IBP security

best practices
Csaba Kabai, SAP

INTERNAL – SAP and Customers Only

Disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of
SAP. Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or any
other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this
presentation or any related document, or to develop or release any functionality mentioned therein.
This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms
directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The
information in this presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality. This
presentation is provided without a warranty of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement. This presentation is for informational purposes
and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this presentation, except if
such damages were caused by SAP’s intentional or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from
expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of
their dates, and they should not be relied upon in making purchasing decisions.

INTERNAL – SAP and Customers Only 2

Why we need security?
Three pillars of SAP security

Cloud
solutions from
SAP

1. Build securely 2. Run securely 3. Act securely

We build secure-by-design solutions. We run cloud operations securely. Security-first culture in everything we do.

Secure software development and Automated preventive and detective controls Security is part of our core, affecting how we organize,
operation lifecycle Intelligence, operations and response orchestration train and protect people and assets
Product solutions and features for Attestations and reports for our security processes Customer feedback loop supports continuous
enhanced security and controls improvement
Secure-by design environments (SAP and Partner ecosystem enhances security
cloud service providers)

INTERNAL – SAP and Customers Only 4

Security is part of our core

Security is integrated into SAP company processes

(e.g. Employee Onboarding, Global Security Trainings)

Secure Cloud Software Leading Security and DPP Secure Operations & Comprehensive Contracts
Development Products & Features Landscape Architecture Privacy, security framework, and
Threat Modeling, Code Scans, Authorization Concept, Read Holistic approach: prevent, applicable local regulations
Internal & External Security Access Logging detect, react
Assessment Standardized operations
processes

Independent Audits
Certifications and Attestations

INTERNAL – SAP and Customers Only 5

Management system of standards and best practices1

Certification Financial controls Operations and compliance Cloud computing compliance

ISO 22301,2 ISO 9001 2, SOC 1 SOC 2 controls catalog
ISO 27001 3 (SSAE18, ISAE 3402) (AT 101, ISAE 3000) BSI-C5
(ISAE 3000)
Transparency

Data protection Data privacy

BS10012 EU General Data Protection Regulation, Personal Information Protection Law
Privacy

Quality Service delivery Business Application Hardening Destruction of Incident

management ISO 20000 continuity security guidelines media management
ISO 9000 ISO 22300 ISO 27034 SANs, ISO ISO 27040 ISO 27035
Security best practice
ISO 25010 OWASP CERT, NIST
(extract)

Code of practice
ISO 27002
Foundation
SA P Integrated Business Planning standards and best practices

1. The management systems are used across all SAP Cloud Secure services, execution of independent certification, and audit depend on service and organizational unit respectively.
Details are available at www.sap.com/about/trust-center/certification-compliance.html.
2. Integrated Business Planning is certified as a subscope of SAP Enterprise Management System.
3. In addition to this certification, the organization uses the standards ISO/IEC 27017:2015 and ISO/IEC 27018:2019 as sources for the control set as defined in the SoA, for a part of the scope.
INTERNAL – SAP and Customers Only 6
 1. Build securely
SAP’s secure development and operations lifecycle We build secure-by-design solutions.

Continuous improvement and development

PRERELEASE

Plan Develop Test (Pre-)Release

Planned security Secure

Training Risk assessment Security testing Security validation
measures development

INTERNAL – SAP and Customers Only 7

 1. Build securely
Security assessment and testing We build secure-by-design solutions.

Internal and external security assessments including penetration tests

Penetration tests
Security testing with shift-left principle
▪ Internal and external
▪ Web applications (SAP IBP, ABAP NW Cloud Platform and others)
▪ SAP Bug Bounty Program

Code scans
▪ Static application security testing (SAST)
▪ Dynamic application security testing (DAST)

Other application security testing

▪ Code scan
▪ Authorization tests end to end
▪ Virus scans for documents
▪ Other test methods
INTERNAL – SAP and Customers Only 8
 1. Build securely
SAP IBP Bug Bounty Program We build secure-by-design solutions.

Involving third-party researchers in finding security vulnerabilities

Highlights Scope updates Vulnerability analysis

3% 3% 1% 1%

41% True positive rate 2011: Demand Planning apps

2102: Inventory Planning apps, Data Integration app 9%
6%

2105: Supply Planning apps, Planning Calendar API 47%

2108: new Demand Planning apps, Intelligent Visibility app 10%

~$1,000 Average reward

2111: Account Planner apps were not part of previous scope
2202: Administrator with limited access, Supply Chain Analyst
2205: Configuration Expert with limited access 19%
2208: Extended Configuration Expert role set
2211: Manage Analytics Stories based on SAC-technology

~500 Security researchers

2302: All business roles organized into a single bucket
2305: Extended Demand Planner roles
2308: Configure cost roll up application added
Broken Access Control (BAC)
2311: Extend Inventory Planner roles
Sensitive Data Exposure
Server-Side Injection
Broken Authentication and Session Management
Server Security Misconfiguration
Cross-Site Request Forgery (CSRF)
Other
External Behavior
INTERNAL – SAP and Customers Only 10
Application-Level Denial-of-Service (DoS)
 2. Run securely
SAP’s secure development and operations lifecycle We run cloud operations securely.

