How GDPR affects SAP security?
TRANSCRIPT
Roadmap: How to implement GDPR in SAP?
1. Introduction to GDPR
2. GDPR security-related requirements
3. SAP security controls for GDPR
4. GDPR security implementation plan
5. Follow-up actions
Introduction to GDPR: Key GDPR security provisions and challenges

Drivers of GDPR: Privacy concerns
25 May 2018: General Data Protection Regulation
o cybertheft of personal data
o tracking and predicting individual behavior
o misuse of personal data
o control over their data
o level playing field
GDPR's Goal: To facilitate the digital economy
For citizens:
o easier access to their data
o a new right to data portability
o right to be forgotten
o right to know when their personal data has been hacked
For business:
o a single set of EU-wide rules
o EU rules for non-EU companies
o one-stop-shop
o a data protection officer
o innovation-friendly rules
o privacy-friendly techniques
o impact assessments
Are SAP users ready?
of users do not fully understand the implications of the GDPR in relation to their SAP estate, and their future use of SAP
Source: UK and Ireland SAP User Group, June 2017
By 25 May 2018, less than 50% of all organizations will fully comply with the EU's GDPR
Source: Gartner Security & Risk Management Summit 2017
of companies expect sanction or remedial action per 25 May 2018
Source: Symantec, October 2016
http://www.computerweekly.com/news/450420744/SAP-users-look-to-software-suppliers-to-help-with-fast-approaching-GDPR
https://www.symantec.com/en/uk/about/newsroom/press-releases/2016/symantec_1018_01
Turn GDPR into Lemonade
1. Elicit SAP-related GDPR security requirements
2. Learn suitable SAP security controls
3. Prepare GDPR security implementation plan
GDPR security-related requirements
Definitions (General Data Protection Regulation, Article 4)
Personal data: any information relating to an identified or identifiable natural person (data subject);
Data subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Source: General Data Protection Regulation, Article 4
http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
Online Store (diagram)
GDPR Security Provisions: Overview
Data Subject Rights
Privacy Principles (Privacy By Design and Privacy By Default)
Data Protection Officer Duties
Data Protection Impact Assessment
Cybersecurity Requirements
Data Breach Notification
Privacy Principles: Eliciting requirements
Lawfulness, fairness and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
Accountability and compliance
SAP tasks:
Identify data items
Find users having access to personal data
Restrict access to personal data
Manage personal data lifecycle
Implement and describe security controls to demonstrate compliance
Monitor personal data access
Implement incident response capabilities
GDPR Security Tasks

Identify data items
Find users having access to personal data
Evaluate security controls
Assess risks to data subjects

Restrict access to personal data
Implement and describe security controls to demonstrate compliance
Manage personal data lifecycle

Monitor personal data access
Detect SAP security threats
Implement SAP incident response capabilities
SAP Security Controls for GDPR
1. Assess data processes
1.1 Identify data items
1.2 Find users having access to personal data
1.3 Evaluate security controls
1.4 Assess risks to data subjects
1.1 Find data: Typical locations of personal data
Standard global master tables:
o Customers: KNA1, KNBK, KNVK
o Vendors: LFA1, LFBK
o Addresses: ADRC, ADR2, ADR3, ADR6
o Business partners: BP000, BP030
o Users: USR03
o Credit cards: VCNUM
HR master records:
o 0002 Personal Data
o 0004 Challenge
o 0006 Addresses
o 0009 Bank Details
o 0021 Family
o 0028 Internal Medical Services
o 0094 Residence Status
1.1 Find data: How to find personal data in SAP?
Search in domains:
o RSCRDOMA: Where-Used List of Domains in Tables
o RPDINF01: Audit Information System, Technical Overview of Infotypes
Search in table descriptions:
o tables and descriptions: DD02L, text table DD02T
o fields: DD03L
o data elements: DD04L, text table DD04T
o domains: DD01L, text table DD01T
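The dictionary search above can be automated once the DD* tables have been extracted. The script below is an added example and is not part of the deck or of any SAP tool: it runs the "search in table descriptions" step over a few constructed rows that imitate DD03L (table fields), DD04T (data element texts) and DD02T (table texts), and adds a domain where-used lookup in the spirit of RSCRDOMA. The column names (TABNAME, FIELDNAME, ROLLNAME, DOMNAME, DDTEXT) follow the standard ABAP Dictionary tables but are assumed here; the keyword list is the example's own and should be extended to your languages and vocabulary.

```python
"""Search an SAP data-dictionary extract for fields that may hold personal data.

Constructed example, not from the slide deck: the rows below imitate a few
records of DD03L, DD04T and DD02T. Column names follow the standard ABAP
Dictionary tables (assumed; verify against your system before running this
over a real extract).
"""
import re
from collections import defaultdict

# Constructed DD03L rows: (TABNAME, FIELDNAME, ROLLNAME, DOMNAME)
DD03L = [
    ("KNA1", "KUNNR", "KUNNR", "KUNNR"),
    ("KNA1", "NAME1", "NAME1_GP", "NAME"),
    ("KNA1", "STRAS", "STRAS_GP", "TEXT35"),
    ("KNBK", "BANKN", "BANKN", "BANKN"),
    ("ADR6", "SMTP_ADDR", "AD_SMTPADR", "AD_SMTPADR"),
    ("VCNUM", "CCNUM", "CCNUM", "CCNUM"),
    ("PA0002", "GBDAT", "GBDAT", "DATUM"),
    ("T001", "BUKRS", "BUKRS", "BUKRS"),
    ("ZLOG", "MSG", "ZMSGTXT", "TEXT255"),
]
# Constructed DD04T rows: ROLLNAME -> DDTEXT (English data element description)
DD04T = {
    "KUNNR": "Customer Number",
    "NAME1_GP": "Name 1",
    "STRAS_GP": "House number and street",
    "BANKN": "Bank account number",
    "AD_SMTPADR": "E-Mail Address",
    "CCNUM": "Payment cards: Card number",
    "GBDAT": "Date of Birth",
    "BUKRS": "Company Code",
    "ZMSGTXT": "Application log message",
}
# Constructed DD02T rows: TABNAME -> DDTEXT (table description)
DD02T = {
    "KNA1": "General Data in Customer Master",
    "KNBK": "Customer Master (Bank Details)",
    "ADR6": "E-Mail Addresses (Business Address Services)",
    "VCNUM": "Payment cards: Card number",
    "PA0002": "HR Master Record: Infotype 0002 (Personal Data)",
    "T001": "Company Codes",
    "ZLOG": "Custom application log",
}

# Indicators of personal data in description texts (identifiers named in
# GDPR Art. 4 plus common SAP master-data attributes). Example's own list.
PERSONAL_DATA_TERMS = [
    r"\bname\b", r"\bstreet\b", r"\baddress\b", r"\be-?mail\b", r"\bbirth\b",
    r"\bbank account\b", r"\bcard number\b", r"\btelephone\b", r"\bpersonal data\b",
]
TERM_RE = re.compile("|".join(PERSONAL_DATA_TERMS), re.IGNORECASE)


def find_personal_data_fields(dd03l=DD03L, dd04t=DD04T, dd02t=DD02T):
    """Return (table, field, matched_text) for every field whose data element
    description or table description matches a personal-data indicator."""
    hits = []
    for tabname, fieldname, rollname, _domname in dd03l:
        for text in (dd04t.get(rollname, ""), dd02t.get(tabname, "")):
            if TERM_RE.search(text):
                hits.append((tabname, fieldname, text))
                break  # one reason per field is enough for the inventory
    return hits


def where_used_domain(domname, dd03l=DD03L):
    """(table, field) pairs built on a domain, the RSCRDOMA idea: once one
    personal-data domain is known, every field on it inherits the sensitivity."""
    return sorted((t, f) for t, f, _r, d in dd03l if d == domname)


def tables_by_hit_count(hits):
    """Summarise hits per table, to prioritise which tables to review first."""
    counts = defaultdict(int)
    for tabname, _field, _text in hits:
        counts[tabname] += 1
    return dict(counts)


if __name__ == "__main__":
    for tab, fld, why in find_personal_data_fields():
        print(f"{tab}.{fld}: {why}")
    print("Fields on domain NAME:", where_used_domain("NAME"))
```

On the constructed rows the search flags six fields across KNA1, KNBK, ADR6, VCNUM and PA0002 and leaves T001 and the custom ZLOG table alone; on a real extract, review the misses as carefully as the hits, since free-text fields (TEXT255 domains, long texts) often carry personal data without any telling description.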
1.2 Find users: Overview of communication channels
Business transactions and reports
SAP tables:
o table browsing and maintenance transactions: SE16, SE16N, SE17, SM30, SM31 et al.
o proxy transactions like SPRO (which call the aforementioned ones internally)
o SAP Query (SQVI, SQ01, ...)
RFC functions
Databases (HANA, Oracle)
SAP services:
o Gateway
o Message Server
o SOAP Interface
(Diagram layers: Access controls; Other security controls)
1.2 Find users by S_TABU_* authorizations
1.2 Find users of transactions
Standard data-related transactions:
o Customers: FD02
o Vendors: FK02, M-01
o Addresses: VCUST
o Business partners: BP
o Users: SU01, SU10, SUGR, PA30
o Credit cards: PRCCD, ...
Find more:
1. Search for programs using data-related tables (SE80 \ Repository Information System \ ABAP Dictionary \ Database Tables)
2. Find transactions related to the program (SE80, or table TSTC)
3. Find users having S_TCODE authorizations to run the transactions
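The three "Find more" steps, together with the S_TABU_* route from the previous slide, can be resolved offline from role extracts. The following is an added example and not the deck's or SAP's own code: it walks a constructed where-used list (program to tables, as the SE80 Repository Information System would produce) into TSTC to get transactions, then into AGR_1251 (role authorization values) and AGR_USERS (role assignments) to get users, and separately lists users who can reach the table generically through S_TABU_DIS on its TDDAT authorization group plus a table-browsing transaction. All rows are constructed; the column names are assumed to match the standard tables; the value matching is a simplification of SAP's authorization check (ACTVT, S_TABU_NAM and manually assigned profiles outside the AGR_* tables are not modelled).

```python
"""Resolve which users can reach a personal-data table, via its business
transactions and via generic table browsing.

Constructed example, not from the slide deck: the rows below imitate small
extracts of TSTC, TDDAT, AGR_1251 and AGR_USERS plus an SE80 where-used list.
Column names are assumed to follow the standard tables; verify on your system.
"""
from fnmatch import fnmatchcase

# Constructed where-used list: program -> tables it reads (step 1)
PROGRAM_TABLES = {
    "SAPMF02D": {"KNA1", "KNBK"},   # customer master maintenance
    "SAPMF02K": {"LFA1", "LFBK"},   # vendor master maintenance
    "ZREP_CUST": {"KNA1"},          # custom customer report
    "SAPMSSY0": set(),
}
# Constructed TSTC rows: (TCODE, PGMNA) (step 2)
TSTC = [("FD02", "SAPMF02D"), ("FD03", "SAPMF02D"), ("FK02", "SAPMF02K"),
        ("ZCUST", "ZREP_CUST"), ("SE16", "SAPLSETB")]
# Constructed TDDAT rows: table -> authorization group (CCLASS)
TDDAT = {"KNA1": "FA00", "KNBK": "FA00", "LFA1": "FA00", "LFBK": "FA00", "T001": "FC00"}
# Constructed AGR_1251 rows: (AGR_NAME, OBJECT, FIELD, LOW, HIGH)
AGR_1251 = [
    ("Z_AR_CLERK", "S_TCODE", "TCD", "FD02", ""),
    ("Z_AR_CLERK", "S_TCODE", "TCD", "FD03", ""),
    ("Z_AP_CLERK", "S_TCODE", "TCD", "FK02", ""),
    ("Z_BASIS", "S_TCODE", "TCD", "*", ""),
    ("Z_BASIS", "S_TABU_DIS", "DICBERCLS", "*", ""),
    ("Z_BASIS", "S_TABU_DIS", "ACTVT", "03", ""),
    ("Z_DEV", "S_TCODE", "TCD", "SE16", ""),
    ("Z_DEV", "S_TCODE", "TCD", "Z*", ""),
    ("Z_DEV", "S_TABU_DIS", "DICBERCLS", "FC00", ""),
    ("Z_DEV", "S_TABU_DIS", "ACTVT", "03", ""),
    ("Z_AUDIT", "S_TCODE", "TCD", "SE16", ""),
    ("Z_AUDIT", "S_TABU_DIS", "DICBERCLS", "FA00", "FC00"),
    ("Z_AUDIT", "S_TABU_DIS", "ACTVT", "03", ""),
]
# Constructed AGR_USERS rows: (AGR_NAME, UNAME)
AGR_USERS = [("Z_AR_CLERK", "ALICE"), ("Z_AP_CLERK", "BOB"), ("Z_BASIS", "CAROL"),
             ("Z_DEV", "DAVE"), ("Z_AUDIT", "ERIN"), ("Z_DEV", "ERIN")]


def value_matches(low, high, value):
    """Authorization field test: LOW..HIGH range when HIGH is set, otherwise an
    exact value or '*' pattern (fnmatchcase approximates SAP's wildcard rules)."""
    if high:
        return low <= value <= high
    return fnmatchcase(value, low)


def transactions_for_table(table, program_tables=PROGRAM_TABLES, tstc=TSTC):
    """Steps 1-2: programs that use the table, then the transactions starting them."""
    programs = {p for p, tabs in program_tables.items() if table in tabs}
    return sorted(tcode for tcode, pgm in tstc if pgm in programs)


def roles_with(object_name, field, value, agr_1251=AGR_1251):
    """Roles whose authorization values for OBJECT/FIELD cover the given value."""
    return {r for r, o, f, lo, hi in agr_1251
            if o == object_name and f == field and value_matches(lo, hi, value)}


def users_of_roles(roles, agr_users=AGR_USERS):
    return sorted({u for r, u in agr_users if r in roles})


def users_with_tcode(tcode):
    """Step 3: users whose roles grant S_TCODE for the transaction."""
    return users_of_roles(roles_with("S_TCODE", "TCD", tcode))


def users_with_table_access(table, tddat=TDDAT, browse_tcodes=("SE16", "SE16N", "SM30")):
    """Users holding S_TABU_DIS on the table's authorization group in a role that
    also grants a generic browsing transaction. Tables without a group fall
    under &NC& in SAP. Simplified: ACTVT and S_TABU_NAM are not evaluated."""
    group = tddat.get(table, "&NC&")
    users = set()
    for role in roles_with("S_TABU_DIS", "DICBERCLS", group):
        if any(role in roles_with("S_TCODE", "TCD", t) for t in browse_tcodes):
            users.update(users_of_roles({role}))
    return sorted(users)


def access_report(table):
    """Who can reach a table: per business transaction, and via table browsing."""
    via_tcodes = {t: users_with_tcode(t) for t in transactions_for_table(table)}
    return {"transactions": via_tcodes, "table_browsing": users_with_table_access(table)}


if __name__ == "__main__":
    print(access_report("KNA1"))
```

The report for KNA1 shows the two populations worth reviewing separately: users reached through the standard and custom transactions (ALICE, CAROL, DAVE, ERIN), and users who can browse the table directly (CAROL through the full wildcard, ERIN through an authorization-group range); the range case is the one most often missed in manual reviews.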
1.3 Evaluate security controls
Authentication: password policy; privileged users; SSO checks
Monitoring: log settings (security audit log, system log, gateway, HTTP, SQL logs); CCMS settings
Access control: assignment of authorization groups to tables and ABAP programs; RFC authorization checks; unblocked critical transactions (SM59, SCC5, SM32, ...)
Encryption: SSL options; SNC options
Insecure configuration: Gateway, RFC, ICF, MMC, GUI, Web Dispatcher, ...
List of connected systems: RFC, DBCON, HANA, XI
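Several of the checklist items above (password policy, audit logging, gateway configuration) come down to profile parameter values, which can be evaluated against a written baseline rather than read by eye. The script below is an added example, not from the deck: it parses a constructed name = value dump of the kind RSPFPAR or RZ11 shows and reports every parameter that misses the baseline or is absent. The parameter names are standard SAP profile parameters; the baseline thresholds are this example's own choices and must be aligned with your policy.

```python
"""Check a constructed SAP profile-parameter dump against a baseline.

Added example, not from the slide deck. PARAMETER_DUMP imitates name = value
output for a handful of parameters; BASELINE holds the example's own target
values for the checklist items (password policy, security audit log, gateway
access control files).
"""

# Constructed dump, one "parameter = value" line each
PARAMETER_DUMP = """\
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
rsau/enable = 0
gw/sec_info = $(DIR_DATA)$(DIR_SEP)secinfo
gw/reg_info =
"""


def at_least(n):
    return lambda v: v.isdigit() and int(v) >= n


def between(lo, hi):
    return lambda v: v.isdigit() and lo <= int(v) <= hi


def non_empty(v):
    return v != ""


# parameter -> (predicate the observed value must satisfy, finding text)
BASELINE = {
    "login/min_password_lng": (at_least(12), "minimum password length below 12"),
    "login/password_expiration_time": (between(1, 90), "passwords never expire or expire after more than 90 days"),
    "login/fails_to_user_lock": (between(1, 5), "lockout threshold missing or too high"),
    "login/no_automatic_user_sapstar": (lambda v: v == "1", "automatic SAP* fallback user enabled"),
    "rsau/enable": (lambda v: v == "1", "security audit log disabled"),
    "gw/sec_info": (non_empty, "gateway secinfo file not configured"),
    "gw/reg_info": (non_empty, "gateway reginfo file not configured"),
}


def parse_parameter_dump(text):
    """Parse 'name = value' lines into a dict; an empty right-hand side is kept
    as '' so that unset parameters are visible to the baseline checks."""
    params = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def evaluate(params, baseline=BASELINE):
    """Return (parameter, observed, reason) findings. A parameter missing from
    the dump is reported too, because the kernel default is often the weak value."""
    findings = []
    for name, (ok, reason) in baseline.items():
        if name not in params:
            findings.append((name, "<missing>", reason))
        elif not ok(params[name]):
            findings.append((name, params[name], reason))
    return findings


def is_compliant(text):
    return not evaluate(parse_parameter_dump(text))


if __name__ == "__main__":
    for name, observed, reason in evaluate(parse_parameter_dump(PARAMETER_DUMP)):
        print(f"{name} = {observed!r}: {reason}")
```

Against the constructed dump the check reports four findings (short passwords, no expiry, audit log off, no reginfo) and passes the other three; keeping the baseline in code makes the "describe security controls to demonstrate compliance" step later in the deck a matter of re-running it.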
1.4 Assess risks to data subjects
CAUSE:
o weak access controls (no SoD enforced, weak passwords)
o transmission of data using unencrypted channels
o application vulnerabilities
o misconfigurations
o disabled logging
RISK (to personal data):
o disclosure
o alteration
o destruction or loss
EFFECT: Health, Legal, Financial, Reputation
"In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."
Source: General Data Protection Regulation
2. Prevent the data breach
2.1 Restrict access to personal data
2.2 Implement and describe security controls to demonstrate compliance
2.3 Manage personal data lifecycle
2.1 Restrict access to personal data: Overview
LEVEL: SOLUTION
Business: Authorization objects; Segregation of Duties; Single sign-on and password authentication; UI Masking and Logging
Communications: XI; SNC; VPNs; Firewalls
Infrastructure: Secure configuration (servers, databases, SAP components and clients); Database and file encryption; Identity management
2.1 Restrict access to personal data: UI Masking
Purpose:
o masking sensitive data in SAP GUI
o logging of requests to selected data fields
Functions:
o modifies data before it is displayed, on the backend side
o tracks requests for sensitive data
o configurable what should be masked and how
o configurable who is authorized to see unmasked data
Source: SAP UI Masking presentation
https://assets.cdn.sap.com/sapcom/docs/2015/06/0a0d918e-5b7c-0010-82c7-eda71af511fa.pdf
2.1 Restrict access to personal data: UI Masking Architecture (diagram from the same SAP UI Masking presentation)
2.2 Implement security controls: Article 32
(a) pseudonymization and encryption: SAP CSF Data Security; SAP CSF Secure Architecture
(b) CIA: SAP CSF Asset Management; SAP CSF Access Control
(c) continuity: SAP CSF Business Environment; SAP CSF Incident Response
(d) testing: SAP CSF Vulnerability Management; SAP CSF Threat Detection
2.2 Implement security controls
System Security Plan: description of the approach to protect a system
o security plan roles and assignment of security responsibilities
o description of system: purpose, environment and interconnections
o description of assets: name, purpose, environmental context, severity and type of information
o laws, regulations, and policies affecting systems and data
o security control selection
o information about