The global and independent platform for the SAP community.

Stop data loss at the source

The unwanted outflow of business-critical SAP data can have threatening consequences for companies. With a joint approach from Virtual Forge and KPMG, users get to the root of the problem.
Schönhöfer/Lorenz, KPMG
November 24, 2016
[shutterstock:128689925, Artisticco]
avatar
This text has been automatically translated from German to English.

Whether through malicious Hacker or careless own Employees Caused: Catch sensitive Data into the wrong hands, have Company considerable financial and legal risks are to be expected.

For example, it can be particularly costly for companies in the pharmaceutical industry if formulations for medicines end up in the hands of competitors, thereby destroying many years of research work.

For credit institutions, the banking information of the Customers The risk of unauthorized outflow of funds is particularly high, as there is a risk of damage to the company's reputation as well as claims for damages.

Across all industries, all Company have an increased focus on personal employee information, as unauthorized leakage can also result in legal penalties.

Data Leak Prevention (DLP) provides a set of methods and tools for sealing potential data leaks.

Allen The common feature is that they control the data flow in the corporate network at defined exit points. monitor and then sound the alarm when business-critical Information reach the outside or have already reached it.

Exit points in sight

To achieve this, the individual DLP solutions rely on different levels of the IT-Infrastructure an. Thus, there are tools with which Company can monitor which Data from the laptops of the Employees be stored on mobile devices, such as USB sticks.

In SAP-environments, there are in principle several possibilities for data flow. Thus, during the execution of a certain Abap-program, the required Data from the SAP-database tables and read them out via different
communication channels to the users: starting with classic output lists via special SAPInterfaces to modern web services.

To avoid data loss, monitor the traditional DLP approaches precisely where the communication channels end in such a way that the Data can either be tapped by the end users or can be modified through technical Interfaces the SAP-system.

Another much-used option is that User from a AbapProgram create an email and send the SAPData send as an attachment.

As different as the individual technical DLP methods are, what they all have in common is that they require a great deal of effort in order to identify the critical SAPData and to effectively manage the multiple exit points from the corporate network. monitor.

Source code-Analysis

To reduce this expense, the SAP-With the CodeProfiler tool, security provider Virtual Forge has developed a new approach that starts much earlier and is more sustainable: With the so-called static DLP-Analysis the drainage channels can be made more sensitive. SAPData already in the SAPSource code Identify.

In contrast to the usual reactive DLP approaches, the static DLP-.Analysis thus preventive. Directly in the SAP-code identifies the locations that attackers use for fraudulent purposes or their own Employees could inadvertently use it to perform business-critical SAPData first from the database tables, then completely from the SAP-applications.

Since the installation of the CodeProfiler is technically very simple, it is ready for use in a short time and the results of a Analysis are quickly available.

At the same time, however, it must also be clarified which of the SAPInformation in a Company are particularly worthy of protection. Depending on the industry, these may be Data from specific areas of the company, such as finance, development, marketing or sales.

At the same time, constantly changing statutory data protection and Compliancecompany-specific company agreements as well as agreements reached with the works council.

Are the sensitive SAPData identified, it must be ensured that only those users can access it who have the appropriate SAP-authorizations.

Since the classification of business-critical SAPData requires extensive expertise, Virtual Forge works closely with the auditing and consulting firm KPMG on DLP customer projects.

Conversely, KPMG consultants rely on static DLP-Analyses from Virtual Forge when they become Customers be called, in which undesirable SAP-data outflows have been detected.

Increasingly, KPMG is also used for Customers actively seeking to anticipate such IT security incidents. For example, the specialist departments, representatives from the areas of Governance, Risk & Compliance (GRC), internal data protection officers and works councils are increasingly looking for effective DLP approaches to counter the risks of possible SAP-data loss at an early stage.

The growing demand is motivated by the fact that in many Company the number of SAPsystems has grown so much over the years that it has often become difficult to keep track of which business-critical Data from which SAPPrograms and - above all - in which context they are processed.

This increases the risks that the SAPData unauthorized addressees inside and outside the Company achieve. To Customers to facilitate collaboration on DLP projects, Virtual Forge and KPMG have combined their technology and expertise in a joint offering.

Each project is divided into five phases:

  1. Definition of the legal and technical requirements. At the start of the project, together with the Customers clarified which of the existing SAPInformation are business-critical and thus particularly worthy of protection.
  2. Identification of the relevant data fields and SAP-applications, which Data process. This determines which User for the execution of which SAPPrograms authorized and whether the existing authorizations are correct. The result is a target image that differentiates between permitted and non-permitted data outflows.
  3. Use of the CodeProfiler. For this purpose, the business requirements are transferred into a technical language, i.e. the DLP process is parameterized. The CodeProfiler combs through the AbapSource code with search algorithms and provides an actual picture of potential data outflows.
  4. Comparison of the target and actual image of possible SAP-data outflows. In this phase, the knowledge gained through the use of the CodeProfiler is compared with the legal and technical requirements of the Company compared.
  5. Definition of recommendations for action. As a result, the Company  concrete measures to achieve the target image and thereby prevent unauthorized SAP-to prevent data outflows. A central measure is the cleansing of the affected SAP-Source codes.

Continuous scans recommended

To ensure sustainable sealing of possible SAP-data leaks, it is recommended for the Company, the static DLP-Analyses apply not only once, but regularly.

In this way, the constant new developments and adjustments within SAP-systems, additional data leakage opportunities arise that can only be detected if the scans with CodeProfiler are continuously integrated into the development and security review processes.

avatar
Schönhöfer/Lorenz, KPMG


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 20, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.