Continuous security monitoring and operations

P RERELEASE

Prevent Detect Respond and adapt

Vulnerability Security Incident

Security validation Defense in depth Analysis
management monitoring management

INTERNAL – SAP and Customers Only 11

 2. Run securely
SAP IBP shared responsibility We run cloud operations securely.

Customer Business process and application usage

Customer application access

Security operations and monitoring

Network and security management

SAP Application and OS management

Cloud operations from SAP

Database and storage management

Service configuration and account management

SAP or
hyperscaler
IaaS administration console and API IaaS orchestration

SAP or Network Storage Compute

hyperscaler Physical fabric

Data center and hardware

INTERNAL – SAP and Customers Only 12

 2. Run securely
Security monitoring: Detection, protection, and response We run cloud operations securely.

Customer security
Cloud provider security monitoring monitoring

Host Network Infrastructure Authentication Access and application

EVENTS

Security incident and event Customer

management (SIEM) SIEM
External
Data ALERTS threat
enrichment
intelligence
Security orchestration, automation, and
response
Playbook

CASES

Incident response

INTERNAL – SAP and Customers Only 13

 2. Run securely
Security monitoring: Detection, protection, and response We run cloud operations securely.

B usiness Role
Customer security
C ommunication User
monitoring
C ommunication System
CASES

R
C ommunication Arrangement
Access and application
C ontent Security Policy

Protection Allowlist

R
Customer
B usiness User Logon Details. SIEM
EVENTS

SIEM Systems with Sec Audit Logging.

B usiness User C hange Documents.

B usiness Role Change Documents

Additional services are planned for upcoming releases.

INTERNAL – SAP and Customers Only 14
 2. Run securely
Security Monitoring APIs – Monitoring Configuration Data We run cloud operations securely.

The following services are available (subject for future enhancements by upcoming releases):

Integrating Business Role Data (Read) - SAP_COM_0A04

Allows you to read business role data, such as business role ID or description, read business roles, read assigned business users,
launchpad spaces and business catalogs, or filter for specific combinations.

Integrating Communication User Data (Read) - SAP_COM_0A05

Allows you to read communication user data, such as read communication users, read assigned certificates, communication systems and
communication arrangements.

Integrating Communication System Data (Read) - SAP_COM_0A06

Allows you to read communication system data, such as read communication systems, read assigned inbound users, outbound users, and
communication arrangements.

Integrating Communication Arrangement Data (Read) - SAP_COM_0A07

Allows you to read communication arrangements, read assigned inbound users, outbound users, inbound services, and outbound services.
Integrating Content Security Policy Data (Read) - SAP_COM_0A08
Allows you to read Content Security Policy (CSP) data, such as read Content Security Policy statuses, or read trusted sites.

Integrating Protection Allowlist Data (Read) - SAP_COM_0A09

Allows you to read protection allowlist data, such as read clickjacking protection data, read trusted network zones, read trusted CSS Style
Sheets or read Cross-Origin Resource Sharing.

INTERNAL – SAP and Customers Only 15

 2. Run securely
Security Monitoring APIs – Monitoring Logs and Changes We run cloud operations securely.

Business User Logon Details Data – SAP_COM_0889

Allows you to read business user logon details, such as user name, validity, assigned business roles, read business users, read assigned business
catalogs, business roles and application jobs, or filter for specific combinations.

Integrating SIEM Systems with Sec Audit Logging – SAP_COM_0750

Allows you to retrieve the SAP Security Audit Log from SAP IBP. You can use the audit log data to integrate them into your Security and Event
Management solution (SIEM) to detect security relevant event situations.

Integrating Business User Change Documents – SAP_COM_0327

Allows you to read the change documents of business users. We recommend that you limit the number of change documents according to the
Changed On and the Business User ID fields to avoid a high volume of data.

Integrating Business Role Change Documents – SAP_COM_0366

Allows you to read the change documents of business roles. We recommend that you limit the number of change documents according to the
Changed On and the Business Role ID fields to avoid a high volume of data.

Additional services are planned for upcoming releases.

