SAP Data Security 101: Importance of data security

SAP Data Security

This article is about data security and data protection, specifically for digital data collected and processed via SAP applications. SAP Data Security is important because plenty of business-critical information gets processed with the SAP ERP, CRM, and SRM applications. The SAP Human Capital Management (HCM) manages employee matters from payroll to employment contracts. All this information is processed digitally and needs protection against unauthorized access, manipulation, or deletion.  

With more companies moving from a reactive cybersecurity approach for SAP to building cyber-resilience, it is crucial to address the area of data protection for SAP. 

What are the SAP Data Assets worth protecting?

Start with the classification

Firstly, we need to explain what data is worth protecting, and after, we will look at what strategies and protection options exist. We cannot conclusively tell you what data assets are worth protecting.  

Therefore, you should talk with the data protection officers from your company to develop a data classification strategy. It is worth noting here that simple concepts usually work best.  

Here is an example: You could start with the idea of throwing your data into three pots. On the first one, you write Public, the second one you label Confidential, and the last one stands for Secret. You can work with these three simple data classifications. 

Define classification criteria

Before we define how you can classify SAP data, we must determine which criteria must be met to put the data into one of the three pots. 

Public: Data that may be publicly accessible without risk of damage (financial or reputational) to the company. Also, this data should not give any advantage to your competitor, and you must ensure that there are no legal regulations that require protection.  

Confidential: To this category, you should add data that should not become public. You can divide the Confidential section into many subsections depending on the severity or risk of a data breach. Depending on the company’s interpretation, confidential data can be characterized by the fact that internal access is not critical, but no outsider may access the data.  

Secret: All types of trade secrets fall within this scope. This data must be protected from internal and external access and is subject to the need-to-know principle. 

Start assigning SAP data assets

With this simple and incomplete definition of classes, you can start classifying the data objects stored in the SAP database. This is a mammoth task that many IT departments fail at or are happy to outsource to the business departments and their consultants. We recommend that you take on these tasks and bring all departments from Human Resources to Accounts Payable and Sales on board. You should also define a process that ensures that newly collected data objects are directly classified and that you can establish a corresponding protection standard. 

What protective measures should you take to achieve SAP Data Security?

Now that you know what data you need to protect, you can define the measures. In general, authorization management is available in every SAP application. Since there is already a lot of literature on this function, we turn to more advanced methods. Here are a few examples to give you a helpful hint on how you can increase the protection beyond the pure SAP authorization handling. 

Delete data assets not needed

Disconnect from data you no longer need. Define a Data Lifecycle Management (DLM) for SAP, which regulates how long data is current and valuable for your company. Usually, a DLM/ILM (Information Lifecycle Management) is used to reduce the database size. However, the introduction of GDPR has also regulated the deletion of specific data.  

Know your data flow

sap data security

What path does your data take through your IT landscape and SAP system? Do you have some leftovers here and there, maybe when you store files on the SAP application server?

A lot of data breaches occur because single employees or batch processes (i.e., interfaces) exported relevant data from the SAP database. 

Threat actors gain access due to insecure communication channels or when the selected storage location does not have sufficient protection. What path does your data take through your IT landscape and SAP system? Do you have some leftovers here and there, maybe when you store files on the SAP application server? A lot of data breaches occur because single employees or batch processes (i.e., interfaces) exported relevant data from the SAP database. Threat actors gain access due to insecure communication channels or when the selected storage location does not have sufficient protection.

SecurityBridge’s Interface Traffic Monitor helps you analyze the data flows carried out in the SAP context to a large extent as “remote function calls” and displays them on a graphical map. 

sap data security

You quickly reach the limits of the SAP authorization concept when you realize that the accounting department regularly extracts the entire customer base and the price conditions into an Excel spreadsheet to present them to the managing director. Not only does the resulting Excel file elude your protection measures, but it is also difficult for you to distinguish whether the data download was legitimate. At the same time, you should also start paying attention to protecting data that supports system integrity. For example, you must prevent threat actors from accessing user password hashes in the USR02 database table. Also, such data must not leave your system. SecurityBridge helps you detect such leaks in real-time. 

Encrypt data in transfer

SAP systems exist in a network and exchange data with the end user’s SAP Logon Client and other SAP and non-SAP systems via interfaces. This communication must be encrypted. For this purpose, SAP offers the use of its cyptolib to activate SNC. We recommend the use of SNC, especially between client and server. If the data traffic is not encrypted here, then the user passwords are transmitted in plain text. Furthermore, you cannot distinguish whether the user is accessing classified data with user connections. 

Summary

SAP systems offer sufficient protection for your data if you operate them securely. However, to counter today’s threats, you need to consider additional measures for SAP data security. This is especially true if your authorization concept is no longer effective, and data needs to be transferred out of the secure premise of your SAP system. In addition to assigning authorizations based on a need-to-know principle, you should monitor user activities to implement active threat detection.  

Posted by

Christoph Nagy
Share on linkedin
Share on twitter
Share on email

Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

S/4HANA migration
SAP Cybersecurity- SAP Security Automation- Security News
“There are a few constants in life” – a statement that also applies to the SAP user community. It has always been a challenge for SAP customers to bring their large SAP environments to a current release level. Although the vendor has done a lot in the past to simplify this, it is still not a complex undertaking.
SecurityBridge
Here at SecurityBridge, we are extremely lucky to have a team full of amazing professionals. Thanks to our team, we have achieved extraordinary things in the past couple of years. With that in mind, we thought it was time for us to start introducing you to the team that drives everything behind the scenes. And we couldn't have chosen a better example to start with than our very own, Harish Dahima! Read on and learn all about Harish's life as a Senior Product Developer, his role, and life at SecurityBridge.
SAP Cloud Connector
SAP Cloud Security- SAP Cybersecurity- Security News
Every organization constantly faces the challenge of minimizing the attack surface that an adversary could use to perform malicious operations. To do this, administrators must install the deployed components and understand them in detail to identify risks and proactively mitigate or prevent those. Today we are looking at what is necessary to protect the SAP Cloud Connector.
SAP Cycling event
Life at SecurityBridge- Partner News- Security News
It was John F. Kennedy who once said: “nothing compares to the simple pleasure of a bike ride”. And what a pleasure it has been! We had our annual bike ride with friends from Accenture, Deloitte, CGI, McCoy, Thales, KPN, Hunt &Hacket, and security leaders from major customers. We had a lot of opportunities for exchange in the cozy atmosphere among like-minded people who all love road cycling and have SAP Security improvement in mind.