Security management solutions White paper

Extend the value of SAP investments with Tivoli security management solutions.

December 2005

Contents

Introduction
Help protect business-critical processes through a comprehensive security infrastructure
Case one — Financial services
Help maximize the security of supply chain processes
Help optimize the security of the PLM process
Case two — Chemical and petroleum
Help strengthen authentication through TPM integration
SAP-certified solutions
At your service
Summary
For more information

Introduction

During the past three decades, leaders in the industrial sector have implemented SAP-based supply chain management (SCM) and product life-cycle management (PLM) systems to help manage growing product complexity, manufacturing logistics and customer demands. Bringing coherence to the diverse applications and technologies that comprise these business processes has had a transforming effect. SAP solutions have helped companies:

• Reconfigure supply chains based on their fluctuating needs.
• Slash order-processing cycles.
• Reduce capital investment with more efficient and accurate production and distribution plans.

As the global marketplace becomes more interconnected, companies will seek to extend their SAP-based systems to suppliers and trading partners to help drive product innovation and speed time to market. These initiatives require a carefully orchestrated approach that must take into account the need to manage authorization and access control, enforce enterprise-wide security policies and facilitate compliance with expanding regulatory demands. Managing the security of SAP and enterprise systems with IBM Tivoli® can help a business establish the security and trust necessary to extend supply chain transactions to external partners without compromising agility.

This white paper examines how IBM Tivoli security management solutions can help a company optimize its SAP investment by providing the security needed to integrate and extend business processes internally and externally.

Figure: Modern applications and technology support convergence of business processes and IT leading to improved efficiency. They also increase risk.

Specifically, this white paper discusses how comprehensive software, services and expertise from IBM can help a company in the industrial sector securely extend its business-critical enterprise applications to trading partners, suppliers and customers — and thereby help the company increase its ability to compete in an interconnected world. IBM leverages years of experience working with SAP systems and the industrial sector to help companies:

• Integrate comprehensive security solutions across a heterogeneous environment composed of SAP R/2, SAP R/3, SAP NetWeaver and non-SAP systems.
• Create centralized security functionality to manage user identities and access for SAP and non-SAP components.
• Incorporate security standards for authentication methods.
• Enable integration of SAP security with Web-based legacy applications.
• Provide access control management, centralized rules and comprehensive audit capabilities.
• Facilitate centralization of user management when using non-SAP applications.

Help protect business-critical processes through a comprehensive security infrastructure

SAP components support business processes that are typically among the most critical ones. Due to the tight relationship between an SAP environment and these processes, the availability of the SAP environment is increasingly important to a business and its interconnected partners. SAP components may also be tightly integrated with other assets of the IT infrastructure — both older SAP systems and more recent Web services–based systems — all of which must be kept highly secure and available. The challenge for newer business processes and services lies in the need to integrate older security process silos and ad hoc security solutions to create a security-rich environment for external transactions.

Figure: IBM Tivoli security and identity software complements SAP internal security management.

Isolating systems from external interactions carries risks of its own: lower revenue, higher operating costs and the threat of falling behind competitors who reap the benefits of the next generation of external transactions. Nowhere is this truer than in the industrial sector. Companies in this sector depend heavily on their suppliers and trading partners to provide products and services. A large part of the industrial sector supply chain process is conducted through secure supply chain transactions on the Internet or extranet. For example, in the electronics industry, one company might design the product, which is manufactured by another company, assembled by yet another and finally distributed by a fourth company.

Businesses in the automotive industry rely on suppliers for replacement and substitute parts and components. When automotive original equipment manufacturers (OEMs) extend business processes to their suppliers, it enables them to streamline service and parts operations and provide fast service to end customers. But without a robust security mechanism in place to protect their enterprise resource planning (ERP) and PLM systems, OEMs risk exposing their intellectual property, confidential pricing and parts specifications to a significant security breach.

Mergers, acquisitions and joint ventures in oil exploration are becoming more or less mandatory to contain risks and costs in the chemicals and petroleum industry. When employees can change from month to month, businesses need to be able to grant authorization to new or temporary employees quickly. By the same token, they should also be able to revoke access immediately.

To succeed in this highly fragmented sector, companies need access to a security-rich environment in which they can exchange information and make transactions seamlessly across geographies to increase product innovation and speed time to market — without compromising business processes or the ability to comply with regulations.

IBM Tivoli security solutions for SAP can help companies protect information assets, confidentiality and data integrity to increase the resilience and security of SAP environments. IBM Tivoli software delivers open standards–based, end-to-end solutions that integrate across the enterprise.

