How GDPR affects SAP security?
Roadmap: How to implement GDPR in SAP?
1. Introduction to GDPR
2. GDPR security-related requirements
3. SAP security controls for GDPR
4. GDPR security implementation plan
5. Follow-up actions
Introduction to GDPR: Key GDPR security provisions and challenges
Drivers of GDPR: Privacy concerns
25 May 2018: General Data Protection Regulation
• cybertheft of personal data
• tracking and predicting individual behavior
• misuse of personal data
• control over their data
• level playing field
GDPR’s Goal: To facilitate digital economy
For citizens:
• easier access to their data
• a new right to data portability
• right to be forgotten
• right to know when their personal data has been hacked
For business:
• a single set of EU-wide rules
• EU rules for non-EU companies
• one-stop-shop
• a data protection officer
• innovation-friendly rules
• privacy-friendly techniques
• impact assessments
Are SAP users ready?
of users do not fully understand the implications of the GDPR in relation to their SAP estate, and their future use of SAP
Source: UK and Ireland SAP User Group, June 2017
By 25 May 2018, less than 50% of all organizations will fully comply with EU’s GDPR
Source: Gartner Security & Risk Management Summit 2017
of companies expect sanction or remedial action per 25 May 2018
Source: Symantec, October 2016
Turn GDPR into Lemonade
1. Elicit SAP-related GDPR security requirements
2. Learn suitable SAP security controls
3. Prepare GDPR security implementation plan
GDPR security-related requirements
Definitions
• Personal data: any information relating to an identified or identifiable natural person (‘data subject’);
• Data subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
• Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Source: General Data Protection Regulation, Article 4
Online Store
GDPR Security Provisions: Overview
• Data Subject Rights
• Privacy Principles (Privacy By Design and Privacy By Default)
• Data Protection Officer Duties
• Data Protection Impact Assessment
• Cybersecurity Requirements
• Data Breach Notification
Privacy Principles: Eliciting requirements
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability and compliance
SAP tasks:
• Identify data items
• Find users having access to personal data
• Restrict access to personal data
• Manage personal data lifecycle
• Implement and describe security controls to demonstrate compliance
• Monitor personal data access
• Implement incident response capabilities
GDPR Security Tasks
• Identify data items
• Find users having access to personal data
• Evaluate security controls
• Assess risks to data subjects
• Restrict access to personal data
• Implement and describe security controls to demonstrate compliance
• Manage personal data lifecycle
• Monitor personal data access
• Detect SAP security threats
• Implement SAP incident response capabilities
SAP Security Controls for GDPR
1. Assess data processes
1.1 Identify data items
1.2 Find users having access to personal data
1.3 Evaluate security controls
1.4 Assess risks to data subjects
1.1 Find data
• Standard global master tables:
o Customers: KNA1, KNBK, KNVK
o Vendors: LFA1, LFBK
o Addresses: ADRC, ADR2, ADR3, ADR6
o Business partners: BP000, BP030
o Users: USR03
o Credit cards: VCNUM
• HR master records (infotypes):
o 0002 Personal Data
o 0004 Challenge
o 0006 Addresses
o 0009 Bank Details
o 0021 Family
o 0028 Internal Medical Services
o 0094 Residence Status
Typical locations of personal data
1.1 Find data
• Search in domains:
o RSCRDOMA: Where-Used List of Domains in Tables
o RPDINF01: Audit Information Systems – Technical Overview of Infotypes
• Search in table descriptions:
o tables and descriptions: DD02L, text table DD02T
o fields: DD03L
o data elements: DD04L, text table DD04T
o domains: DD01L, text table DD01T
How to find personal data in SAP?
1.2 Find users
• Business transactions and reports
• SAP tables:
o table browsing and maintenance transactions: SE16, SE16N, SE17, SM30, SM31 et al.
o proxy transactions like SPRO (which call the aforementioned ones internally)
o SAP Query (SQVI, SQ01, …)
• RFC functions
• Databases (HANA, Oracle)
• SAP services:
o Gateway
o Message Server
o SOAP Interface
Overview of communication channels
Access controls
Other security controls
1.2 Find users by S_TABU_* authorizations
1.2 Find users of transactions
• Standard data-related transactions:
o Customers: FD02
o Vendors: FK02, M-01
o Addresses: VCUST
o Business partners: BP
o Users: SU01, SU10, SUGR, PA30
o Credit cards: PRCCD
• Find more:
1. Search for programs using data-related tables (SE80\Repository Information System\ABAP Dictionary\Database Tables)
2. Find transactions related to the program (SE80, or table TSTC)
3. Find users having S_TCODE authorizations to run the transactions
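The two lookups above (users by S_TABU_* table authorization groups and users by S_TCODE) can be answered from exported role data. This is an added example, not from the slides or from ERPScan: the rows are constructed and only mimic the columns of AGR_1251, AGR_USERS and TDDAT, and the ACTVT field of S_TABU_DIS is ignored.

```python
"""Who can reach personal data?  Evaluates S_TCODE (transactions) and
S_TABU_DIS (table authorization groups) from exported role data.
Added example, not from the slides: the rows below are constructed and
only mimic the columns of AGR_1251, AGR_USERS and TDDAT (ACTVT is
ignored); a real run would read these tables from the system."""
import fnmatch
from datetime import date

# Constructed AGR_1251 rows: (role, object, field, low, high)
AGR_1251 = [
    ("Z_FI_AR_CLERK", "S_TCODE", "TCD", "FD01", "FD03"),      # range FD01..FD03
    ("Z_FI_AR_CLERK", "S_TABU_DIS", "DICBERCLS", "FC31", ""),
    ("Z_BASIS_ALL", "S_TCODE", "TCD", "*", ""),               # full wildcard
    ("Z_BASIS_ALL", "S_TABU_DIS", "DICBERCLS", "*", ""),
    ("Z_MM_BUYER", "S_TCODE", "TCD", "ME2*", ""),             # pattern
    ("Z_HR_DISPLAY", "S_TABU_DIS", "DICBERCLS", "PA", ""),
]
# Constructed AGR_USERS rows: (role, user, valid_to)
AGR_USERS = [
    ("Z_FI_AR_CLERK", "JSMITH", date(9999, 12, 31)),
    ("Z_BASIS_ALL", "BASISADM", date(9999, 12, 31)),
    ("Z_BASIS_ALL", "OLDADMIN", date(2017, 1, 31)),   # expired assignment
    ("Z_MM_BUYER", "MBROWN", date(9999, 12, 31)),
    ("Z_HR_DISPLAY", "HRCLERK", date(9999, 12, 31)),
]
# Constructed TDDAT mapping: table -> authorization group
TDDAT = {"KNA1": "FC31", "KNBK": "FC31", "LFA1": "FC31", "USR03": "SC", "PA0002": "PA"}


def value_matches(value, low, high):
    """SAP authorization value semantics: LOW..HIGH range, else '*'-pattern."""
    if high:
        return low <= value <= high
    return fnmatch.fnmatchcase(value, low)


def users_with_access(obj, field, wanted, today=None):
    """Users whose still-valid roles grant `obj`/`field` for any value in `wanted`."""
    today = today or date.today()
    granting = {role for role, o, f, low, high in AGR_1251
                if o == obj and f == field
                and any(value_matches(w, low, high) for w in wanted)}
    return sorted({user for role, user, valid_to in AGR_USERS
                   if role in granting and valid_to >= today})


def users_for_tables(tables, today=None):
    """Map tables to their TDDAT groups, then look up S_TABU_DIS holders."""
    groups = {TDDAT[t] for t in tables if t in TDDAT}
    return users_with_access("S_TABU_DIS", "DICBERCLS", groups, today)
```

Tables without a TDDAT entry are skipped here; in a real system they fall into the default group and need a separate check.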
1.3 Evaluate security controls
Authentication:
• Password policy
• Privileged users
• SSO checks
Monitoring:
• Log settings: security audit log, system log, gateway, HTTP, SQL logs …
• CCMS settings
Access control:
• Assignment of authorization groups to tables and ABAP programs
• RFC authorization checks
• Unblocked critical transactions (SM59, SCC5, SM32, …)
Encryption:
• SSL options
• SNC options
Insecure configuration:
• Gateway, RFC, ICF, MMC, GUI, Web Dispatcher, …
List of connected systems:
• RFC, DBCON, HANA, XI …
1.4 Assess risks to data subjects
CAUSE → RISK → EFFECT
Causes:
• weak access controls (no SoD enforced, weak passwords)
• transmission of data using unencrypted channels
• application vulnerabilities
• misconfigurations
• disabled logging
Risk: disclosure, alteration, destruction or loss of personal data
Effects:
• Health
• Legal
• Financial
• Reputation
“In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
Source: General Data Protection Regulation, Article 32(2)
2. Prevent the data breach
2.1 Restrict access to personal data
2.2 Implement and describe security controls to demonstrate compliance
2.3 Manage personal data lifecycle
2.1 Restrict access to personal data: Overview
LEVEL → SOLUTION
• Business: Authorization objects; Segregation of Duties; Single sign-on and password authentication; UI Masking and Logging
• Communications: XI; SNC; VPNs; Firewalls
• Infrastructure: Secure configuration of servers, databases, SAP components and clients; Database and file encryption; Identity management
2.1 Restrict access to personal data: UI Masking
• Purpose:
o masking sensitive data in SAP GUI
o logging of requests to selected data fields
• Functions:
o modifies data before it is displayed, on the backend side
o tracks requests for sensitive data
o configurable as to what should be masked and how
o configurable as to who is authorized to see unmasked data
Source: SAP UI Masking presentation
2.1 Restrict access to personal data: UI Masking Architecture
Source: SAP UI Masking presentation
2.2 Implement security controls: Article 32
(a) pseudonymization and encryption: SAP CSF. Data Security; SAP CSF. Secure Architecture
(b) CIA: SAP CSF. Asset Management; SAP CSF. Access Control
(c) continuity: SAP CSF. Business Environment; SAP CSF. Incident Response
(d) testing: SAP CSF. Vulnerability Management; SAP CSF. Threat Detection
2.2 Implement security controls
System Security Plan: description of the approach to protect a system
• security plan roles and assignment of security responsibilities
• description of system: purpose, environment and interconnections
• description of assets: name, purpose, environmental context, severity and type of information
• laws, regulations, and policies affecting systems and data
• security control selection
• information about approving and completion
• security plan maintenance considerations
Source: NIST SP800-18, Guide for Developing Security Plans for Federal Information Systems
2.3 Manage personal data lifecycle
All steps of the deal involve processing personal data, which must be blocked and erased once the purpose has ended.
Source: D&IM Services
2.3 Manage personal data lifecycle
As soon as the original purpose ends, personal data must be deleted. However, if other fiscal/legal retention periods apply, the data must be blocked.
Source: D&IM Services
SAP Information Lifecycle Management
• Lifecycle Management of data with the following Retention Management functions:
o Defining ILM rules (for example, retention rules) for the purpose of mapping legal requirements and their application to live and archived data.
o Putting legal holds on data that is relevant for legal cases in order to prevent early destruction.
o Destroying data while taking legal requirements and legal holds into account.
• Storage of archived data on an ILM-certified WebDAV server (to guarantee non-changeability of the data and to protect it from premature destruction)
2.3 Manage personal data lifecycle
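The keep / block / destroy decision described on the two lifecycle slides above, with retention rules and legal holds as the ILM functions list them. This is an added example, not SAP ILM code; the rule names, periods and record fields are constructed.

```python
"""Lifecycle decision for one personal-data record, following the slides:
keep while the purpose is active, block once it ends but a fiscal/legal
retention period still applies (or a legal hold is set), destroy when
every period has expired.  Added example, not SAP ILM code; rule names
and periods are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


def add_years(d, years):
    """Date arithmetic that survives 29 February (rolls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class RetentionRule:
    name: str     # constructed, e.g. "fiscal" or "commercial"
    years: int    # years to keep after the end of purpose


@dataclass
class Record:
    purpose_end: Optional[date]            # None: business purpose still active
    rules: List[RetentionRule] = field(default_factory=list)
    legal_hold: bool = False               # prevents destruction regardless of rules


def retention_end(rec):
    """Latest date any applicable rule requires the data to be kept."""
    if rec.purpose_end is None or not rec.rules:
        return rec.purpose_end
    return max(add_years(rec.purpose_end, r.years) for r in rec.rules)


def lifecycle_action(rec, today):
    """Return 'keep', 'block' or 'destroy' for the record as of `today`."""
    if rec.purpose_end is None or today < rec.purpose_end:
        return "keep"          # purpose still running: normal processing
    if rec.legal_hold or today < retention_end(rec):
        return "block"         # purpose over: no processing, but no destruction yet
    return "destroy"           # all retention periods expired and no hold
```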
3. Detect & Respond
3.1 Monitor personal data access
3.2 Notify incident response team
3.3 Respond to SAP incidents
3.1 Monitor personal data access
• UI Masking
• UI Logging
• Read Access Logging
• Security logs
Event sources
3.1 Monitor personal data access: UI Logging
• UI Logging is a non-modifying add-on based on SAP NetWeaver
• UI Logging captures the data stream between SAP GUI and the backend system
• Minimal impact on the application
Transaction BP (Business Partner) Log record
Source: SAP UI Logging presentation
3.1 Monitor personal data access: Read Access Logging
Read Access Logging Framework
3.1 Monitor personal data access: Security Audit Log
3.2 Notify incident response team: SAP Computing Center Management System
RZ21: create e-mail alert
RZ20: assign e-mail alert to MTE
3.3 Respond to SAP incidents
GDPR Security Tasks
• Identify data items
• Find users having access to personal data
• Evaluate security controls
• Assess risks to data subjects
• Restrict access to personal data
• Implement and describe security controls to demonstrate compliance
• Manage personal data lifecycle
• Monitor personal data access
• Notify incident response team
• Implement SAP incident response capabilities
GDPR Security Implementation Plan
1. Understand your system: what personal data is processed in SAP and who has access to it?
2. Restrict access: develop authorizations and SOD rules; prioritize remediations
3. Stay compliant and detect breaches: monitor access; detect GDPR non-compliance and SAP threats
1. Understand your system
• tables: Have you assigned table authorization groups to all critical tables?
• transactions, reports: Have you revoked unnecessary S_TCODE authorizations related to personal data?
• RFC functions: Check the list of users with S_RFC authorizations
• database & OS access: Are the database and OS hardened?
• platform vulnerabilities: Have you implemented all SAP patches and SAP security notes?
• misconfigurations: Is the SAP configuration secure?
• custom code vulnerabilities: Does your custom code have any hardcoded stuff and missing authorizations?
1. Understand your system: SAP Security Audit
• Data flows description
• Analysis of authorizations, roles and SOD conflicts
• Vulnerability assessment and remediation guideline
• Security control evaluation & custom code security analysis
• Threat analysis:
o security event analysis
o roles profiling
o RFC profiling
2. Restrict access: Action plan
1. Revoke unjustified access
2. Prepare remediation plan for vulnerabilities
3. Prepare action plan for security controls:
o fix custom code issues and missing authorization checks
o turn on logging of data access
o mask personal data
o harden configuration
o …
2. Restrict access
Constraints and requirements (example):
• Duration: not more than 60 days
• Vulnerability risk level: medium and higher
• Allowed remediation types: no kernel patch
Tasks:
1. Prioritizing vulnerabilities:
- ease of exploitation: availability of public exploit, need for preparation, need for credentials with special rights, etc.;
- impact of a successful exploitation: full disclosure and OS-level access or just revealing technical data;
- prevalence of the vulnerability in SAP systems;
- criticality of the SAP systems with the vulnerability.
2. Filtering vulnerabilities
Outcome:
• Remediation Plan
Remediation planning
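The prioritizing-then-filtering step above, worked through as code: findings are scored on the four criteria and selected under the example constraints (risk medium or higher, no kernel patch, 60 days). This is an added example, not ERPScan's method; the findings, note ids and weights are constructed placeholders.

```python
"""Builds a remediation plan under the constraints on this slide (example
values: risk medium or higher, no kernel patches, at most 60 days) by
scoring findings on the four prioritization criteria and then filtering
them.  Added example, not ERPScan's method; the findings, note ids and
weights are constructed placeholders."""
from dataclasses import dataclass

RISK_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    note: str                # constructed placeholder id, not a real SAP note number
    risk: str
    exploit_public: bool     # ease: a public exploit exists
    needs_privileges: bool   # ease: special-rights credentials required
    os_access: bool          # impact: full disclosure / OS-level access vs. technical data only
    systems: int             # prevalence: affected SAP systems
    criticality: int         # 1..3, most critical affected system
    remediation: str         # "config", "note" or "kernel"
    effort_days: int


# Constructed sample findings
FINDINGS = [
    Finding("NOTE-A", "high", True, False, True, 10, 3, "note", 5),
    Finding("NOTE-B", "critical", True, False, True, 2, 3, "kernel", 30),
    Finding("NOTE-C", "medium", False, True, False, 40, 2, "config", 20),
    Finding("NOTE-D", "low", True, False, False, 50, 1, "config", 1),
    Finding("NOTE-E", "high", False, False, True, 5, 3, "note", 50),
]


def score(f):
    """Ease x impact x prevalence x criticality; higher means fix first."""
    ease = 1 + 2 * f.exploit_public + (0 if f.needs_privileges else 1)
    impact = 2 if f.os_access else 1
    return ease * impact * f.systems * f.criticality


def plan(findings, min_risk="medium", budget_days=60, excluded=("kernel",)):
    """Filter by the constraints, then pick highest-scoring fixes that fit the budget."""
    allowed = [f for f in findings
               if RISK_RANK[f.risk] >= RISK_RANK[min_risk] and f.remediation not in excluded]
    chosen, used = [], 0
    for f in sorted(allowed, key=score, reverse=True):
        if used + f.effort_days <= budget_days:
            chosen.append(f)
            used += f.effort_days
    return chosen
```

Findings that do not fit the remaining budget are skipped rather than stopping the selection, so a cheaper lower-ranked fix can still make the plan.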
Aggregate logs
• Log sources (examples):
o SAP ABAP Security log
o SAP ABAP Audit log
o SAP ABAP HTTP log
o SAP ABAP ICM Security log
o SAP ABAP RFC log
o SAP J2EE HTTP log
o SAP HANA Security log
o SAP HANA log
• More than 30 logs
• Log Management Solutions
3. Stay compliant and detect breaches
3. Detect SAP security threats: Threats & attacks examples
• Threats:
o starting of critical RFC, report, transactions or web service access
o unauthorized/unsuccessful access (e.g. RFC calls, logon attempts)
o potential DDoS attack
• Attacks:
o WEB-resource attacks (XSS, SQL Injection, etc.)
o Using source code vulnerabilities
o Authentication bypass (Verb Tampering, Invoker servlet)
• Anomalies:
o first time access to personal data
o location change of users processing personal data
o unusually high traffic utilization
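Detection logic for three of the items above (first-time access to personal data, location change of a user processing personal data, and repeated unsuccessful access) run over constructed access-log lines. This is an added example, not from ERPScan or SAP; the log format (time, user, terminal address, table, result) and every value in it are constructed.

```python
"""Three anomaly rules from the slide, run over a constructed access log:
first-time access to a personal-data table by a user, a user touching
personal data from a new terminal address, and a burst of failed accesses
(the "unauthorized/unsuccessful access" threat).  Added example, not from
ERPScan or SAP; the log format (time user terminal table result) and all
values are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

PERSONAL_TABLES = {"KNA1", "KNBK", "LFA1", "PA0002", "PA0009"}

# Constructed sample log, in event order
LOG = """\
2018-05-25T08:01:00 JSMITH 10.1.1.20 KNA1 OK
2018-05-25T08:02:00 JSMITH 10.1.1.20 KNBK OK
2018-05-25T09:15:00 JSMITH 10.9.9.9 KNA1 OK
2018-05-25T09:16:00 MBROWN 10.1.1.30 MARA OK
2018-05-25T09:17:00 MBROWN 10.1.1.30 PA0002 OK
2018-05-25T10:00:00 GUEST 10.5.5.5 KNBK FAIL
2018-05-25T10:00:10 GUEST 10.5.5.5 KNBK FAIL
2018-05-25T10:00:20 GUEST 10.5.5.5 KNBK FAIL
"""


def parse(log):
    for line in log.splitlines():
        ts, user, addr, table, result = line.split()
        yield datetime.fromisoformat(ts), user, addr, table, result


def detect(log, baseline=None, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (rule, user, detail) alerts.  `baseline` maps user -> tables already
    seen during a learning period, so known access is not reported as new."""
    seen = defaultdict(set, {u: set(t) for u, t in (baseline or {}).items()})
    last_addr, failures, alerts = {}, defaultdict(list), []
    for ts, user, addr, table, result in parse(log):
        if result != "OK":
            failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
            if len(failures[user]) >= fail_threshold:
                alerts.append(("repeated_failures", user, f"{len(failures[user])} on {table}"))
                failures[user] = []        # one alert per burst
            continue
        if table not in PERSONAL_TABLES:
            continue
        if table not in seen[user]:
            alerts.append(("first_time_access", user, table))
            seen[user].add(table)
        if user in last_addr and last_addr[user] != addr:
            alerts.append(("location_change", user, f"{last_addr[user]} -> {addr}"))
        last_addr[user] = addr
    return alerts
```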
ERPScan GDPR Solutions: How can ERPScan help?
• SAP Security Audit
• SAP Vulnerability Management Services
• SAP - SIEM integration services
• ERPScan VM module
• ERPScan Code scanning module
• ERPScan SOD module
• SOD services
Contact us:
[email protected]
Phone: +31 20 8932892
Follow-up actions
• Conduct an SAP security audit
• Organize one-to-one demo
• Request more information
Thank you
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301, Phone 650.798.5255
HQ Netherlands: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam, Phone +31 20 8932892
Michael Rakutko, Head of Professional [email protected]
Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/