
Effectively prevent data theft

For many companies, SAP with an Oracle database forms the backbone of their business. The data that is processed there is correspondingly sensitive. How can Oracle databases be secured in the SAP environment? With a holistic approach, other applications and the entire IT infrastructure can also be protected.
Christoph Kersten, Oracle
November 1, 2015
This text has been automatically translated from German to English.

In general, there is no "one" solution that can guarantee complete security for the entire SAP system. Oracle naturally offers solutions in the database area (in addition to the functionalities already implemented by SAP at application level), but also solutions at infrastructure level - i.e. below applications and databases - as well as at superstructure level - across applications and databases. In the infrastructure area, these are in particular secure operating systems.

In the superstructure area, these are solutions for identity and access management that lay a layer over all applications, including SAP.

Hardened operating system

With Oracle Solaris and Oracle Linux, two operating systems are available that are suitable for operating SAP (application server as well as database).

Both offer a comprehensive range of tools and technologies to protect IT environments and reduce threats, including firewall control and security policies for access management.

Using Oracle Solaris as an example, some strategies and features that make up a secure operating system are presented below.

With Oracle Solaris, not only rights for users and applications, but also for administrators can be finely differentiated. This prevents one administrator alone from paralyzing the entire operating system.

Furthermore, the operating system provides secure authentication of all active subjects and encrypts the communication between the endpoints. Oracle Solaris can also be seamlessly integrated with other security architectures.

The system also independently checks its security status and has integrated virtualization with Oracle Solaris Zones.

Trust is good, control is better

Identity and access management is now about much more than simply ensuring that authorized employees have access to their applications.

A comprehensive understanding of who has physical and logical access to facilities, networks and information is required. Here are just a few of the current IT trends: mixed and virtualized operating systems, application and database installations with different user administrations, service-oriented architectures, cloud computing, mobile computing (including BYOD), IT governance, compliance guidelines and, last but not least, the Internet of Things.

All of this must be coherently combined with a security approach for the SAP system, while retaining the flexibility to integrate additional platforms.

Suite for Identity Management under SAP

Oracle's Identity Governance Suite, for example, works seamlessly with the SAP GRC stack. This ensures compliance with laws according to which sensitive SAP data must be classified.

At the same time, it ensures that there is no threat from expired rights and unauthorized accounts and that the activities of administrators are logged.

The Oracle Identity Manager included in the suite supports companies in managing identities and assigning rights to users. It has special connectors to SAP ERP (ABAP and Java), supports special SAP HCM scenarios and integrates with SAP BusinessObjects Access Control (V 5.3 and V10) for SAP-specific validation of segregation of duties. At the same time, it uses SAP Org Structures as the basis for developing a company-wide business role model.

Access rights are set up via the Oracle Access Management Suite. It meets all requirements, including modern functions for granting access from mobile devices, user management via social networks and the integration of cloud and on-premise applications.

Especially in the SAP environment, Oracle's Access Management Suite can be used as a comprehensive WebSSO solution for SAP NetWeaver enterprise portals, which also works together with third-party applications.

Protection mechanisms for the database

Access and access controls are also becoming more important because the consolidation of data centers and systems down to database level has massively increased the consequences of a single data theft.

In addition, outsourcing and external hosting are increasingly giving database access to people who are only loosely connected to a company, or no longer connected to it at all.

With Oracle Advanced Security and Oracle Database Vault as additions to the database server, the risk of data theft can be significantly reduced. Both can also be used in SAP environments without any problems.

Their protective mechanisms take effect when criminals attempt to gain direct access to the database by bypassing the application level.

For example, criminals could try to obtain copies of the database files, such as a backup, and read out the contents. Encrypting the data provides a remedy here.

The Oracle Advanced Security add-on package includes the Transparent Data Encryption and Backup Set Encryption functions, which have been usable in SAP environments since database version 11g.

Privilege management against danger from within

The more rights a user has, the greater the potential danger they pose. In principle, a distinction is made between system and object privileges in order to allow an administrator to manage the database objects, but not to access the data they contain.

However, under the traditional security concept, a sufficient number of system privileges entails implicit object privileges. There is also a risk that the assignment of authorizations can no longer be controlled because administrators can help themselves.

With Oracle Database Vault, a new privilege management is possible that makes a much stricter separation between system and object privileges and allows the establishment of differentiated access rules that go beyond the pure object-user assignment.

Access rights can therefore be linked to IP addresses, times or applications, and rules can even enforce the dual control principle by "forcing" several employees to work together.

Oracle Database Vault is initially just a "toolbox" that security administrators can use to develop sets of rules according to their company's requirements and guidelines. For SAP customers, however, Oracle already provides a default policy that usually covers 70 to 90 percent of the requirements.
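The following sketch shows how such a rule set can be assembled with the Database Vault `DBMS_MACADM` package. It is an added example, not Oracle's default SAP policy and not taken from the original article; the schema `APP_OWNER`, the account `APP_USER`, the address `192.0.2.10` and all rule, rule set and realm names are hypothetical placeholders.

```sql
-- Added example; run as an account holding the DV_OWNER role.
-- APP_OWNER, APP_USER and 192.0.2.10 are hypothetical placeholders.
BEGIN
  -- Rule 1: the session must originate from the application server.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From app server',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') = ''192.0.2.10''');
  -- Rule 2: only between 07:00 and 18:59 database server time.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Within working hours',
    rule_expr => 'TO_CHAR(SYSDATE,''HH24'') BETWEEN ''07'' AND ''18''');

  -- Rule set: every rule must hold (EVAL_ALL); failed checks are audited.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'App server in working hours',
    description     => 'Origin and time-of-day check',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Access outside approved origin or hours',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => '');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'App server in working hours',
    rule_name     => 'From app server');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'App server in working hours',
    rule_name     => 'Within working hours');

  -- Realm: system privileges such as SELECT ANY TABLE no longer
  -- reach these objects without an explicit realm authorization.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Application data',
    description   => 'Protects all objects in APP_OWNER',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Application data',
    object_owner => 'APP_OWNER',
    object_name  => '%',
    object_type  => '%');
  -- Authorization is granted only while the rule set evaluates to true.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Application data',
    grantee       => 'APP_USER',
    rule_set_name => 'App server in working hours',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/
```

An administrator account that holds only system privileges and has no authorization in the realm is rejected with a realm violation, and the failed attempt is written to the Database Vault audit trail.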

With the regularly recurring reports of major data thefts, the question always arises afterwards as to whether the data theft could have been prevented.

One thing is clear: if you use all security-relevant components of the operating system, implement, enforce and maintain an identity and access management solution and also install protection mechanisms at database level, data theft becomes fairly unlikely.

Protecting competitive advantages and intellectual property should be worth the effort to companies - not to mention the threat of loss of image.


Christoph Kersten is Principal Sales Consultant Database at Oracle. He has been with the company since 1989 and at the Oracle Database for SAP Global Technology Center in Walldorf since 1999.

