Security_Management_for_Erp

OPERATING SYSTEMS SECURITY ARCHITECTURE MODEL AND DATA HIDING METHODOLOGIES With the advent of new technologies and broader use of internet, Information security is facing unprecedented challenges, and effective information security and integrity management is one of the major concerns for most of the organization in the business world. In this part we will discuss various tools deployed and strategies and concerns involved in securing windows server 2003 one of the highly used operating systems in various business environments. There are various features deployed and integrated within the system to achieve this like authentication, access control, auditing, Active Directory, data protection, network data protection, public key infrastructure (PKI), and trusts. A good security model should also have arrangements for Incident Response Planning, what it means in general is a plan that defines what a breach of security is and the steps that are to be followed for any incident that calls for a breach in security. An IRP plan discusses how information is passed to the concerned department in order to provide assistance for minimizing the damage caused and establish procedures for the possibilities of implementing a policy that would protect the organizations key resources from foreign intrusions. Analysis of Security for an ERP System In past, database system was considered as a core of Information Technology with all the major application programs of companies surrounded to it. But with the advent of ERP systems, companies have targeted ERP to solve their IT problems. The main purpose of ERP implementation was to consolidate and integrate the information across the entire organization. The flow of information at cross organizational level is managed by the centralized database system. So in order to ensure the integrity and confidentiality of the data it becomes very important for the companies to evaluate and audit the security policy for ERP systems. The purpose of security model is to ensure authentication, authorization, integrity and auditability. In order to achieve these, there must be an explicit and well defined security policy enforced by the system. Now we will study the various architectures defined by SAP for most of their critical applications under the umbrella, some of the models deployed by SAP are Fraud Detection Model, Global Security Positioning Model, and Business Shadow solution. The attributes defined to maintain security within an ERP structure are User Authentication which involves authentication of the users with help of creating different user accounts depending on the authority of the users, deploying complex password and session security within the organization. User authorization is also one of the important aspects that have to be considered while designing the security model of an ERP system. By default SAP R/3 does not allow any user to execute any transactions or programs unless he/she has been explicitly authorized to do so. Authority checks must be used to grant users specific authorization to carry out functions effective use of tools like PFCG should be used in order to create various user profiles within the system. Network level security is as important as securing the SAP configuration, the operating systems and the database. For securing sap network offers careful planning in order to decide placement of components and configuration of access control lists on firewalls and routers. Standard Network Configuration Security and Secure Network Communications are the two approaches followed by SAP to secure their networks. Also keeps a variety of logs for system administration, monitoring, problem solving, and auditing purposes. Logs and audits are important for monitoring the security of SAP R/3 and to track events in case of problems. SAP also enforces the logging feature which ensures security; these features include Application logging, Change document logging, Monitor changes to table data, Monitor changes to use master records, profiles and authorizations. Database security is the most important factor which is considered while defining or designing the security model. With SAP Database Security the key measures that have been implemented by SAP for the security of its database (Oracle or SQL) are Only R/3 tools (such as SAPDBA) must be used to access the database The initial password for database must be changed frequently. Access to USR tables is prohibited. Write access to T000 table is prohibited. Application specific tables must be protected in accordance with the authorization matrix. Just like various other applications like Microsoft even SAP have Fraud detection Models, Risk Management Model, Disaster Recovery Model in place to provide the highest level of security to enterprises who implement the SAP framework. ANALYSIS OF ENTERPRISE WEB SERVICES SECURITY One of the primary goals of SOA is to facilitate the automation of business processes by allowing Web services to automatically discover one another and immediately take advantage of the functionality offered. To facilitate business transactions, Web services need to be able to create, enforce, and abide by contracts between organizations for this various techniques can be used like Negotiation protocol Negotiation service Mediation service Auditing service Negotiation-enabled Web service All software, including Web services, can be characterized by its fundamental properties, which include functionality, performance, cost, usability, and security. The following five properties of software that, if present, will directly contribute to the ability to assure that a Web service is secure Predictability of operation Simplicity of software design and code Correctness Safety In addition to providing security at different layers of the Web service architecture, each standard provides a different aspect of security. Bellow table shows what security properties various specifications and standards provide in each of the SOA security dimensions. Each SOA security dimension is supported by one or more security requirements. Every requirement may have any number of standards that support it. For example, both SSL/TLS and WS-Security provide confidentiality, integrity and authentication support for the messaging dimension while the accountability requirement of the resource protection dimension and the software security requirement of the security properties dimension do not have supporting standards. As discussed earlier with Microsoft and SAP similarly a through RISK ANALYSIS of the web services should be done and all the vulnerabilities and loop holes should be identified for securing the data transmission and effective responsive or back up plans should be in place in case of an attack . Finally, trying to encapsulate it all in a nutshell, the following could be said. IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire) from a variety of sources such as natural disasters to terrorists actions. While much vulnerability may be minimized or eliminated through technical, management, or operational solutions as part of the organization’s risk management effort, it is virtually impossible to completely eliminate all risks but still effective security models should be in place to avoid such threats.