
Data protection only with data security

With the new EU GDPR, data protection has become a matter for top management. As of May 2018, violations of this regulation will no longer be punished with a maximum fine of 300,000 euros, but with up to 20 million euros or four percent of global sales, whichever is higher. This is making CFOs and CIOs sit up and take notice.
Holger Hügel, Secude
March 31, 2017
This text has been automatically translated from German to English.

Not least because of the new EU rules, the presentations on data protection at this year's DSAG Technology Days were well attended - especially those on functions in SAP that can ensure data protection.

Conclusion: SAP is well positioned for data protection, even if some functions require SAP GRC.

However, data protection is worth little if data security is not guaranteed. Here, it is necessary to close some open backdoors. In the SAP system itself, data is well protected by the authorization concept.

However, data exports, print jobs and e-mails from SAP cause SAP data to leave the "protective harbor". This is because in SAP you can either download everything to which you have access or export no data at all if this authorization is missing.

In the age of the "open economy", in which companies are increasingly collaborating with partners, external staff and freelancers, exports cannot be banned - otherwise important processes will come to a standstill.

What is needed, therefore, is control over who is allowed to process what data for what purpose outside the SAP system. The automatic exchange of data between applications and systems, for example by means of RFC or web service interfaces, also weakens data protection.

It is almost impossible to ensure that access and transfer control migrates with the data to the target system. This is because different systems usually also have different authorization concepts.

The ongoing digitization of recent years has led to numerous smaller non-SAP satellite applications around SAP ERP that exchange data very intensively with the central SAP system. With the Internet of Things (IoT), data traffic is becoming even more intense and data endpoints are becoming even more numerous.

So anyone thinking about data protection in the coming months should definitely create the appropriate conditions and invest in data security. It is difficult to secure all endpoints that generate and consume data and all channels that transport data.

Attackers will always look for the weakest point and, because the systems are so closely interconnected, quickly gain access to sensitive or business-critical data.

Therefore, an intelligent and future-oriented approach is to protect the data itself. This can be implemented by classifying information when it is created and using that classification as the basis for granular control of downloads.

In this way, only the data that is actually needed in the target systems leaves the source system. The prerequisite is that the target system can also guarantee data protection.

A deep integration of the classification solution in SAP is important here, so that this process can be implemented automatically. Manual classification slows down processes and is therefore often not implemented consistently in everyday work.

In addition, the SAP authorization concept can already be extended to data exports using DRM technologies such as RMS from Microsoft. Users can thus control who can access the encrypted document and which usage options (reading, writing, printing, etc.) are permitted.

Looking at the world of data exports and processing by employees, which traditionally pose the greatest risk to data security, there are already very good solutions available today to ensure security even for new compliance requirements.

Experts are therefore already working on the next challenge: securing the data that is automatically transferred between applications in the background.

This is because this "machine-to-machine" communication will increase even more in the future, and access control is even more complex here.


Holger Hügel is Vice President Products and Services at Secude.