Tivoli security solutions can help companies:

• Streamline user provisioning, deprovisioning and reconciliation services for internal and external users of SAP SCM and PLM applications.
• Address basic requirements for managing authorization and access control, as well as transmission security, in implementing NetWeaver with Web services.
• Segregate sensitive data and limit access to it to users with certain roles, attributes or both.
• Consolidate security management to provide one set of processes for the entire enterprise.
• Derive regulatory compliance objectives from IT process models.
• Take into account a number of access points, including corporate intranet, Web, remote access and mobile channels.

Financial services

Overview: With more than 3,500 users accessing multiple SAP- and non-SAP solutions, employee self-service and managing passwords, logins and user accounts were costly, slow and cumbersome for financial services firm FIDUCIA.* The company needed a comprehensive security management solution that would allow users to self-manage with predefined privileges and offer centralized audit-trail and user-deletion capabilities.

Business need: FIDUCIA wanted to eliminate manual administration and allow both the IT department and users to focus on serving customers. The company selected IBM Tivoli identity and access management tools to automate access to core systems, cutting new user account creation from days to minutes. The Tivoli solutions enable FIDUCIA to position itself as an On Demand Business, integrating internal processes more effectively and responding faster to new business demands.

Solution: After consulting with IBM, FIDUCIA implemented a solution that includes:

• SAP R/3, including financials, human resources (HR) and payroll.
• mySAP Customer Relationship Management (mySAP CRM).
• SAP Business Intelligence Hardware.
• Tivoli Identity Manager.
• Tivoli Access Manager for e-business.
• IBM Tivoli Directory Server.

Benefits: With reduced account-creation times, a full audit trail and tighter central security control, FIDUCIA has cut its administration costs; provided faster service to staff, suppliers and customers; and reduced its total cost of ownership.

“IBM Tivoli solutions allow us to manage users more effectively throughout the whole group, and offer users faster access to the relevant SAP solutions. This is particularly important for human resources systems, where the integration between SAP’s HR applications and Tivoli enables very easy access to all the internal systems that our employees need.”

— Lutz Bleyer, Head of Central Security, FIDUCIA

Help maximize the security of supply chain processes

SCM processes comprise a number of functions: planning and monitoring, establishing and maintaining supplier relationships, manufacturing, logistics and transportation. Integrating and automating these functions allow a business to increase visibility across and beyond its supply chain — enabling the company to identify and resolve problems in an on demand way.

IBM Tivoli solutions help create the trust necessary to integrate and automate the supply chain in a security-rich manner while retaining the integrity of business-critical applications. With full support for SAP central user administration (CUA) and automation of user data, IBM Tivoli security solutions can help an organization automatically create and manage user accounts based on its role structure and data classification standards, plus apply a consistent access policy that spans crucial systems. By creating a single, reliable source of information about individual users and their access rights, IBM Tivoli Access Manager and IBM Tivoli Security Compliance Manager can help a company protect data from unauthorized access by identifying and responding automatically to security vulnerabilities. Through the robust workflow engine of IBM Tivoli Identity Manager, a business can automate the user-provisioning process, including approvals and account creation, and the user-deprovisioning process to mitigate the risk of invalid accounts and privileges.

IBM Tivoli Federated Identity Manager enables a business to exchange user identification and attributed information with trusted entities that an open standards–based authentication framework to execute supply chain transactions within SAP and non-SAP environments. Tivoli Federated Identity Manager reflects IBM’s commitment to Web services standards and is fully compliant with all major specifications, including Liberty Alliance, Security Assertion Markup Language (SAML), WS-Federation, Web Services Security (WS-Security) and WS-Trust.


IBM Tivoli security management solutions for SAP

IBM Tivoli software maps overall security to SAP and helps provide secure identity and access management for mySAP. The Tivoli security adapter family for SAP can:

• Provide consistent, security-rich access control to SAP resources and applications by integrating the SAP NetWeaver stack. Adding SAP integration to Tivoli Access Manager centralized access control extends SAP application with a wide range of authentication methods.
• Simplify creation of user accounts, automate approvals and provision user access rights by managing SAP R/3 user registry, integrating SAP User Management Engine (UME) and providing SAP HR linkage and CUA integration. Integrating SAP applications into a comprehensive identity life-cycle framework by using Tivoli Identity Manager can enhance SAP systems by providing approval workflow and full audit and reporting capabilities to SAP systems.
• Provide a meta-directory capability to SAP systems, real-time synchronization between identity data sources and applications transforming data between R/3 User Registry, SAP HR and other systems. IBM Tivoli Directory Integrator manages data across a variety of repositories, providing the consistent directory infrastructure (including SAP).

