Data protection only with data security
Not least because of the new EU rules, the presentations on data protection at this year's DSAG Technology Days were well attended - especially those on functions in SAP that can ensure data protection.
Conclusion: SAP is well positioned for data protection, even if you would have to use SAP GRC for some functions.
However, data protection is worth little if data security is not guaranteed. Here, it is necessary to close some open backdoors. In the SAP system itself, data is well protected by the authorization concept.
However, data exports, print jobs and e-mails from SAP cause SAP data to leave this "protective harbor". The reason is that export in SAP is all-or-nothing: a user who holds the export authorization can download everything they have access to, and a user who lacks it can export no data at all.
In the age of the "open economy", in which companies are increasingly collaborating with partners, external and freelancers, exports cannot be banned - otherwise important processes will come to a standstill.
What is needed, therefore, is control over who is allowed to process what data for what purpose outside the SAP system. The automatic exchange of data between applications and systems, for example by means of RFC or web service interfaces, also weakens data protection.
It is almost impossible to ensure that access and transfer control migrates with the data to the target system. This is because different systems usually also have different authorization concepts.
The ongoing digitization of recent years has led to numerous smaller non-SAP satellite applications around SAP ERP that exchange data very intensively with the central SAP system. With the Internet of Things (IoT), data traffic is becoming even more intense and data endpoints even more numerous.
So anyone thinking about data protection in the coming months should definitely create the appropriate conditions and invest in data security. It is difficult to secure all endpoints that generate and consume data and all channels that transport data.
Attackers will always look for the weakest point and quickly gain access to sensitive or business-critical data due to the strong networking of systems.
Therefore, an intelligent and future-oriented approach is to protect the data itself. This can be implemented by classifying the information as it is created as the basis for granular control of downloads.
In this way, only the data that is actually needed in the target systems leaves the source system. The prerequisite is that the target system can also guarantee data protection.
A deep integration of the classification solution into SAP is important here, so that this process can be implemented automatically. Manual classification slows down processes and is therefore often not applied consistently in everyday work.
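The following added example (not from the article or from any SAP product) sketches the mechanism described above in Python: every field is classified at creation time, and an export releases only the fields whose classification the target system can guarantee to protect, withholding the rest and recording why. The field rules and the target-system assurance registry are constructed assumptions for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    PERSONAL = 3   # personal data in the sense of the EU rules

# Classification applied when a record is created (constructed for this
# example; a real deployment would take the rules from the classification solution).
FIELD_RULES = {
    "material_no": Level.PUBLIC,
    "vendor_name": Level.INTERNAL,
    "purchase_price": Level.CONFIDENTIAL,
    "contact_email": Level.PERSONAL,
}

# Highest classification each target system can guarantee to protect
# (hypothetical registry; values are assumptions).
TARGET_ASSURANCE = {
    "partner-portal": Level.INTERNAL,
    "hr-analytics": Level.PERSONAL,
}

def classify(record):
    """Attach a classification to each field at creation time. A field with
    no rule defaults to the most restrictive level instead of leaking."""
    return {name: (value, FIELD_RULES.get(name, Level.PERSONAL))
            for name, value in record.items()}

def export(classified, target):
    """Return (released fields, withheld log) for one target system.
    A target that is not registered receives nothing at all."""
    ceiling = TARGET_ASSURANCE.get(target)
    if ceiling is None:
        return {}, [f"{name}: target {target!r} not registered" for name in classified]
    released, withheld = {}, []
    for name, (value, level) in classified.items():
        if level <= ceiling:
            released[name] = value
        else:
            withheld.append(f"{name}: {level.name} exceeds {ceiling.name}")
    return released, withheld

if __name__ == "__main__":
    rec = classify({"material_no": "M-1001", "vendor_name": "ACME",
                    "purchase_price": 42.5, "contact_email": "a@example.com",
                    "legacy_note": "unclassified free text"})   # constructed record
    for tgt in ("partner-portal", "hr-analytics", "old-reporting-box"):
        print(tgt, *export(rec, tgt))
```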
In addition, the SAP authorization concept can already be extended to data exports using DRM technologies such as RMS from Microsoft. Users can thus control who can access the encrypted document and which usage options (reading, writing, printing, etc.) are permitted.
Data exports and processing by employees have traditionally posed the greatest risk to data security, and for this area very good solutions are already available today that ensure security even under the new compliance requirements.
Experts are therefore already working on the next challenge: securing the data that is automatically transferred between applications in the background.
This is because this "machine-to-machine" communication will increase even more in the future, and access control is even more complex here.