The security of data processed by SAP systems such as SAP ERP and SAP S/4HANA is vital because these systems hold large amounts of business-critical information.
For example, SAP Human Capital Management (HCM) handles everything from payroll to employees' employment contracts. All of this data is stored and processed digitally and must therefore be guarded against unauthorized access, manipulation, or destruction. As more organizations move from a reactive cybersecurity strategy to a proactive one aimed at resilience, how an organization protects its SAP data deserves explicit attention.
Companies must clearly understand the value of the individual SAP data segments that need protection and then apply suitable protection strategies and options. To establish that value, IT personnel must specify which data assets need protection under which circumstances.
To decide which data is worth protecting, IT staff should consult the data protection officer and establish a classification scheme. For instance, confidentiality can be structured into three simple levels: public, confidential, and secret. To classify SAP data, the company then needs criteria that decide which level a given data set falls into, such as the following:
This basic classification scheme lets an organization categorize the data objects stored in the SAP database, typically by tagging the database tables and the business objects they hold. Many IT departments delegate this work to consultants. It is better, however, to keep it in-house and involve every relevant department, from human resources to sales and accounts payable. This step is what establishes data ownership, which in most cases sits with the individual business department. Data owners must accept that role and feel accountable for the data sets created in their area. Once that is in place, it becomes far easier to run a process that ensures new data objects are classified and protected according to the organization's standards.
Once an organization has identified the data that needs protection, it can put security measures in place. Most companies default to authorization management (roles and authorization objects), the standard feature of SAP applications. Standard authorization management can, however, be enhanced with additional methods such as:
Tools exist that analyze data flows in the SAP landscape and present them as a graphical map. The records that remain inside the SAP systems also need adequate protection, and the SAP authorization concept alone cannot protect data once it has been exported, for example when the accounting department routinely downloads Excel spreadsheets. To close these gaps, companies can use third-party tools that detect anomalies and data leaks in real time and guard data whose compromise endangers system integrity, such as the password hashes in the USR02 table: an attacker who can read that table can crack the hashes offline and log on as any user.
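As an added illustration of the kind of detection logic such tools apply (example code written for this page, not a product's or SAP's own code), the script below flags reads of sensitive tables such as USR02 and PA0008 that come from users outside an allow-list, through generic table browsers like SE16/SE16N, in bulk, or as exports. The log lines, the allow-list names, and the line format are constructed for the example and do not reproduce the real SAP Security Audit Log format; only the table and transaction names are real.

```python
"""Flag suspicious access to sensitive SAP tables in an access log.

The log format (timestamp followed by key=value pairs) and every user name
below are CONSTRUCTED for this example; they are not the SAP Security Audit
Log format.  Table and transaction names are real SAP objects.
"""
import re

# Tables whose exposure endangers integrity or confidentiality:
# USR02 holds password hashes, PA0008 basic pay, PA0002 personal data.
SENSITIVE_TABLES = {"USR02", "PA0008", "PA0002"}

# Accounts expected to touch each table (assumed names for the example).
ALLOWED_READERS = {
    "USR02": {"SAPSECAUDIT"},
    "PA0008": {"HRPAYADMIN", "HRBATCH"},
    "PA0002": {"HRPAYADMIN", "HRBATCH"},
}

# Generic table browsers bypass the application's own business-level checks.
BROWSER_TCODES = {"SE16", "SE16N", "SE11", "SM30", "DBACOCKPIT"}

# Reading more rows than this from a sensitive table is treated as a dump.
BULK_ROWS = 1000

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<rest>.*)$")

# Constructed sample log.
SAMPLE_LOG = [
    "2024-03-04 09:12:01 user=HRPAYADMIN tcode=PA30 action=READ table=PA0008 rows=1",
    "2024-03-04 09:15:44 user=JSMITH tcode=SE16 action=READ table=USR02 rows=4800",
    "2024-03-04 09:16:02 user=JSMITH tcode=SE16 action=EXPORT table=USR02 rows=4800",
    "2024-03-04 10:01:10 user=SAPSECAUDIT tcode=SUIM action=READ table=USR02 rows=3",
    "2024-03-04 10:30:00 user=HRBATCH tcode=SE16N action=READ table=PA0008 rows=12000",
    "2024-03-04 11:00:00 user=BOB tcode=VA01 action=READ table=VBAK rows=1",
]


def parse_line(line):
    """Return a dict for one log line, or None if it is not a table-access event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    if not {"user", "tcode", "action", "table"} <= ev.keys():
        return None
    ev["ts"] = m.group("ts")
    ev["rows"] = int(ev.get("rows", "0"))
    return ev


def find_suspicious(lines):
    """Return every sensitive-table event with the list of reasons it was flagged."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["table"] not in SENSITIVE_TABLES:
            continue
        reasons = []
        if ev["user"] not in ALLOWED_READERS.get(ev["table"], set()):
            reasons.append("user not in allow-list")
        if ev["tcode"] in BROWSER_TCODES:
            reasons.append(f"generic table browser {ev['tcode']}")
        if ev["rows"] > BULK_ROWS:
            reasons.append(f"bulk read of {ev['rows']} rows")
        if ev["action"] in {"EXPORT", "DOWNLOAD"}:
            reasons.append("data left the system")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']:<12} {f['tcode']:<8} {f['table']:<6} "
              + "; ".join(f["reasons"]))
```

Note that the allow-listed HRBATCH job is still flagged on the fifth line: the point of combining several signals is that a legitimate account using SE16N to pull 12,000 payroll rows is exactly the pattern a compromised service account produces, so the allow-list alone is not sufficient.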
SAP systems communicate with other systems through interfaces, including the DIAG connection from the end user's SAP GUI client and RFC connections between systems. Without additional measures this traffic is only compressed, not encrypted, so logon passwords cross the network in the clear. It is therefore important to encrypt it. SAP provides the CommonCryptoLib (SAPCRYPTOLIB) for activating Secure Network Communications (SNC), which is recommended for communication between client and server. SNC both encrypts the session and authenticates the two endpoints, which prevents the transmission of plaintext user passwords and gives stronger assurance that the user accessing classified data is who they claim to be.
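Enabling SNC is not enough on its own: the instance profile must also refuse connections that are not SNC-protected, otherwise a client can simply fall back to an unencrypted logon. The following added example (written for this page, not SAP's own tooling) checks an instance profile against a hardening baseline and emits the corrected profile. The profile text is constructed; the parameter names are real SAP profile parameters, but the required values form an assumed baseline that you should adapt to your landscape.

```python
"""Audit and harden the SNC parameters of an SAP instance profile.

The profile below is CONSTRUCTED for this example.  The snc/* parameter
names are real SAP profile parameters; the required values are this
example's assumed baseline.
"""

# Typical state before SNC enforcement (constructed): SNC is enabled, but
# insecure (non-SNC) logons are still accepted and the minimum quality of
# protection is 1 (authentication only, no encryption).
WEAK_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
snc/enable = 1
snc/gssapi_lib = /usr/sap/PRD/SYS/exe/run/libsapcrypto.so
snc/identity/as = p:CN=PRD, OU=SAP, O=Example
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/only_encrypted_gui = 0
snc/only_encrypted_rfc = 0
"""

# (parameter, acceptable values with the hardened one first, why it matters)
BASELINE = [
    ("snc/enable", ("1",),
     "SNC disabled: DIAG and RFC traffic is not encrypted at all"),
    ("snc/data_protection/min", ("3",),
     "level 3 = privacy (encryption); 1 only authenticates, 2 only integrity-protects"),
    ("snc/data_protection/use", ("3", "9"),
     "default quality of protection for outgoing connections must be encryption (9 = use maximum)"),
    ("snc/accept_insecure_gui", ("0",),
     "SAP GUI logons without SNC are still accepted: passwords cross the wire in clear"),
    ("snc/accept_insecure_rfc", ("0",),
     "RFC connections without SNC are still accepted"),
    ("snc/accept_insecure_cpic", ("0",),
     "CPIC connections without SNC are still accepted"),
    ("snc/only_encrypted_gui", ("1",),
     "an SNC-authenticated GUI session may still negotiate no encryption"),
    ("snc/only_encrypted_rfc", ("1",),
     "an SNC-authenticated RFC session may still negotiate no encryption"),
]


def parse_profile(text):
    """Parse 'key = value' lines; '#' starts a comment, as in SAP profiles."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def snc_findings(profile_text):
    """Return (parameter, actual, required, reason) for every baseline violation."""
    params = parse_profile(profile_text)
    findings = []
    for key, acceptable, why in BASELINE:
        actual = params.get(key)
        if actual not in acceptable:
            findings.append((key, actual, acceptable[0], why))
    return findings


def harden(profile_text):
    """Rewrite the profile so every baseline parameter has its hardened value."""
    wanted = {key: acceptable[0] for key, acceptable, _ in BASELINE}
    out, seen = [], set()
    for raw in profile_text.splitlines():
        key = raw.split("#", 1)[0].partition("=")[0].strip()
        if key in wanted:
            out.append(f"{key} = {wanted[key]}")
            seen.add(key)
        else:
            out.append(raw)
    for key, value in wanted.items():
        if key not in seen:
            out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, actual, required, why in snc_findings(WEAK_PROFILE):
        print(f"{key}: is {actual!r}, want {required!r} ({why})")
    print(harden(WEAK_PROFILE))
```

Apply the hardened values only after every SAP GUI and RFC client has been configured for SNC; setting the `snc/accept_insecure_*` parameters to 0 locks out any client that still connects without it, so a staged rollout that first enforces encryption for the accounts holding classified data is the usual path.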
Data processed by SAP systems such as SAP ERP and SAP S/4HANA is business-critical and must be protected from unauthorized access, exfiltration, manipulation, or destruction. With organizations shifting from a reactive to a proactive cybersecurity strategy, data protection in SAP deserves dedicated focus.
When deciding which data to protect, an organization should consult its data protection officer and establish a simple classification scheme with public, confidential, and secret levels. Once the data is classified, standard authorization management can be enhanced with measures such as archiving or deleting data that is no longer needed, implementing data or information lifecycle management (DLM/ILM), analyzing data flows, and encrypting data traffic. Third-party tools can support both the classification process and the detection of data leaks in real time, and SNC secures communication across all associated interfaces.