Help optimize the security of the PLM process

New products are an important part of a company’s growth strategy: they attract new customers and investors, improve competitive positions and drive revenues in new markets. Inherent in these growth strategies, however, is the challenge of managing the vast resources and processes used throughout the life cycle of the product. From the initial design to implementation, everyone along the company’s value chain should operate as a single enterprise. Early and frequent collaboration lets a business provide a clear understanding of the intended product characteristics and attributes to stakeholders so that the company can better align the full cost and revenue impact with business priorities. During the design process, team members can assess the impact of design changes and identify problems before they derail the project.

But if the benefits are obvious, so are the risks. A company also needs to protect its intellectual property, separate sensitive information from unauthorized users and help drive the security of real-time connections between people and departments. IBM Tivoli Access Manager for e-business and IBM Tivoli Privacy Manager for e-business let organizations manage users and data access to implement and enforce privacy policies that help a company segregate access to sensitive systems such as financial information stored in SAP systems. Tivoli Identity Manager provides the functionality to provision, deprovision and reconcile internal and external user accounts through the appropriate policy and application integration agents. Tivoli Federated Identity Manager provides the integration technology to connect a remote provisioning request to Tivoli Identity Manager, which executes the appropriate policy and procedure for the task.

Chemical and petroleum

Overview: As the holding company for the world’s largest petroleum and petrochemical group, BP provides fuel for transportation, energy for heat and light, retail services and petrochemicals products for everyday items.

Business need: BP needed to respond quickly to mergers and acquisitions to reduce the time required to apply security roles and permissions to the newly acquired organizations across their global enterprise.

Solution: Tivoli Identity Manager helped BP automate the administration of user rights for more than 155,000 users across 15 countries, while consistently enforcing the security policy across its enterprise in an audit-friendly manner to facilitate compliance with regulations.

Benefits: The project was justified after just one merger. Provisioning users went from 5 days to 10 minutes.

“Tivoli Identity Manager forms one of the key elements of our security services, supporting our ability to respond rapidly to change. Centralized provisioning is the only way to manage the scale and speed of our organizational change that our business growth requires.”

— Paul Dorey, Director, Digital Business Security, BP p.l.c.

Help strengthen authentication through TPM integration

In an interconnected marketplace, employees and trading partners are often located across the globe. These employees and suppliers need fast, secure access to critical information through a variety of access points: corporate intranet, Web, remote access and mobile channels. At the same time, a company must verify the compliance of its systems with its own policies. IBM provides a comprehensive security management infrastructure with automated configuration and administration capabilities to help organizations cohesively manage users, systems and networks. If a workstation does not have the current version of virus software or the operating system security settings do not comply with corporate standards, this system will automatically assess and identify what needs to be changed and then respond with the remediation that is necessary to meet the corporate standards and policies.

Using Tivoli Access Manager for e-business and Tivoli Identity Manager, an organization can easily extend access control to desktop security solutions that rely on smart cards and Trusted Platform Modules (TPM). Tivoli Access Manager for e-business supports multiple authentication methods and access devices, including desktops, handhelds and other pervasive devices. Tivoli Identity Manager helps a company establish a centralized place to create credentials and authorizations — from PKI-based cryptographic information to biometrics (electronic fingerprints). Available file and folder encryption helps save time by automatically encrypting files and helping to protect data from unauthorized access.

Enhanced security for both wired and wireless networks through the Embedded Security Subsystem facilitates information access and communication while helping maintain the security of digital identities and data by requiring advanced system authentication. Tivoli security solutions also provide self-service capabilities for password resets to help reduce the number of help-desk calls, along with single sign-on capabilities to help rein in the number of passwords that can proliferate when each user has multiple accounts.

SAP-certified solutions

Tivoli security solutions obtained SAP interface certifications to all SAP certifiable interfaces for identity and access management. The following Tivoli products include SAP-specific functionality.

Tivoli Access Manager for e-business — a versatile solution for authentication and authorization problems. By integrating SAP solutions, it extends SAP security to centrally define and manage authentication, access and audit policy for a broad range of business initiatives such as employee, customer and partner portals, CRM systems, e-procurement, cross-company single sign-on projects and outsourcing projects.

Tivoli Identity Manager — provides a secure, automated and policy-based user management solution that helps effectively manage user accounts, access permissions and passwords from creation to termination across all the SAP applications and the whole IT environment. By integrating SAP user administration functionality, it extends user-provisioning capabilities to the SAP landscape and extends its capabilities with a comprehensive, role-based access-control model and approval, workflow, auditing and reporting mechanism.

