How Secure are your SCP Platform Users/Administrators?
In Australia, there is a nice new payroll requirement to send all payroll data through to the Australian Tax Office called Single Touch Payroll. For many customers, this will be the first implementation of SAP Cloud Platform in the organisation beyond WebIDE tenants.
If you’ve used WebIDE before, you know you most likely log in with your company’s SAP S-ID using a username/password or x.509 certificate from anywhere in the world. The performance and user experience benefits for those who work remotely without needing a VPN are great!
But does it sound a little concerning if that’s all you need to do to access, as an administrator, a system that has all your company’s employee data flying through SAP Cloud Integration?
Let's talk about the S-IDs themselves and how secure they are in your company to begin with:
- Do users ever share S-IDs or give out usernames/passwords (obviously a big no-no)?
- Do you protect your x.509 certificates from being exported (very scary, since these don't expire for quite some time)?
- Do you deprovision S-IDs immediately when someone leaves?
- Do you allow SAP logon IDs from outside your company (C, P, D, I, etc.) access to any of your tenants, and do you know when to deprovision them?
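One way to turn the last two questions into a repeatable check is to reconcile the tenant's platform member list against the HR leaver list and flag any membership held by an ID whose prefix is not your own company's S-ID. This is an added example, not part of the original post or any SAP tool; the member export, leaver list and the 90-day idle threshold are all constructed/assumed for illustration.

```python
from datetime import date

# Constructed sample data (not a real export): platform members of an SCP tenant
# with their role and last login, plus the HR list of people who have left.
MEMBERS = [
    {"id": "S0001234567", "role": "Administrator", "last_login": "2018-05-20"},
    {"id": "S0007654321", "role": "Administrator", "last_login": "2018-01-15"},
    {"id": "C5551234567", "role": "Developer", "last_login": "2018-05-18"},
    {"id": "P1234567890", "role": "Administrator", "last_login": "2018-05-19"},
]
LEAVERS = {"S0007654321"}
AUDIT_DATE = date(2018, 5, 21)  # fixed so the run is reproducible

# Prefixes the post lists as SAP logon IDs from outside your own company.
EXTERNAL_PREFIXES = {"C", "P", "D", "I"}
STALE_DAYS = 90  # assumed threshold for "nobody has used this membership"


def audit_members(members, leavers, today, stale_days=STALE_DAYS):
    """Return (user_id, reason) pairs for memberships that should be reviewed."""
    findings = []
    for m in members:
        uid = m["id"]
        # 1. Leaver still holds a membership: should have been deprovisioned.
        if uid in leavers:
            findings.append((uid, "listed as a leaver but still a tenant member"))
        # 2. Non-company ID holds a role in the tenant: needs an owner and an end date.
        if uid[0].upper() in EXTERNAL_PREFIXES:
            findings.append((uid, "external %s-user holds role %s" % (uid[0], m["role"])))
        # 3. Extra heuristic: membership nobody has used for a long time.
        idle = (today - date.fromisoformat(m["last_login"])).days
        if idle > stale_days:
            findings.append((uid, "no login for %d days" % idle))
    return findings


if __name__ == "__main__":
    for uid, reason in audit_members(MEMBERS, LEAVERS, AUDIT_DATE):
        print(uid, "-", reason)
```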
Unfortunately, I suspect that in reality most companies do not have a good handle on the security of these SAP accounts.
Let's also not forget we are talking about internet-accessible web "services". Most likely, if your company knows anything about internet security, it has introduced "controls" like Multi-Factor Authentication and has its own Identity Provider to support this.
And it's at this point you start to scratch your head and say "What is everyone else doing?", which is where I was over a month ago. A little later, I discovered that the secret sauce, which no one forces you to purchase a subscription to, is the "SAP Identity Authentication Service".
So what is SAP Identity Authentication Service (IAS)?
Now rather than give you a detailed product explanation of IAS, I’m going to tell you why you need SAP IAS if you use SCP for anything of a serious production nature.
IAS gives you the ability to replace the default SAP Account Identity Provider with your own Identity Provider for your platform users; or, at the very least, to restrict access to your tenant for platform users with additional conditions such as dual-factor authentication, IP address ranges, etc.
Lots apparently happens behind the scenes when you use this as an Identity Provider proxy (like creation of and mapping to new P-users), but for the sake of this post, that is irrelevant.
Note: licensing of IAS is based on the number of individuals who log on per day.
Platform vs Application Identities
From my research (with lots of help from various sources both in and out of SAP), application identities do not necessarily require IAS; you can use your own Identity Provider and avoid any subscription logon licensing costs. But for platform identities, you have no other option except single-factor SAP user IDs which, as is probably obvious from the above, I don’t believe is really an option.
How do I test this all out?
There is some good information out there about this, but unfortunately no trial access to IAS and, crucially, to Platform Users, from what I could find. I hope SAP addresses this in the future, as the more friction there is stopping you from getting security, single sign-on and access sorted, the more likely customers will end up in a compromised situation.
So what is the Unofficial "Community Announcement"?
Until dual-factor authentication is available for all SAP account usage by default, if you are doing anything serious with SCP, do not forget you will need IAS!
Or, more importantly, have I misunderstood this requirement and solution? Please help me and, more importantly, the community understand if there is a better way: comment below and I'll do my best to keep the overarching post up to date.
A Last Minute Thought for the Day
Did you ever think about the internal systems' usernames/passwords stored in the SAP Support Portal for SAP to use when supporting your production issues? Sometimes they are even stored directly in the message rather than in the secure area.
Now think about the fact that access to this information is single-factor authentication via your potentially unmanaged S-IDs.
With that thought in mind, you might want to consider everything you have available on the Internet and how you protect it from malicious access. E.g. I remember a company that published a WebGUI application externally, but with a little URL manipulation I was able to get to a full WebGUI ERP logon screen. Now, if I had an SAP_ALL username/password from the support portal... well, that could be interesting.
Appendix: Point of Clarification around STP/SCI
The actual STP solution itself is very secure; the point of this whole post is simply that if you don't lock down your tenant administrators, they could easily get access to SAP Cloud Integration, turn on tracing and start reading your sensitive data (well, that's the theory at least)...