The SAP authorization system has existed for a long time, and for most of that time it ran in closed, shielded systems where implementing data security and data protection was relatively simple. Those closed systems have since been replaced by 24/7 Enterprise Resource Planning applications connected to the Internet.
Even in the R/2 and R/3 era the authorization system was not considered child’s play, but the opening of the R/3 “black box” and the arrival of cloud computing have brought new tasks and turned the authorization system into a discipline of its own. Secude has committed itself to the challenge of data security and is known as a leading provider in the global SAP community. To find out more, Peter Färbinger, E-3 Editor-in-Chief, talked to Andreas Opfer, Managing Director, and Holger Hügel, VP Products and Services, Secude.
Every SAP administrator has one primary question: is their role-based access to data still up to date? “The access is and remains up-to-date as it provides adequate protection within the SAP landscape,” explains Andreas Opfer. “Our focus is the world outside SAP. Data leave SAP systems to support established processes that are processed in Microsoft applications.” Outside the SAP landscape the authorization system is no longer effective and the data is unprotected, which Secude emphasizes is a significant threat.
Holger Hügel adds, “The role-based authorization concept in SAP has always been cumbersome for customers when it comes to securing customized business processes. Many SAP customers jokingly claim that they probably have as many SAP profiles as users. There are many solutions that simplify security within the SAP system. Secude adopts a data-centric approach based on automated data classification and is focused on the data export interfaces in SAP.”
“All SAP data which customers claim as ‘business critical’ or ‘sensitive’ is data that should be protected,” Andreas Opfer and Holger Hügel state together. From the legislator’s point of view, this also includes personal data. The intellectual property of companies is often found in financial, material, production planning and construction data. Of course, customer data and pricing information are also sensitive. “Secude believes that it is necessary to keep such data within the secure boundaries of the SAP system and only let data leave via authorized user downloads or data transfers. Unauthorized downloads have to be prevented and exported files have to be protected by encryption and integrated access profiles,” explains Holger Hügel in the E-3 conversation.
Andreas Opfer specifies, “We distinguish between business information that is critical to the company’s future performance and personal data that must be protected in the future in the context of the EU Data Protection regulation.”
What should be protected?
Relevant information could be a new technology for automobile electric propulsion that gives a range of more than 1000 kilometers and thus ensures the success and profit of the automobile manufacturer. If this information is stolen via the Internet during its journey from Germany to the production site in China, it would cause incalculable damage. Personal data is not limited to information about a company’s own employees; even the customer data of a telecommunications provider must be protected. “All companies that work with customer data are affected by the EU regulation, even those companies from non-European states that do business in the European Union,” emphasizes Andreas Opfer.
Secude’s data security approach for SAP is applicable to all SAP releases, as Andreas Opfer emphasizes: “We are certified for all current releases.” Secude’s solution Halocore works on the NetWeaver layer. Even if SAP does not like to use this designation with S/4Hana, it is technically still the same layer. Holger Hügel adds, “This is why our solution is equally suitable for all SAP releases from 7.0 onwards.” SAP customers consider all these layers in their data security concept. However, the individual layers are often considered independently of the business processes and data flows.
Holger Hügel states from experience, “There is also a lack of synchronization of the respective technical implementations. Data security should begin with processes and the data processed in them. This first step allows security requirements to be derived, which are then technically implemented in the individual layers. The dynamics of SAP operation, however, also require a central authority, a security solution that keeps all these layers consistent. We focus on all the data processed in SAP,” explains Andreas Opfer.
“This can be on a Hana database or on any other. Also a CAD drawing of the electric batteries I mentioned before, which is stored externally on a content server and can then be shared within SAP, is worthy of protection. All other components, operating systems, etc. are of secondary importance to us.”
The path to S/4 is always a Hana migration project. What security aspects should SAP customers consider here? In addition to the NetWeaver stack, Hana also offers the possibility to access data directly via Hana XSA. As a result, Hana also has its own authorization policy. Holger Hügel says, “This is to be integrated in the previous policy or by extending the existing one to Hana. Hana as a platform offers numerous new application interfaces, all of which carry per se security risks. It needs technical solutions that minimize these risks.”
“For some SAP customers, ‘SAP on Azure’ is a very interesting alternative to their own data center. Security from the process and data perspective is independent from the operations model or the operating platform of the application,” says Holger Hügel.
“However, customers start to ask about access rights after they have migrated to the cloud without realizing that data misuse by malicious insiders, which happens already on-premise, represents two-thirds of all incidents. The move to the cloud does not change anything,” Andreas Opfer sums up.
Even if the data center is outsourced, SAP users load data onto their local computers, for example into an Excel table, which makes the data as vulnerable as in on-premise environments. He further points out that “SAP customers should also ensure that external service providers have implemented protection mechanisms as well. An SAP operations unit that is located in India and maintains the customer’s systems, including firefighting sessions, has all the options to download sensitive and business-critical data at any time. This is a considerable risk, which cannot be protected with pure contractual penalties.”
The supervision of automated downloads to other applications is also part of Secude’s portfolio. Andreas Opfer emphasizes in the E-3 conversation that these downloads mostly happen in the background, as they are passed on without the active intervention of the user. “This is also monitored by Secude and thus ensures 100% transparency of all SAP data downloads,” explains Andreas Opfer.
If data is transferred from SAP to another system, the following question arises: how will the SAP security profile of this data be copied and mapped in the other system? Holger Hügel describes the scenario as follows: “As already mentioned, in many cases these profiles are technically not matched. Basically this is a data security risk. If the standard software is Microsoft Office, which is very often the case, there is no data security at all without Microsoft AIP / RMS.
This is where Secude seamlessly connects SAP and the Microsoft world.” The challenge is to see security as a permanent, proactive and preventive discipline in operations. “Simply filling up safety gaps as soon as they are discovered is not enough,” warns Hügel. Clouds reinforce the issue because the possibilities for attacking the system are simply bigger and more complex.
Andreas Opfer knows this situation well. “The cloud providers are hesitant when it comes to investing in data security or want to pass on the costs to their customers. Customers, on the other hand, expect this protection from the service provider, but do not urge the provider to act.” Holger Hügel adds, “Cloud providers are usually focused on attacks from the outside, i.e. by hackers. The insider who has access to the SAP application is not in focus.”
General Data Protection Regulation
The General Data Protection Regulation (GDPR) entered into force in Europe in May 2016. Andreas Opfer states, “Many companies have not yet realized this. We are in the implementation phase, which has been generously given for two years. It ends on 25th May 2018. Companies handle this very differently.”
The GDPR has substantially increased the penalties for violations, which has caught the attention of CFOs.
“SAP customers should identify precisely in which processes they process personal data,” says Holger Hügel. As long as the data does not leave the SAP system during the process, data protection is generally sufficient; SAP is quite well placed here. “However, data exports must be controlled automatically,” emphasizes Hügel. “Only necessary and legitimate exports may leave the system. Protection must follow the data throughout its lifecycle, which is technically the greatest challenge and requires lead time to implement suitable solutions. SAP’s customers should act now and not wait until the first customer complains. Secude provides a solution for all personal data of an SAP landscape that meets the requirements of the GDPR,” explains Andreas Opfer.
Andreas Opfer adds, “The monitoring and auditing of all wanted and unwanted downloads – this is several thousand downloads per day, which cannot be monitored or controlled without a proper system.”
In case of violations of the GDPR guidelines, the Secude solution raises an alert via SIEM to ensure a response to the customer within the 72-hour deadline and to report the incident to the authorities. As a result, data security remains an important and essential issue in 2018, and is a must for every CIO.
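The control loop the interview describes (classify the data, allow only authorized exports, log every download, alert via SIEM with the 72-hour deadline when personal data leaves without authorization) can be illustrated with a small policy check. This is an added example, not Secude’s Halocore or any SAP code; the role names, targets, export policy and download events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# Data classes named in the interview: personal data (GDPR), business-critical data, other.
# Constructed policy with hypothetical role names: which role may export which data
# class to which target. A plain Excel file on a local PC is never an allowed target
# for protected data; an AIP/RMS-protected file or another SAP system is.
EXPORT_POLICY = {
    ("HR_ANALYST", "personal"): {"rms_protected_file"},
    ("CONTROLLER", "business_critical"): {"rms_protected_file", "sap_bw"},
}
REPORT_WINDOW = timedelta(hours=72)  # reporting deadline mentioned in the interview

@dataclass
class ExportEvent:
    ts: str          # ISO-8601 time the download was observed
    user: str
    role: str
    data_class: str  # "personal", "business_critical" or "internal"
    target: str      # where the data goes, e.g. "local_excel"
    rows: int

def evaluate(ev: ExportEvent) -> dict:
    """Allow the export, or return a SIEM-style alert record for it."""
    if ev.data_class == "internal":
        return {"decision": "allow", "user": ev.user}
    if ev.target in EXPORT_POLICY.get((ev.role, ev.data_class), set()):
        return {"decision": "allow", "user": ev.user}
    alert = {"decision": "block", "user": ev.user, "role": ev.role,
             "data_class": ev.data_class, "target": ev.target, "rows": ev.rows,
             "severity": "high" if ev.data_class == "personal" else "medium"}
    if ev.data_class == "personal":
        # Personal data tried to leave without authorization: start the clock
        # for reporting the incident to the supervisory authority.
        deadline = datetime.fromisoformat(ev.ts) + REPORT_WINDOW
        alert["report_deadline"] = deadline.isoformat()
    return alert

def audit(events) -> tuple:
    """Emit one JSON line per event (for the SIEM) and a summary of decisions."""
    lines, summary = [], {"allow": 0, "block": 0}
    for ev in events:
        result = evaluate(ev)
        summary[result["decision"]] += 1
        lines.append(json.dumps({"ts": ev.ts, **result}, sort_keys=True))
    return lines, summary

# Constructed sample download log (not real SAP audit data).
SAMPLE = [
    ExportEvent("2018-05-25T09:00:00", "u1", "HR_ANALYST", "personal", "rms_protected_file", 120),
    ExportEvent("2018-05-25T09:05:00", "u1", "HR_ANALYST", "personal", "local_excel", 120),
    ExportEvent("2018-05-25T09:10:00", "u2", "BASIS_EXT", "business_critical", "local_excel", 4000),
    ExportEvent("2018-05-25T09:15:00", "u3", "CONTROLLER", "internal", "local_excel", 10),
]
```

The second and third events model the two cases the interview singles out: a user exporting personal data to an unprotected Excel file, and an external operations role pulling business-critical data.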