When considering security domains, the innermost area is typically the corporate internal network. The internal security domain, or intranet, is where the core SAP Business Suite components run. ISVs with tightly integrated applications may also run in this security zone.
The outermost security layer is the boundary between a customer’s datacenter network and external networks, especially the Internet. Enterprises often create a demilitarized zone (DMZ) just outside their data center “fortress” (see Figure 9-3).
|Figure 8-3. Security Zones|
The DMZ typically contains network firewalls and other network edge services (NES) that provide security features such as defense against malicious access of application systems in the inner security zones of a company.(1) However, DMZ security functions are not limited to network technologies; certain application components may also be placed in a DMZ. Examples include the SAP NetWeaver Portal, through which traffic going to backend applications in inner security zones might be channeled, and SAP NetWeaver Process Integration, which, when placed in the DMZ, can serve as a security layer for messaging traffic.
Even composite application components may be put in a DMZ, especially if they are designed to selectively provide business information from tightly secured backend systems to remote users without allowing general access to all data in the backend system. An example of such a composite might be an application that allows a company to communicate with its suppliers without revealing company secrets.
Moving further away from the corporate data center, some applications that integrate with the SAP Business Suite might be running outside the customer’s data center. An increasingly popular example would be integration with a software as a service (SaaS) offering such as SAP Business ByDesign.
SAP recommends that ISVs advise customers about which security zone is most appropriate for deploying the ISV’s application.
Another aspect of security is encryption, which may be needed at multiple layers. First of all, transport security entails encrypting network traffic to and from your application. For a typical SAP business application, all traffic should be encrypted, even if only handled within a company’s internal network, because all transaction steps, user screens, and messages may contain company confidential business data. This requirement is different from online stores where most information is catalog and advertisement content and only a few data elements need to be encrypted, for example, credit card numbers during the checkout process. Sometimes stored business data is also highly confidential; in this case, encryption might also be used for storing data, whether in databases or in other storage mechanisms.