
Stop data loss at the source

The unwanted outflow of business-critical SAP data can have threatening consequences for companies. With a joint approach from Virtual Forge and KPMG, users get to the root of the problem.
Schönhöfer/Lorenz, KPMG
November 24, 2016
This text has been automatically translated from German to English.

Whether caused by malicious hackers or by careless employees: if sensitive data falls into the wrong hands, companies face considerable financial and legal risks.

For pharmaceutical companies, for example, it can be particularly costly if drug formulations end up with competitors, destroying many years of research work.

For credit institutions, customers' banking information is particularly at risk of unauthorized outflow, and such a leak threatens damage to the company's reputation as well as claims for damages.

Across all industries, companies pay heightened attention to employees' personal data, since its unauthorized leakage can also result in legal penalties.

Data Leak Prevention (DLP) provides a set of methods and tools for sealing potential data leaks.

What all of them have in common is that they monitor the data flow in the corporate network at defined exit points and raise an alarm when business-critical information is about to reach the outside or has already done so.

Exit points in sight

To achieve this, the individual DLP solutions hook into different layers of the IT infrastructure. There are, for example, tools with which companies can monitor which data is copied from employees' laptops to mobile storage devices such as USB sticks.

In SAP environments there are in principle several channels through which data can flow. When a given ABAP program executes, it reads the required data from the SAP database tables and delivers it to users via various communication channels: from classic output lists, via special SAP interfaces, to modern web services.

To prevent data loss, traditional DLP approaches monitor precisely the points where these communication channels end, i.e. where the data can be tapped by end users or picked up through technical interfaces to the SAP system.

Another widely used route is for a user to create an e-mail from an ABAP program and send SAP data as an attachment.

As different as the individual technical DLP methods are, they all have in common that they require considerable effort to identify the critical SAP data and to monitor the many exit points from the corporate network effectively.

Source code analysis

To reduce this effort, SAP security provider Virtual Forge has developed a new approach with its CodeProfiler tool that starts much earlier and is more sustainable: with so-called static DLP analysis, the channels through which sensitive SAP data can drain away are identified directly in the SAP source code.

In contrast to the usual reactive DLP approaches, static DLP analysis is therefore preventive. It identifies, directly in the SAP code, the locations that attackers could use for fraudulent purposes, or that a company's own employees could use inadvertently, to pull business-critical SAP data first out of the database tables and then entirely out of the SAP applications.

Since installing the CodeProfiler is technically very simple, it is ready for use within a short time and the results of an analysis are quickly available.

At the same time, it must be clarified which SAP information in a company is particularly worthy of protection. Depending on the industry, this may be data from specific areas of the company such as finance, development, marketing or sales.

Constantly changing statutory data protection and compliance requirements must also be taken into account, as well as company-specific agreements and agreements reached with the works council.

Once the sensitive SAP data has been identified, it must be ensured that only users with the appropriate SAP authorizations can access it.

Since the classification of business-critical SAP data requires extensive expertise, Virtual Forge works closely with the auditing and consulting firm KPMG on DLP customer projects.

Conversely, KPMG consultants rely on static DLP analyses from Virtual Forge when they are called in by customers where undesirable SAP data outflows have been detected.

Increasingly, KPMG is also engaged by customers who actively want to anticipate such IT security incidents. Specialist departments, representatives from Governance, Risk & Compliance (GRC), internal data protection officers and works councils are increasingly looking for effective DLP approaches to counter the risks of possible SAP data loss at an early stage.

The growing demand stems from the fact that in many companies the number of SAP systems has grown so much over the years that it has often become difficult to keep track of which business-critical data is processed by which SAP programs and, above all, in which context.

This increases the risk that SAP data reaches unauthorized recipients inside and outside the company. To make collaboration on DLP projects easier for customers, Virtual Forge and KPMG have combined their technology and expertise in a joint offering.

Each project is divided into five phases:

  1. Definition of the legal and technical requirements. At the start of the project, it is clarified together with the customer which of the existing SAP information is business-critical and therefore particularly worthy of protection.
  2. Identification of the relevant data fields and of the SAP applications that process this data. This determines which users are authorized to execute which SAP programs and whether the existing authorizations are correct. The result is a target image that distinguishes permitted from non-permitted data outflows.
  3. Use of the CodeProfiler. For this purpose the business requirements are translated into technical terms, i.e. the DLP process is parameterized. The CodeProfiler combs through the ABAP source code with search algorithms and delivers an actual image of potential data outflows.
  4. Comparison of the target and actual images of possible SAP data outflows. In this phase, the findings gained from the CodeProfiler are compared with the company's legal and technical requirements.
  5. Definition of recommendations for action. As a result, the company receives concrete measures to reach the target image and thereby prevent unauthorized SAP data outflows. A central measure is the cleansing of the affected SAP source code.
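As an added illustration of what the static analysis in phase 3 does (not Virtual Forge's or the CodeProfiler's own code), the following Python sketch tracks data read from tables classified as sensitive in phases 1 and 2 through an ABAP report to two of the exit points the article names, list output and file download. The table ZRECIPE, the report and the classification are constructed for the example; PA0002 and the two function modules are real SAP objects.

```python
import re
# Constructed classification (project phases 1 and 2): sensitive tables and what they hold.
SENSITIVE_TABLES = {"PA0002": "employee master data", "ZRECIPE": "drug formulations"}
# Exit points: real SAP function modules through which data leaves the system.
SINK_FUNCTIONS = {"GUI_DOWNLOAD": "file download", "SO_NEW_DOCUMENT_ATT_SEND_API1": "e-mail attachment"}
SELECT_RE = re.compile(r"^\s*SELECT\b.*\bFROM\s+(\w+)\b.*\bINTO\s+(?:TABLE\s+)?(\w+)", re.I)
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(\w+)\s*\.?\s*$", re.I)
WRITE_RE = re.compile(r"^\s*WRITE[:\s]+/?\s*(\w+)", re.I)
CALL_RE = re.compile(r"^\s*CALL\s+FUNCTION\s+'(\w+)'", re.I)

def find_outflows(abap_source):
    """Return (line_no, table, exit_point) for every sensitive read that reaches a sink."""
    tainted = {}       # variable name -> sensitive table it was read from
    current_fm = None  # function module whose parameter block we are inside
    findings = []
    for no, line in enumerate(abap_source.splitlines(), 1):
        code = line.split('"')[0].rstrip()      # drop trailing ABAP comment
        if m := CALL_RE.match(code):
            current_fm = m.group(1).upper()
        elif current_fm is not None:            # parameter line of a function call
            m = ASSIGN_RE.match(code)
            if m and current_fm in SINK_FUNCTIONS and m.group(2).upper() in tainted:
                findings.append((no, tainted[m.group(2).upper()], SINK_FUNCTIONS[current_fm]))
        elif m := SELECT_RE.match(code):        # source: read from a database table
            if m.group(1).upper() in SENSITIVE_TABLES:
                tainted[m.group(2).upper()] = m.group(1).upper()
        elif m := ASSIGN_RE.match(code):        # propagation: a copy keeps the taint
            if m.group(2).upper() in tainted:
                tainted[m.group(1).upper()] = tainted[m.group(2).upper()]
        elif m := WRITE_RE.match(code):         # sink: classic list output
            if m.group(1).upper() in tainted:
                findings.append((no, tainted[m.group(1).upper()], "list output"))
        if code.endswith("."):                  # the period closes the ABAP statement
            current_fm = None
    return findings

# Constructed ABAP report with two data outflows; ZRECIPE is a made-up customer table.
SAMPLE_ABAP = """\
DATA: lt_recipe TYPE TABLE OF zrecipe, lv_name TYPE string, lv_out TYPE string.
SELECT * FROM zrecipe INTO TABLE lt_recipe.
SELECT SINGLE nachn FROM pa0002 INTO lv_name WHERE pernr = '00000001'.
lv_out = lv_name.
WRITE: / lv_out.                " exit point: list output
CALL FUNCTION 'GUI_DOWNLOAD'
  EXPORTING
    filename = '/tmp/recipes.txt'
  TABLES
    data_tab = lt_recipe.       " exit point: download to the front end
"""
if __name__ == "__main__":
    for no, table, sink in find_outflows(SAMPLE_ABAP):
        print(f"line {no}: {SENSITIVE_TABLES[table]} ({table}) leaves via {sink}")
```

A real analyzer must also follow data through form routines, method calls, internal-table operations and the other exit points named above (interfaces, web services, e-mail); this sketch only shows the source-to-sink principle.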

Continuous scans recommended

To seal possible SAP data leaks sustainably, companies are advised to apply static DLP analyses not just once but regularly.

Constant new developments and adjustments within SAP systems create additional data leakage opportunities, which can only be detected if the CodeProfiler scans are continuously integrated into the development and security review processes.
