The undesirable leakage of critical SAP business data can have serious consequences for companies. With a joint approach from Virtual Forge and KPMG, users can get to the root of the problem.
Whether the cause is malicious hackers or careless company personnel: If sensitive data gets into the wrong hands, companies can face considerable financial and legal risks. For example, companies in the pharmaceutical industry face heavy losses if drug formulations find their way into the hands of competitors through data leaks and render many years of research work worthless.
(…) greater attention to employee data as unauthorized leakage here can have legal consequences.
For financial institutions, it is especially important to protect customer bank details as unauthorized leaks can lead to damage claims and also reputational damage. Across all sectors, companies must pay greater attention to employee data as unauthorized leakage here can have legal consequences.
Targeting the exit points
Data Leak Prevention (DLP) consists of a range of methods and tools which serve to seal the leakage points. Common to all these methods and tools is that they monitor the data flow in the company network at defined exit points and then raise the alarm if critical business information leaves the network or has already left it.
The DLP solutions are set up at different levels of the IT infrastructure. There are tools with which companies can monitor which data from employee laptops is stored on mobile devices such as USB sticks.
In SAP environments, leaks can occur in several places. When a specific ABAP program is executed, the required data is read from the SAP database tables and made accessible to the users via various communication channels: From classic output lists through special SAP interfaces right up to modern web services.
To prevent leakage, conventional DLP approaches monitor precisely those areas where the communication channels end (…)
To prevent leakage, conventional DLP approaches monitor precisely those areas where the communication channels end in such a way that the data can either be picked up by the end users or exit the SAP system via technical interfaces.
Another commonly used method consists of users creating an e-mail from an ABAP program and then sending the SAP data as an attachment to the mail.
Analysis of the SAP source code
As different as the individual technical DLP methods are, they all require a lot of effort to recognize the critical SAP data with certainty and to effectively monitor the diverse exit points from the company network.
To reduce this effort, the SAP security provider Virtual Forge has developed a new approach with the CodeProfiler tool, which takes effective and sustainable action much earlier in the process: Using static DLP analyses, it is possible to identify the leak channels of sensitive SAP data even in the SAP source code.
In contrast to the conventional reactive DLP approaches, static DLP analysis works preventively.
In contrast to the conventional reactive DLP approaches, static DLP analysis works preventively. In the SAP code itself, those points are identified which could be used fraudulently by an attacker or inadvertently by internal employees to obtain critical SAP business data initially from the database tables and then to remove it from the SAP applications entirely.
Since installation of the CodeProfiler is technically very easy, it is ready for use right away and the results of an analysis are quickly available.
It is important to determine which of the SAP information is particularly worthy of protection. Depending on the industry – this can be data from specific areas of the company, such as finance, development, marketing or sales.
At the same time, constantly changing protection and compliance requirements must be complied with and company-specific agreements and arrangements with the works council must be taken into account.
Once the sensitive SAP data has been identified, you must ensure that it can only be accessed by users who have the appropriate SAP authorizations.
Comprehensive expertise required
Since the classification of critical SAP business data requires comprehensive specialist knowledge, Virtual Forge collaborates with the audit and consulting company KPMG on DLP customer projects. Conversely, KPMG consultants rely on the static DLP analyses of Virtual Forge when they are summoned to a customer where unintended leaks of SAP data has been found.
KPMG is increasingly being engaged by customers who wish to preempt such IT security incidents.
The functional departments, representatives from the areas of governance, risk & compliance (GRC), internal protection officers and works councils are looking for effective DLP approaches in order to counter the risk of possible SAP data leaks.
(…) in many companies, the number of SAP systems has grown so fast in recent years that it is often difficult to retain an overview (…)
The growing demand is also based on the fact that, in many companies, the number of SAP systems has grown so fast in recent years that it is often difficult to retain an overview of which critical business data is processed by which SAP programs and – most importantly – in which context.
Against this background, the risks are growing that unauthorized persons, both inside and outside the company, can gain access to this SAP data.
Know-how bundled in joint offer
To make it easier for customers to collaborate in DLP projects, Virtual Forge and KPMG have bundled their technology and expertise in a joint offer. Each project is arranged in five phases:
- Definition of the legal and functional requirements. At the start of the project, the consultants work together with the customer to clarify which of the existing SAP information is business-critical and especially worthy of protection.
- Identification of the relevant data fields and SAP applications which process the data. Here it is determined which users are authorized to run which SAP programs and whether the existing authorizations are correct. The result is the target situation which differentiates between permitted and non-permitted data leakages.
- Use of the CodeProfiler. The functional requirements are converted into a technical language, which means that the DLP method is parameterized. The CodeProfiler combs through the ABAP source code with search algorithms and provides as a result, the current situation with the potential data leakages.
- Comparison of current and target situations with regard to possible SAP data leakages. In this phase, the findings obtained using the CodeProfiler are compared with the legal and functional requirements of the company.
- Definition of action recommendations. As a result, the company is provided with concrete measures to achieve the target situation and thus to prevent unauthorized SAP data leakages. A key measure is to clean up the affected SAP source code.
Continuous scans recommended
To achieve sustainable proofing against SAP data leakages, it is recommended that companies apply the static DLP analyses, not just once but on a regular basis.
As a result of constant new developments and adjustments, additional data leakage points can arise within SAP systems, and these can only be recognized if the CodeProfiler scans are permanently integrated into the development and security checking processes.
Free Webinar available
The author will be available on February 23rd 2017 – 16:00 CET / 10:00 ET for a Webinar titled “Protect Business Critical Data in SAP Systems – Data Leak Prevention with CodeProfiler “. For further information, please click here (external).