SAP applications contain large amounts of sensitive data. From protected personal information to privileged financial data, this data always harbors risks that companies must deal with, because SAP ERP does not have any built-in masking functions for custom-tailored anonymization in views. As such, the unchecked disclosure of data represents a potential leak, opening up a huge target for potential exploitation. Although add-ons and solutions from SAP and third parties are available to tackle this problem, significant challenges still remain. This is where the concept of attribute-based data masking comes in.
“IT’S ABOUT PROTECTING DATA THAT IS NEEDED AND AVAILABLE, BUT SHOULDN’T BE SEEN BY EVERYONE, TO LIMIT THE VIEWS TO THE RELEVANT INFORMATION FOR THE GIVEN SITUATION.”
With increasing internationalization, the coronavirus pandemic, and more employees working from home, sensitive process-relevant data is at greater risk than ever of being disclosed to casual observers – whether internal or external – who do not need to see it, neither in the specific context nor in general. In other words, when an employee in HR is working from abroad and maintaining master data, neither passersby who glance over her shoulder nor the person sitting next to her should get an unimpeded view of this sensitive data. A packer needs to know material master numbers so he takes the right package, but doesn’t need to know the package contents in detail. When a salesperson works with master data to create quotations, she needs to be able to find the right product, identify the right packaging units, and see the container – but doesn’t have to know all the cost prices.
Data loss prevention
What all of this means: Data masking isn’t only limited to reducing unauthorized access to personal data (fraud) and involves much more than the mere anonymization or pseudonymization of personal information and address data. In fact, all conceivable data types can be masked. Data loss prevention is always the objective of masking the original data. Problems with data theft, data abuse, and other forms of cybercrime can be mitigated by changing the views of the dataset directly: “To put it simply,” says Ralf Kempf, CTO of SAP security specialist SAST SOLUTIONS and Vice President ABAP Architecture of the new, multinational Pathlock Group, “it’s about protecting data that is needed and is available, but shouldn’t be seen by everyone, to limit the views to the relevant information for each situation.”
Data masking in a rule set
In this regard, most data masking solutions from SAP and third-party providers still face challenges, because they work strictly at the authorization level. But static masking guidelines do not take the context of access risk into account and demand a compromise between data security and accessibility. Privileged users can access sensitive data fields even if this is unnecessary or undesired in the specific context. Add-ons for data masking also require modifications that have to be replicated in every field of the application, resulting an a non-scalable ad hoc solution. In contrast to standard masking solutions, the Pathlock approach from SAST SOLUTIONS centralizes enforcement of data masking in SAP in a single rule set, to define and mask data in the entire application, and also uses dynamic policies that include the risk context, to protect sensitive data more accurately without requiring the implementation of additional modifications in the SAP system.
This attribute-based masking function gives you highly granular control over which information should be masked for a specific user in a specific situation. This is especially important for multinational companies that want to prevent improper views, for example. Data can be masked for access from countries that do not host a company location, for instance; that originate from remote workplaces outside of the network, unknown IP addresses, or VPNs; or that take place outside of regular working hours or at implausible times. As a result, content that would otherwise be readable for the role involved can be rendered invisible, based on freely configurable attributes such as user, IP address, time, countries/locations, access type – remote work from outside the network or access from within, or the network type (such as VPN). “If access is made with unusual parameters, then data that is not needed for the specific case will not be readable, depending on the defined attributes,” summarizes Kempf.
Minimize risks
This cannot be achieved through user authorizations alone and also takes the criticality of the master data into account – depending on the industry sector – such as HR, location, and logistics data, as well as BOMs, cost prices, and recipes. Attribute-based data masking significantly improves the protection of sensitive enterprise data through finely grained restrictions of views. A policy-based, dynamic masking function of the centralized, scalable masking solutions also gives companies – in addition to authorization protection – individually customizable control over which sensitive data fields they want to mask for specific users in specific situations. By implementing full or partial masking of a dataset, you can minimize the risks of data leaks and also meet requirements for encryption and anonymization from supervisory authorities, for example.
Since the sensitive data is filtered at the presentation level, without requiring additional modifications to the SAP system, no additional effort is required for updates, but you will able to significantly improve the protection of ERP data and reduce your compliance risks – for sensitive data in both production and non-production environments. When attribute-based data masking is combined with a data loss detection concept and good real-time monitoring of violations of compliance rules, data protection can be increased significantly, to a level of quality unattained by hardly any other solution worldwide.
This article was originally published in IT Security magazine, October 2022 issue (in German, pages 52+53) and is available free of charge from the online reader service on it-daily.net:
https://www.it-daily.net/leser-service
Ralf Kempf (CTO SAST SOLUTIONS)
More info about data masking:
Get even deeper insights into the topic in our webinar recording “Attribute-based Data Masking: Improve the protection of sensitive data”. If you are interested, please use our contact form or visit our webinar on demand website.