Unified Security Framework for SAP®
The Unified Security Framework (USF) is a security event engine for SAP systems. USF collects, correlates, normalizes and delivers security events to your compliance and security infrastructure. Whether someone logs into your SAP system with superuser privileges, or password settings have been temporarily modified, USF is able to detect hundreds of security-relevant events. USF has been architected from the ground up as a flexible and scalable middleware solution to be deployed into existing security architectures. You can now leverage your investments in Security Information and Event Management (SIEM) solutions such as RSA enVision, ArcSight or Splunk to correlate critical SAP security events with network and operating system events. Or you can forward important security events to audit data warehouses for compliance retention. What about creating data warehouse reports on superuser activities from several SAP systems? With USF you can. With its real-time security event engine and open interfaces, you can now support multiple security monitoring scenarios.
USF provides a standardized framework for interfacing SAP with complementary security and compliance solutions. SAP doesn’t have to be a black box for your company-wide security initiatives. With USF you can now easily deploy an SAP-friendly solution and increase your security efficiency.
- Security Events (SE): Security audit log events, system log events, table changes, change documents, remote function calls (RFCs), transport events, system parameters, role changes, user master data changes, superuser logs, customization settings, SA38 report starts (for a complete list, please consult the detailed product and version documentation). All security events are normalized into a structure called dataspaces, which enables flexible administration of event queues and persistence.
- Publish-Subscribe Model: Each security endpoint client can selectively subscribe to security events. Filtering of events is possible for primary attributes.
- Event Format: USF supports several well-known event formats such as syslog or ArcSight Common Event Format (CEF) in addition to its own XML-based format. Clients can extend the framework to support additional formats.
- Transmission Protocol: Remote function calls (TCP) within the SAP NetWeaver landscape and the central USF instance, syslog/UDP or other TCP-based protocols to SIEM systems. File-oriented transport protocols supported by the native operating systems (SCP, FTP).
- Easy Deployment: USF requires an SAP® NetWeaver 7.x system for the central USF instance and supports extraction of security events from systems from 4.6x upwards. It doesn’t need any agents to be installed for basic functionality. This way, you can be up and running with the solution in a matter of hours. USF is written in ABAP Objects and can be easily installed with an SAP transport.
- Dynamic Configuration and Discovery: USF has advanced network functionalities to discover systems in your SAP landscape, and helps dynamically configure systems for monitoring. This reduces administration costs and ensures high availability.
- Scalable: USF has been architected to support the largest SAP installations up to hundreds of system clients. Load on monitored systems is kept to a minimum. The core engine has been parallelized to achieve maximum performance on contemporary hardware.
- Transport Management Support: USF supports SAP configuration and transport management standards. Configuration settings are done in development systems and transported to production systems. This provides for compliance with strict change management requirements.
- Security and Auditability: USF configuration changes can be logged and can be defined themselves as security events to be monitored. Application security is implemented through the standard SAP role-based access model.