INTERNAL – SAP and Customers Only 16

 2. Run securely
We run cloud operations securely.
Security Specialist (IBP) Role Template
New role template comprises the authorizations required to view and maintain
security-related configuration and data in the system and support compliance with
data protection and privacy policies.
This role enables you to perform, among others, the following tasks:
Maintain client certificates, trust list, and content security policy
View security-related audit logs and static system information
Schedule and monitor destruction runs for employee data and audit logs
Create and maintain employees and business users
Create and maintain business roles and assigning them to business users
View data related to business users
View changes to master data attributes that are configured as personal data

ID: SAP_BR_SECURITY_SPEC_IBP
Launchpad Space: Security – Configuration and Monitoring

INTERNAL – SAP and Customers Only 17

 2. Run securely
Security Recommendations for SAP IBP We run cloud operations securely.

It provides an overview of the essential security settings in

SAP IBP
You can see the given topic’s priority, relation to the Secure
Operations Map, default and recommended setting at a
glance. Use filters to find information more quickly.
The page is updated regularly. Updates are announced in
the What’s New for main releases and in the What’s New
History for Hotfix Collections.
You can access it by following the link or navigating from
the SAP IBP product page:
https://help.sap.com/ibp → Implement → Security Guide
→ Security Recommendations
We recommend that you familiarize yourself with these SAP Trust Center - summary for selected cloud products
recommendations and review the related settings in your
system.

INTERNAL – SAP and Customers Only 18

 2. Run securely
Customer-managed security testing We run cloud operations securely.

Subject to the conditions and restrictions in Penetration Testing Rules of Engagement and the terms of the
Agreement, Customers may be permitted to perform an annual application penetration test of SAP Cloud Services
upon mutual agreement after subscription to the Cloud Service. Customer’s Agreement must be active and in place
prior to testing.
Request Testing Validation Remediation
The customer can execute Customer can execute SAP expects, the customer The SAP Product Security
a vulnerability assessment testing in accordance with will provide proof of Response Team (PSRT) will
or penetration test by the approved test scope. concept, detailed coordinate the
requesting for approval SAP expects customer to illustration of identified communication among
after submitting a service review the results for each vulnerabilities, filter out SAP’s product teams. PSRT
request ticket. The request finding identified if it false positives and validate will provide Product
Possibility to perform
is then reviewed by SAP to belongs to the customer’s findings generated from Security case (PSI) number pentesting on
ensure the proposed test own developed scanners. Scanner results to the customers. “dedicated instance”?
has no impact to other applications or SAP without enough Customers can retrieve
customers or SAP’s developed applications. If documentation of the updates to the issues via
underlying infrastructure. the findings belong to the reported vulnerability may customer support.
Once the request is customer, SAP does not be considered false
approved, a formal need to receive these positive.
authorization will be sent to findings.
the customer via email or
service request. The
approval process takes 10
to 15 business days. Further information
2100758 - How to update the Security Contact - SAP for Me - SAP for Me
3080379 - Customer Penetration Testing Request Process
INTERNAL – SAP and Customers Only 19
 3. Act securely
SAP Customer Influence Portal Security-first culture in everything we do.

SAP Customer Influence for IBP enables customers not only to submit ideas, but to vote on them as well.
These voting results inform SAP about product enhancements and changes customers are most interested in seeing in future
releases.

SAP Customer Influence is an open and transparent site. This means every SAP customer, as well as SAP employee, can see all
submitted requests – specifically, the content submitted, and who (employee name and company-name) the request came from.
All SAP customers can submit, vote, and comment on improvement requests. By agreeing to the Terms of Use and Privacy Policy,
shown during first visit of SAP Customer Influence, you agree to this approach.

1 Influence Portal -> Integrated Business Planning Influence Opportunity Homepage - Customer Influence (sap.com)

2 Submit improvement

3 Improvement request category -> Security and Data Privacy

INTERNAL – SAP and Customers Only 20

 3. Act securely
Maintain Security Contact for IBP – cloud components Security-first culture in everything we do.

SAP addresses urgent security topics to the Security Contacts named by your company via e-mail. It is recommended that you only assign this
authorization to users who must receive urgent security notifications, due to the sensitivity of such notifications.

How to maintain the Security Contact authorization

The Security Contact is an S-user ID authorization that is managed in the User Management application by an administrator that has this
authorization. This is not a special function/role that SAP assigns.

