SAP as an Island
“Running SAP” often means managing business-critical processes through and storing your most sensitive data in SAP’s Enterprise Resource Planning (ERP) software. SAP often contains the most sensitive data a company possesses, such as trade secrets and secret formulas, Personally Identifiable Information (PII), unreleased financial results, Bill of Material (BOM) information, and a lot more. With SAP being a mission-critical piece of IT infrastructure, a significant amount of resources are spent on ensuring high-availability and security. The latter includes such measures as protecting network segments that include SAP systems with firewalls and intrusion detection, compartmentalizing access to information through roles and authorizations, preventing fraud through enforcing segregation of duties and encrypting or masking (i.e. tokenizing) sensitive information directly in the SAP database. Except certain infrastructure tasks, most of these measures are typically handled by the SAP department inside an organization.
Enterprise Data Protection
Protecting data outside of SAP is typically handled by the IT department, which commonly doesn’t have much overlap with the SAP folks. Outside of SAP data protection is covered by technologies, such as Full Disk Encryption (FDE), Information Rights Management (IRM), Enterprise Data Classification, and Data Loss Prevention (DLP) among others. However, these technologies are rarely integrated with each other, and even less frequently are they integrated with SAP applications directly, resulting in a patchwork security infrastructure and a time lag before sensitive data is recognized and protected.
Forget about the Perimeter
No matter where you look, your perimeter is eroding. Firewalls are no longer sufficient to prevent the bad guys from getting to your data. Many companies focus their defense strategy on the perimeter layer. However, in the case of a breach, the attackers gain relatively easy access to sensitive data within the network. When an organization focuses its security controls on one single layer of protection, its entire security becomes dependent on these controls working properly at all times, against all threats. Unfortunately, this scenario is not realistic. Why? Because the data is no longer confined within any sort of perimeter.
Data is everywhere; on mobile devices and in the cloud, and the unfortunate truth is – it doesn’t matter if you have policies in place that are meant to deter employees from using such technologies – they do it anyway. The same is true for SAP and data stored in it. Your most sensitive data is being extracted from SAP by your end-users on a daily basis for the purpose of analytics, reporting, and information sharing. That’s not necessarily a bad thing. Your users need to extract that data in order to get their job done. However, that requires that SAP is not considered an island when it comes to protecting data.
Include SAP Data in your Enterprise Data Protection Initiative
Deploying data strategy that brings traditional data protection solutions, such as IRM, DLP or Classification into SAP is a smart way of leveraging existing investments, while significantly increasing the level of protection for the most valuable asset in your company – your SAP data. A comprehensive enterprise defense model is a key requirement in today’s age of digitized data, and ERP software should be an incremental part of that ecosystem. Below are some tips on where to start and what steps to take to make SAP data an integral part of your enterprise protection initiative.
1. Conduct an Audit to Identify Sensitive SAP Data Movement
Building a company-wide protection framework is impossible without understanding where and how sensitive information is used, stored, and moved. Unfortunately, tracking data as it moves within your IT perimeter and beyond is rarely an easy task. It is especially true for SAP data that gets extracted from SAP systems and applications by users on a daily basis. An audit can reveal sensitive data tucked away in places that you’d never expect: stored unprotected in applications and databases across the network, employee-owned mobile devices, cloud-based services, and more.
2. Include SAP Data into an Existing Classification Framework
Many companies have already implemented data classification tools that assist them in this process; however, SAP data often gets left out. It is especially true for data that gets extracted from SAP that organizations often lose track of completely. By identifying and classifying data at the moment of its creation, enterprises can enable efficient management of sensitive data. Integrating SAP data in the overall classification framework is necessary for ensuring consistent data handling across the entire organization.
3. Extend Roles and Authorizations Beyond SAP
Roles and authorizations configured in SAP are a crucial part of SAP security, as they insure that only authorized users can access certain data. Unfortunately, all those roles and authorizations configured in SAP do not extend to the data exported from SAP, leaving data vulnerable and exposed on users computers, mobile devices, or cloud storage. The latest document security technologies such as Information Rights Management (IRM) allow companies to ensure that only authorized users can open protected content, while also controlling what they can do with it, such as print, edit or save. It is important to find tools that can bridge a gap between IRM and SAP itself and extend roles and authorizations configured in SAP to any device and any location.
4. Extend Existing Data Loss Prevention (DLP) Processes to SAP
DLP is a rule-based security solution that examines file contents and prevents confidential or critical information from leaving the corporate perimeter. When configured effectively, a DLP solution can monitor user activity, restrict confidentially classified information from being exported on a USB stick, etc. SAP contains a lot of sensitive information that should never leave its systems, e.g. password hashes or certain compliance-restricted data. Unfortunately, DLP policies are often not integrated with SAP processes. By extending the existing DLP framework to SAP, enterprises can prevent potential malicious or accidental data loss and identify possible inside threats.
By Michael Kummer President Americas at SECUDE
Michael previously held IT positions as managing director at Austrian-based MKI, where he increased the footprint of key data security vendors in Austrian market and at UPC Broadband. Michael was a Corporal in the Austrian Armed Forces.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.