Remote Maintenance: How to Secure Your SAP System
The highly secure genua Advanced Secure Connect SAP remote maintenance solution ensures the trouble-free operation of your central SAP applications and thereby enables maximum efficiency of your company’s processes. This makes it an important component of SAP Advanced Secure Support.
It accesses your SAP system remotely when required, carries out maintenance sessions or analyzes and recommends steps necessary for the prevention and solution of problems before they result in downtime. Our genua Advanced Secure Connect solution, which we developed in cooperation with SAP, guarantees a very high level of security when accessing your sensitive SAP systems.
- Reliable and trustworthy SAP remote maintenance solution
- Infrastructure recommended by SAP Support for the remote maintenance of systems with elevated security requirements
- Coordinated complete solution made of high-quality security systems and processes of the support teams from genua and SAP
- Seamless integration in the SAP environment through a specially created connection type
- Encryption of the entire maintenance connection with technology from the classified data sector
- Shielded maintenance area; no access to other systems possible within your network
- Tamper-proof recording of all maintenance actions
- Potentially malicious code in the SAP data stream cannot be executed
- Continuous system maintenance: security updates and always up-to-date hardware
Our concept for maximum-security remote maintenance: The maintenance connection is established via a rendezvous server on the Secure Connector; the rendezvous server is installed as a central component in your demilitarized zone (DMZ). As a result, you do not need to grant the manufacturer’s support direct access to the SAP system in your network.
At the agreed-upon time, you establish a connection to the Secure Connector from within your network and the manufacturer’s support staff establishes a connection from the outside. Once this rendezvous on the server has taken place, the maintenance connection to your network can be established. The support staff can access your SAP systems using VNC, RDP or SSH, but only with your explicit approval.
The Service Box, a further component of our solution, provides additional security at the end point of the maintenance connection in your SAP system.
It shields the SAP system that is undergoing maintenance from the rest of your network. The connection thus leads only to the maintenance object; other systems in your network cannot be accessed. A customer-specific VPN gateway (Virtual Private Network), which is under your complete administrative control, is also installed in the SAP support computing center. Thus, the access point for the encrypted connection with SAP is also under your control.
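The rendezvous and Service Box rules described above can be read as a small access-control state machine. The following is an added illustration, not genua or SAP code: the class, method and host names are hypothetical, and it models only the decision logic (both legs present, explicit approval per protocol, a single reachable maintenance target), not the VPN or encryption.

```python
# Simplified model of the rendezvous gate; all names are hypothetical.
from dataclasses import dataclass, field

ALLOWED_PROTOCOLS = {"VNC", "RDP", "SSH"}   # protocols named on the page


@dataclass
class Session:
    target: str                      # the single maintenance object
    inside: bool = False             # customer leg, opened from the internal network
    outside: bool = False            # support leg, opened from the outside
    approved: set = field(default_factory=set)


class RendezvousServer:
    def __init__(self):
        self.sessions = {}
        self.audit = []              # every decision is recorded

    def _log(self, sid, event):
        self.audit.append((sid, event))

    def connect_inside(self, sid, target):
        # Only the customer side can create a session and name its target.
        self.sessions[sid] = Session(target=target, inside=True)
        self._log(sid, "inside-connected")

    def connect_outside(self, sid):
        s = self.sessions.get(sid)
        if s is None:                # no customer leg yet: nothing to meet
            self._log(sid, "outside-rejected:no-session")
            return False
        s.outside = True
        self._log(sid, "outside-connected")
        return True

    def approve(self, sid, protocol):
        # Explicit customer approval, granted per protocol.
        if protocol not in ALLOWED_PROTOCOLS:
            raise ValueError(f"protocol not permitted: {protocol}")
        self.sessions[sid].approved.add(protocol)
        self._log(sid, f"approved:{protocol}")

    def open_channel(self, sid, protocol, target):
        # Allowed only if both legs met, the protocol was approved,
        # and the destination is the session's maintenance object.
        s = self.sessions.get(sid)
        ok = bool(s and s.inside and s.outside
                  and protocol in s.approved and target == s.target)
        self._log(sid, f"{'allow' if ok else 'deny'}:{protocol}->{target}")
        return ok
```

Denied attempts are logged alongside allowed ones, so the audit list shows every request for a channel, not only the successful ones.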
Follow all of the actions performed by the SAP support staff live on the user interface of the solution. You can also create and archive video recordings of the actions. All log information is recorded, thereby meeting the security requirements of the German Federal Office for Information Security (BSI). This means that you are always able to keep track of external access and can retroactively determine which changes were made to your SAP system.
Through the rendezvous solution, the sovereignty over the complete connection, and the extensive monitoring, you have absolute control over maintenance access.
All components of our Advanced Secure Connect remote maintenance solution meet the highest security requirements. The central Secure Connector component runs on a microkernel operating system. The low complexity means that errors in the code and therefore potential vulnerabilities are avoided. In addition, the operating system on the Secure Connector creates two strictly separated areas: One for the systems used to establish the VPN connection, another for the SAP router protocol. Both areas have their own operating systems and hardware resources. This internal separation provides a strong barrier against attackers: Even if an attacker manages to break into one area, the way into other areas remains blocked.
The VPN gateway and the Service Box components run on hardened operating systems, which have been reduced to providing only the functions that are absolutely necessary and therefore do not present potential starting points to attackers. We use high-quality procedures to encrypt the maintenance connection. These have been approved for use for the protection of classified government information and are guaranteed to be free of backdoors. With our coordinated, complete solution, we offer SAP security at a uniquely high level of protection.
All components are administered using the Central Management Station genucenter, which is also designed to meet the requirements for handling classified information. Our remote maintenance solution is operated with a Windows app: The connection is established from your side at the click of a mouse. As a result, you can use and administer the complete solution with very little effort.
Support for the remote maintenance solution comes directly from the manufacturer. Our Advanced Secure Connect experts are available 24/7 to answer your questions and assist you with problems, and we provide you with regular updates. For hardware, we provide a next business day replacement service for customers throughout Germany: if a system should fail, you will receive an identical replacement device on the next working day. Locations outside of Germany receive replacement devices as quickly as possible.