A How-To Guide for Putting Your Self-Service and Other HR Functionality on the Web

Jacob Crane
EPI-USE America

© 2012 Wellesley Information Services. All rights reserved.

In This Session …

• Learn what it means to Web-enable your self-service functionality
• See what can be put online and what can be gained by doing so
• Learn about the complexities and support challenges associated with running an Internet-facing portal
• See what kinds of architectural changes are needed to realize a solution
• Learn about making SAP available on mobile devices and the changes involved
• Learn about things to consider when designing your solution

What We’ll Cover …

• What is an Internet-facing portal?
• What are people putting on the Internet and why?
• What challenges arise from implementing an Internet-facing portal?
• What are the technical components and steps involved?
• Mobility solutions
• Wrap-up

What Is an Internet-Facing Portal?

• A portal solution that is accessible from outside of your company’s network via the Internet
• Portal can be accessed by a URL without VPN or special access
• Allows external users to connect remotely
• Allows employees to connect from home

How Is an Internet-Facing Portal Realized?

• Technically, this is very simple
  Œ Open a port up to allow your portal to be accessed from outside of the network
  Œ Register an address and associate it to your portal
    ƒ www.myportal.com
  Œ You are now on the Internet

How Is an Internet-Facing Portal Realized the Right Way?

• In practice, this is actually challenging
  Œ Security concerns
    ƒ Architecture
    ƒ Policies
  Œ Legal implications and compliance
    ƒ Data privacy laws and policies
    ƒ Laws and policies affecting your system design
  Œ Deciding what to offer online
    ƒ Scope of services
    ƒ Ways of accessing systems
  Œ Support

Putting Your Portal on the Internet

• SAP provides an External-Facing Portal solution
  Œ Lightweight framework for improved Web performance
  Œ KM integration for sharing documents and pages
• Employee and Manager Self-Service are not compatible with the External-Facing Portal
• Until recently, only a handful of companies had Internet-facing solutions for ESS and MSS
• Today an increasing number of companies are making their portals accessible over the Internet
  Œ More benefits
  Œ Better technology

Reasons Businesses Put the Portal on the Internet

• Return on Investment
  Œ There are several services that can quickly provide a measurable ROI
  Œ Greater exposure gives companies the biggest bang for their buck
• Convenience
  Œ Allow working from home
• Improved service
  Œ Allow greater access to information to more users
• Reduced support costs
  Œ In some cases costs can be reduced by providing a more cost-effective way to support users

What Are Businesses Putting on the Portal?

• Employee Self-Service
• Manager Self-Service
• SAP E-Recruiting
• SAP SRM
• Identity Management
• SAP CRM
• KM content
• Custom services

Employee Self-Service

• Almost all of ESS can easily be put online
  Œ The biggest issues are legal and security issues
• More and more proposals are asking for all of ESS to be available
• Biggest focus areas are paper reduction
  Œ Online statements
  Œ Reduced printing costs
• Biggest other driver is convenience and access to data for all

Employee Self-Service Pay Statement

• Eliminating paper pay statements will save money and can pay for the cost of the portal
• If employees can get the statements from home, they don’t need to receive them in the mail or as hard copies
  Œ Eliminates costs
    ƒ Security paper
    ƒ Printing
    ƒ Packaging
    ƒ Mailing

Employee Self-Service — Open Enrollment

• Reduce the number of enrollment guides printed
• Allow employees to enroll at home on their own time at their own pace
  Œ Easier for employees
  Œ Less costly for employers
• Allow simple access to plan information and other enrollment information in a central location

Employee Self-Service — Other Forms

• Any situation where you have information that is regularly checked and used by employees
  Œ Increased convenience for employees
  Œ Fewer resources spent using the forms on the job and/or printing them at work

Manager Self-Service

• Similar reasons for exposing as ESS
• Biggest gains come from allowing remote access from the road or home to non-VPN users
• Legal and compliance issues are magnified with MSS functionality, making it necessary to take a more cautious approach to enabling MSS

E-Recruiting

• Allow external candidates to browse jobs
  Œ Post your jobs on the Internet so they can be accessed by anyone
• Allow external candidates and employees to apply for jobs
  Œ Employees can browse and apply on their own time
  Œ Allow external users to apply and enter their data directly into SAP without intermediate systems
• SAP-provided external-facing functionality is not delivered through the portal but instead through the SAP NetWeaver® Web Application Server

Other Areas

• SAP SRM Supplier Self-Service (SUS) functionality
  Œ Allows suppliers to work with the SRM system, confirm shipping, view orders
  Œ Participate in auctions
  Œ Upload catalogs
• Identity Management
• SAP CRM
  Œ Allow external customers into the system
• External-facing portal
  Œ Use SAP to deliver content via KM

Why External?

• Improved access
  Œ Home, remote, non-integrated locations
  Œ External candidates and partners
• Cost savings
  Œ Reduced printing and mailing costs
• Increased convenience
  Œ Improvements in access mentioned above
  Œ Simplicity of access
    ƒ No VPN
  Œ Access at any time the system is available instead of only during onsite work hours

What Challenges Lie Ahead?

• Implementing and maintaining an Internet-facing portal brings many additional challenges and complexities
• Careful planning and execution with disciplined follow-up and adherence to procedures are key to successfully implementing and operating an Internet-facing portal
• Challenges relate to several areas
  Œ Security
  Œ Legal/compliance
  Œ Support/maintenance

Additional Factors — Former Showstoppers

• Bandwidth
  Œ Bandwidth is a concern, as ESS and MSS services are notoriously slow and resource-intensive
  Œ However, computers and Internet connections have improved and continue to do so, minimizing the impact
    ƒ Most users are now on broadband and can utilize rich content and applications
• User training and acceptance
  Œ User training is always a concern
  Œ New employees already have the skills to utilize Web functionality and are ready to embrace what you can offer
  Œ The need to offer basic operational training is rapidly decreasing

Security Issues

• Exposing the portal to the Internet opens it to attack
  Œ Planning, testing, and proactive maintenance are required to mitigate the risks
• Administrators must monitor and act proactively to address security risks
• Managing users becomes more complicated, especially if varying levels of access are granted internally and externally
• More work is required of the Basis team and your network administrators to maintain the portal

Legal and Compliance Issues

• Increasing attention is being paid to data privacy and security around the world
• International, national, and state laws are being passed constantly that could affect your policies, procedures, and designs
• Most companies have legal teams who may be looking at these laws and forming corporate or organizational policies that affect your decision to put your portal on the Internet
• It is important to be aware of the laws and policies that affect your decisions and design

Data Privacy Laws

• There are numerous laws, old and new, that can affect your design and decisions
• At face value, many of these laws do not directly affect you or may not be applicable to basic functionality like Employee Self-Service
• However, advanced functionality that can expose other employees’ data often falls under the scope of these laws
  Œ Reporting
  Œ Access to the back end
• Many of the laws can affect corporate policies, especially in global companies

What Laws Are Out There?

• International
  Œ EU Data Protection Directive 95/46/EC
  Œ UK Data Protection Act 1998
  Œ Payment Card Industry Data Security Standard
• National
  Œ The Health Insurance Portability and Accountability Act (HIPAA)
    ƒ Health Information Technology for Economic and Clinical Health Act (HITECH)
  Œ Federal Information Security Management Act (FISMA)
• State
  Œ Massachusetts 201 CMR 17.00
  Œ Nevada Revised Statutes 603A – Security of Personal Information
  Œ Many others …

What Is the Scope of These Laws?

• Protection of personal information
  Œ PII – Personally Identifiable Information
• Protection of credit card information
  Œ Important in Travel Management
• Movement of information across borders
• Policies for documentation, training, and administration
• Policies for storage and handling of data
  Œ Older laws are more general and provide guidelines open to interpretation and internal policy
  Œ Newer laws are starting to be more specific about architecture, encryption, and software used

What Are the Implications?

• Policies defined to cover all areas can become restrictive and detailed
• Architecture changes may be needed
  Œ Mandated architecture coupled with requirements to meet encryption and network needs
• Functionality may need to be restricted
  Œ Access to reporting may need to be limited or more carefully controlled
• Transfer of data to other countries restricted
  Œ GUI access may need to be restricted and/or security maintained by region

Design Mandates — The Next Step

• New laws are becoming more specific in what is required
  Œ New Massachusetts law requires firewalls, hard disk encryption, regular software updates, anti-malware software
  Œ Recommendations toward two-factor authentication and password security are showing up
• As data privacy and security on the Web becomes a more visible topic and issue, more laws will start to address specific requirements
• If you intend to expose the portal and SAP to the Internet, it will become increasingly important to stay aware of the laws that affect you in order to remain in compliance

How Laws Can Affect Your Design

• Access to personal data
  Œ Reports containing data like Social Security Numbers and even birth dates may not be able to be used over the Internet without additional security
  Œ HTML GUI access may need to be restricted to avoid inadvertently allowing the possibility of seeing data over the Internet
    ƒ Transactions that use the GUI can allow users to run additional transactions which they have access to on the back end, causing an issue when power users have access to the portal

How Laws Can Affect Your Design (cont.)

• Network design
  Œ Firewalls mandated by law
  Œ HTTPS mandated by law
  Œ Authentication needs may further affect design
• Authentication and security
  Œ Though not explicitly mandated by law yet, policies may require different populations of users to use VPN or different authentication methods to access data due to enhanced access
  Œ These changes could affect single sign-on and other areas
• Support and operations
  Œ Updates, antivirus software, backup storage, and other factors are covered by laws and policies

Supporting an Internet-Facing Portal

• Supporting an Internet-facing portal brings many new challenges
• Users have different hardware and software combinations that may not be supported
• Users will be on the system during hours they would previously be absent
  Œ If users access the portal from home, they may lock records during an off-hours payroll run
• Additional factors like networks are outside of your control

Computers Outside of Your Control

• In an enterprise environment, you can control the hardware and software a user has
• However, home users could have almost anything
  Œ Users may access the portal from unsupported hardware or software versions
  Œ Automatic updates may install software that is not yet supported by SAP
• You have no control of the network after you leave your internal network

Adapting to the Challenges

• Reset expectations
  Œ Clearly communicate to end users what is supported and what is not supported
• Be flexible
  Œ Prepare to offer additional support hours or resources
  Œ Provide online help materials
• Be prepared
  Œ Know that your support desk will face new challenges and ensure that the organization is prepared before go-live

How to Implement an Internet-Facing Portal

• Design and build
  Œ Network
  Œ Portal options
• Testing
• Maintenance and operations

Design — The Goals

• Provide open access to information and applications
  Œ Allow the right people to see the information they need
  Œ Provide unobtrusive security
    ƒ Users should know data is secure
    ƒ Users should not be unnecessarily burdened by security
• Maintain the highest levels of security and compliance
  Œ Prevent direct access to back-end systems
  Œ Prevent unauthorized access to secure networks
  Œ Eliminate the possibility of data privacy breaches
  Œ Prevent unencrypted sensitive information from being accessed

Network Design — Preventing Access

• Firewalls can be used to prevent users from accessing your network
• Firewalls block traffic from flowing into and out of networks by limiting the ports that traffic can flow through
• Firewalls should be deployed on each network zone

How Many Firewalls?

• At minimum, you need two firewalls to form the demilitarized zone (DMZ)
  Œ One between the Internet and your DMZ
  Œ One between the DMZ and your secure area
• SAP recommends at least an inner and outer DMZ
  Œ Outer DMZ holds reverse proxy
  Œ Inner DMZ holds the portal application servers
    ƒ Some recommend putting the portal in the secure area
  Œ Secure area holds the back end
• Often, people use additional firewalls
  Œ Between portal and back end
  Œ Between back end and database
  Œ Others

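The zoned layout above (Internet, outer DMZ with the reverse proxy, inner DMZ with the portal, secure area with the back end and database) can be checked before any firewall rule is written. The following is an added example, not from the slide deck or any SAP product: a small Python model in which host names, zone placement, and the permitted (source, destination, port) tuples are all constructed for illustration. It flags any single hop that would skip a DMZ layer, which is exactly the misconfiguration the extra firewalls in the slide are meant to rule out.

```python
"""Model of a layered DMZ design; checks that no hop skips a trust boundary.

Added example. All host names, zones and rules below are constructed
and are not taken from any real deployment.
"""

# Zones ordered from least trusted (index 0) to most trusted.
ZONES = ["internet", "outer_dmz", "inner_dmz", "secure"]

# Hypothetical host placement following the slide: reverse proxy in the
# outer DMZ, portal in the inner DMZ, back end and database in the secure area.
HOSTS = {
    "browser": "internet",
    "reverse-proxy": "outer_dmz",
    "portal": "inner_dmz",
    "erp-backend": "secure",
    "database": "secure",
}

# Constructed firewall rule set: (source host, destination host, TCP port)
# tuples that the firewall between the two hosts' zones permits.
ALLOWED_FLOWS = {
    ("browser", "reverse-proxy", 443),
    ("reverse-proxy", "portal", 443),
    ("portal", "erp-backend", 3200),
    ("erp-backend", "database", 1521),
}


def zone_distance(src_host, dst_host):
    """How many zones inward a hop from src_host to dst_host travels.

    Positive means inbound (toward the secure area), zero means same zone,
    negative means outbound.
    """
    return ZONES.index(HOSTS[dst_host]) - ZONES.index(HOSTS[src_host])


def skips_a_zone(src_host, dst_host):
    """True when one hop moves more than one zone inward, i.e. bypasses a DMZ."""
    return zone_distance(src_host, dst_host) > 1


def audit_rules(rules):
    """Return the rules that would let a single hop bypass a DMZ layer."""
    return sorted(r for r in rules if skips_a_zone(r[0], r[1]))


def check_hop(src_host, dst_host, port, rules=ALLOWED_FLOWS):
    """Decide whether one hop is acceptable: it must be explicitly permitted
    and must not jump over a zone."""
    if (src_host, dst_host, port) not in rules:
        return False, "no firewall rule permits this hop"
    if skips_a_zone(src_host, dst_host):
        return False, "hop skips a DMZ layer"
    return True, "ok"


def check_path(hops, rules=ALLOWED_FLOWS):
    """Validate a full request path given as a list of (src, dst, port) hops.

    Returns (True, "ok") or (False, description of the first failing hop).
    """
    for src, dst, port in hops:
        ok, reason = check_hop(src, dst, port, rules)
        if not ok:
            return False, f"{src}->{dst}:{port}: {reason}"
    return True, "ok"


if __name__ == "__main__":
    # A browser request that correctly passes through both DMZ layers.
    print(check_path([
        ("browser", "reverse-proxy", 443),
        ("reverse-proxy", "portal", 443),
        ("portal", "erp-backend", 3200),
    ]))
    # A rule that would expose the back end directly is caught by the audit.
    print(audit_rules(ALLOWED_FLOWS | {("browser", "erp-backend", 3200)}))
```

The model treats "same zone" hops (back end to database when both sit in the secure area) as fine, and only complains when a hop crosses more than one boundary at once; adding the slide's optional firewall between back end and database would simply mean adding a fifth zone to `ZONES`.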
Preventing Direct Access — Reverse Proxies

• Reverse proxies are used to obscure the destination of requests
  Œ Calls to back-end systems can be routed through a reverse proxy so that servers are never directly exposed
• Reverse proxies should be used in front of any production SAP server
• Commonly used proxies include
  Œ SAP Web Dispatcher
    ƒ Often chosen to combine load balancing with proxy functionality
  Œ Apache

Other Network Devices
• Many additional network devices exist that handle firewall and/or reverse proxy requirements while providing additional protection
• Filtering with whitelists and blacklists
  - Maintain lists of allowed URLs and blocked URLs
    - Whitelists are used to allow access only to desired applications
      - All other traffic is blocked
    - Blacklists are used to block access to URLs
      - Useful for blocking sensitive servers or applications
  - Supported by SAP Web Dispatcher
• Learning firewalls
  - Firewalls that analyze traffic and block abnormal requests
    - Useful for preventing hacking attempts

A Simple Example — Exposing Portal Applications
• At minimum, only firewalls and a reverse proxy are needed in front of a portal when only portal applications are exposed

Exposing the SAP NetWeaver Application Server
• When exposing the SAP NetWeaver Application Server, it becomes more important to add layers of protection because the back end is now exposed
• The back end is exposed any time something running on SAP ERP is used in the portal
  - Transaction iViews
  - ABAP Web Dynpro applications
• Be sure to consider the way URLs are configured and generated for your applications when using a proxy
  - The address of the proxy must replace the address of the WAS

Enhancement Pack 5 and Beyond
• Enhancement Pack 5 moves more functionality to Web Dynpro ABAP
  - Users are connected to the back-end WAS instead of the portal
• Future applications will also use more Web Dynpro ABAP
• Plan for securing the WAS when running EHP5 or later, or performing an upgrade to an existing Internet-facing solution
• Check out SAP’s guide on best practices for securing the WAS (link in the resources slide)

Securing the Web Application Server
Additional Considerations
• Blade servers
  - Segregation of network zones across blades
    - It is important to ensure that different blades in different zones have independent subnets
  - Network interfaces
    - Often additional network hardware must be installed on the blade server to ensure blades and networks are isolated
• Virtualization
  - Never put reverse proxies or firewalls on virtual machines
    - If one is compromised, all are compromised
  - Never host servers that are in different zones on the same virtual machine

SAP E-Recruiting
• E-Recruiting needs to be on the Internet to allow candidates to access jobs
  - Especially problematic when E-Recruiting is running on the SAP ERP HCM instance
• SAP offers an external front end for exposing E-Recruiting to the Internet
  - Separate WAS for SAP E-Recruiting functionality

E-Recruiting (cont.)
SAP E-Recruiting — What to Do?
• Combining instances reduces the overall maintenance effort and lowers costs
• Separating the WAS is always more secure, but adds an additional server to maintain
• Combining SAP ERP HCM and SAP E-Recruiting simplifies the interfaces between the systems and reduces or eliminates the need for SAP NetWeaver Process Integration to handle communications between the two
• If there is no sensitive data in SAP E-Recruiting, SAP E-Recruiting could be placed in the DMZ
• Otherwise, use the external front end

A Complete Solution
HTTP, HTTPS, and Your Network
• Hypertext Transfer Protocol Secure (HTTPS) is mandatory for your Internet traffic
• How far into your network do you need/want to go?
• Design with encryption in mind and consider where to do your Secure Sockets Layer (SSL) offloading
  - Somewhat resource-intensive if done on the portal itself
• Consider sticky sessions and the need to preserve session and header data as traffic is routed through your network
  - Needed to preserve the Java session in the portal
  - Needed to determine the URL in Web Dynpro

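The URL-generation point (the proxy address must replace the WAS address) and the SSL-offloading point above both come down to the same failure mode: the back end emits an absolute URL with its own hostname and "http". The following is an added example, not code from the slides or from SAP; it is a proxy-side safety net that rewrites such URLs to the public origin and reports every occurrence so the back-end URL generation gets fixed. All hostnames are constructed.

```python
"""Rewriting back-end URLs at an SSL-offloading reverse proxy.

Added example, not from the original slides. The proxy terminates HTTPS and
forwards plain HTTP to the application server, so an absolute URL the back
end generates (a redirect, a Web Dynpro link) carries the internal WAS
address and "http" unless URL generation is reconfigured as the slides
advise. This rewrite is a safety net that also reports each such leak so
the misconfiguration is fixed at the source. Hostnames are constructed.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed: internal WAS address(es) as they appear in generated URLs,
# and the public scheme/host of the proxy that must replace them.
INTERNAL_HOSTS = {"was01.corp.example:8000", "was01.corp.example"}
PUBLIC_SCHEME, PUBLIC_HOST = "https", "ess.example.com"

# Absolute http(s) URLs inside an HTML body; stops at quotes and brackets.
_ABS_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def to_public(url: str) -> str:
    """Map an absolute URL on the internal WAS to the public origin.
    Relative URLs and URLs on other hosts are returned unchanged."""
    parts = urlsplit(url)
    if parts.netloc.lower() in INTERNAL_HOSTS:
        return urlunsplit((PUBLIC_SCHEME, PUBLIC_HOST,
                           parts.path, parts.query, parts.fragment))
    return url


def rewrite_response(headers: Dict[str, str], body: str
                     ) -> Tuple[Dict[str, str], str, List[str]]:
    """Rewrite the Location header and absolute links in an HTML body.
    Returns (headers, body, leaks); leaks lists every internal URL found,
    which an operator should alert on because it means the back end is
    still generating URLs with its own address instead of the proxy's."""
    leaks: List[str] = []

    def fix(url: str) -> str:
        public = to_public(url)
        if public != url:
            leaks.append(url)
        return public

    new_headers = {name: (fix(value) if name.lower() == "location" else value)
                   for name, value in headers.items()}
    new_body = _ABS_URL.sub(lambda m: fix(m.group(0)), body)
    return new_headers, new_body, leaks
```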
Security Design Considerations
• Sensitive content and functionality should be disabled in the portal when exposing it to the Internet
  - Sensitive data
  - Sensitive applications and transactions
  - Administration tools
• Administration functions should be disabled
  - Use separate IDs that are blocked from the Internet
  - Use filtering to prevent administration functionality from being accessed

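The whitelist/blacklist filtering from the "Other Network Devices" slide and the "use filtering to prevent administration functionality from being accessed" point above are the same mechanism. The following is an added example, not code from the slides, from SAP or from the Web Dispatcher; it evaluates a small permit/deny rule table of the kind a reverse proxy applies, with first match wins, default deny, an HTTPS-only rule type, and path canonicalisation so encoded or "../" forms of an administration URL are caught. The rule table, paths and application names are constructed.

```python
"""URL whitelist/blacklist evaluation for an Internet-facing reverse proxy.

Added example, not from the original slides. Rules are lines of the form
"P <pattern>" (permit), "D <pattern>" (deny) or "S <pattern>" (permit over
HTTPS only); the first matching rule wins and a request that matches no
rule is denied, which is the whitelist behaviour the slides describe
("all other traffic is blocked"). Paths and patterns are constructed.
"""
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    action: str   # "P", "D" or "S"
    pattern: str  # glob pattern matched against the normalised path


def parse_rules(text: str) -> List[Rule]:
    """Parse the rule table; '#' starts a comment, blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("P", "D", "S"):
            raise ValueError(f"bad rule: {raw!r}")
        rules.append(Rule(parts[0], parts[1].strip()))
    return rules


def normalise(path: str) -> str:
    """Canonicalise before matching so percent-encoding, doubled slashes or
    '..' segments cannot slip an administration URL past a deny rule."""
    path = unquote(path.split("?", 1)[0])
    while "//" in path:
        path = path.replace("//", "/")
    return posixpath.normpath(path).lower()


def evaluate(rules: List[Rule], scheme: str, path: str) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one request."""
    norm = normalise(path)
    for rule in rules:
        if fnmatchcase(norm, rule.pattern.lower()):
            if rule.action == "D":
                return "deny", f"blocked by 'D {rule.pattern}'"
            if rule.action == "S" and scheme.lower() != "https":
                return "deny", f"HTTPS required by 'S {rule.pattern}'"
            return "allow", f"permitted by '{rule.action} {rule.pattern}'"
    return "deny", "no matching rule (default deny)"


# Constructed sample table for an ESS/MSS portal; deny rules come first so
# administration paths are blocked even though they sit under /irj/portal.
RULES_TEXT = """
D /irj/portal/*admin*              # portal administration tools
D /sap/bc/webdynpro/sap/*admin*    # administration Web Dynpro apps (constructed)
S /irj/portal*                     # portal content, HTTPS only
S /sap/bc/webdynpro/sap/zess_*     # ESS Web Dynpro ABAP apps (constructed names)
"""
RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for scheme, path in [("https", "/irj/portal/ess/payslip"),
                         ("http", "/irj/portal/ess/payslip"),
                         ("https", "/irj/portal/ess/../admin/console"),
                         ("https", "/irj/portal/%61dmin"),
                         ("https", "/sap/bc/gui/sap/its/webgui")]:
        print(scheme, path, "->", evaluate(RULES, scheme, path))
```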
Security Design Considerations (cont.)
• Audit existing roles for issues
  - Was S_RFC, S_SERVICE, or S_ICF left open?
  - Ensure existing roles are really secure before opening up access
• Consider vulnerabilities in custom applications and custom code

Testing
• Testing is the only way to be sure you are secure
• Employ penetration testing and auditing to ensure security holes are closed and policies are in place to maintain a sufficient level of security
• Penetration testing
  - Experts attempt to hack into your system using known exploits and by searching for new security holes
  - Tools are available for ongoing testing and auditing, but should not be relied on as your only source of testing
    - Nikto
    - XSSploit
  - Make sure to coordinate with IT before trying anything

Maintenance and Operation
• Patches must be installed more frequently to maintain security
  - Threats are constantly evolving and must be addressed immediately
  - Waiting for end-of-year or quarterly patches may not be sufficient to keep up with new threats
  - Download patches on Patch Tuesday
  - Patch everything in the Internet-facing landscape, not just SAP
• Downtime windows and testing cycles for patches will need to be scheduled more frequently when dealing with an Internet-facing solution
  - Problematic when dealing with production environments
  - It may make sense to separate your SAP ERP HCM instance when looking at Internet-facing ESS and MSS

Portal Options for Managing Content
• It may be necessary to offer different functionality and content inside and outside of your network
• Federated portals
  - A consumer portal can be set up as Internet-facing that pulls only certain content from your internal portal, separating the content
• Filtering
  - SAP has new functionality available that allows content to be filtered based on the portal desktop
  - Users coming from outside use a different alias and can then be assigned a different desktop
  - Only roles with the matching filter value are accessible

What We’ll Cover …
• What is an Internet-facing portal?
• What are people putting on the Internet and why?
• What challenges arise from implementing an Internet-facing portal?
• What are the technical components and steps involved?
• Mobility solutions
• Wrap-up

Mobile Access
• The next step beyond opening access to Internet users is offering access to mobile users
• Many of the concerns and architectural changes brought on by Internet access are valid for mobile access as well
  - Mobile solutions are running over the Internet and interfacing with the SAP system
• SAP offers several products to allow for mobile access and security

Mobile Solutions
• Sybase Unwired Platform
• SAP NetWeaver Gateway
• Mobile Business ByDesign

Sybase Unwired Platform (SUP)
• SUP is a platform used to provide applications on a variety of mobile devices
• SUP is a Mobile Enterprise Application Platform (MEAP) that connects to SAP and the mobile device
• Uses a relay server in the DMZ to separate itself from the SAP back-end system
• Afaria is available for device management and enhanced security

Sybase Unwired Platform (SUP) (cont.)
Mobile Business ByDesign
• Business ByDesign provides mobile applications and the ability to develop applications using its platform
• Everything is cloud-based
• No hardware changes are needed to allow the use of the ByDesign mobile solutions

What We’ll Cover …
• What is an Internet-facing portal?
• What are people putting on the Internet and why?
• What challenges arise from implementing an Internet-facing portal?
• What are the technical components and steps involved?
• Mobility solutions
• Wrap-up

Additional Resources
• http://help.sap.com/saphelp_nw73/helpdata/en/fe/a7b5386f64b555e10000009b38f8cf/frameset.htm
  - Network and Communications Security
• www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/2992
  - How to ... Configure SAP Web Dispatcher as a reverse proxy
• http://help.sap.com/saphelp_nw73/helpdata/en/48/8fe37933114e6fe10000000a421937/frameset.htm
  - SAP Web Dispatcher
• http://help.sap.com/saphelp_nw70/helpdata/en/59/31ae42e0fac911e10000000a1550b0/frameset.htm
  - URL Generation in an AS-ABAP – Web Dispatcher Configuration

Additional Resources (cont.)
• www.sdn.sap.com/irj/scn/index?rid=/library/uuid/f0d2445f-509d2d10-6fa7-9d3608950fee
  - Secure Configuration SAP NetWeaver Application Server ABAP
• http://cirt.net/nikto2
  - Nikto – Web server scanner

7 Key Points to Take Home
• Allowing access to the portal over the Internet can provide improved service while reducing costs
• Be aware of legal and policy implications before deciding what to offer and designing your solution
• Thoroughly test your solution before connecting it to the Internet
• Be extra diligent about installing updates and support packs to keep up-to-date with the latest security fixes
• Ensure firewalls are deployed between network zones and that there is always a proxy between the Internet and your servers
• Consider advanced protection methods like whitelists, blacklists, learning firewalls, security appliances, and other tools available to you in order to maximize security
• Mobile solutions need to be protected just like Internet solutions

Your Turn!
How to contact me:
Jacob Crane
[email protected]

Disclaimer
SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet®, PartnerEdge, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product
and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by
SAP.
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2012 Wellesley Information Services. All rights reserved.