Configuration & Security Analysis

Objectives

After completing this lesson, you will be able to:
  • Understand the goal and scope of Configuration & Security Analysis
  • Describe the role of Store Browser as user interface for Configuration & Security Analysis
  • Outline the use of configuration items for Configuration & Security Analysis

The Goal of Configuration & Security Analysis

Configuration & Security Analysis (CSA) supports the monitoring and analysis of static data.

  • For on-premise and private cloud systems, this typically relates to technical configurations that are relevant for stable and secure operations of your SAP solution landscape.

  • For cloud services, where the configuration for stability and performance is the responsibility of SAP as the cloud provider, the data onboarding has a strong focus on security.

The features of CSA in SAP Cloud ALM are very similar to the respective functionality in SAP Solution Manager and SAP Focused Run. You have a central Configuration & Change Database (CCDB) and data collectors that push snapshots of data on a daily basis. CSA provides features for interactive analysis that give you access to the collected data.

Note

Advanced features like Configuration Validation for custom-tailored AS-IS / TO-BE comparisons, embedded analytics and integration with a central alerting are planned on the roadmap of this emerging monitoring use case.

The diagram below illustrates how configuration data is stored in the Configuration & Change Database:

Configuration data of services and systems are stored in the Configuration & Change Database of Configuration & Security Analysis in SAP Cloud ALM.

The system allows for automated synchronization with SAP Cloud Landscape Directory to easily configure monitoring for new services in the landscape that have been made available by SAP. This includes services subscribed to by someone in the company.

Users can:

  • Browse through the security configurations recommended by SAP and search for configurations that are relevant to their company's compliance based on text patterns.

  • Search for non-compliant items using text patterns or Security Recommendation Index ID, selecting the appropriate scope for their organization. In addition, analysis of changes within the last reporting period can be done and the results can be downloaded for further processing in tools like MS Excel.

  • Standardize regular analysis and create visualizations tailored to their organization's needs. The SAP Analytics API can be used to load selected data into SAP Analytics Cloud or Grafana. This makes it possible to deliver an aggregated security status and trend information for the overall landscape or for specific services.

  • Get item-level insight for drill-down or for building custom-tailored validation in external tools.

In general, the following services and system types can be monitored.

On-premise and private cloud: SAP Application Server ABAP used in:

  • SAP Business Suite
  • SAP S/4HANA
  • SAP S/4HANA Cloud Private Edition

SAP cloud services on SAP BTP:

  • Credential Stores
  • Destination Services
  • Identity Services
  • Mobile Services

Note

You can always find the latest information about supported products in the SAP Support Portal on the Configuration & Security Analysis Content page.

General Approach

The general approach of the Configuration & Security Analysis application is a close collaboration with SAP Global Security, SAP Technology & Innovation, and SAP Product Engineering on delivering harmonized configuration data from all key cloud solutions and establishing an SAP process for continual content updates.

The following graphic depicts the Configuration & Security Analysis approach:

Steps in the approach of Configuration & Security Analysis: document Security Recommendations, collect data automatically through APIs, and visualize the compliance in the SAP Cloud ALM UI.

Therefore, the application relies first on Recommended Security Configurations for SAP Cloud Services. In a second step, the data is collected via different APIs into the Configuration & Change Database in SAP Cloud ALM. In a third step, the Configuration & Security Analysis application lets you visualize the compliance either in the UI of the application itself or in an external tool, for example with the help of the SAP Analytics Cloud Dashboard Template.

Data & Planned Features

The figure displays the features that are currently available and those that are planned for the future:

Available and planned features for Configuration & Security Analysis, outlining the current usage concept and future expansion for detailed validation.

The general usage concept relies at the moment on Pre-Validated Data, which can be browsed via the Search UI or via the Analytics API in conjunction with predefined or custom-built dashboards.

In a further expansion phase of Configuration & Security Analysis, the concept will be extended by a detailed validation concept based on Raw Data. In this extended concept, the user can maintain a policy in the Policy Maintenance and validate this policy against the available raw data. This concept also includes a Validation API and some predefined dashboards to be used with SAP Analytics Cloud.

The Role of the Store Browser as User Interface for Configuration & Security Analysis

Home Screen and Store Browser

The Configuration & Security Analysis application offers browsing and searching the data, analyzing the number of changes in a certain time frame, and access to the data via the Analytics API (Application Programming Interface):

Screenshot of the Home screen and the Store Browser within Configuration & Security Analysis.

The Configuration & Security Analysis application puts you in the position to browse into the configurations of your services and systems. Data is stored in containers, the so-called Config Stores. Each Config Store holds data of the same semantics. On the Home (or Overview) page (1), you get an overview of the available managed components and the number of associated Config Stores. By selecting the number of stores, you reach the Store Browser (2), where you find a list of the available Config Stores for this managed component.

Changes Page and Search Page

The following screenshot displays the Changes Page:

Screenshot of the Changes page in Configuration & Security Analysis with available options to define a new time frame (e.g. last 4 days).

On the Changes page, you can identify and drill down into changes that occurred within the last reporting period. You would be able to answer questions like "Are there any new instances of critical services or unexpected configuration item values?" The Configuration and Change Database checks for item changes when items are uploaded. If the exact change time stamp is unknown, the recorded time stamp reflects when the change was identified by comparing the previous snapshot with the current snapshot. The change overview of configuration items displays the number of changes at a service/system level.

The next screenshot displays the Search Page:

Screenshot of the Search page in Configuration & Security Analysis highlighting filter options on the search page.

Via the Search page, you can find configurations and their values based on text patterns.

As its source, the search uses the column content of a Config Store. This means that the column names are not part of the search and each column is searched separately. Therefore, you can either search for a topic, such as *password* (1), or, thanks to the enrichment of the data, search for COMPLIANT or NONCOMPLIANT (2).

As a reference you can use:

Analytics API

The SAP Cloud ALM Configuration & Security Analysis Analytics API enables you to build dashboards and reports for Configuration & Security Analysis, for example in SAP Analytics Cloud.

The following screenshots illustrate an example of a Security Configuration Dashboard and the accompanying documentation that is available:

Screenshots of the online documentation for the Configuration & Security Analysis Analytics API, a Security Configuration Dashboard and the How-To Guide for the Cloud Security Dashboard Configuration.

There is also a Security Dashboard template available, which is published as SAP Analytics Cloud Community Content together with a comprehensive How-To Guide.

Example: SAP BTP Identity Services - Identity Authentication (IAS)

In the following, let us consider SAP BTP Identity Services - Identity Authentication (IAS) as an example.

The screenshot below serves as an example of the SAP Business Technology Platform Identity Services - Identity Authentication (IAS):

Screenshots of Configuration & Security Analysis showing the Overview page and the Store Browser for SAP BTP Identity Services - Identity Authentication (IAS) as an example.

SAP Identity Authentication can be configured to push security configurations to Configuration & Security Analysis, which will provide configurations for:

  • The Identity Authentication tenant
  • Managed applications
  • A list of managed applications

This table displays SAP Security Recommendations and the corresponding data provided:

Table with SAP Security Recommendations, delivered data from the config store, and priorities of the recommendations.

When you look into the SAP BTP Security Recommendations in the SAP Help Portal, you can see that the data of the SAP Security Recommendations is organized in a table with an index. You can find the respective data in the Configuration & Security Analysis application via the text search by referring to this index.

The screenshot provided illustrates how data is represented in the Configuration & Security Analysis feature of SAP Identity Services:

Representation of data in Configuration & Security Analysis for SAP Identity Services - Identity Authentication (IAS), detailing the available config stores together with a time stamp for the 'Valid since' date.

In the Store Browser, you now find all the available config stores, and for each config store you can find the respective time stamp at which the configuration was found for the first time.

Note

If the type of the event is still INITIAL, this indicates that the respective configuration still has the same value and was never changed since then. Here you would also find the information whether the data was added later, changed, or deleted.
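The snapshot comparison behind the Changes page and the INITIAL / added / changed / deleted event types, together with the column-content search described for the Search page, modelled in Python. This is an added illustration, not code from SAP Cloud ALM; the Config Store rows, column names and dates are constructed sample data.

```python
from fnmatch import fnmatchcase

# Constructed sample data: two daily snapshots of one Config Store. Each row
# holds the columns of one configuration item; "Compliance" stands in for the
# enrichment that makes COMPLIANT / NONCOMPLIANT searchable.
SNAPSHOT_DAY1 = [
    {"Name": "PasswordMinLength", "Value": "8", "Compliance": "NONCOMPLIANT"},
    {"Name": "SessionTimeout", "Value": "30", "Compliance": "COMPLIANT"},
    {"Name": "LegacyLogin", "Value": "enabled", "Compliance": "NONCOMPLIANT"},
]
SNAPSHOT_DAY2 = [
    {"Name": "PasswordMinLength", "Value": "12", "Compliance": "COMPLIANT"},
    {"Name": "SessionTimeout", "Value": "30", "Compliance": "COMPLIANT"},
    {"Name": "MfaRequired", "Value": "true", "Compliance": "COMPLIANT"},
]


def diff_snapshots(previous, current, detected_on):
    """Derive change events from two snapshots, as the CCDB does on upload.

    Returns (event_type, item_name, row, valid_since). The first upload yields
    INITIAL events; afterwards only ADDED / CHANGED / DELETED rows are stored,
    so the database grows with the changes, not with every daily snapshot.
    The time stamp is the detection date, as the real change time is unknown.
    """
    if previous is None:
        return [("INITIAL", r["Name"], r, detected_on) for r in current]
    old = {r["Name"]: r for r in previous}
    new = {r["Name"]: r for r in current}
    events = []
    for name, row in new.items():
        if name not in old:
            events.append(("ADDED", name, row, detected_on))
        elif old[name] != row:
            events.append(("CHANGED", name, row, detected_on))
    for name, row in old.items():
        if name not in new:
            events.append(("DELETED", name, row, detected_on))
    return events


def search_columns(snapshot, pattern):
    """Search the column content of a Config Store, one column at a time.

    Column names are never matched. A wildcard pattern such as *password*
    matches anywhere in a cell; a bare word such as COMPLIANT must match the
    whole cell, so it does not also hit NONCOMPLIANT. Case is ignored.
    """
    pat = pattern.lower()
    return [(row["Name"], col, val) for row in snapshot
            for col, val in row.items() if fnmatchcase(str(val).lower(), pat)]
```

An item whose only event is INITIAL has kept its first-seen value, which is exactly what the note above describes.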

The Use of Configuration Items for Configuration and Security Analysis

Setup

The setup of the Configuration & Security Analysis (CSA) application is usually relatively simple: you define the scope of your monitoring, then make sure that data collection for a specific managed component is switched on, and finally set the required retention time of the data:

Screenshot showing the setup process for Configuration & Security Analysis, describing the simple activation of data collection for cloud services and more complex on-premise configurations.

For services, you just turn the data collection "ON" in the configuration area and the data will be pushed into your Configuration and Change Database within the next 24 hours. This is a very simple step, but it has to be done manually.

Hint

However, as the capabilities of the Configuration & Security Analysis application continue to improve, it is helpful to regularly check for any new services that you may want to incorporate.

For systems, the configuration is a bit more complex as these have to be connected to SAP Cloud ALM first.

Configuration of Data Retention Time

The housekeeping for Configuration & Security Analysis in SAP Cloud ALM for operations mainly affects the Configuration & Change Database (CCDB) of the application.

The screenshot below displays the settings for Data Retention Time:

Screenshot showing the setup process for Configuration & Security Analysis, describing the simple activation of data collection for cloud services and more complex configurations for systems with different clients.

The CCDB housekeeping lets you define a retention period in days. A setting for aggregated data is not required because the CCDB does not aggregate data. Instead, it only stores the initial values of configuration items plus their changes. Because only a small set of items changes over time, no large data growth is expected after the initial load.

There is a daily collection of data from services and systems with a default retention time of 30 days. To cover audit needs, you can extend this value to a maximum retention time of 20 years. To benefit from the Change Analysis capability, it is recommended to use a much higher retention period than the default value, such as 12 months. The housekeeping can be switched off completely by setting the retention period to 0 (not recommended).
