Security Threats are on the Rise: Is Your SAP Data Really Protected?
Michael Kummer, President Americas, SECUDE
In recent years, securing sensitive information has become both more important and more challenging. Targeted attacks, insider threats, and data loss through mobile and cloud channels are all on the rise. Adding to the challenge is the increasing complexity of compliance regulations, and the need for secure collaboration across global and partner organizations.
With sensitive data sent outside the enterprise an average of every 49 minutes, traditional borders are blurring, as information can no longer be locked in one location. Companies find themselves patching holes in their complex security infrastructures, while massive, high-profile data breaches appear in the news with unprecedented frequency.
Companies that use SAP as their Enterprise Resource Planning (ERP) solution rely on SAP systems and applications to run their businesses, while storing a tremendous amount of sensitive and business-critical data inside of SAP modules. Information contained in these modules includes Personally Identifiable Information (PII) such as Social Security numbers; financial metrics such as unreleased quarterly results; vendor information that could indicate product components used; Bill of Material (BOM) information, often related to products that are subject to export control regulations (EAR and ITAR); and much more.
Protecting SAP Data
While inside of SAP, sensitive data is usually well protected by roles and authorizations that ensure only authorized users can access certain information. However, in order to do their jobs, users often have to extract such information from SAP for collaboration with co-workers and partners, analytics, or reporting. Unfortunately, the roles and authorizations configured in SAP do not extend to data exported from SAP, leaving that data vulnerable and exposed on users' computers, mobile devices, or cloud storage.
The Traditional Approach to Solve this Issue
In an attempt to reduce the risk, companies have implemented solutions such as Data Loss Prevention (DLP). Traditional DLP solutions monitor communication channels (e.g. ports, protocols, or storage locations) and prevent certain data from leaving the corporate perimeter based on pre-defined rules and/or learned user behavior. DLP is an important tool in an organization's data-protection toolkit, and it has the advantage of providing generic protection without the need for deep integration into third-party applications. For example, DLP could be configured to automatically remove or quarantine a spreadsheet saved to a file server if it contains PII or financial data.
However, this advantage is also a disadvantage. Because DLP operates far away from where data is created (the applications), it often lacks the context and understanding of the user's intention needed to make a reliable decision, for example whether a given file should be quarantined or allowed. This lack of understanding usually results in a negative impact on productivity for end users, who are unable to access the information they need to perform their job duties. Leaving the task of protecting your most valuable asset, your data, up to your end-users is not a very smart move either.
Why Context-Awareness is the Next Big Thing
Instead of hoping for your end-users to make the right decision or your DLP solution to make the right guess, data protection solutions need to be context-aware. Context-awareness can be achieved through direct integration with the applications themselves. This approach gives security technologies information about the user (roles and authorizations), the data itself (transaction and table), and the technical environment (the front-end and the functional module of the application server). Context-aware technology improves security decisions as they are made by analyzing the who, what, where, when, and why of sensitive data in an enterprise.
By being aware of what sensitive data resides within different documents, who created it, where it was created, and for what purpose, a context-aware solution can make intelligent security decisions regarding which policy to apply to enterprise data, taking that decision out of the end-users' hands. By aggregating and analyzing this detailed information, context-aware technologies can make more reliable decisions and significantly reduce the number of false positives, thus improving the efficiency of downstream solutions such as traditional DLP and classification tools.
Not relying on your end-users to make data protection decisions doesn't mean they shouldn't be involved. In fact, it is highly encouraged to involve end-users for various reasons, including:
Awareness: Users need to be aware of the sensitivity of the data they are handling. Users who are aware make better decisions, and those who choose to make the wrong decision have done so knowingly.
Legal ramifications: Showing a user a disclaimer that access to a particular system is monitored or that they have access to sensitive information doesn't prevent them from ignoring the disclaimer. But in cases of abuse, there will be proof that the user was aware and still made the wrong decision. Plus, it may deter a less motivated malicious user from doing the wrong thing.
Instead of trying to have complete control over data by implementing all, or as many as possible, of the available security mechanisms, it is more advantageous to have "smart technology" that understands the actions of the users, reads the data, and applies the best policy. It is important to understand who is moving data, where it is coming from, its destination, and through which channel it moves, in order to determine the sensitivity of the data, what it contains, and whether or not the transfer is in violation of enterprise security policy.
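The contrast drawn above between a content-only DLP rule (the "quarantine any spreadsheet that looks like it holds PII" example) and a context-aware decision that uses the SAP user's roles, the source table, and the export channel is easier to see in code. The following Python is an added illustration written for this article; it is not SECUDE's product, SAP's code, or any real DLP engine. The table-to-sensitivity mapping, the role clearances, the allowed channels, the sample users and the export events are all constructed for the example; the SAP table and transaction names are real SAP objects but their classification here is an assumption.

```python
"""Content-only DLP rule vs. context-aware export policy (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# A perimeter DLP rule sees only content. Here the only signal is a US SSN pattern.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed classification policy (assumption for this example, not a vendor's):
# which SAP tables carry which sensitivity class.
TABLE_SENSITIVITY: Dict[str, str] = {
    "PA0002": "PII",                # HR personal data
    "PA0009": "PII",                # HR bank details
    "GLT0": "FINANCIAL",            # G/L account totals
    "MAST": "EXPORT_CONTROLLED",    # material-to-BOM link
}
# Which SAP roles are cleared for which class (constructed).
ROLE_CLEARANCE: Dict[str, FrozenSet[str]] = {
    "HR_ADMIN": frozenset({"PII"}),
    "FINANCE_CONTROLLER": frozenset({"FINANCIAL"}),
    "EXPORT_COMPLIANCE": frozenset({"EXPORT_CONTROLLED"}),
}
# Channels over which each class may leave SAP without further protection (constructed).
ALLOWED_CHANNELS: Dict[str, FrozenSet[str]] = {
    "PII": frozenset({"file_server"}),
    "FINANCIAL": frozenset({"file_server", "email"}),
    "EXPORT_CONTROLLED": frozenset({"file_server"}),
}


@dataclass(frozen=True)
class ExportEvent:
    """What an application-integrated hook knows at the moment a user exports data."""
    user: str
    roles: FrozenSet[str]
    transaction: str   # SAP transaction the export came from, e.g. PA30 or SE16
    table: str         # source table of the exported rows
    channel: str       # where the file is going: file_server, email, usb, cloud
    content: str       # the exported text itself


# Audit trail: the "proof the user was aware" the article mentions.
AUDIT: List[dict] = []


def content_only_decision(content: str) -> str:
    """Traditional DLP: no context, so any SSN-looking text is quarantined."""
    return "QUARANTINE" if SSN_RE.search(content) else "ALLOW"


def classify(event: ExportEvent) -> Optional[str]:
    """Prefer the SAP table's known class; fall back to content scanning for unknown tables."""
    category = TABLE_SENSITIVITY.get(event.table)
    if category is None and SSN_RE.search(event.content):
        category = "PII"
    return category


def context_aware_decision(event: ExportEvent) -> Tuple[str, str]:
    """Decide using who (roles), what (table/content), where (transaction) and how (channel)."""
    category = classify(event)
    if category is None:
        action, reason = "ALLOW", f"no sensitive class for table {event.table}"
    elif not any(category in ROLE_CLEARANCE.get(r, frozenset()) for r in event.roles):
        action, reason = "BLOCK", f"user {event.user} is not cleared for {category}"
    elif event.channel not in ALLOWED_CHANNELS[category]:
        action, reason = "ENCRYPT", f"{category} may not leave in the clear via {event.channel}"
    else:
        # Cleared user, permitted channel: allow, but show the sensitivity notice and record it.
        action, reason = "ALLOW_WITH_NOTICE", f"{category} export by cleared user via {event.channel}"
    AUDIT.append({"user": event.user, "transaction": event.transaction, "table": event.table,
                  "channel": event.channel, "class": category, "action": action, "reason": reason})
    return action, reason


# Constructed sample events: an HR administrator doing legitimate work, and a sales
# user touching the same HR table.
HR_EXPORT = ExportEvent("hr.admin", frozenset({"HR_ADMIN"}), "PA30", "PA0002",
                        "file_server", "Doe;John;123-45-6789;1980-01-01")
HR_EMAIL = ExportEvent("hr.admin", frozenset({"HR_ADMIN"}), "PA30", "PA0002",
                       "email", "Doe;John;123-45-6789;1980-01-01")
SALES_HR = ExportEvent("sales.rep", frozenset({"SALES_REP"}), "SE16", "PA0002",
                       "file_server", "Doe;John;123-45-6789;1980-01-01")
SALES_CUSTOM = ExportEvent("sales.rep", frozenset({"SALES_REP"}), "SE16", "ZSALES_PIPE",
                           "cloud", "ACME;Q3;open;250000")

if __name__ == "__main__":
    for ev in (HR_EXPORT, HR_EMAIL, SALES_HR, SALES_CUSTOM):
        print(f"{ev.user:10} {ev.table:12} {ev.channel:12} "
              f"content-only={content_only_decision(ev.content):10} "
              f"context-aware={context_aware_decision(ev)}")
```

The first two events are the productivity point from the article: the content-only rule quarantines the HR administrator's legitimate export because it contains an SSN, while the context-aware policy allows it to the file server (with a notice and an audit entry) and only steps in, by requiring encryption, when the same data is about to leave over e-mail. The third event shows the reverse, where the role context blocks a user the content rule would have treated exactly like the administrator. The fallback to content scanning for unknown tables is how such a hook would still feed a downstream DLP rather than replace it.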
Combining context-aware protection with traditional broad coverage is a solid recommendation for SAP customers looking to build a comprehensive security strategy for their most sensitive data.
As President Americas for SECUDE, Michael Kummer is in charge of the company's push into the North American market. Kummer previously had been in charge of SECUDE's product management and business development for Switzerland and the United States. Michael was previously managing director at Austrian-based MKI and was a Corporal in the Austrian Armed Forces.