The limits of the SAP user authorization concept
Classic role-based access is static and describes the role of the user with abstract profiles such as "employee" or "project manager". Many SAP administrators map departments and project groups onto this by defining variants such as "Employee Dept. 1", "Employee Dept. 2" or "Project Manager Project A". In doing so, they force organizational dynamics into a static concept that, by itself, is neither manageable nor effective in the long term.
As soon as an employee moves from one department to another or works on several projects at the same time, an enormous amount of authorization maintenance is required, which the IT department can hardly keep up with. In many cases, the complexity of the profiles grows to the point where no one knows which rights are actually granted. The reaction of most IT administrators is restrictive authorization handling. The result: users are hindered in their day-to-day work and the efficiency of the processes suffers.
As a consequence, individual access rights are then loosened generously and at short notice, without a deeper analysis of the potential security risks. For the moment, the problem appears to be solved. However, because IT departments are so heavily loaded, the measure is often never revoked, and the once secure authorization policy becomes a free ticket for insider attacks and creates considerable data leakage gaps.
The evolving digital transformation and increasing interconnection of applications is also pushing best practices to their limits. Both SAP S/4 HANA and many connected third-party applications have their own authorization concepts that are not integrated into the traditional SAP user authorization system. The security risks that arise from this are recognized by many departments, but a continuous synchronization fails due to insufficient budget and resources.
CISOs (Chief Information Security Officers), who are responsible for such security issues, usually have no resources of their own and receive hardly any support from the IT department, whose staff are already heavily committed to other projects. While the next person responsible, the CIO, still relies on his specialists, the issue of data security ultimately lands on the desks of the CEOs and CFOs, who are obviously not familiar with such issues. Nevertheless, in most cases they are the ones held liable if an incident occurs. This is a "Bermuda triangle" that needs to be broken.
Establish data-centric security concepts
To secure SAP data effectively even in a digitized world, new, dynamic IT security rules are required that are linked to SAP authorization policies but place the data itself in the foreground. For this purpose, a company-wide standardized data classification is imperative. To implement such a data classification in the company, managers should first focus on the processes through which data is handled.
These help to understand, and critically question, what data is needed for and how it is processed. Once these findings are available, the importance of the data for company success and the respective protection requirements can be derived. To speed this up, the use of process analysis software is recommended. Subsequently, clearly defined data and protection categories should be established.
There are two crucial challenges to master. The first is the general intelligibility and comprehensibility of the individual protection requirement classes. In other words: what does "confidential" data mean? Which user groups and user roles may access which data, and to what extent? An effective data classification must answer these questions clearly for all users and must not impede the requirements of individual process steps. The second challenge is technical in nature and concerns the dynamic or adaptive implementation of the protection requirements.
Context-specific data classification, in which the organizational and technical context of data generation or use is captured and automatically aligned with the definitions of the protection requirement classes, is helpful here. This approach has several advantages over classic content-specific data classification. On the one hand, it is less dependent on changes, for example when content or data types are adapted. On the other, it makes it possible to take further dimensions into account, such as the time reference: financial data or product innovations, for example, lose their confidentiality once they are published.
An effective data security policy takes such dynamics into account and adjusts access rights automatically and just in time. The same applies to organizational structures and hierarchies. Ideally, during the authorization check the security solution looks up the user's hierarchy level in a centrally maintained digital organization chart and applies the appropriate protection classes automatically.
For SAP administrators, the new data-centric approach means thinking beyond the SAP system boundaries when it comes to security. If data for which SAP is the original and leading source leaves the SAP system through user downloads or background data transfers, it should be processed by a multi-dimensional classification. For this purpose, SAP provides a very extensive context of attributes that facilitates the automated implementation of such a classification. However, this alone does not prevent data from leaving the secure SAP environment. Anyone who wants to secure SAP data effectively outside the SAP world needs additional technologies.
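As an added illustration (not code from Secude, SAP or the original article), the following Python sketch shows how a context-specific classification with the time and hierarchy dimensions described above can drive an export decision at the SAP boundary. The org chart, data types, protection class names and policy thresholds are constructed assumptions; a real deployment would take them from SAP context attributes and a central organization chart.

```python
from datetime import date
from typing import Optional, Tuple

# Protection classes, least to most sensitive (constructed names for this example).
CLASSES = ["public", "internal", "confidential", "strictly_confidential"]

# Constructed stand-in for a centrally maintained digital organization chart:
# user id -> (owning org unit, hierarchy level). Assumption, not a real system.
ORG_CHART = {
    "u_clerk": ("FI", 1),
    "u_head_fi": ("FI", 3),
    "u_pm_a": ("PROJ_A", 2),
}

# Base class per SAP data type, i.e. the context dimension (constructed mapping).
BASE_CLASS = {
    "financial_report": "strictly_confidential",
    "product_spec": "confidential",
    "newsletter": "internal",
}

# Per class: minimum hierarchy level and whether the user must belong to the owning unit.
POLICY = {
    "public": (0, False),
    "internal": (1, False),
    "confidential": (2, True),
    "strictly_confidential": (3, True),
}

def classify(data_type: str, publication_date: Optional[str], today: str) -> str:
    """Derive the protection class from context, including the time dimension:
    once the publication date (ISO string) has passed, the data is public."""
    if publication_date is not None and date.fromisoformat(publication_date) <= date.fromisoformat(today):
        return "public"
    # Unknown data types default to 'internal', never to 'public' (fail closed).
    return BASE_CLASS.get(data_type, "internal")

def export_decision(user: str, data_type: str, org_unit: str,
                    publication_date: Optional[str], today: str) -> Tuple[str, str]:
    """Decide how an SAP download is handled: 'allow' (plain export), 'protect'
    (export only in labelled/encrypted form) or 'block'. Unknown users are blocked."""
    cls = classify(data_type, publication_date, today)
    if user not in ORG_CHART:
        return ("block", cls)
    unit, level = ORG_CHART[user]
    min_level, unit_bound = POLICY[cls]
    if level < min_level or (unit_bound and unit != org_unit):
        return ("block", cls)
    return ("allow", cls) if cls == "public" else ("protect", cls)
```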
This is precisely where Halocore from Secude comes in. Based on context-specific data classification, this data security solution controls SAP user downloads and exports. Unauthorized downloads are blocked, so that critical or sensitive data does not leave the SAP system in the first place.
Data needed outside of SAP is automatically protected and encrypted through the Microsoft Azure Information Protection / Rights Management Service (AIP / RMS). This transfers the classification and the authorization profile from SAP to the exported file. Such capability makes it possible, for the first time, to provide cross-process protection that neither impacts IT operations nor users.
Data security is appended to the data and is not reapplied individually by other applications again and again.
Relying on established standard platforms
The core of implementing innovative security concepts is the multi-dimensional, context-specific classification of all data with increased protection requirements. This can be derived from the business processes using automated analysis. The key to defining the data protection requirement classes is that it must be clearly comprehensible which users and roles are allowed to access the corresponding data. For the user, it must be obvious at the moment the document is saved which data class has to be selected. By adding the dimensions of time and hierarchy, it can also be ensured that the data is effectively protected in all further SAP-supported processes.
However, securing data beyond the application's boundaries requires additional technical solutions. It is recommended to use data security solutions that leverage both data classes and user roles. In any case, you should rely on established standard platforms that are supported by all common applications as the "security authority". In this case, Secude Halocore uses standard Microsoft technologies to protect any data export beyond the SAP boundaries.