In an age where digitizing information is the norm, organizations large and small rely on a myriad of applications, systems, and tools to create, collaborate, analyze, and report large volumes of data critical to the success of their businesses. One such tool, SAP, is used by a remarkable 282,000 customers around the world to run their businesses.
Beyond its role as an enterprise resource planning (ERP) system, SAP is also a primary repository for a vast amount of sensitive and business-critical data: personally identifiable information (PII) such as Social Security numbers, financial figures such as unreleased quarterly results, and bill of material (BOM) data that is often tied to trade secrets or to products subject to export control regulations (EAR and ITAR).
SAP is a mission-critical piece of IT infrastructure that companies spend a great deal of time and effort protecting, yet many fail to integrate SAP and its sensitive data into their overall data protection strategy. A comprehensive enterprise defense model is a key requirement in an age of digitized data, and ERP software should be an integral part of that ecosystem. In this slideshow, SECUDE highlights five steps organizations should take to ensure SAP is integrated into their security framework.
Improving SAP Security
Conduct an Audit to Identify Sensitive Data Movement
Building a company-wide protection framework is impossible without understanding where and how sensitive information is used, stored and moved. Unfortunately, tracking data as it moves within your IT perimeter and beyond is rarely easy. This is especially true for data that users extract from SAP systems and applications every day to run reports, crunch and analyze numbers, and share information with colleagues and partners.
An audit can reveal sensitive data tucked away in places that you’d never expect: stored (unprotected) in applications and databases across the network, and in employee-owned mobile devices, cloud-based services, and more.
The necessary first step is a full audit of the applications that act as data sources, such as SAP, followed by an inventory of every place where the sensitive data they hold is processed, transmitted and stored. Data flows in and out of an enterprise at enormous volumes and rates, and it is precisely this flow that a comprehensive security approach must focus on. Many companies approach security by patching holes in the IT perimeter and lose sight of securing the actual flow of information.
Incorporate SAP Data into an Existing Classification Framework
In the modern enterprise, information is one of the most valuable assets. To preserve its value, organizations first have to identify which data is business-critical, sensitive, meant for internal eyes only, or suitable for the public. Applying the same security controls to a document containing the Social Security numbers of employees in North America and to a customer-facing product presentation is extremely inefficient.
Organizations have to define levels of sensitivity and establish different access policies and other security measures for each level. Many companies have already implemented data classification tools that assist in this process, but SAP data is often left out of it, especially data that is extracted from SAP and that organizations routinely lose track of.
By identifying and classifying data at the moment of its creation, enterprises can enable efficient management of sensitive data. Integrating SAP data in the overall classification framework is necessary for ensuring consistent data handling across the entire organization.
Extend Roles and Authorizations Beyond SAP
Roles and authorizations configured in SAP are a crucial part of SAP security, as they ensure that only authorized users can access certain data. To do their jobs, however, users often have to extract that data from SAP to collaborate with co-workers and partners or to run analytics and reports. The roles and authorizations configured in SAP do not follow the data once it is exported: a spreadsheet or PDF downloaded from SAP is governed only by whatever file permissions exist on the user's computer, mobile device or cloud storage, so the data is left exposed there.
Information moves in and out of the enterprise at enormous volumes and rates, with sensitive data being sent beyond the enterprise border every 49 minutes. By extending the roles and authorizations configured in SAP to documents downloaded or extracted from SAP systems, enterprises can ensure persistent protection of their sensitive data no matter how it is accessed, stored or moved. Document security technologies such as information rights management (IRM) let companies ensure that only authorized users can open protected content, while also controlling what they can do with it, such as printing, editing or saving it.
Extend Existing Data Loss Prevention (DLP) Processes to SAP
Data loss prevention (DLP) is a rule-based security control that examines file contents and prevents confidential or critical information from leaving the corporate perimeter. When configured effectively, a DLP solution can monitor user activity, block information classified as confidential from being copied to a USB stick, and so on. SAP holds a great deal of information that should never leave its systems, such as password hashes (stored in the USR02 user master table) or certain compliance-restricted data. Unfortunately, DLP policies are often not integrated with SAP processes.
While companies typically invest heavily in technologies that protect them from external threats, internal violations often pose an even greater risk because they can go unnoticed for extended periods. The problem is compounded when temporary contractors working on key projects are given access to sensitive data in SAP: with that access, an employee or contractor can download massive amounts of sensitive information in a matter of minutes. Extending the existing DLP framework to SAP lets enterprises prevent malicious or accidental data loss and identify possible insider threats.
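The following Python is an added illustration of the audit, classification and DLP steps above; it is not code from SECUDE, SAP or this slideshow. It scans a file extracted from SAP with content rules, assigns the file the highest classification level any rule fires for, and then checks that level against an egress ceiling per channel before the file is allowed to leave. The levels, rules, channel policy and sample exports are constructed for the example; the only real identifiers are BCODE, PASSCODE and PWDSALTEDHASH, the password-hash columns of SAP's USR02 table, which are exactly the kind of content the DLP step says should never leave the system.

```python
"""
Added example, not code from SECUDE or SAP: a rule-based content classifier for
files extracted from SAP, plus a DLP-style egress gate that compares the
assigned level with the ceiling allowed for each channel. Levels, rules,
channel policy and the sample exports are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field

# Classification levels, ordered lowest to highest.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]

# Content rules: (name, pattern, level the rule triggers). A file gets the
# highest level among all rules that fire. Patterns are illustrative.
RULES = [
    # US SSN, excluding area 000/666/9xx, group 00 and serial 0000.
    ("us_ssn", re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), "RESTRICTED"),
    # Export-control markers that show up in BOM and material-master exports.
    ("export_control", re.compile(r"\b(?:ITAR|EAR|ECCN)\b"), "RESTRICTED"),
    # Password-hash columns of SAP's USR02 user master table (real column names).
    ("usr02_password_hash", re.compile(r"\b(?:BCODE|PASSCODE|PWDSALTEDHASH)\b"), "RESTRICTED"),
    ("unreleased_financials", re.compile(r"\bunreleased\b", re.I), "CONFIDENTIAL"),
    ("internal_marker", re.compile(r"\binternal use only\b", re.I), "INTERNAL"),
]

# Highest level permitted to leave SAP through each channel (assumed policy).
# No channel has a RESTRICTED ceiling: that data stays in SAP.
CHANNEL_CEILING = {
    "corporate_share": "CONFIDENTIAL",      # inside the perimeter
    "irm_protected_cloud": "CONFIDENTIAL",  # rights-managed, revocable copies
    "external_email": "INTERNAL",
    "usb": "INTERNAL",
}


@dataclass
class Classification:
    level: str = "PUBLIC"
    hits: dict = field(default_factory=dict)  # rule name -> match count


def classify(text: str) -> Classification:
    """Assign the highest level among the rules that match the text."""
    result = Classification()
    for name, pattern, level in RULES:
        count = len(pattern.findall(text))
        if count:
            result.hits[name] = count
            if LEVELS.index(level) > LEVELS.index(result.level):
                result.level = level
    return result


def dlp_decision(classification: Classification, channel: str):
    """Return (allowed, reason). Unknown channels are denied by default."""
    ceiling = CHANNEL_CEILING.get(channel)
    if ceiling is None:
        return False, f"unknown channel {channel!r}: denied by default"
    if LEVELS.index(classification.level) > LEVELS.index(ceiling):
        return False, (f"{classification.level} content may not leave via "
                       f"{channel} (ceiling {ceiling}; hits {classification.hits})")
    return True, f"{classification.level} content permitted via {channel}"


# Constructed sample exports, the kind of files users pull out of SAP.
SAMPLE_HR_EXPORT = """PERNR,NAME,SSN,COUNTRY
00012345,Jane Doe,219-09-9999,US
00012346,John Roe,078-05-1120,US
"""
SAMPLE_BOM_EXPORT = """MATNR,DESCRIPTION,ECCN,NOTE
7000123,Gimbal assembly,9A610,ITAR controlled - internal use only
"""
SAMPLE_USER_MASTER = "BNAME,BCODE,PASSCODE,PWDSALTEDHASH\nADMIN,<hash>,<hash>,<hash>\n"
SAMPLE_FORECAST = "Q3 unreleased results: revenue up 12% (draft)"
SAMPLE_DATASHEET = "Product X datasheet: 2 kg, blue, available worldwide."


if __name__ == "__main__":
    samples = [("hr", SAMPLE_HR_EXPORT), ("bom", SAMPLE_BOM_EXPORT),
               ("usr02", SAMPLE_USER_MASTER), ("forecast", SAMPLE_FORECAST),
               ("datasheet", SAMPLE_DATASHEET)]
    for label, text in samples:
        c = classify(text)
        for channel in CHANNEL_CEILING:
            allowed, reason = dlp_decision(c, channel)
            print(f"{label:9} {channel:20} {'ALLOW' if allowed else 'BLOCK'}  {reason}")
```

Content inspection of this kind is the fallback, not the goal: a part number that happens to look like an SSN will trip the rule, and a sensitive figure written without the marker words will not. The step the slideshow describes is to label the data at the moment it is extracted, so that the gate reads the label carried with the file instead of guessing it from the contents, and to deny by default any channel or file the policy does not recognize.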
Include SAP in Your Compliance Framework
Data theft, loss and misuse make headlines, particularly in industries such as insurance, energy, banking and health care, which generate, store and process especially large amounts of sensitive information. When compliance-regulated data is stolen or breached, the prospect of negative headlines, penalties and loss of reputation grows sharply.
SAP modules can contain information covered by corporate governance mandates and a variety of regulatory requirements and standards, from the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX) to export control regulations such as ITAR and EAR. These regulations often require companies to show that they can track and monitor who accessed a particular type of sensitive data and what they did with it. To gain control over compliance-sensitive data, organizations should be able to oversee the access to and movement of regulated data both inside and outside SAP, including mobile and cloud channels. The movement of compliance-regulated data inside and outside the enterprise border should be an integral part of the overall security and SAP audit.