and standard services, or else create a separate role with the default authorization along with the service name.
Encrypted Communication – The DMZ has to encrypt/decrypt network traffic before sending it to, or receiving it from, the server for any trusted or untrusted network.
Device Security – To maintain data confidentiality use Afaria password policies, application policies, restriction policies and Wi-Fi policy management; secondly, you can use Mocana.
Using the above we can reduce the risk factor by up to 95%, because, as you know, "every new security constraint is built for a new attack". Nothing is 100% secure.
Next I will come with some interesting things on BOPF, HANA and S/4HANA.