Tivoli Directory Server — certified for the SAP BC-LDAP-USR interface, it provides a powerful Lightweight Directory Access Protocol (LDAP) identity infrastructure — the foundation for deploying comprehensive identity management applications and advanced software architectures like Web services. It also provides an LDAP-based user repository for SAP systems to share with applications in heterogeneous and Internet environments.

Tivoli Directory Integrator — synchronizes identity data residing in directories, databases, collaborative systems, applications used for HR, CRM, ERP and other corporate applications. The connectors available for SAP integration enable external SAP applications to manage SAP users and their attributes in a similar fashion to the SAP standard user management transaction and provide support for create, read, update and delete operations for SAP R/3 HR data.

Tivoli Privacy Manager for e-business — protects consumer trust and brand integrity by implementing privacy policies that help guard consumers’ personally identifiable information. The Tivoli Privacy Manager Monitor for SAP R/3 externalizes an organization’s privacy and data disclosure policy by mapping between R/3 data locations and policy types. It enables ABAP code to call out to monitor for real-time privacy authorization decision, data user access audit notification and data owner consent collection.

At your service

Drawing on a 30-year partnership with SAP, IBM provides a range of hardware, software and services to complement SAP systems. Industry-proven IBM consultants can help companies secure SAP environments as they extend business processes both inside and outside their organizations.

Highlights: Based on a 30-year partnership with SAP, IBM provides hardware, software and services to complement SAP systems

The Collaboration Technology Support Center (CTSC) is staffed by both IBM and SAP personnel to help businesses identify scenarios that deliver the greatest value for their specific business integrations. The CTSC is committed to creating significant value by combining the strengths of both product portfolios. It establishes a strong knowledge base for interoperability scenarios, implementation guidance and solution assurance through its SAP-certified security solutions.

For a list of IBM certified security products, visit sap.com/softwarepartnerdir/product/productlist.asp?Letter=*&qNameSrch=%23&qKeyword=IBM%20Tivoli&qWhere=3

With broad experience and a proven track record of successful engagements, IBM Managed Security Services consultants can help a business plan, design, construct and operate a security-rich environment for its SAP applications and transactions. IBM Managed Security Services can help evaluate current security, detect misuse and violations, respond to incidents and implement changes to improve defenses.

IBM Business Consulting Services helps customers gain competitive advantage, achieve tangible business results and realize return on investment by applying business processes and information technology to their business and leveraging the strong alliance and joint-development initiatives with SAP. A recipient of the SAP Award of Excellence for customer loyalty and satisfaction in every year and every geography in which it was awarded, the IBM Business Consulting Services SAP Practice helps companies worldwide implement the suite of mySAP products and industry solutions. More than 8,500 highly focused professionals in 160 countries bring comprehensive industry knowledge, deep skills and years of SAP experience to all aspects of the application life cycle — from strategy through operation.

Summary

As SAP enterprise applications are integrated and extended to the Web to increase efficiencies and leverage the power of collaboration, these business-critical assets must be kept highly available and secure. IBM provides the building blocks and infrastructure to help enhance the SAP business layer through comprehensive security solutions.

With robust capabilities available to meet a wide range of security scenarios like identity management, single sign-on and compliance reporting, IBM Tivoli security solutions for SAP provide the capabilities a business needs to gain lasting value from its SAP investment:

• Make all customer-facing portals and applications security-rich.
• Help maximize the security of online collaboration efforts so design ideas and concepts can be readily shared.
• Facilitate compliance with government regulations.
• Enable a high degree of security in a way that is efficient to manage and cost-effective.
• Provide common identity and security services for SAP applications.
• Manage internal and external user identities — including those in the supply chain — from a single repository to help minimize costs.
• Help reduce the number of user IDs and passwords that SAP administrators need to maintain to help optimize application usability and the user experience.

Backed by 24x7, enterprise-level support and expertise, as well as a steadfast commitment to SAP, IBM is ready to help each business implement a security management strategy for its SAP-based systems today.

For more information

To learn more about IBM security management solutions for SAP or to find out how IBM can help you develop a security strategy to meet your unique business requirements, contact your IBM representative or IBM Business Partner, or visit ibm.com/tivoli/solutions/security

To find out more about the IBM and SAP alliance, visit ibm.com/solutions/sap

© Copyright IBM Corporation 2005

IBM Corporation Software Group
Route 100
Somers, NY 10589 U.S.A.

Produced in the United States of America
12-05
All Rights Reserved

IBM, the IBM logo, the On Demand Business logo and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries or both.

Other company, product and service names may be trademarks or service marks of others.

*.com/software/success/cssdb.nsf/CS/DNSD-6GTHDS

Each IBM customer is responsible for ensuring its own compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect its business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its products or services ensure compliance with any law or regulation.

GC28-8388-00