Effectively prevent data theft


In general, there is no "one" solution that can guarantee complete security for the entire SAP system. Oracle naturally offers solutions in the database area (in addition to the functionalities already implemented by SAP at application level), but also solutions at infrastructure level - i.e. below applications and databases - as well as at superstructure level - across applications and databases. In the infrastructure area, these are in particular secure operating systems.
In the superstructure area, these are solutions for identity and access management that lay a layer over all applications, including SAP.
Hardened operating system
With Oracle Solaris and Oracle Linux, two operating systems are available that are suitable for operating SAP (application server as well as database).
Both offer a comprehensive range of tools and technologies to protect IT environments and reduce threats, including firewall control and security policies for access management.
Using Oracle Solaris as an example, some strategies and features that make up a secure operating system are presented below.
With Oracle Solaris, not only rights for users and applications, but also for administrators can be finely differentiated. This prevents one administrator alone from paralyzing the entire operating system.
Furthermore, the operating system provides secure authentication of all active subjects and encrypts the communication between the endpoints. Oracle Solaris can also be seamlessly integrated with other security architectures.
The system also independently checks its security status and has integrated virtualization with Oracle Solaris Zones.
Good trust, better control
Identity and access management is now about much more than simply ensuring that authorized employees have access to their applications.
A comprehensive understanding of who has physical and logical access to facilities, networks and information is required. Here are just a few of the current IT trends: mixed and virtualized operating systems, application and database installations with different user administrations, service-oriented architectures, cloud computing, mobile computing (including BYOD), IT governance, compliance guidelines and, last but not least, the Internet of Things.
All of this must be coherently combined with a security approach for the SAP system, while retaining the flexibility to integrate additional platforms.
Suite for Identity Management under SAP
Oracle's Identity Governance Suite, for example, works seamlessly with the SAP GRC stack. This ensures compliance with laws according to which sensitive SAP data must be classified.
At the same time, it ensures that there is no threat from expired rights and unauthorized accounts and that the activities of administrators are logged.
The Oracle Identity Manager included in the suite supports companies in managing identities and assigning rights to users. It has special connectors to SAP ERP (ABAP and Java), supports special SAP HCM scenarios and integrates with SAP BusinessObjects Access Control (V 5.3 and V10) for SAP-specific validation of segregation of duties. At the same time, it uses SAP Org Structures as the basis for developing a company-wide business role model.
Access rights are set up via the Oracle Access Management Suite. It meets all requirements, including modern functions for granting access from mobile devices, user management via social networks and the integration of cloud and on-premise applications.
Especially in the SAP environment, Oracle's Access Management Suite can be used as a comprehensive WebSSO solution for SAP NetWeaver enterprise portals, which also works together with third-party applications.
Protection mechanisms for the database
Access controls (to the systems as well as to the data they hold) are also becoming more important because the consolidation of data centers and systems down to database level has massively increased the consequences of a single data theft.
In addition, outsourcing and external hosting are increasingly giving people who are only loosely or no longer involved in a company access to databases.
With Oracle Advanced Security and Oracle Database Vault as additions to the database server, the risk of data theft can be significantly minimized. Both can also be used in SAP environments without any problems.
Their protective mechanisms take effect when criminals attempt to gain direct access to the database by bypassing the application level.
For example, criminals could try to obtain copies of the database files, such as a backup, and read out the contents. Encrypting the data provides a remedy here.
The Oracle Advanced Security add-on package includes the Transparent Data Encryption and Backup Set Encryption functions, which have been usable in SAP environments since database version 11g.
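As an added illustration of the encryption described above (not code from the article or from Oracle's SAP documentation), the following Oracle SQL shows how a tablespace is created with Transparent Data Encryption, how a sensitive table is moved into it, and how the result is verified. The tablespace name, datafile path, SID, schema and table name are assumptions; the TDE wallet/keystore is assumed to have been created and opened beforehand, since that syntax differs between database versions.

```sql
-- Added example, not part of the original article. Names below are assumed.
-- Prerequisite: the TDE wallet/keystore is created and open (DBA task, not shown).

-- 1. Encrypted tablespace: every block is encrypted on disk, so a copied or
--    backed-up datafile is unreadable without the wallet.
CREATE TABLESPACE sap_secure_data
  DATAFILE '/oracle/PLACEHOLDER_SID/sapdata1/sap_secure_data.dbf' SIZE 2G
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. Move a sensitive table (assumed name) into the encrypted tablespace.
--    Application SQL is unchanged: encryption is transparent to SAP.
ALTER TABLE sapsr3.zhr_salary MOVE TABLESPACE sap_secure_data;

-- MOVE invalidates the table's indexes; rebuild them into the same tablespace
-- so that index blocks do not leak plaintext key values from an unencrypted one.
ALTER INDEX sapsr3.zhr_salary_pk REBUILD TABLESPACE sap_secure_data;

-- 3. Verify that the tablespace is really encrypted and with which algorithm.
SELECT v.name AS tablespace_name, e.encryptionalg
  FROM v$tablespace v
  JOIN v$encrypted_tablespaces e ON e.ts# = v.ts#
 WHERE v.name = 'SAP_SECURE_DATA';

-- Backup Set Encryption is configured in RMAN rather than SQL, e.g.
-- RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
```

The verification query is the check worth keeping in a runbook: a tablespace that was created without the ENCRYPTION clause simply does not appear in V$ENCRYPTED_TABLESPACES, which is how a "we thought it was encrypted" gap is caught before an audit or an incident.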
Privilege management against danger from within
The more rights a user has, the greater the potential danger they pose. In principle, a distinction is made between system and object privileges in order to allow an administrator to manage the database objects, but not to access the data they contain.
Under the traditional security concept, however, a sufficiently powerful set of system privileges implies object privileges as well. As a result, there is a risk that the assignment of authorizations is no longer controllable, because administrators can help themselves.
With Oracle Database Vault, a new privilege management is possible that makes a much stricter separation between system and object privileges and allows the establishment of differentiated access rules that go beyond the pure object-user assignment.
Access rights can therefore be linked to IP addresses, times or applications or even enforce the dual control principle by "forcing" several employees to work together.
Oracle Database Vault is initially just a "toolbox" that security administrators can use to develop sets of rules according to their company's requirements and guidelines. For SAP customers, however, Oracle already provides a default policy that usually covers 70 to 90 percent of the requirements.
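To make the rule-based privilege management described above concrete, here is an added example (not from the article and not Oracle's SAP default policy) of Oracle Database Vault configuration: a realm that shields the SAP schema from holders of powerful system privileges, and a command rule that only permits a DROP TABLE when the session comes from an administration host during a change window, which is the "linked to IP addresses and times" case the text mentions. It must be run as the Database Vault owner (DV_OWNER role). The schema name SAPSR3, the IP address 10.0.0.5 and the time window are assumptions.

```sql
-- Added example, not part of the original article. SAPSR3, the IP address
-- and the change window are assumed values; adapt them to the landscape.
BEGIN
  -- 1. Realm: a DBA with SELECT ANY TABLE can no longer read realm objects
  --    unless explicitly authorized below. Violations are audited.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'SAP Application Data',
    description   => 'Shields the SAP ABAP schema from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SAP Application Data',
    object_owner => 'SAPSR3',
    object_name  => '%',     -- all objects of the schema
    object_type  => '%');    -- all object types

  -- Only the application schema itself participates; no DBA account does.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'SAP Application Data',
    grantee       => 'SAPSR3',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 2. Rules evaluated against the session: source address and time of day.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From admin host',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') = ''10.0.0.5''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'In change window',
    rule_expr => 'TO_CHAR(SYSDATE,''HH24'') BETWEEN ''22'' AND ''23''');

  -- Rule set: ALL rules must be true; failures are shown to the user and audited.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Admin host during change window',
    description     => 'Both source host and time window must match',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Blocked by Database Vault: wrong host or outside change window',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Admin host during change window',
    rule_name     => 'From admin host');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Admin host during change window',
    rule_name     => 'In change window');

  -- 3. Command rule: DROP TABLE in the SAP schema must pass the rule set,
  --    regardless of which system privileges the issuing user holds.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'Admin host during change window',
    object_owner  => 'SAPSR3',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

The design point is that the realm and the command rule are enforced inside the database kernel, so a connection that bypasses the SAP application layer, which is exactly the scenario the article warns about, still hits them; the audit records written on each failed attempt are the detection signal a security team should forward to its monitoring.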
With the regularly recurring reports of major data thefts, the question always arises afterwards as to whether the data theft could have been prevented.
One thing is clear: if you use all security-relevant components of the operating system, implement, enforce and maintain an identity and access management solution and also install protection mechanisms at database level, data theft becomes fairly unlikely.
Protecting competitive advantages and intellectual property should be worth this effort to companies, not to mention the threat of damage to their reputation.