Enterprise readiness nowadays requires access for corporate users from anywhere and on any device. Is your IT team ready to properly answer all of the auditors' questions related to business data security when it comes to granting access from outside the corporate network? Or access to business applications on mobile devices? There is always room for improvement when we talk about security. Below you will find advanced security solutions, available with the SAP Single Sign-On product, that will help you improve your corporate security for these challenging topics.
Two-Factor Authentication
With two-factor authentication you can implement a strong form of authentication for access to corporate resources – for example, for especially critical systems or for securing access from outside the company. SAP Single Sign-On 2.0 supports two-factor authentication via time-based one-time passwords (TOTP) generated by the SAP Authenticator mobile app. Alternatively, out-of-band transport of tokens is supported, including one-time passwords sent via SMS or email, or RSA/RADIUS.
More information:
Strong Two-Factor Authentication with One-Time Password Solution
One-Time Password Authentication
Risk-Based Authentication
SAP Single Sign-On 2.0 (since SP5) offers risk-based authentication. This means that an authentication process can dynamically adapt to the context of an individual authentication request based on custom-defined access policies. First, you check the context information of an authentication attempt. This could be, for example, the IP address of the client, location, date/time, device information, or user attributes such as groups. Second, based on this context information, you make a dynamic decision on whether to accept or deny access, or alternatively to enforce two-factor authentication if the context indicates a higher risk. You could even reduce the privileges of the person accessing the backend system, thus limiting the business functionality available to this user.
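The two-step decision described above, sketched as an added Python example. It is not SAP's access policy syntax or the Web Access Policy API; the network range, business hours, group names and all class and function names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import time

# Constructed policy values (assumptions for illustration, not SAP defaults).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
PRIVILEGED_GROUPS = {"FINANCE_ADMIN"}
BLOCKED_GROUPS = {"TERMINATED"}

@dataclass
class AuthContext:
    client_ip: str
    local_time: time
    known_device: bool
    groups: set = field(default_factory=set)

@dataclass
class Decision:
    action: str  # "ALLOW", "REQUIRE_2FA" or "DENY"
    dropped_groups: set = field(default_factory=set)

def evaluate(ctx: AuthContext) -> Decision:
    """Step 1: inspect the request context. Step 2: decide dynamically."""
    if ctx.groups & BLOCKED_GROUPS:
        return Decision("DENY")
    try:
        ip = ipaddress.ip_address(ctx.client_ip)
    except ValueError:
        # Fail closed: context that cannot be parsed cannot be trusted.
        return Decision("DENY")
    internal = any(ip in net for net in CORPORATE_NETS)
    in_hours = BUSINESS_HOURS[0] <= ctx.local_time <= BUSINESS_HOURS[1]
    if internal and ctx.known_device and in_hours:
        return Decision("ALLOW")
    # Higher-risk context: enforce a second factor instead of denying outright.
    dropped = set()
    if not internal and not ctx.known_device:
        # Highest risk: also reduce privileges for this session.
        dropped = ctx.groups & PRIVILEGED_GROUPS
    return Decision("REQUIRE_2FA", dropped)

if __name__ == "__main__":
    # Constructed sample request: external address, unknown device.
    sample = AuthContext("203.0.113.7", time(10, 30), False,
                         {"FINANCE_ADMIN", "EMPLOYEE"})
    print(evaluate(sample))
```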
More information:
Risk-Based Authentication for Your Critical Business Processes
Stronger Security for Your Business Data at Risk
Access Policies Implementation Guide
SAP Note 2151025: User Management Engine Support for Dynamic Authorizations
SAP Note 2057832: Web Access Policy API
RFID-Based Identification
For scenarios where users need quick access to a system to perform short tasks, you can use fast user identification via radio-frequency identification (RFID). The user is identified via an RFID token, such as a company badge card. RFID authentication is ideally suited to warehouse and production scenarios with dedicated kiosk PCs for authentication.
More information:
RFID-Based Identification of SAP Applications Using Employee Badges
Identification Using RFID Tokens
Digital Signatures
Digital signatures uniquely identify the signer, protect the integrity of the data, and provide the means for a binding signature that cannot be denied afterwards. SAP Single Sign-On supports digital signing using the Secure Store and Forward (SSF) interface. The Secure Login Client for SAP GUI can use X.509 certificates for digital signatures in an SAP environment. Server-side digital signatures are supported by the SAP Common Cryptographic Library. In addition, SAP Single Sign-On includes support for server-side digital signatures via hardware security modules, offering increased security and performance.
More information:
Digital Signing with Secure Store and Forward (SSF)
Digital Client Signature (SSF)
Digital Signatures in SAP GUI with One-Time Passwords
Digital Signatures (SSF) with a Hardware Security Module
SAP Note 1973271: Secure Login Library 2.0 HSM Configuration for SSF
Certificate Lifecycle Management for ABAP Application Servers
SAP Single Sign-On 2.0 (since SP6) supports automated renewal of X.509 certificates for SAP NetWeaver Application Server ABAP using Secure Login Server. This reduces manual effort and prevents downtime.
More information:
Certificate Lifecycle Management Using Secure Login Server
SAP Note 2194174: Certificate Lifecycle Management with Secure Login Server – ABAP reports