The Magazine

Issue 10

Making SAP business applications secure

CyberSafe Limited | www.cybersafe.com


In the article titled Business security, the subject of single sign-on is discussed and various approaches to SSO are compared. This article discusses the use of Kerberos, and the benefits of using it with business applications from SAP.

“The Gartner Group research suggests that between 20% and 50% of service desk calls processed by most companies are related to user password or logon issues”

Some of the many reasons why Kerberos has become the de-facto standard for authentication and cryptographic key management in an enterprise-wide secure SSO solution are described below:

Use of Microsoft Active Directory - Most companies already use Active Directory to authenticate users to a domain when they log on to their computer. Since Active Directory uses the Kerberos protocol, the Kerberos credentials issued during this domain logon can be re-used by an application to authenticate the user to the application server, without the user needing to authenticate again.

Multi platform and standards based - The Kerberos protocol is available on a wide range of operating systems and application technologies, so it can be used regardless of the operating system or technology used by the business applications. The protocol is also standards based, so solutions from multiple software vendors can easily interoperate.

Password storage and transmission - When the Kerberos protocol is used for application authentication, the user's password is neither stored nor transmitted over the network, not even in encrypted form. This improves the overall security of the application, and reduces the chance of password theft.

Network security - When an application uses Kerberos, it can also benefit from improved network security. The IT organization can be confident that the data the user enters into the application, and the data presented to them at the client user interface, is transmitted over the network securely. In healthcare applications this is particularly important, since patient data needs to be secured and kept confidential, as does HR data in an HR business application. Virtually any business application can benefit from this improved network security, and compliance requirements can be met.

Strong authentication - When an application has been enabled to support user authentication via Kerberos, users can authenticate using any one of many supported methods. If the IT organization wants to use a different method of user authentication, this can be achieved without any changes to the application, keeping the cost of application changes to a minimum. The Kerberos protocol is often used with a user id and password authentication method, but can be extended to support others, such as one time passwords, smart cards, token devices, and even biometrics. When implementing SSO, using a method stronger than a password for user authentication is desirable, but not essential.
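To make the points above concrete (credentials obtained at domain logon being re-used for the application, the password never leaving the workstation, and a session key both ends share for protecting application traffic), here is a toy model of the Kerberos exchanges in Python. It is an added illustration, not CyberSafe, SAP or Active Directory code: the realm, the user alice, the service name SAP/sap01, the JSON message layout and the HMAC-based toy cipher are all constructed for this example and stand in for the real Kerberos encryption types.

```python
import hmac, hashlib, os, json

def string_to_key(password, salt):
    # Password -> long-term key ("string-to-key"). The KDC stores only this key and
    # the client re-derives it locally, so the password itself never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _xor(key, nonce, data):  # HMAC-SHA256 keystream; toy stand-in for RFC 3961 ciphers
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, msg):  # toy authenticated encryption of a JSON-able dict
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(msg).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

class KDC:  # plays Active Directory: holds principal keys, never passwords
    def __init__(self, keys):
        self.keys = keys
    def _issue(self, cname, sname, reply_key):
        sk = os.urandom(32).hex()  # fresh session key, delivered to each party separately
        return (seal(self.keys[sname], {"cname": cname, "sk": sk}),   # ticket
                seal(reply_key, {"sname": sname, "sk": sk}))         # reply to client
    def as_exchange(self, cname):  # domain logon: TGT plus a reply under the user's key
        return self._issue(cname, "krbtgt", self.keys[cname])
    def tgs_exchange(self, tgt, authenticator, sname):  # service ticket for e.g. an SAP SPN
        t = unseal(self.keys["krbtgt"], tgt)
        if unseal(bytes.fromhex(t["sk"]), authenticator)["cname"] != t["cname"]:
            raise ValueError("authenticator does not match TGT")
        return self._issue(t["cname"], sname, bytes.fromhex(t["sk"]))

def service_accept(service_key, ticket, authenticator):
    # AP exchange at the SAP server: identity and session key come from the ticket,
    # the authenticator proves the client holds that session key (no password involved).
    t = unseal(service_key, ticket)
    if unseal(bytes.fromhex(t["sk"]), authenticator)["cname"] != t["cname"]:
        raise ValueError("authenticator does not match ticket")
    return t["cname"], t["sk"]

def sso_login(kdc, user, password, service):
    # Client side: one locally derived key, then TGT -> service ticket -> AP request.
    # Returns the identity the service verified and whether both ends share the key.
    ukey = string_to_key(password, "REALM." + user)
    tgt, rep = kdc.as_exchange(user)
    tgt_sk = bytes.fromhex(unseal(ukey, rep)["sk"])  # wrong password -> ValueError here
    tkt, rep = kdc.tgs_exchange(tgt, seal(tgt_sk, {"cname": user}), service)
    svc_sk = unseal(tgt_sk, rep)["sk"]
    who, server_sk = service_accept(kdc.keys[service], tkt,  # keys[service] = its keytab
                                    seal(bytes.fromhex(svc_sk), {"cname": user}))
    return who, server_sk == svc_sk

def demo_realm():  # constructed sample realm: one user, the KDC itself, one SAP server
    return KDC({p: string_to_key(s, "REALM." + p) for p, s in
                [("alice", "s3cret"), ("krbtgt", "kdc-master"), ("SAP/sap01", "svc-key")]})
```

Running `sso_login(demo_realm(), "alice", "s3cret", "SAP/sap01")` returns `('alice', True)`; a wrong password fails when the client tries to read the AS reply, before anything reaches the SAP server, and the shared session key returned to both ends is what protects the application traffic afterwards.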

Cost savings

The cost of help desk or service desk calls related to password problems is likely to be high for most companies, so a return on investment can be achieved quickly by implementing secure single sign-on. The Gartner Group research suggests that between 20% and 50% of service desk calls processed by most companies are related to user password or logon issues. With each password reset estimated to cost between $27 and $147, reducing the number of these calls clearly increases productivity and saves money. More information on the return on investment and cost savings associated with SSO can be found in the article titled Staying safe.

Using Kerberos with SAP applications

One of the market leading business application software vendors is a company called SAP. Their products are used by more than 2,300 organizations in the healthcare industry, and by more than 50,000 organizations worldwide. You can find out more about the SAP solutions for healthcare at www.sap.com/industries/healthcare.

The company I represent, CyberSafe Limited, specializes in the use of Kerberos for application and network security, and we primarily sell our security software solutions to SAP customers. Our customers have implemented common authentication and secure single sign-on, for users accessing their SAP applications. Some of the SAP applications are accessed using the SAP client on Windows, known as SAP GUI, whilst others are accessed using a Web browser. The same features and benefits are provided, regardless of which method is used to access the application.

Often we find that SAP customers have requirements which don't lend themselves to typical SSO solutions, so we have added features to our products to cater for these additional needs. We have learnt, from just under 20 years of experience selling Kerberos based security solutions, that customers' requirements often extend beyond SSO, sometimes without them realizing it.

One of our customers, a healthcare product provider with global operations and over 100,000 users of their SAP applications, needed to use Kerberos to authenticate users to SAP applications running on several hundred servers. The users of these applications include employees, as well as users from business partners and temporary staff. They also needed the same common Kerberos based authentication on shared workstations, so that a user only has to remember their Active Directory user id and password to log on to the SAP applications securely from virtually anywhere in the company, using either a Web browser or the SAP client software. This was easily achieved using the CyberSafe TrustBroker products, so they now have secure SSO, common authentication and improved network security, and tens of thousands of happy users.

The use of secure SSO based on Kerberos means that this customer, and thousands of others, have been able to realize their business goals and significantly reduce costs. These customers have also been able to improve the management of passwords and identities, and are now using a standards based authentication technology which will allow them to take advantage of other methods of user authentication that may be needed in the future, such as token devices, biometrics, etc.

Many companies who use SAP business applications also have business applications which are not provided by SAP, and user authentication and network security issues still need to be considered for these. Integrating these non-SAP applications with the applications from SAP, and making that integration secure, can also be difficult. The CyberSafe TrustBroker products can help here as well.