How GDPR affects SAP security? · relation to their SAP estate, and their future use of SAP Source:...



Page 1: How GDPR affects SAP security? · relation to their SAP estate, and their future use of SAP Source: UK and Ireland SAP User Group, June 2017 By 25 May 2018, less than 50% of all organizations
Page 2:

Roadmap: How to implement GDPR in SAP?

1. Introduction to GDPR

2. GDPR security-related requirements

3. SAP security controls for GDPR

4. GDPR security implementation plan

5. Follow-up actions


Page 3:

Introduction to GDPR: Key GDPR security provisions and challenges

Page 4:

Drivers of GDPR: Privacy concerns


25 May 2018: General Data Protection Regulation

• cybertheft of personal data
• tracking and predicting individual behavior
• misuse of personal data
• control over their data
• level playing field

Page 5:

GDPR’s Goal: To facilitate the digital economy


For citizens:

• easier access to their data
• a new right to data portability
• right to be forgotten
• right to know when their personal data has been hacked

For business:

• a single set of EU-wide rules
• EU rules for non-EU companies
• one-stop-shop
• a data protection officer
• innovation-friendly rules
• privacy-friendly techniques
• impact assessments

Page 6:

Are SAP users ready?

of users do not fully understand the implications of the GDPR in relation to their SAP estate, and their future use of SAP

Source: UK and Ireland SAP User Group, June 2017

By 25 May 2018, less than 50% of all organizations will fully comply with EU’s GDPR

Gartner Security & Risk Management Summit 2017

of companies expect a sanction or remedial action as of 25 May 2018

Source: Symantec, October 2016

Page 7:

Turn GDPR into Lemonade

1. Elicit SAP-related GDPR security requirements

2. Learn suitable SAP security controls

3. Prepare GDPR security implementation plan


Page 8:

GDPR security-related requirements

Page 9:

Definitions

• Personal data: any information relating to an identified or identifiable natural person (‘data subject’).

• Data subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

• Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Source: General Data Protection Regulation, Article 4

Page 10:

Online Store (example diagram)

Page 11:

GDPR Security Provisions: Overview

• Data Subject Rights

• Privacy Principles (Privacy By Design and Privacy By Default)

• Data Protection Officer Duties

• Data Protection Impact Assessment

• Cybersecurity Requirements

• Data Breach Notification


Page 12:

Privacy Principles: Eliciting requirements

• Lawfulness, fairness and transparency

• Purpose limitation

• Data minimization

• Accuracy

• Storage limitation

• Integrity and confidentiality

• Accountability and compliance


SAP tasks:

• Identify data items

• Find users having access to personal data

• Restrict access to personal data

• Manage personal data lifecycle

• Implement and describe security controls to demonstrate compliance

• Monitor personal data access

• Implement incident response capabilities

Page 13:

GDPR Security Tasks

Assess:
• Identify data items
• Find users having access to personal data
• Evaluate security controls
• Assess risks to data subjects

Prevent:
• Restrict access to personal data
• Implement and describe security controls to demonstrate compliance
• Manage personal data lifecycle

Detect & respond:
• Monitor personal data access
• Detect SAP security threats
• Implement SAP incident response capabilities

Page 14:

SAP Security Controls for GDPR

Page 15:

Page 16:

1. Assess data processes

1.1 Identify data items

1.2 Find users having access to personal data

1.3 Evaluate security controls

1.4 Assess risks to data subjects

Page 17:

1.1 Find data: Typical locations of personal data

• Standard global master tables:
  o Customers: KNA1, KNBK, KNVK
  o Vendors: LFA1, LFBK
  o Addresses: ADRC, ADR2, ADR3, ADR6
  o Business partners: BP000, BP030
  o Users: USR03
  o Credit cards: VCNUM

• HR master records (infotypes):
  o 0002 Personal Data
  o 0004 Challenge
  o 0006 Addresses
  o 0009 Bank Details
  o 0021 Family
  o 0028 Internal Medical Services
  o 0094 Residence Status

Page 18:

1.1 Find data: How to find personal data in SAP?

• Search in domains:
  o RSCRDOMA: Where-Used List of Domains in Tables
  o RPDINF01: Audit Information System – Technical Overview of Infotypes

• Search in table descriptions:
  o tables and descriptions: DD02L, text table DD02T
  o fields: DD03L
  o data elements: DD04L, text table DD04T
  o domains: DD01L, text table DD01T

Page 19:

1.2 Find users: Overview of communication channels

• Business transactions and reports
• SAP tables:
  o table browsing and maintenance transactions: SE16, SE16N, SE17, SM30, SM31 et al.
  o proxy transactions like SPRO (which call the aforementioned ones internally)
  o SAP Query (SQVI, SQ01, …)
• RFC functions
• Databases (HANA, Oracle)
• SAP services:
  o Gateway
  o Message Server
  o SOAP Interface

Diagram labels: Access controls / Other security controls

Page 20:

1.2 Find users by S_TABU_* authorizations

Page 21:

1.2 Find users of transactions

• Standard data-related transactions:
  o Customers: FD02
  o Vendors: FK02, M-01
  o Addresses: VCUST
  o Business partners: BP
  o Users: SU01, SU10, SUGR, PA30
  o Credit cards: PRCCD

• Find more:
  1. Search for programs using data-related tables (SE80 \ Repository Information System \ ABAP Dictionary \ Database Tables)
  2. Find transactions related to the program (SE80, or table TSTC)
  3. Find users having S_TCODE authorizations to run the transactions
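The three-step "Find more" procedure above, together with the S_TABU_* path from the previous slide, as an added example. This is not code from the deck and not an SAP tool: it runs over exported copies of the real dictionary and authorization tables (DD03L, DD04T, TSTC, TDDAT, AGR_1251, AGR_USERS, which you would pull with SE16 or RFC_READ_TABLE), while the program-to-table usage that SE80's where-used list produces is supplied as a hand-made dictionary. All rows are constructed sample data, and the keyword list for spotting personal-data fields is an assumption to extend for your estate.

```python
"""Who can reach personal data in SAP? Added example built on constructed
extracts of the real dictionary/authorization tables (DD03L, DD04T, TSTC,
TDDAT, AGR_1251, AGR_USERS). In practice export them with SE16 or
RFC_READ_TABLE; the program-to-table map stands in for SE80's where-used
list and is hand-made here."""
from collections import defaultdict

# DD03L extract (constructed): table, field, data element
DD03L = [
    ("KNA1", "NAME1", "NAME1_GP"),
    ("KNA1", "STCD1", "STCD1"),
    ("KNBK", "BANKN", "BANKN"),
    ("ADR6", "SMTP_ADDR", "AD_SMTPADR"),
    ("MARA", "MATNR", "MATNR"),
]
# DD04T extract (constructed): data element -> short text
DD04T = {"NAME1_GP": "Name 1", "STCD1": "Tax Number 1", "BANKN": "Bank account number",
         "AD_SMTPADR": "E-Mail Address", "MATNR": "Material Number"}
# TDDAT extract: table -> authorization group; tables without an entry are
# checked against the default group &NC& by S_TABU_DIS
TDDAT = {"KNA1": "FC01", "KNBK": "FC01", "MARA": "MA"}
# TSTC extract: transaction -> program
TSTC = {"FD02": "SAPMF02D", "SE16": "SAPLSETB", "MM03": "SAPMM03M"}
# Stand-in for the SE80 where-used list: program -> tables it reads
WHERE_USED = {"SAPMF02D": {"KNA1", "KNBK"}, "SAPMM03M": {"MARA"}}
# AGR_1251 extract: role, object, field, low, high (ACTVT rows kept but not
# evaluated: any activity on S_TABU_DIS already implies read access)
AGR_1251 = [
    ("Z_AR_CLERK", "S_TCODE", "TCD", "FD02", ""),
    ("Z_AR_CLERK", "S_TABU_DIS", "DICBERCLS", "FC01", ""),
    ("Z_AR_CLERK", "S_TABU_DIS", "ACTVT", "03", ""),
    ("Z_BASIS", "S_TCODE", "TCD", "S*", ""),
    ("Z_BASIS", "S_TABU_DIS", "DICBERCLS", "*", ""),
    ("Z_BASIS", "S_TABU_DIS", "ACTVT", "02", "03"),
    ("Z_MM_VIEW", "S_TCODE", "TCD", "MM01", "MM09"),
]
# AGR_USERS extract: role -> users
AGR_USERS = {"Z_AR_CLERK": {"CLERK1"}, "Z_BASIS": {"ADMIN1"}, "Z_MM_VIEW": {"MM1"}}

# Assumed keywords that flag a data element as personal data; extend per estate
PERSONAL_KEYWORDS = ("name", "tax number", "bank account", "address")


def auth_matches(low: str, high: str, value: str) -> bool:
    """SAP authorization value semantics: LOW..HIGH range, trailing '*'
    wildcard, otherwise exact match."""
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def personal_data_tables() -> set:
    """Step 1.1: tables with a field whose data element text names personal data."""
    hits = set()
    for table, _field, delem in DD03L:
        text = DD04T.get(delem, "").lower()
        if any(k in text for k in PERSONAL_KEYWORDS):
            hits.add(table)
    return hits


def transactions_touching(tables: set) -> dict:
    """Steps 1-2 of 'Find more': transaction -> personal-data tables its program reads."""
    out = defaultdict(set)
    for tcode, program in TSTC.items():
        used = WHERE_USED.get(program, set()) & tables
        if used:
            out[tcode] |= used
    return dict(out)


def roles_with(obj: str, field: str, value: str) -> set:
    return {role for role, o, f, lo, hi in AGR_1251
            if o == obj and f == field and auth_matches(lo, hi, value)}


def users_with_access(tables: set) -> dict:
    """Step 3: user -> why they can reach personal data. S_TCODE is necessary,
    not sufficient (the transaction's own authorization objects still apply),
    so treat the result as a review list, not a finding."""
    reasons = defaultdict(set)
    for tcode in transactions_touching(tables):
        for role in roles_with("S_TCODE", "TCD", tcode):
            for user in AGR_USERS.get(role, ()):
                reasons[user].add(f"S_TCODE:{tcode}")
    for table in sorted(tables):
        group = TDDAT.get(table, "&NC&")   # unassigned tables land in &NC&
        for role in roles_with("S_TABU_DIS", "DICBERCLS", group):
            for user in AGR_USERS.get(role, ()):
                reasons[user].add(f"S_TABU_DIS:{group}({table})")
    return dict(reasons)


if __name__ == "__main__":
    for user, why in sorted(users_with_access(personal_data_tables()).items()):
        print(user, sorted(why))
```

Two things the sample deliberately exposes: the wildcard `DICBERCLS = *` in the basis role reaches the e-mail table ADR6 only because that table has no authorization group and therefore falls into `&NC&`, which is the case the "table authorization groups" check on the implementation-plan slide is about; and `S_TCODE S*` grants SE16 without showing up here, because the where-used map has no entry for the SE16 program, so generic table browsers must be covered by the S_TABU_* path rather than the transaction path.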

Page 22:

1.3 Evaluate security controls

Authentication
• Password policy
• Privileged users
• SSO checks

Monitoring
• Log settings: security audit log, system log, gateway, HTTP, SQL logs …
• CCMS settings

Access control
• Assignment of authorization groups to tables and ABAP programs
• RFC authorization checks
• Unblocked critical transactions (SM59, SCC5, SM32, …)

Encryption
• SSL options
• SNC options

Insecure configuration
• Gateway, RFC, ICF, MMC, GUI, Web Dispatcher, …

List of connected systems
• RFC, DBCON, HANA, XI …
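A concrete form of the password-policy, SNC, audit-log and RFC-check items above is a profile-parameter baseline. The following is an added example, not from the deck and not an SAP tool: the parameter names are real, the defaults are the classic NetWeaver ones (confirm yours in RZ11) and the thresholds are a common hardening baseline to adjust to policy. Both profile texts are constructed samples, one weak and one remediated.

```python
"""Profile-parameter baseline check for the 'Evaluate security controls'
step. Added example, not from the deck and not an SAP tool. Parameter names
are real; the defaults are the classic NetWeaver ones (confirm yours in
RZ11) and the thresholds are a common baseline, adjust to policy. Read
effective values with RSPARAM or RZ11 rather than a single profile file,
since instance profiles and dynamic switches override DEFAULT.PFL.
Both profiles below are constructed samples."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Rule:
    param: str
    default: int                # value in force when the parameter is not set
    ok: Callable[[int], bool]
    expected: str
    why: str


BASELINE = [
    Rule("login/min_password_lng", 6, lambda v: v >= 8, ">= 8",
         "short passwords fall to offline cracking of USR02 hashes"),
    Rule("login/password_expiration_time", 0, lambda v: 1 <= v <= 90, "1..90",
         "0 means passwords never expire"),
    Rule("login/fails_to_user_lock", 5, lambda v: 1 <= v <= 5, "1..5",
         "caps online password guessing"),
    Rule("login/no_automatic_user_sapstar", 0, lambda v: v == 1, "1",
         "otherwise a deleted SAP* logs in with the kernel default password"),
    Rule("login/password_downwards_compatibility", 1, lambda v: v == 0, "0",
         "stops storing legacy (weak) hash formats alongside the strong one"),
    Rule("gw/acl_mode", 0, lambda v: v == 1, "1",
         "gateway denies remote RFC starts/registrations unless ACL files allow them"),
    Rule("snc/enable", 0, lambda v: v == 1, "1",
         "SAP GUI and RFC traffic is cleartext without SNC"),
    Rule("rdisp/gui_auto_logout", 0, lambda v: 1 <= v <= 1800, "1..1800 s",
         "0 never logs out idle GUI sessions"),
    Rule("rsau/enable", 0, lambda v: v == 1, "1",
         "Security Audit Log records nothing while disabled"),
    Rule("auth/rfc_authority_check", 1, lambda v: v >= 1, ">= 1",
         "0 skips the S_RFC check on incoming RFC calls"),
]

WEAK_PROFILE = """
# constructed instance profile, not from a real system
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 12
login/no_automatic_user_sapstar = 1
login/password_downwards_compatibility = 1
gw/acl_mode = 0
snc/enable = 0
rdisp/gui_auto_logout = 0
auth/rfc_authority_check = 1
"""

HARDENED_PROFILE = """
# same instance after remediation (constructed)
login/min_password_lng = 12
login/password_expiration_time = 90
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
login/password_downwards_compatibility = 0
gw/acl_mode = 1
snc/enable = 1
rdisp/gui_auto_logout = 900
rsau/enable = 1
auth/rfc_authority_check = 1
"""


def parse_profile(text: str) -> dict:
    """'name = value' lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def check_profile(text: str) -> list:
    """Return one finding per baseline rule the profile violates; an absent
    parameter is evaluated at its default, which is how the kernel treats it."""
    params = parse_profile(text)
    findings = []
    for rule in BASELINE:
        raw: Optional[str] = params.get(rule.param)
        try:
            value = rule.default if raw is None else int(raw)
        except ValueError:
            value = None                      # non-numeric garbage counts as a finding
        if value is None or not rule.ok(value):
            findings.append({
                "param": rule.param,
                "actual": raw if raw is not None else f"<not set, default {rule.default}>",
                "expected": rule.expected,
                "why": rule.why,
            })
    return findings


if __name__ == "__main__":
    for f in check_profile(WEAK_PROFILE):
        print(f"{f['param']}: {f['actual']} (expected {f['expected']}): {f['why']}")
```

The point of evaluating absent parameters at their default is that `rsau/enable` is missing from the weak profile and is therefore off; a checker that only inspects lines present in the file would miss exactly the disabled-logging cause listed on the risk slide.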

Page 23:

1.4 Assess risks to data subjects

CAUSE → RISK → EFFECT

Cause:
• weak access controls (no SoD enforced, weak passwords)
• transmission of data using unencrypted channels
• application vulnerabilities
• misconfigurations
• disabled logging

Risk: disclosure, alteration, destruction or loss of personal data

Effect: health, legal, financial, reputation

“In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

Source: General Data Protection Regulation, Article 32(2)

Page 24:

2. Prevent the data breach

2.1 Restrict access to personal data

2.2 Implement and describe security controls to demonstrate compliance

2.3 Manage personal data lifecycle

Page 25:

2.1 Restrict access to personal data: Overview

LEVEL / SOLUTION

Business:
• Authorization objects
• Segregation of Duties
• Single sign-on and password authentication
• UI Masking and Logging

Communications:
• XI
• SNC
• VPNs
• Firewalls

Infrastructure:
• Secure configuration: servers, databases, SAP components and clients
• Database and file encryption
• Identity management

Page 26:

2.1 Restrict access to personal data: UI Masking

• Purpose:
  o masking sensitive data in SAP GUI
  o logging of requests to selected data fields

• Functions:
  o modifies data on the backend side before it is displayed
  o tracks requests for sensitive data
  o configurable as to what should be masked and how
  o configurable as to who is authorized to see unmasked data

Source: SAP UI Masking presentation

Page 27:

2.1 Restrict access to personal data: UI Masking Architecture (diagram)

Source: SAP UI Masking presentation

Page 28:

2.2 Implement security controls: Article 32

Article 32(1) requirement → SAP CSF area:

(a) pseudonymization and encryption: SAP CSF Data Security; SAP CSF Secure Architecture

(b) ongoing confidentiality, integrity and availability (CIA): SAP CSF Asset Management; SAP CSF Access Control

(c) continuity (restoring availability and access after an incident): SAP CSF Business Environment; SAP CSF Incident Response

(d) regular testing of the measures: SAP CSF Vulnerability Management; SAP CSF Threat Detection

Page 29:

Page 30:

2.2 Implement security controls

System Security Plan: description of the approach to protect a system

• security plan roles and assignment of security responsibilities

• description of system: purpose, environment and interconnections

• description of assets: name, purpose, environmental context, severity and type of information

• laws, regulations, and policies affecting systems and data

• security control selection

• approval and completion information

• security plan maintenance considerations


Source: NIST SP800-18, Guide for Developing Security Plans for Federal Information Systems

Page 31:

2.3 Manage personal data lifecycle

Every step of the deal involves processing personal data, which must be blocked and erased once the purpose has ended.

Source: D&IM Services

Page 32:

2.3 Manage personal data lifecycle

As soon as the original purpose ends, personal data must be deleted. However, if other fiscal/legal retention periods apply, the data must be blocked until those periods expire.

Source: D&IM Services

Page 33:

2.3 Manage personal data lifecycle: SAP Information Lifecycle Management

• Lifecycle management of data with the following Retention Management functions:
  o Defining ILM rules (for example, retention rules) for the purpose of mapping legal requirements and their application to live and archived data.
  o Putting legal holds on data that is relevant for legal cases in order to prevent early destruction.
  o Destroying data while taking legal requirements and legal holds into account.

• Storage of archived data on an ILM-certified WebDAV server (to guarantee non-changeability of the data and to protect it from premature destruction)
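The block-or-delete rule the three lifecycle slides describe (delete at purpose end, block while a fiscal or legal retention period still runs, never destroy under legal hold), as an added example. It is not the deck's code and not SAP ILM; it models the decision only, with constructed purposes, retention periods, records and dates, and it shows the edge cases a practitioner hits: a record whose purpose has no retention rule, and a purpose-end date on 29 February.

```python
"""Block-or-delete decision for personal data after its purpose ends.
Added example, not the deck's or SAP ILM's code; it models the rule the
slides state (delete at purpose end, block while a fiscal/legal retention
period still runs, never destroy under legal hold). Rules, dates and
records are constructed sample values."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    purpose: str
    residence_years: int   # may stay live this long after purpose end (0 = block at once)
    retention_years: int   # statutory retention from purpose end; blocked meanwhile


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    purpose_end: Optional[date]   # None: purpose still running
    legal_hold: bool = False


# Constructed rules: sales documents carry a 10-year fiscal retention,
# withdrawn marketing consent has none
RULES = {
    "sales_order": RetentionRule("sales_order", residence_years=0, retention_years=10),
    "marketing_consent": RetentionRule("marketing_consent", residence_years=0, retention_years=0),
}


def add_years(d: date, years: int) -> date:
    """Calendar arithmetic that survives 29 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(rec: Record, today: date, rules=RULES) -> str:
    """Return one of: active, block, destroy, hold, review."""
    if rec.purpose_end is None:
        return "active"
    rule = rules.get(rec.purpose)
    if rule is None:
        return "review"            # no rule: never guess, escalate to the DPO
    if rec.legal_hold:
        return "hold"              # legal hold beats every retention clock
    if today < add_years(rec.purpose_end, rule.residence_years):
        return "active"
    if today < add_years(rec.purpose_end, rule.retention_years):
        return "block"             # keep for the statute, restrict access
    return "destroy"


def plan(records, today: date, rules=RULES) -> dict:
    return {r.record_id: decide(r, today, rules) for r in records}


SAMPLE = [   # constructed records
    Record("SO-1", "sales_order", date(2016, 3, 1)),
    Record("SO-2", "sales_order", date(2007, 1, 15)),
    Record("SO-3", "sales_order", date(2007, 1, 15), legal_hold=True),
    Record("MC-1", "marketing_consent", date(2018, 5, 1)),
    Record("SO-4", "sales_order", None),
    Record("X-1", "unknown_app", date(2010, 1, 1)),
    Record("SO-5", "sales_order", date(2008, 2, 29)),
]

if __name__ == "__main__":
    for rid, action in plan(SAMPLE, date(2018, 5, 25)).items():
        print(rid, action)
```

"block" is the state the slides call out as the GDPR-specific one: the record is kept for the tax authority but must no longer be reachable through the ordinary transactions, which in SAP terms means the blocked data is excluded from display and search and only a narrowly authorized role can still read it. The "review" outcome for an unmapped purpose is deliberate; silently destroying or silently keeping data with no rule are both compliance failures.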

Page 34:

3. Detect & Respond

3.1 Monitor personal data access

3.2 Notify incident response team

3.3 Respond to SAP incidents

Page 35:

3.1 Monitor personal data access: Event sources

• UI Masking
• UI Logging
• Read Access Logging
• Security logs

Page 36:

3.1 Monitor personal data access: UI Logging

• UI Logging is a non-modifying add-on based on SAP NetWeaver

• UI Logging captures the data stream between SAP GUI and the backend system

• Minimal impact on the application


Transaction BP (Business Partner) Log record

Source: SAP UI Logging presentation

Page 37:

3.1 Monitor personal data access: Read Access Logging

Read Access Logging Framework (diagram)

Page 38:

3.1 Monitor personal data access: Security Audit Log

Page 39:

3.2 Notify incident response team: SAP Computing Center Management System (CCMS)

• RZ21: create e-mail alert
• RZ20: assign e-mail alert to the MTE (monitoring tree element)

Page 40:

3.3 Respond to SAP incidents

Page 41:

GDPR Security Tasks

Assess:
• Identify data items
• Find users having access to personal data
• Evaluate security controls
• Assess risks to data subjects

Prevent:
• Restrict access to personal data
• Implement and describe security controls to demonstrate compliance
• Manage personal data lifecycle

Detect & respond:
• Monitor personal data access
• Notify incident response team
• Implement SAP incident response capabilities

Page 42:

GDPR Security Implementation Plan

Page 43:

GDPR Security Implementation Plan

1. Understand your system: what personal data is processed in SAP and who has access to it?

2. Restrict access: develop authorizations and SoD rules; prioritize remediations

3. Stay compliant and detect breaches: monitor access; detect GDPR non-compliance and SAP threats

Page 44:

1. Understand your system

• tables: Have you assigned table authorization groups to all critical tables?
• transactions, reports: Have you revoked unnecessary S_TCODE authorizations related to personal data?
• RFC functions: Check the list of users with S_RFC authorizations
• database & OS access: Are the database and OS hardened?
• platform vulnerabilities: Have you implemented all SAP patches and SAP security notes?
• misconfigurations: Is the SAP configuration secure?
• custom code vulnerabilities: Does your custom code contain hardcoded values or missing authorization checks?

Page 45:

1. Understand your system: SAP Security Audit

• Data flow description
• Analysis of authorizations, roles and SoD conflicts
• Vulnerability assessment and remediation guideline
• Security control evaluation & custom code security analysis
• Threat analysis:
  o security event analysis
  o role profiling
  o RFC profiling

Page 46:

2. Restrict access: Action plan

1. Revoke unjustified access

2. Prepare remediation plan for vulnerabilities

3. Prepare action plan for security controls:
  o fix custom code issues and missing authorization checks
  o turn on logging of data access
  o mask personal data
  o harden configuration
  o …

Page 47:

2. Restrict access: Remediation planning

Constraints and requirements (example):
• Duration: not more than 60 days
• Vulnerability risk level: medium and higher
• Allowed remediation types: no kernel patch

Tasks:

1. Prioritizing vulnerabilities by:
   - ease of exploitation: availability of a public exploit, need for preparation, need for credentials with special rights, etc.;
   - impact of a successful exploitation: full disclosure and OS-level access, or just revealing technical data;
   - prevalence of the vulnerability in SAP systems;
   - criticality of the SAP systems with the vulnerability.

2. Filtering vulnerabilities

Outcome:
• Remediation Plan

Page 48:

3. Stay compliant and detect breaches: Aggregate logs

More than 30 logs, for example:
o SAP ABAP Security log
o SAP ABAP Audit log
o SAP ABAP HTTP log
o SAP ABAP ICM Security log
o SAP ABAP RFC log
o SAP J2EE HTTP log
o SAP HANA Security log
o SAP HANA log

Log Management Solutions

Page 49:

3. Detect SAP security threats: Threats & attack examples

• Threats:
  • starting of critical RFC functions, reports, transactions or web service access
  • unauthorized/unsuccessful access (e.g. RFC calls, logon attempts)
  • potential DDoS attack

• Attacks:
  • web resource attacks (XSS, SQL injection, etc.)
  • exploitation of source code vulnerabilities
  • authentication bypass (verb tampering, invoker servlet)

• Anomalies:
  • first-time access to personal data
  • location change of users processing personal data
  • unusually high traffic utilization
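Three of the detections above (unsuccessful logon attempts, first-time access to personal data, and a user's location change), run over Security Audit Log events, as an added example that is not from the deck and not SAP's own code. The message IDs AU1 (logon successful), AU2 (logon failed) and AU3 (transaction started) are the real Security Audit Log ones, which only exist if rsau/enable is set and SM19 filters record them; the pipe-separated line layout is a constructed stand-in for an SM20 or RSAU_READ_LOG export, the terminal field is used as the location, and every record is invented.

```python
"""Detections over Security Audit Log events for the anomalies listed above
(first-time access to personal data, location/terminal change, failed-logon
bursts). Added example, not from the deck and not SAP's own code. Message IDs
AU1 (logon successful), AU2 (logon failed) and AU3 (transaction started) are
the real Security Audit Log ones; the pipe-separated line layout is a
constructed stand-in for an SM20/RSAU_READ_LOG export, and all records are
invented."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Transactions the deck lists as touching personal data (extend per estate)
PERSONAL_DATA_TCODES = {"FD02", "FK02", "VCUST", "BP", "SU01", "SU10", "PA30",
                        "PRCCD", "SE16", "SE16N"}

HISTORY_LOG = """
# ts|client|user|terminal|tcode|msgid  (constructed baseline period)
2018-05-20 08:00:00|100|CLERK1|WS-FIN-01||AU1
2018-05-20 08:02:00|100|CLERK1|WS-FIN-01|FD02|AU3
2018-05-20 09:00:00|100|ADMIN1|WS-BASIS-01||AU1
2018-05-20 09:05:00|100|ADMIN1|WS-BASIS-01|SM59|AU3
"""

TODAY_LOG = """
# constructed events for the day under review
2018-05-25 08:01:12|100|CLERK1|WS-FIN-01||AU1
2018-05-25 08:03:40|100|CLERK1|WS-FIN-01|FD02|AU3
2018-05-25 08:10:05|100|CLERK1|WS-FIN-01||AU2
2018-05-25 10:15:00|100|DDIC|10.0.0.5||AU2
2018-05-25 10:15:20|100|DDIC|10.0.0.5||AU2
2018-05-25 10:15:40|100|DDIC|10.0.0.5||AU2
2018-05-25 10:16:00|100|DDIC|10.0.0.5||AU2
2018-05-25 10:16:20|100|DDIC|10.0.0.5||AU2
2018-05-25 10:16:40|100|DDIC|10.0.0.5||AU2
2018-05-25 12:30:00|100|ADMIN1|WS-BASIS-01||AU1
2018-05-25 12:31:00|100|ADMIN1|WS-BASIS-01|PA30|AU3
2018-05-25 21:45:00|100|CLERK1|VPN-203||AU1
"""


def parse(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, user, terminal, tcode, msg = [p.strip() for p in line.split("|")]
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "client": client,
                       "user": user, "terminal": terminal, "tcode": tcode, "msg": msg})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events: list) -> dict:
    """Per user: terminals seen on successful logons, personal-data tcodes already used."""
    base = {}
    for e in events:
        prof = base.setdefault(e["user"], {"terminals": set(), "tcodes": set()})
        if e["msg"] == "AU1":
            prof["terminals"].add(e["terminal"])
        elif e["msg"] == "AU3":
            prof["tcodes"].add(e["tcode"])
    return base


def detect(events: list, baseline: dict, fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> list:
    """Return (kind, user, detail) alerts in time order. The baseline is updated
    as alerts fire so each new terminal/tcode is reported once."""
    alerts = []
    failures = defaultdict(deque)        # user -> timestamps of AU2 inside the window
    for e in events:
        user = e["user"]
        prof = baseline.setdefault(user, {"terminals": set(), "tcodes": set()})
        if e["msg"] == "AU2":
            q = failures[user]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append(("logon_burst", user,
                               f"{len(q)} failed logons within {window} from {e['terminal']}"))
                q.clear()                 # do not re-alert on every further failure
        elif e["msg"] == "AU1" and e["terminal"] not in prof["terminals"]:
            alerts.append(("terminal_change", user, e["terminal"]))
            prof["terminals"].add(e["terminal"])
        elif e["msg"] == "AU3" and e["tcode"] in PERSONAL_DATA_TCODES \
                and e["tcode"] not in prof["tcodes"]:
            alerts.append(("first_personal_access", user, e["tcode"]))
            prof["tcodes"].add(e["tcode"])
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(parse(TODAY_LOG), build_baseline(parse(HISTORY_LOG))):
        print(kind, user, detail)
```

The baseline is what keeps this usable: CLERK1 running FD02 from the usual workstation is the job, not an anomaly, while the same user appearing from a VPN terminal at night and a basis administrator opening PA30 for the first time are the two events a data protection officer would want explained. The single failed logon for CLERK1 is below the threshold and correctly produces nothing; the six failures against DDIC produce one alert, not six.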

Page 50:

ERPScan GDPR Solutions: How can ERPScan help?


• SAP Security Audit

• SAP Vulnerability Management Services

• SAP - SIEM integration services

• ERPScan VM module

• ERPScan Code scanning module

• ERPScan SOD module

• SOD services

Contact us:

[email protected], Phone: +31 20 8932892

Page 51:

Follow-up actions

Page 52:

Follow-up actions

• Conduct an SAP security audit

• Organize one-to-one demo

• Request more information


Page 53:

Thank you

USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301, Phone 650.798.5255

HQ Netherlands: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam, Phone +31 20 8932892

[email protected]

Michael Rakutko, Head of Professional Services, [email protected]

Read our blog: erpscan.com/category/press-center/blog/

Join our webinars: erpscan.com/category/press-center/events/