• Go to SAP for Me > User Management

• Find the user with the Users search option or simply locate the user in the Users list
• Click on the user
• Click the AUTHORIZATIONS tab
• Click edit (pencil icon)
• Scroll down to the User Data section and check (enable) or uncheck (disable) Security Contact
• Scroll back up to the top of the AUTHORIZATIONS section and click the Save icon

Further information: 2100758 - How to update the Security Contact - SAP for Me - SAP for Me

INTERNAL – SAP and Customers Only 21

 3. Act securely
Receive Security Notifications – on-premise components Security-first culture in everything we do.

The Security Notes application gives access to review SAP Security Notes and important action items to help you maintain security of your
systems. These notes come as Patch Day Security Notes to focus on immediately, and Support Package Security Notes that are im plemented
automatically through support packages.
Note: When using the System drop down, the systems displayed are your recently used systems or ones that you have marked as Favorites
(see KBA 2853522).
How to access application
Important: The application is S-user based not Customer Number based. That means if one person flags a note as Not Relevant it does not
change it for other S-users.
Access the application: Go to SAP for Me > SAP Security Notes
Tabs give access to notes that should be reviewed, those that you confirmed or marked as not relevant, and to the complete SAP Security
Notes list.
Select checkboxes beside the relevant SAP Notes or select all SAP Notes by checking the box beside SAP Component. Confirm them or mark
them as Not Relevant in one click. These SAP Notes will then be removed from the tile counter.

Further information: 2371996 - How to access and use the SAP Security Notes application - SAP for Me

INTERNAL – SAP and Customers Only 22

 3. Act securely
Report security incidents Security-first culture in everything we do.

Proven way for SAP customers and security researchers

Security Issue Management

INTERNAL – SAP and Customers Only 23
 3. Act securely
Example: Root Certificate Replacement Security-first culture in everything we do.

Current issuer: DigiCert TLS RSA SHA256 2020 CA1 → DigiCert Global Root CA (default IBP system certificate)
Future issuer: DigiCert Global G2 TLS RSA SHA256 2020 CA1 → DigiCert Global Root G2

Roadmap / Schedule:
Systems that are provisioned on or after December 1. 2023, come with the new trust chain. Client certificates whose key is rotated after Dec
1. 2023, are signed with the new issuer and root certificate.

Systems that are provisioned this year and certificates that are renewed until Nov 30. 2023, come with the old trust and root certificate. They
will eventually be migrated to the new root certificate during the regular key rotation.

Deadline:
End of 2024.

Customers’ tasks once we start to renew existing certificates using G2 root ca:
ensure that G2 certificate is present in their communication system trust list (for server identity validation, even if basic authentication is
used).
download the new G2-based client certificate from IBP communication scenario configure if certificate-based authentication is used.
update SAP components (e.g.: SDI agents, Excel Add-In) to the minimum version which supports new G2 certificates in their landscapes.

INTERNAL – SAP and Customers Only 24

 3. Act securely
Certificate Expiration Notification Security-first culture in everything we do.

Once the default client-certificate for your tenant expires, SAP generates a new certificate for your tenant and send notification about the upcoming change.
▪ 89 days before expiry
• You receive an email informing you about the upcoming expiration and the planned issuing of the new default client certificate.
• You aren’t required to take any action yet; however, we recommend that you prepare for the certificate replacement by checking which of your
communication systems use the default client certificate for authentication and planning your replacement activities.
• To check which communication systems use the default client certificate, open the Maintain Client Certificates app, select the Client
Default certificate and choose the Communication Systems tab on the right.
▪ 30 days before expiry
• SAP issues a new default client certificate. You are informed about it by email.
• The new default client certificate is available for download in the Maintain Client Certificates app. It is called Client Default. The expiring certificate is
renamed to Client Default Expiring.
▪ On expiration date
• Once the old certificate expires, it is removed from the list in the Maintain Client Certificates app. You receive a confirmation of this action by email.
• What Happens If You Don't Act
• If you don’t update your communication users and your external system trust store with the new certificate, the outbound integration scenarios
which use the default client certificate for authentication will be broken. You get the 403 Forbidden HTTP status code message when trying to
connect.

▪ Further information:
▪ Default Client Certificate Renewal | SAP Help Portal

INTERNAL – SAP and Customers Only 25

Three Key Messages to Take Away

Security and compliance are key capabilities of SAP

Integrated Business Planning, part of our core.

SAP IBP solution with built-in s security features and

privacy capabilities.

Close partnership with our customers to secure future

innovations to enhance service experience.

INTERNAL – SAP and Customers Only 26

Thank you.
Contact information:

Q&A (2 nd day breakout)

Csaba Kabai

csaba.kabai@sap.com
o Usage of Data Privacy features?
o Customer-managed pen-testing on dedicated tenant?

© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to this material.
Knowledge check
Knowledge Check

True or false. Question comes here…

a) True

b) False

INTERNAL – SAP and Customers Only 29

Knowledge Check

True or false. Question comes here…

a) True

b) False

INTERNAL – SAP and Customers Only 30

Thank you.
Contact information:

© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to this material.
 Remove this slide for final presentation
Template information

Please use the first row of the PowerPoint

Theme Colors and the shadings in
Custom Colors.
The complete palette is available at the
end of the presentation.

INTERNAL – SAP and Customers Only 32