Data security
An SAP authorization system has existed from the beginning, but in a closed and shielded system, data security and data protection can be realized with less effort than in a 24x7 ERP connected to the Internet.
Even in the R/2 and R/3 era, authorization management was no "child's play", and an ERP system is never a walk in the park. However, the opening up of the R/3 black box and cloud computing have brought completely new tasks and thus helped "authorization management" become a discipline in its own right.
Secude has dedicated itself to the challenge of "data security" and is considered a leading provider in the global SAP community. E-3 Editor-in-Chief Peter Färbinger spoke with Andreas Opfer, Managing Director, and Holger Hügel, VP Products and Services at Secude.
Authorization system
When an existing SAP customer hears the word "security", the first thing that comes to mind is their own authorization system. Is this role-based approach to security still up to date?
"Access is and remains timely, as it provides sufficient protection within the SAP landscape,"
Andreas Opfer explains.
"Our focus is the world outside SAP. Data leaves the SAP system to support established processes that are further processed in Microsoft applications."
Outside of the SAP landscape, the authorization system is no longer effective and the data is "free as a bird"; Secude sees this as a great danger. Holger Hügel adds:
"The role-based authorization concept in SAP has always been cumbersome for customers when it comes to securing the mostly customized business processes mapped in it in an equally suitable way.
"Many SAP customers jokingly say that they probably have as many SAP profiles as users. There are already many solutions that simplify security within the SAP system. Secude takes a data-centric approach based on automated data classification and focuses on the data export interfaces in SAP."
Andreas Opfer and Holger Hügel jointly define data worth protecting in SAP as everything that SAP customers consider business-critical or sensitive. From the legislator's side, this also includes personal data.
The intellectual property of customers is often in the area of financial, material, production planning and design data. Customer data and pricing conditions are also sensitive, of course.
"For Secude, the key is to keep them in the protected space of the SAP system and only let them out in a controlled manner in the form of user downloads or data transfers. Unauthorized downloads must be prevented and necessary export files must be protected by encryption and integrated access profiles,"
explains Holger Hügel in the E-3 interview. And Andreas Opfer specifies:
"We distinguish between business-critical information, which is crucial to the continued existence of the company, and personal data, which will require special protection in the future under the EU's General Data Protection Regulation."
What is worth protecting?
Relevant information is, for example, a new electric drive technology that allows a range of more than 1000 kilometers and secures the future success, and thus the profit, of the car manufacturer.
Should this information be stolen on its way over the Internet from Germany to a production facility in China, the damage would be incalculable.
Personal data is not just the SAP HR information of the company's own employees. Stored customer data from a telecommunications provider must also be protected in the future and must not be lost.
"All companies that handle customer data are affected by the EU regulation, including companies from non-EU countries that do business in Europe,"
emphasizes Andreas Opfer.
Global approach
Secude's data security approach for SAP naturally applies to all release levels, says Andreas Opfer: "We are certified for all common release levels."
The Secude solution Halocore operates on the NetWeaver layer. Even though SAP no longer likes to use this designation with S/4, it is technically still the same layer. Holger Hügel: "That's why our solution is equally suitable for all SAP releases from 7.0 onwards."
Existing SAP customers consider all these layers in their data security concept. However, Holger Hügel knows from his professional experience that the individual layers are usually considered separately from the business processes and data flows:
"There is also a lack of synchronization of the respective technical implementations in many cases. Data security should start with the processes and the data processed in them.
"The security requirements are derived from this, which are then implemented technically in the individual layers. However, the dynamics of SAP operations also require a central instance, a security solution that keeps all these layers consistent in an automated manner."
"We focus on all the data that is processed in SAP,"
Andreas Opfer explains.
"That can be on a Hana database or on any other, it doesn't matter to us. We also refer to a CAD drawing from R&D of exactly this new electric battery - which I mentioned first - that is stored externally on a content server and that is processed as well as sent in SAP as data worth protecting. All the other components I mentioned, operating system, etc., are of secondary importance to us."
The only way to S/4 is via a Hana migration project: What security aspects should an existing SAP customer pay attention to here?
In addition to the NetWeaver stack, Hana also brings the option of accessing data directly or via Hana XSA. As a result, Hana also has its own authorization concept. Holger Hügel comments:
"This has to be integrated into the existing concept or the existing concept has to be extended to Hana. Hana as a platform offers numerous new application interfaces, all of which inherently carry security risks. Technical solutions are needed that minimize these risks."
Cloud computing
For some existing SAP customers, SAP on Azure is a very interesting alternative to their own data center. Security from the process and data perspective is in itself independent of the operating model or operating platform of the application, says Holger Hügel.
"However, it's only in the cloud that customers ask who can access the data there and in what form. At the same time, data misuse by the insider, i.e. already on-premise, represents two-thirds of all incidents."
The cloud doesn't change anything, as Andreas Opfer knows. Even if the data center is outsourced, SAP users load data onto their local computer, for example into an Excel spreadsheet, and are therefore just as vulnerable as in on-premise environments. And he points out an important fact:
"However, SAP customers should ensure that protective mechanisms are also in place for administration by service providers in the case of external operating models.
"An SAP operations unit based in India that maintains the customer's systems, including firefighter sessions, has every opportunity to download sensitive and business-critical data at any time. That's a significant risk that contractual penalties alone can't protect against."
Monitoring machine downloads to other applications is also part of Secude's range of services. Andreas Opfer emphasizes in the E-3 interview that these downloads are mostly unknown, as they are passed on to the third-party applications via an interface without the active intervention of the user.
"Secude monitors this as well, enabling 100 percent visibility of all SAP data downloads,"
explains Andreas Opfer. When data is transferred from SAP to another system, the question arises as to how the SAP security profile of this data is adopted and mapped in the other system. Holger Hügel describes the scenario like this:
"In many cases, as mentioned earlier, these profiles are not technically matched. Basically, this is a data security risk. If the standard software is even Microsoft Office, which is very often the case, there is no data security at all without Microsoft AIP/RMS. This is exactly where Secude steps in seamlessly and automatically, connecting the SAP world with the Microsoft world."
The challenge is to view security as an ongoing, proactive and preventative discipline in operations.
"Just plugging security holes as soon as they are discovered is not enough,"
warns Hügel. Clouds reinforce this need because the attack surfaces are simply larger, more diverse and more complex. Andreas Opfer knows the situation well:
"Cloud providers are reluctant to invest in data security or want to pass the cost on to their customers. Customers, on the other hand, expect this protection from the service provider, but don't push them to act. Much ado about nothing!"
And Holger Hügel adds:
"Cloud providers usually focus on attacks from the outside, i.e., by hackers. The insider who has access to the SAP application is not the focus."
General Data Protection Regulation
The General Data Protection Regulation (GDPR) came into force in May 2016. Andreas Opfer:
"Many companies have not even realized this yet. We are in the implementation phase, which was generously set for two years. It ends on May 25, 2018, and it's being handled very differently."
Essentially, the GDPR has drastically increased the penalties for violations, so CFOs have taken notice. The other aspects are nothing new, at least for SAP customers in Germany.
"SAP customers should identify exactly in which processes they process personal data,"
recommends Holger Hügel. As long as the data does not leave the SAP system during the process, data protection is usually satisfied. SAP is quite well positioned in this regard.
"However, it is imperative that data exports are controlled in an automated manner,"
emphasizes Hügel.
"Only necessary and authorized exports are allowed to leave the system. Data protection must follow the data, which is technically the biggest challenge and needs lead time to implement appropriate solutions."
Existing SAP customers should react now, not when the first customer complains.
"Secude delivers a solution that complies with the requirements of the General Data Protection Regulation for all personal data in an SAP landscape,"
declares Andreas Opfer.
"Recording all intentional and unintentional downloads - that's several thousand downloads a day that can't be monitored or controlled without a 'machine'."
For example, in the event of a breach of the guidelines set out by the General Data Protection Regulation, Secude uses SIEM to alert customers and enable them to respond within the specified 72-hour period and report the incident to the authorities.
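As an added example (not Secude's, SAP's or the interviewees' code), the following Python sketches the control described in this interview at the process level: automated classification of what leaves the system, a default-deny export policy so that only necessary and authorized exports pass, and SIEM-style alert records for every unauthorized export, with the 72-hour reporting deadline attached when the exported data is personal. It serves both the "only authorized exports may leave the system" requirement above and the download-recording and alerting described here. The log format, table names, users (including the firefighter session) and the policy are constructed assumptions, not real SAP audit records or Secude functionality.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample export-audit lines (hypothetical format, not an SAP log):
# timestamp | SAP user | export channel | source table | rows exported
SAMPLE_LOG = """\
2018-03-12T08:15:02Z|MUELLER|GUI_DOWNLOAD|PA0002|1250
2018-03-12T08:17:45Z|SCHMIDT|RFC_INTERFACE|MARA|40000
2018-03-12T09:02:11Z|EXTOPS1|FIREFIGHTER|PA0006|900
2018-03-12T09:30:00Z|MUELLER|GUI_DOWNLOAD|KNA1|75
2018-03-12T10:05:19Z|CADLINK|RFC_INTERFACE|DRAW|12
"""

# Hypothetical data classification by source table: the "automated
# classification" step that decides what class of data a table holds.
DATA_CLASS: Dict[str, str] = {
    "PA0002": "personal",          # HR master data
    "PA0006": "personal",          # HR addresses
    "KNA1": "personal",            # customer master
    "DRAW": "business_critical",   # CAD / document links
    "MARA": "internal",            # material master
}

# Hypothetical export policy, default-deny: a (user, channel) pair may export
# only the listed data classes; every other export raises an alert.
EXPORT_POLICY: Dict[tuple, set] = {
    ("SCHMIDT", "RFC_INTERFACE"): {"internal"},
    ("CADLINK", "RFC_INTERFACE"): {"business_critical"},
    ("MUELLER", "GUI_DOWNLOAD"): {"internal"},
}

# GDPR Art. 33: notify the supervisory authority within 72 hours of a breach.
GDPR_NOTIFY_WINDOW = timedelta(hours=72)


@dataclass
class ExportEvent:
    ts: datetime
    user: str
    channel: str
    table: str
    rows: int

    @property
    def data_class(self) -> str:
        # Unknown tables are treated as unclassified, which no policy allows.
        return DATA_CLASS.get(self.table, "unclassified")


@dataclass
class Alert:
    event: ExportEvent
    reason: str
    report_by: Optional[datetime]  # GDPR deadline; only set for personal data


def parse_log(text: str) -> List[ExportEvent]:
    """Parse the pipe-separated audit feed into typed events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, channel, table, rows = line.split("|")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ExportEvent(when, user, channel, table, int(rows)))
    return events


def evaluate(events: List[ExportEvent]) -> List[Alert]:
    """Apply the export policy; every unauthorized export becomes an alert."""
    alerts = []
    for ev in events:
        allowed = EXPORT_POLICY.get((ev.user, ev.channel), set())
        if ev.data_class in allowed:
            continue
        reason = (f"{ev.data_class} data ({ev.table}, {ev.rows} rows) exported via "
                  f"{ev.channel} by {ev.user} without authorization")
        deadline = ev.ts + GDPR_NOTIFY_WINDOW if ev.data_class == "personal" else None
        alerts.append(Alert(ev, reason, deadline))
    return alerts


def to_siem_record(alert: Alert) -> Dict[str, object]:
    """Flatten an alert into the key/value shape a SIEM ingests."""
    rec: Dict[str, object] = {
        "ts": alert.event.ts.isoformat(),
        "user": alert.event.user,
        "channel": alert.event.channel,
        "table": alert.event.table,
        "data_class": alert.event.data_class,
        "severity": "high" if alert.report_by else "medium",
        "reason": alert.reason,
    }
    if alert.report_by:
        rec["gdpr_report_by"] = alert.report_by.isoformat()
    return rec


def hours_left(alert: Alert, now: datetime) -> Optional[float]:
    """Remaining hours in the notification window, or None if not applicable."""
    if alert.report_by is None:
        return None
    return (alert.report_by - now).total_seconds() / 3600


if __name__ == "__main__":
    for a in evaluate(parse_log(SAMPLE_LOG)):
        print(to_siem_record(a))
```

On the constructed feed, the two GUI downloads of HR and customer master data and the firefighter-session export of HR addresses produce alerts with a reporting deadline, while the material-master interface transfer and the CAD link export are allowed by policy and pass silently. The design point is the default-deny policy keyed on user and channel: a download nobody has explicitly authorized is an alert, regardless of whether a person or an interface triggered it.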
Accordingly, data security remains an important and essential topic that no CIO can ignore in 2018.