Roadmap: How to implement GDPR in SAP?
1. Introduction to GDPR
2. GDPR security-related requirements
3. SAP security controls for GDPR
4. GDPR security implementation plan
5. Follow-up actions
Introduction to GDPR: key GDPR security provisions and challenges
Drivers of GDPR
Privacy concerns:
- cybertheft of personal data
- tracking and predicting individual behavior
- misuse of personal data
- citizens' control over their own data
25 May 2018: the General Data Protection Regulation applies, creating a level playing field
GDPR's Goal: to facilitate the digital economy
For citizens:
- easier access to their data
- a new right to data portability
- the right to be forgotten
- the right to know when their personal data has been hacked
For business:
- a single set of EU-wide rules
- EU rules for non-EU companies
- one-stop-shop
- a data protection officer
- innovation-friendly rules
- privacy-friendly techniques
- impact assessments
Are SAP users ready?
- "By 25 May 2018, less than 50% of all organizations will fully comply with the EU's GDPR" (Gartner Security & Risk Management Summit 2017)
- of users do not fully understand the implications of the GDPR in relation to their SAP estate, and their future use of SAP (Source: UK and Ireland SAP User Group, June 2017)
- of companies expect sanction or remedial action per 25 May 2018 (Source: Symantec, October 2016)
Turn GDPR into Lemonade
1. Elicit SAP-related GDPR security requirements
2. Learn suitable SAP security controls
3. Prepare a GDPR security implementation plan
GDPR security-related requirements
Definitions (General Data Protection Regulation, Article 4)
- Personal data: any information relating to an identified or identifiable natural person ("data subject").
- Data subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Online Store (diagram of personal data flows in an example online store; image not preserved)
GDPR Security Provisions: overview
- Data Subject Rights
- Privacy Principles (Privacy by Design and Privacy by Default)
- Data Protection Officer Duties
- Data Protection Impact Assessment
- Cybersecurity Requirements
- Data Breach Notification
Privacy Principles: eliciting requirements
Principles (Article 5):
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability and compliance
SAP tasks derived from them:
- Identify data items
- Find users having access to personal data
- Restrict access to personal data
- Manage the personal data lifecycle
- Implement and describe security controls to demonstrate compliance
- Monitor personal data access
- Implement incident response capabilities
GDPR Security Tasks
- Identify data items
- Find users having access to personal data
- Evaluate security controls
- Assess risks to data subjects
- Restrict access to personal data
- Implement and describe security controls to demonstrate compliance
- Manage the personal data lifecycle
- Monitor personal data access
- Detect SAP security threats
- Implement SAP incident response capabilities
SAP Security Controls for GDPR
1. Assess data processes
1.1 Identify data items
1.2 Find users having access to personal data
1.3 Evaluate security controls
1.4 Assess risks to data subjects
1.1 Find data: typical locations of personal data
Standard global master tables:
o Customers: KNA1, KNBK, KNVK
o Vendors: LFA1, LFBK
o Addresses: ADRC, ADR2, ADR3, ADR6
o Business partners: BP000, BP030
o Users: USR03
o Credit cards: VCNUM
HR master records (infotypes):
o 0002 Personal Data
o 0004 Challenge
o 0006 Addresses
o 0009 Bank Details
o 0021 Family
o 0028 Internal Medical Services
o 0094 Residence Status
1.1 Find data: how to find personal data in SAP?
Search by domain:
o RSCRDOMA: where-used list of domains in tables
o RPDINF01: Audit Information System, technical overview of infotypes
Search in table and field descriptions:
o tables and their descriptions: DD02L, text table DD02T
o fields: DD03L
o data elements: DD04L, text table DD04T
o domains: DD01L, text table DD01T
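The description search above, as an added example that is not part of the original presentation: it runs the join a practitioner would issue against the SAP database (DD03L for table fields, DD04T for data-element texts, DD02T for table texts) inside an in-memory SQLite copy of those three tables. The keyword list and every dictionary row are constructed samples; on a real system the statement is the same, with the schema prefix of your database user (e.g. SAPSR3.DD03L).

```python
"""Locate personal-data fields in the ABAP Dictionary by data-element text.

Added example, not from the original presentation. DD02T/DD03L/DD04T are
rebuilt in SQLite with the same column names so the query runs offline;
all rows below are constructed samples.
"""
import sqlite3

# Assumed starting keyword list for a GDPR data inventory; extend it with
# the languages and business terms used in your own system.
PERSONAL_DATA_KEYWORDS = ("bank", "birth", "name", "address", "e-mail",
                          "telephone", "card", "religion", "passport")


def build_sample_dictionary() -> sqlite3.Connection:
    """In-memory copy of the three dictionary tables with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE DD02T (TABNAME TEXT, DDLANGUAGE TEXT, DDTEXT TEXT);
        CREATE TABLE DD03L (TABNAME TEXT, FIELDNAME TEXT, ROLLNAME TEXT, DOMNAME TEXT);
        CREATE TABLE DD04T (ROLLNAME TEXT, DDLANGUAGE TEXT, DDTEXT TEXT);
    """)
    con.executemany("INSERT INTO DD02T VALUES (?,?,?)", [
        ("KNA1", "E", "General Data in Customer Master"),
        ("KNBK", "E", "Customer Master (Bank Details)"),
        ("PA0002", "E", "HR Master Record: Infotype 0002 (Personal Data)"),
        ("ZSALES_LOG", "E", "Custom sales log"),
        ("T001", "E", "Company Codes"),
    ])
    con.executemany("INSERT INTO DD03L VALUES (?,?,?,?)", [
        ("KNA1", "KUNNR", "KUNNR", "KUNNR"),
        ("KNA1", "NAME1", "NAME1_GP", "NAME"),
        ("KNA1", "TELF1", "TELF1", "TEXT16"),
        ("KNBK", "BANKN", "BANKN", "BANKN"),
        ("PA0002", "GBDAT", "GBDAT", "DATUM"),
        ("ZSALES_LOG", "CUST_EMAIL", "AD_SMTPADR", "AD_SMTPADR"),
        ("ZSALES_LOG", "AMOUNT", "NETWR", "WERTV8"),
        ("T001", "BUKRS", "BUKRS", "BUKRS"),
    ])
    con.executemany("INSERT INTO DD04T VALUES (?,?,?)", [
        ("KUNNR", "E", "Customer Number"),
        ("NAME1_GP", "E", "Name 1"),
        ("TELF1", "E", "First telephone number"),
        ("BANKN", "E", "Bank account number"),
        ("GBDAT", "E", "Date of Birth"),
        ("AD_SMTPADR", "E", "E-Mail Address"),
        ("NETWR", "E", "Net Value in Document Currency"),
        ("BUKRS", "E", "Company Code"),
    ])
    return con


# Language key 'E' = English texts. LOWER() keeps the match case-insensitive
# on databases where LIKE is case-sensitive (Oracle, HANA).
FIND_FIELDS_SQL = """
SELECT f.TABNAME, t.DDTEXT, f.FIELDNAME, f.ROLLNAME, e.DDTEXT
  FROM DD03L f
  JOIN DD04T e ON e.ROLLNAME = f.ROLLNAME AND e.DDLANGUAGE = 'E'
  LEFT JOIN DD02T t ON t.TABNAME = f.TABNAME AND t.DDLANGUAGE = 'E'
 WHERE LOWER(e.DDTEXT) LIKE ?
 ORDER BY f.TABNAME, f.FIELDNAME
"""


def find_personal_data_fields(con, keywords=PERSONAL_DATA_KEYWORDS):
    """Return {table: [(field, data element, description), ...]} for every
    field whose data-element text mentions one of the keywords."""
    hits = {}
    for kw in keywords:
        for tab, _tabtext, field, rollname, text in con.execute(
                FIND_FIELDS_SQL, (f"%{kw}%",)):
            entry = (field, rollname, text)
            if entry not in hits.setdefault(tab, []):
                hits[tab].append(entry)
    return hits


if __name__ == "__main__":
    for tab, fields in find_personal_data_fields(build_sample_dictionary()).items():
        print(tab, fields)
```

Custom tables (Z*) show up in the result exactly like standard ones, which is the point of searching the dictionary rather than a fixed list of known tables: ZSALES_LOG above is found through its reuse of the standard data element AD_SMTPADR.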
1.2 Find users: overview of communication channels
- Business transactions and reports
- SAP tables:
  o table browsing and maintenance transactions: SE16, SE16N, SE17, SM30, SM31 et al.
  o proxy transactions like SPRO (which call the aforementioned ones internally)
  o SAP Query (SQVI, SQ01, ...)
- Access controls
- RFC functions
- Databases (HANA, Oracle)
- SAP services:
  o Gateway
  o Message Server
  o SOAP Interface
- Other security controls
1.2 Find users by S_TABU_* authorizations (S_TABU_DIS by table authorization group, S_TABU_NAM by table name, S_TABU_CLI for cross-client tables, S_TABU_LIN for line-level access; screenshot not preserved)
1.2 Find users of transactions
Standard data-related transactions:
o Customers: FD02
o Vendors: FK02, M-01
o Addresses: VCUST
o Business partners: BP
o Users: SU01, SU10, SUGR, PA30
o Credit cards: PRCCD, ...
Find more:
1. Search for programs using data-related tables (SE80 > Repository Information System > ABAP Dictionary > Database Tables, where-used list)
2. Find the transactions related to the program (SE80, or table TSTC)
3. Find users having S_TCODE authorizations to run those transactions
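The two preceding slides (S_TABU_* authorizations and S_TCODE) combined into one worked check, as an added example that is not part of the original presentation. It reproduces the order in which the kernel evaluates table access for generic table transactions: S_TABU_DIS on the table's authorization group (TDDAT-CCLASS, "&NC&" when the table has none) first, and only if that fails S_TABU_NAM on the table name; S_TABU_CLI and S_TABU_LIN are deliberately not modelled. The user list, the TDDAT entries and the authorization values are constructed samples in the shape you would extract from UST12 or AGR_1251.

```python
"""Who can read a personal-data table through SE16-style transactions?

Added example, not from the presentation. Models S_TCODE + S_TABU_DIS /
S_TABU_NAM with SAP's '*' wildcard rules; all users and values below are
constructed.
"""
from typing import Optional

# TDDAT-CCLASS: table -> authorization group (constructed; read TDDAT on a real system)
TDDAT = {"KNA1": "FC31", "KNBK": "FC31", "PA0002": "PA", "T001": "FC01"}

# user -> list of (authorization object, {field: [values]}) as found in UST12
USERS = {
    "FI_CLERK": [
        ("S_TCODE", {"TCD": ["SE16", "FD02"]}),
        ("S_TABU_DIS", {"DICBERCLS": ["FC31"], "ACTVT": ["03"]}),
    ],
    "HR_ADMIN": [
        ("S_TCODE", {"TCD": ["PA30", "SE16N"]}),
        ("S_TABU_DIS", {"DICBERCLS": ["PA*"], "ACTVT": ["02", "03"]}),
    ],
    "BASIS_ALL": [
        ("S_TCODE", {"TCD": ["*"]}),
        ("S_TABU_DIS", {"DICBERCLS": ["*"], "ACTVT": ["*"]}),
    ],
    "DEVELOPER": [
        ("S_TCODE", {"TCD": ["SE16", "SE80"]}),
        ("S_TABU_NAM", {"TABLE": ["T001", "ZSALES*"], "ACTVT": ["03"]}),
    ],
    "AUDITOR": [
        ("S_TCODE", {"TCD": ["SM20"]}),
        ("S_TABU_NAM", {"TABLE": ["KNA1"], "ACTVT": ["03"]}),
    ],
}

# Generic table transactions from the slides; a user needs one of them
# (S_TCODE) in addition to a table authorization.
TABLE_TRANSACTIONS = ("SE16", "SE16N", "SE17", "SM30", "SM31")


def value_matches(auth_value: str, requested: str) -> bool:
    """SAP wildcard semantics: '*' matches everything, 'PA*' matches a prefix."""
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return requested.startswith(auth_value[:-1])
    return auth_value == requested


def has_auth(user: str, obj: str, **fields) -> bool:
    """True if a single authorization for `obj` satisfies every requested field
    (fields of one authorization are ANDed, authorizations are ORed)."""
    for auth_obj, values in USERS.get(user, []):
        if auth_obj != obj:
            continue
        if all(any(value_matches(v, want) for v in values.get(f, []))
               for f, want in fields.items()):
            return True
    return False


def can_access_table(user: str, table: str, actvt: str = "03") -> Optional[str]:
    """Return the object that grants access ('S_TABU_DIS' or 'S_TABU_NAM') or
    None. Group check first, name check only as fallback, as the kernel does."""
    group = TDDAT.get(table, "&NC&")          # tables without a group fall into &NC&
    if has_auth(user, "S_TABU_DIS", DICBERCLS=group, ACTVT=actvt):
        return "S_TABU_DIS"
    if has_auth(user, "S_TABU_NAM", TABLE=table, ACTVT=actvt):
        return "S_TABU_NAM"
    return None


def users_with_table_access(table: str, actvt: str = "03") -> dict:
    """Users holding both a generic table transaction and a table authorization
    for `table`; value = (first matching transaction, granting object)."""
    result = {}
    for user in USERS:
        tcodes = [t for t in TABLE_TRANSACTIONS if has_auth(user, "S_TCODE", TCD=t)]
        granted = can_access_table(user, table, actvt)
        if tcodes and granted:
            result[user] = (tcodes[0], granted)
    return result


if __name__ == "__main__":
    for tab in ("KNA1", "PA0002"):
        print(tab, users_with_table_access(tab))
```

AUDITOR holds S_TABU_NAM for KNA1 but no generic table transaction, so the function does not list it for KNA1: the transaction authorization and the table authorization must both be present, which is why the slides treat S_TCODE and S_TABU_* as separate search steps. On a real system this logic is what SUIM (user by authorization values) runs; the value of writing it out is seeing which of the two objects actually granted the access, which tells you whether to fix TDDAT groups or role content.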
1.3 Evaluate security controls
Authentication:
- Password policy
- Privileged users
- SSO checks
Access control:
- Assignment of authorization groups to tables and ABAP programs
- RFC authorization checks
- Unblocked critical transactions (SM59, SCC5, SM32, ...)
Insecure configuration:
- Gateway, RFC, ICF, MMC, GUI, Web Dispatcher, Monitoring
- Log settings: security audit log, system log, gateway, HTTP, SQL logs
- CCMS settings
Encryption:
- SSL options
- SNC options
List of connected systems: RFC, DBCON, HANA, XI
1.4 Assess risks to data subjects
CAUSE -> RISK -> EFFECT
Causes:
- weak access controls (no SoD enforced, weak passwords)
- transmission of data over unencrypted channels
- application vulnerabilities
- misconfigurations
- disabled logging
Risks: disclosure, alteration, destruction or loss of personal data
Effects on the data subject: health, legal, financial, reputation
"In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed." (Source: General Data Protection Regulation, Article 32(2))
2. Prevent the data breach
2.1 Restrict access to personal data
2.2 Implement and describe security controls to demonstrate compliance
2.3 Manage the personal data lifecycle
2.1 Restrict access to personal data: overview
LEVEL          | SOLUTION
Business       | Authorization objects; Segregation of Duties; Single sign-on and password authentication; UI Masking and Logging
Communications | XI; SNC; VPNs; Firewalls
Infrastructure | Secure configuration of servers, databases, SAP components and clients; Database and file encryption; Identity management
2.1 Restrict access to personal data: UI Masking
Purpose:
o masking sensitive data in SAP GUI
o logging of requests to selected data fields
Functions:
o modifies data on the backend side before it is displayed
o tracks requests for sensitive data
o configurable what should be masked and how
o configurable who is authorized to see unmasked data
Source: SAP UI Masking presentation
2.1 Restrict access to personal data: UI Masking architecture (diagram not preserved; Source: SAP UI Masking presentation)
2.2 Implement security controls: mapping GDPR Article 32(1) to SAP CSF domains
(a) pseudonymisation and encryption: SAP CSF Data Security; SAP CSF Secure Architecture
(b) ongoing confidentiality, integrity and availability (CIA): SAP CSF Asset Management; SAP CSF Access Control
(c) ability to restore availability (continuity): SAP CSF Business Environment; SAP CSF Incident Response
(d) regular testing and evaluation of controls: SAP CSF Vulnerability Management; SAP CSF Threat Detection
2.2 Implement security controls: System Security Plan
A system security plan describes the approach to protecting a system:
- roles and assignment of security responsibilities
- description of the system: purpose, environment and interconnections
- description of assets: name, purpose, environmental context, severity and type of information
- laws, regulations and policies affecting system and data security
- control selection
- information about approval and completion
- plan maintenance considerations
Source: NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems
2.3 Manage the personal data lifecycle
Every step of a deal involves processing personal data, which must be blocked and erased once the purpose of the processing has ended.
As soon as the original purpose ends, personal data must be deleted. However, if other fiscal or legal retention periods apply, the data must be blocked instead (kept, but no longer accessible for normal processing) until those periods expire, and only then destroyed.
Source: D&IM Services
2.3 Manage the personal data lifecycle: SAP Information Lifecycle Management
Lifecycle management of data with the following Retention Management functions:
o Defining ILM rules (for example, retention rules) for the purpose of mapping legal requirements and applying them to live and archived data.
o Putting legal holds on data that is relevant for legal cases in order to prevent early destruction.
o Destroying data while taking legal requirements and legal holds into account.
Storage of archived data on an ILM-certified WebDAV server (to guarantee non-changeability of the data and to protect it from premature destruction)
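The keep / block / destroy decision from the three lifecycle slides, written out as an added example; it is not SAP ILM code and not from the presentation. The retention periods per data category and the sample records are constructed assumptions standing in for ILM retention rules; the one rule that matters for a GDPR review is visible in the code: a legal hold blocks destruction even after the retention period has expired.

```python
"""Block-then-destroy decision for personal data whose purpose has ended.

Added example, not from the presentation or from SAP ILM. Retention rules,
categories and sample records below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed retention period in years after end of purpose, per data category
# (stands in for ILM retention rules maintained on a real system).
RETENTION_YEARS = {"invoice": 10, "marketing_consent": 0, "job_application": 0.5}


@dataclass
class Record:
    object_id: str
    category: str
    end_of_purpose: Optional[date]   # None = still needed for the original purpose
    legal_hold: bool = False


def retention_end(rec: Record) -> Optional[date]:
    """Day on which the legal/fiscal retention period expires, or None while in use."""
    if rec.end_of_purpose is None:
        return None
    return rec.end_of_purpose + timedelta(days=int(RETENTION_YEARS[rec.category] * 365))


def lifecycle_action(rec: Record, today: date) -> str:
    """'keep' while the purpose lasts, 'block' while a retention period or a
    legal hold applies, 'destroy' once both are cleared."""
    if rec.end_of_purpose is None or today < rec.end_of_purpose:
        return "keep"
    if rec.legal_hold:
        return "block"                # a hold overrides an expired retention period
    return "block" if today < retention_end(rec) else "destroy"


def lifecycle_report(records, today: date) -> dict:
    return {r.object_id: lifecycle_action(r, today) for r in records}


# Constructed sample records
SAMPLE_RECORDS = [
    Record("INV-1", "invoice", date(2010, 1, 1)),
    Record("INV-2", "invoice", date(2007, 1, 1)),
    Record("INV-3", "invoice", date(2007, 1, 1), legal_hold=True),
    Record("INV-4", "invoice", date(2018, 12, 31)),
    Record("CONSENT-1", "marketing_consent", date(2018, 5, 1)),
    Record("APP-1", "job_application", None),
    Record("APP-2", "job_application", date(2018, 3, 1)),
]

if __name__ == "__main__":
    for oid, action in lifecycle_report(SAMPLE_RECORDS, date(2018, 5, 25)).items():
        print(oid, action)
```

Blocking is a distinct state, not a delay before deletion: blocked records still exist and must be protected by the access controls from 2.1, which is why the blocked set should be part of the data inventory rather than treated as already gone.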
3. Detect & Respond
3.1 Monitor personal data access
3.2 Notify the incident response team
3.3 Respond to SAP incidents
3.1 Monitor personal data access: event sources
- UI Masking
- UI Logging
- Read Access Logging
- Security logs
3.1 Monitor personal data access: UI Logging
- UI Logging is a non-modifying add-on based on SAP NetWeaver
- UI Logging captures the data stream between SAP GUI and the backend system
- Minimal impact on the application
Example: log record for transaction BP (Business Partner); screenshot not preserved
Source: SAP UI Logging presentation
3.1 Monitor personal data access: Read Access Logging (Read Access Logging Framework, administered in transaction SRALMANAGER; screenshot not preserved)
3.1 Monitor personal data access: Security Audit Log (configured in SM19 and read in SM20; RSAU_CONFIG and RSAU_READ_LOG on newer NetWeaver releases; screenshot not preserved)
3.2 Notify the incident response team: SAP Computing Center Management System (CCMS)
- RZ21: create an e-mail auto-reaction method (for example based on the standard method CCMS_OnAlert_Email)
- RZ20: assign the method to the monitoring tree element (MTE) whose alert should notify the team
3.3 Respond to SAP incidents (slide content not preserved)
GDPR Security Tasks (summary)
- Identify data items
- Find users having access to personal data
- Evaluate security controls
- Assess risks to data subjects
- Restrict access to personal data
- Implement and describe security controls to demonstrate compliance
- Manage the personal data lifecycle
- Monitor personal data access
- Notify the incident response team
- Implement SAP incident response capabilities
GDPR Security Implementation Plan
GDPR Security Implementation Plan
1. Understand your system: what personal data is processed in SAP and who has access to it?
2. Restrict access:
   - develop authorizations and SoD rules
   - prioritize remediations
3. Stay compliant and detect breaches:
   - monitor access
   - detect GDPR non-compliance and SAP threats
1. Understand your system
Access to personal data:
- tables: Have you assigned table authorization groups to all critical tables?
- transactions, reports: Have you revoked unnecessary S_TCODE authorizations related to personal data?
- RFC functions: Check the list of users with S_RFC authorizations
Platform:
- database & OS access: Are the database and OS hardened?
- platform vulnerabilities: Have you implemented all SAP patches and SAP security notes?
- misconfigurations: Is the SAP configuration secure?
- custom code vulnerabilities: Does your custom code contain hardcoded values (such as credentials) or missing authorization checks?
1. Understand your system: SAP Security Audit
- Data flow description
- Analysis of authorizations, roles and SoD conflicts
- Vulnerability assessment and remediation guideline
- Security control evaluation & custom code security analysis
- Threat analysis:
  o security event analysis
  o role profiling
  o RFC profiling
2. Restrict access: action plan
1. Revoke unjustified access
2. Prepare a remediation plan for vulnerabilities
3. Prepare an action plan for security controls:
   o fix custom code issues and missing authorization checks
   o turn on logging of data access
   o mask personal data
   o harden configuration
2. Restrict access: remediation planning
Tasks:
1. Prioritizing vulnerabilities by:
   - ease of exploitation: availability of a public exploit, need for preparation, need for credentials with special rights, etc.;
   - impact of successful exploitation: full disclosure and OS-level access, or just revealing technical data;
   - prevalence of the vulnerability in SAP systems;
   - criticality of the SAP systems with the vulnerability.
2. Filtering vulnerabilities by constraints and requirements (example):
   - duration: not more than 60 days
   - vulnerability risk level: medium and higher
   - allowed remediation types: no kernel patch
Outcome: Remediation Plan
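The prioritization and filtering steps above, carried through on constructed findings as an added example (not from the presentation or from ERPScan's tooling). The four criteria on the slide become a 1..3 rating each and are multiplied into a score; the thresholds that turn the score into a risk level, the effort figures and the findings themselves are assumptions, while the filter encodes the slide's example constraints (60 days, medium or higher, no kernel patch).

```python
"""Build a remediation plan: prioritize, filter by constraints, fit the budget.

Added example, not from the presentation. Ratings, thresholds, effort and
the findings list are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    system: str              # SAP system ID
    ease: int                # 1 needs special rights/no exploit .. 3 public exploit, no preconditions
    impact: int              # 1 technical information only .. 3 full disclosure / OS-level access
    prevalence: int          # 1 rare .. 3 common in SAP landscapes
    system_criticality: int  # 1 sandbox .. 3 production holding personal data
    remediation: str         # "config", "note", "kernel" or "code"
    effort_days: int


RISK_LEVELS = {"low": 1, "medium": 2, "high": 3}


def score(f: Finding) -> int:
    """Product of the four slide criteria, 1..81."""
    return f.ease * f.impact * f.prevalence * f.system_criticality


def risk_level(f: Finding) -> str:
    s = score(f)                     # assumed cut-offs
    return "high" if s >= 36 else "medium" if s >= 12 else "low"


def plan(findings, max_days=60, min_risk="medium", forbidden=("kernel",)):
    """Return (chosen findings in execution order, days used).

    Filters out forbidden remediation types and findings below `min_risk`,
    sorts the rest by score (highest first, cheaper first on ties) and fills
    the time budget greedily in that order."""
    candidates = [f for f in findings
                  if f.remediation not in forbidden
                  and RISK_LEVELS[risk_level(f)] >= RISK_LEVELS[min_risk]]
    candidates.sort(key=lambda f: (-score(f), f.effort_days))
    chosen, used = [], 0
    for f in candidates:
        if used + f.effort_days <= max_days:
            chosen.append(f)
            used += f.effort_days
    return chosen, used


# Constructed findings (names describe the class of issue, not real CVEs)
SAMPLE_FINDINGS = [
    Finding("Gateway ACL missing (secinfo/reginfo)", "PRD", 3, 3, 3, 3, "config", 5),
    Finding("Outdated kernel release", "PRD", 3, 3, 3, 3, "kernel", 10),
    Finding("Default password for SAP*", "DEV", 3, 3, 2, 1, "config", 1),
    Finding("Verbose error messages on ICF service", "PRD", 1, 1, 2, 3, "config", 2),
    Finding("Missing AUTHORITY-CHECK in Z report", "PRD", 2, 2, 2, 3, "code", 40),
    Finding("Missing security note", "QAS", 3, 2, 3, 2, "note", 20),
    Finding("RFC destination with stored credentials", "PRD", 2, 3, 2, 3, "config", 10),
]

if __name__ == "__main__":
    chosen, used = plan(SAMPLE_FINDINGS)
    for f in chosen:
        print(f"{score(f):3d} {risk_level(f):6s} {f.effort_days:2d}d  {f.system}  {f.name}")
    print("days used:", used)
```

Two things the output makes visible that the slide only implies: the kernel finding is dropped by the constraint even though it scores highest, so it must be carried into a separate plan rather than forgotten, and the 40-day code fix falls out of the 60-day window once the higher-scoring configuration items have consumed the budget, which is the argument for scheduling custom-code remediation as its own track.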
3. Stay compliant and detect breaches: aggregate logs
More than 30 logs, for example:
o SAP ABAP Security log
o SAP ABAP Audit log
o SAP ABAP HTTP log
o SAP ABAP ICM Security log
o SAP ABAP RFC log
o SAP J2EE HTTP log
o SAP HANA Security log
o SAP HANA log
Feed them into a log management solution
3. Detect SAP security threats: examples of threats and attacks
Threats:
- start of a critical RFC function, report, transaction or web service
- unauthorized or unsuccessful access (e.g. RFC calls, logon attempts)
- potential DDoS attack
Attacks:
- web resource attacks (XSS, SQL injection, etc.)
- exploitation of source code vulnerabilities
- authentication bypass (verb tampering, invoker servlet)
Anomalies:
- first-time access to personal data
- location change of users processing personal data
- unusually high traffic utilization
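Detection logic for four of the cases above (failed-logon bursts, critical transaction starts, first-time access to personal data, and a location change), run over constructed Security Audit Log style events as an added example; it is not from the presentation or from any ERPScan product. The records mimic the fields of SM20 output with message IDs AU1 (logon successful), AU2 (logon failed) and AU3 (transaction started); the per-user baseline of known terminals and transactions, the critical-transaction list and the thresholds are assumptions.

```python
"""Simple detection rules over SAP Security Audit Log style events.

Added example, not from the presentation. Event lines, baseline and
thresholds are constructed; field layout is timestamp|user|terminal|msg|tcode.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CRITICAL_TCODES = {"SE16", "SE16N", "SM59", "SCC5", "SM30", "SU01"}
PERSONAL_DATA_TCODES = {"FD02", "FK02", "PA30", "BP", "SE16", "SE16N"}

# Per-user baseline learned from earlier weeks of logs (constructed)
BASELINE = {
    "FI_CLERK": {"terminals": {"WS-FIN-01"}, "tcodes": {"FD02", "FB01"}},
    "HR_ADMIN": {"terminals": {"WS-HR-07"}, "tcodes": {"PA30"}},
    "DEVELOPER": {"terminals": {"WS-DEV-03"}, "tcodes": {"SE80", "SE38"}},
}

# Constructed sample events
SAMPLE_LOG = [
    "2018-05-20 08:00:01|FI_CLERK|WS-FIN-01|AU1|",
    "2018-05-20 08:00:05|FI_CLERK|WS-FIN-01|AU3|FD02",
    "2018-05-20 08:01:10|DEVELOPER|WS-DEV-03|AU1|",
    "2018-05-20 08:01:30|DEVELOPER|WS-DEV-03|AU3|SE16",
    "2018-05-20 09:10:00|HR_ADMIN|10.0.5.77|AU1|",
    "2018-05-20 09:10:20|HR_ADMIN|10.0.5.77|AU3|PA30",
    "2018-05-20 23:00:00|SAP*|10.0.5.77|AU2|",
    "2018-05-20 23:00:10|SAP*|10.0.5.77|AU2|",
    "2018-05-20 23:00:20|SAP*|10.0.5.77|AU2|",
    "2018-05-20 23:00:30|SAP*|10.0.5.77|AU2|",
    "2018-05-20 23:00:40|SAP*|10.0.5.77|AU2|",
    "2018-05-20 23:00:50|SAP*|10.0.5.77|AU2|",
]


def parse(line: str) -> dict:
    ts, user, terminal, msg, tcode = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
            "terminal": terminal, "msg": msg, "tcode": tcode or None}


def detect(lines, fail_threshold=5, window=timedelta(minutes=5)):
    """Return a list of (user, rule, detail) alerts in event order."""
    alerts = []
    failures = defaultdict(list)          # user -> timestamps of AU2 events
    for e in (parse(l) for l in lines):
        u = e["user"]
        base = BASELINE.get(u, {"terminals": set(), "tcodes": set()})
        if e["msg"] == "AU2":
            failures[u].append(e["ts"])
            recent = [t for t in failures[u] if e["ts"] - t <= window]
            if len(recent) == fail_threshold:   # fire once when the threshold is crossed
                alerts.append((u, "brute-force",
                               f"{fail_threshold} failed logons in {window}"))
        elif e["msg"] == "AU1" and e["terminal"] not in base["terminals"]:
            alerts.append((u, "location-change", e["terminal"]))
        elif e["msg"] == "AU3":
            if e["tcode"] in CRITICAL_TCODES:
                alerts.append((u, "critical-tcode", e["tcode"]))
            if e["tcode"] in PERSONAL_DATA_TCODES and e["tcode"] not in base["tcodes"]:
                alerts.append((u, "first-personal-data-access", e["tcode"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

FI_CLERK running FD02 from the usual workstation produces nothing, HR_ADMIN's PA30 is expected but the new terminal is not, and DEVELOPER starting SE16 triggers both the critical-transaction rule and the first-access rule, which is the combination worth an analyst's time: a user whose job is code suddenly browsing tables. The brute-force rule fires exactly once per burst by testing for equality with the threshold rather than "greater or equal", a small detail that keeps the SIEM from producing one alert per further attempt.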
ERPScan GDPR Solutions: how can ERPScan help?
- SAP Security Audit
- ERPScan VM module
- ERPScan Code scanning module
- ERPScan SOD module
- SOD services
- SAP Vulnerability Management Services
- SAP-SIEM integration services
Contact us: inbox@erpscan.com, phone +31 20 8932892
Follow-up actions
Follow-up actions
- Conduct an SAP security audit
- Organize a one-to-one demo
- Request more information
Thank you
Michael Rakutko, Head of Professional Services, m.rakutko@erpscan.com
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301, phone 650.798.5255
HQ Netherlands: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam, phone +31 20 8932892
Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
erpscan.com | inbox@erpscan.com