Roadmap. How to implement GDPR in SAP?


Roadmap: How to implement GDPR in SAP?

1. Introduction to GDPR
2. GDPR security-related requirements
3. SAP security controls for GDPR
4. GDPR security implementation plan
5. Follow-up actions

Introduction to GDPR: key GDPR security provisions and challenges

Drivers of GDPR

- Privacy concerns:
  o cybertheft of personal data
  o tracking and predicting individual behavior
  o misuse of personal data
  o control over their data
- 25 May 2018: General Data Protection Regulation
- Level playing field

GDPR's goal: to facilitate the digital economy

For citizens:
- easier access to their data
- a new right to data portability
- right to be forgotten
- right to know when their personal data has been hacked

For business:
- a single set of EU-wide rules
- EU rules for non-EU companies
- one-stop-shop
- a data protection officer
- innovation-friendly rules
- privacy-friendly techniques
- impact assessments

Are SAP users ready?

- "By 25 May 2018, less than 50% of all organizations will fully comply with EU's GDPR" (Gartner Security & Risk Management Summit 2017)
- ... of users do not fully understand the implications of the GDPR in relation to their SAP estate, and their future use of SAP (Source: UK and Ireland SAP User Group, June 2017)
- ... of companies expect sanction or remedial action per 25 May 2018 (Source: Symantec, October 2016)

Turn GDPR into Lemonade

1. Elicit SAP-related GDPR security requirements
2. Learn suitable SAP security controls
3. Prepare GDPR security implementation plan

GDPR security-related requirements

Definitions (General Data Protection Regulation, Article 4)

- Personal data: any information relating to an identified or identifiable natural person ("data subject").
- Data subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Online Store

GDPR Security Provisions: overview

- Data Subject Rights
- Privacy Principles (Privacy by Design and Privacy by Default)
- Data Protection Officer Duties
- Data Protection Impact Assessment
- Cybersecurity Requirements
- Data Breach Notification

Privacy Principles: eliciting requirements

Principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability and compliance

SAP tasks:
- Identify data items
- Find users having access to personal data
- Restrict access to personal data
- Manage personal data lifecycle
- Implement and describe security controls to demonstrate compliance
- Monitor personal data access
- Implement incident response capabilities

GDPR Security Tasks

- Identify data items
- Find users having access to personal data
- Evaluate security controls
- Assess risks to data subjects
- Restrict access to personal data
- Implement and describe security controls to demonstrate compliance
- Manage personal data lifecycle
- Monitor personal data access
- Detect SAP security threats
- Implement SAP incident response capabilities

SAP Security Controls for GDPR

1. Assess data processes

1.1 Identify data items
1.2 Find users having access to personal data
1.3 Evaluate security controls
1.4 Assess risks to data subjects

1.1 Find data: typical locations of personal data

Standard global master tables:
  o Customers: KNA1, KNBK, KNVK
  o Vendors: LFA1, LFBK
  o Addresses: ADRC, ADR2, ADR3, ADR6
  o Business partners: BP000, BP030
  o Users: USR03
  o Credit cards: VCNUM

HR master records (infotypes):
  o 0002 Personal Data
  o 0004 Challenge
  o 0006 Addresses
  o 0009 Bank Details
  o 0021 Family
  o 0028 Internal Medical Services
  o 0094 Residence Status

1.1 Find data: how to find personal data in SAP?

Search in domains:
  o RSCRDOMA: Where-Used List of Domains in Tables
  o RPDINF01: Audit Information System, Technical Overview of Infotypes

Search in table descriptions:
  o tables and descriptions: DD02L, text table DD02T
  o fields: DD03L
  o data elements: DD04L, text table DD04T
  o domains: DD01L, text table DD01T

1.2 Find users: overview of communication channels

- Business transactions and reports
- SAP tables:
  o table browsing and maintenance transactions: SE16, SE16N, SE17, SM30, SM31 et al.
  o proxy transactions like SPRO (which call the aforementioned ones internally)
  o SAP Query (SQVI, SQ01, ...)
- Access controls
- RFC functions
- Databases (HANA, Oracle)
- SAP services:
  o Gateway
  o Message Server
  o SOAP Interface
- Other security controls

1.2 Find users by S_TABU_* authorizations

1.2 Find users of transactions

Standard data-related transactions:
  o Customers: FD02
  o Vendors: FK02, M-01
  o Addresses: VCUST
  o Business partners: BP
  o Users: SU01, SU10, SUGR, PA30
  o Credit cards: PRCCD, ...

Find more:
1. Search for programs using data-related tables (SE80 > Repository Information System > ABAP Dictionary > Database Tables)
2. Find transactions related to the program (SE80, or table TSTC)
3. Find users having S_TCODE authorizations to run the transactions
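The three-step procedure above (programs using a table, transactions of those programs, users with S_TCODE), together with the S_TABU_* path from the previous slide, worked as an added Python example that is not part of the ERPScan deck. The program-to-table, TSTC, TDDAT and user authorization extracts are constructed placeholders; S_TABU_NAM and value ranges (BT) are not modeled.

```python
"""Who can reach personal-data tables in an SAP system? (added example, not the deck's)

Joins three constructed extracts mirroring the deck's three steps -- programs using a
table, transactions of a program (TSTC), users' S_TCODE / S_TABU_DIS values -- into a
per-user list of reachable personal-data tables. Authorization groups and custom names
are placeholders; S_TABU_NAM and value ranges are not modeled.
"""
from collections import defaultdict

PERSONAL_DATA_TABLES = {"KNA1", "KNBK", "LFA1", "ADRC"}

# Step 1 (constructed): program -> tables it reads, as a where-used list reports.
PROGRAM_TABLES = {
    "SAPMF02D": {"KNA1", "KNBK"},      # customer master maintenance
    "SAPMF02K": {"LFA1"},              # vendor master maintenance
    "ZCUST_EXPORT": {"KNA1", "ADRC"},  # hypothetical custom report
    "RSUSR002": {"USR02"},             # not in scope for this exercise
}
# Step 2 (constructed): TSTC-like transaction -> program mapping.
TSTC = {"FD02": "SAPMF02D", "FK02": "SAPMF02K", "ZCUST": "ZCUST_EXPORT", "SUIM": "RSUSR002"}
# Generic table tools reach any table whose authorization group the user may display.
TABLE_TOOLS = {"SE16", "SE16N", "SE17", "SM30", "SM31"}
# TDDAT-like table -> authorization group (constructed values).
TDDAT = {"KNA1": "FA", "KNBK": "FA", "LFA1": "FA", "ADRC": "SC", "USR02": "SC"}
# Step 3 (constructed): each user's authorization values as (object, field, value).
USER_AUTHS = {
    "ANNA":  [("S_TCODE", "TCD", "FD02"), ("S_TCODE", "TCD", "SUIM")],
    "BORIS": [("S_TCODE", "TCD", "SE16"), ("S_TABU_DIS", "DICBERCLS", "SC"),
              ("S_TABU_DIS", "ACTVT", "03")],
    "CHEN":  [("S_TCODE", "TCD", "Z*")],
    "DANA":  [("S_TCODE", "TCD", "SE16N"), ("S_TABU_DIS", "DICBERCLS", "*"),
              ("S_TABU_DIS", "ACTVT", "03")],
    "ERIK":  [("S_TCODE", "TCD", "SE16")],   # table tool, but no S_TABU_DIS at all
}

def auth_matches(value: str, candidate: str) -> bool:
    """SAP-style authorization value match: '*', trailing-'*' prefix, or exact."""
    if value == "*":
        return True
    if value.endswith("*"):
        return candidate.startswith(value[:-1])
    return value == candidate

def has_value(auths, obj: str, fld: str, candidate: str) -> bool:
    return any(auth_matches(v, candidate) for o, f, v in auths if o == obj and f == fld)

def tables_reachable_by(user: str) -> dict:
    """Return {table: {transaction, ...}} for the personal-data tables a user can read."""
    auths = USER_AUTHS.get(user, [])
    reach = defaultdict(set)
    for tcode, program in TSTC.items():          # path A: a business transaction
        if has_value(auths, "S_TCODE", "TCD", tcode):
            for table in PROGRAM_TABLES.get(program, set()) & PERSONAL_DATA_TABLES:
                reach[table].add(tcode)
    for tool in TABLE_TOOLS:                      # path B: generic table tool + S_TABU_DIS
        if has_value(auths, "S_TCODE", "TCD", tool) and has_value(auths, "S_TABU_DIS", "ACTVT", "03"):
            for table in PERSONAL_DATA_TABLES:
                if has_value(auths, "S_TABU_DIS", "DICBERCLS", TDDAT[table]):
                    reach[table].add(tool)
    return dict(reach)

def users_with_personal_data_access() -> dict:
    """User -> sorted personal-data tables they can display; input for the access review."""
    return {u: sorted(t) for u in sorted(USER_AUTHS) if (t := tables_reachable_by(u))}
```

Users that reach a table only through a generic tool (path B) are the ones the previous slide's S_TABU_* review is meant to catch; users with a real business transaction appear under path A.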

1.3 Evaluate security controls

- Authentication: password policy; privileged users; SSO checks
- Access control: assignment of authorization groups to tables and ABAP programs; RFC authorization checks; unblocked critical transactions (SM59, SCC5, SM32, ...)
- Insecure configuration: Gateway, RFC, ICF, MMC, GUI, Web Dispatcher, ...
- Monitoring: log settings (security audit log, system log, gateway, HTTP, SQL logs); CCMS settings
- Encryption: SSL options; SNC options
- List of connected systems: RFC, DBCON, HANA, XI

1.4 Assess risks to data subjects

Cause:
- weak access controls (no SoD enforced, weak passwords)
- transmission of data using unencrypted channels
- application vulnerabilities
- misconfigurations
- disabled logging

Risk:
- disclosure, alteration, destruction or loss of personal data

Effect:
- Health
- Legal
- Financial
- Reputation

"In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed." Source: General Data Protection Regulation

2. Prevent the data breach

2.1 Restrict access to personal data
2.2 Implement and describe security controls to demonstrate compliance
2.3 Manage personal data lifecycle

2.1 Restrict access to personal data: overview

Level: Business
  Solution: authorization objects; segregation of duties; single sign-on and password authentication; UI Masking and Logging

Level: Communications
  Solution: XI; SNC; VPNs; firewalls

Level: Infrastructure
  Solution: secure configuration of servers, databases, SAP components and clients; database and file encryption; identity management

2.1 Restrict access to personal data: UI Masking

Purpose:
  o masking sensitive data in SAP GUI
  o logging of requests to selected data fields

Functions:
  o modifies data on the backend side before it is displayed
  o tracks requests for sensitive data
  o configurable what should be masked and how
  o configurable who is authorized to see unmasked data

Source: SAP UI Masking presentation

2.1 Restrict access to personal data: UI Masking architecture

Source: SAP UI Masking presentation

2.2 Implement security controls: Article 32 mapping

(a) pseudonymization and encryption: SAP CSF Data Security; SAP CSF Secure Architecture
(b) CIA (confidentiality, integrity, availability): SAP CSF Asset Management; SAP CSF Access Control
(c) continuity: SAP CSF Business Environment; SAP CSF Incident Response
(d) testing: SAP CSF Vulnerability Management; SAP CSF Threat Detection

2.2 Implement security controls: System Security Plan

A description of the approach to protect a system:
- security plan roles and assignment of security responsibilities
- description of the system: purpose, environment and interconnections
- description of assets: name, purpose, environmental context, severity and type of information
- laws, regulations, and policies affecting the system and data
- security control selection
- information about approval and completion
- security plan maintenance considerations

Source: NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems

2.3 Manage personal data lifecycle

Every step of a deal involves processing personal data, which must be blocked and erased once its purpose ends. Source: D&IM Services

2.3 Manage personal data lifecycle

As soon as the original purpose ends, personal data must be deleted. However, if other fiscal/legal retention periods apply, the data must be blocked. Source: D&IM Services

2.3 Manage personal data lifecycle: SAP Information Lifecycle Management

Lifecycle management of data with the following Retention Management functions:
  o Defining ILM rules (for example, retention rules) for the purpose of mapping legal requirements and their application to live and archived data.
  o Putting legal holds on data that is relevant for legal cases in order to prevent early destruction.
  o Destroying data while taking legal requirements and legal holds into account.
  o Storage of archived data on an ILM-certified WebDAV server (to guarantee non-changeability of the data and to protect it from premature destruction).
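The block-then-erase rule from the two preceding slides and the retention rule / legal hold / destruction functions listed above, as an added Python example that is not SAP ILM code or the deck's material; object types, retention periods, the review date and the business-partner records are constructed placeholders.

```python
"""Personal-data lifecycle decisions (added example, not SAP ILM code).

Applies the rule stated on the slides -- delete when the purpose ends, only block
while a fiscal/legal retention period still applies, never destroy data under a
legal hold -- to constructed business-partner records. Object types, retention
periods and record fields are placeholders, not SAP ILM objects.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed ILM-style retention rules: object type -> retention after purpose end.
RETENTION_RULES = {
    "invoice": timedelta(days=10 * 365),        # e.g. fiscal bookkeeping retention
    "contract": timedelta(days=6 * 365),
    "marketing_consent": timedelta(days=0),     # nothing to retain once consent ends
}
AS_OF = date(2018, 5, 25)                       # constructed review date

@dataclass
class Record:
    partner_id: str
    object_type: str
    purpose_end: Optional[date]           # None = purpose still running
    legal_holds: set = field(default_factory=set)

def decide(rec: Record, today: date = AS_OF) -> str:
    """Return ACTIVE, BLOCK, HOLD or DESTROY for one record on a given day."""
    if rec.purpose_end is None or rec.purpose_end > today:
        return "ACTIVE"                   # purpose not yet ended: normal processing
    if rec.legal_holds:
        return "HOLD"                     # a legal hold overrides every destruction rule
    retain_until = rec.purpose_end + RETENTION_RULES[rec.object_type]
    if today < retain_until:
        return "BLOCK"                    # retention applies: keep, but restrict access
    return "DESTROY"                      # purpose ended and no retention left

# Constructed records; dates chosen around the GDPR application date.
RECORDS = [
    Record("BP1001", "contract", None),
    Record("BP1002", "marketing_consent", date(2018, 5, 1)),
    Record("BP1003", "invoice", date(2012, 1, 31)),
    Record("BP1004", "invoice", date(2005, 3, 15)),
    Record("BP1005", "invoice", date(2005, 3, 15), {"CASE-42"}),
]

def lifecycle_run(records=RECORDS, today: date = AS_OF) -> dict:
    """Map 'partner/object' -> decision: the worklist a destruction run would act on."""
    return {f"{r.partner_id}/{r.object_type}": decide(r, today) for r in records}
```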

3. Detect & Respond

3.1 Monitor personal data access
3.2 Notify incident response team
3.3 Respond to SAP incidents

3.1 Monitor personal data access: event sources

- UI Masking
- UI Logging
- Read Access Logging
- Security logs

3.1 Monitor personal data access: UI Logging

- UI Logging is a non-modifying add-on based on SAP NetWeaver
- UI Logging captures the data stream between SAP GUI and the backend system
- Minimal impact on the application

Example: UI Logging of transaction BP (Business Partner), log record. Source: SAP UI Logging presentation

3.1 Monitor personal data access: Read Access Logging (Read Access Logging Framework)

3.1 Monitor personal data access: Security Audit Log

3.2 Notify incident response team

SAP Computing Center Management System (CCMS):
- RZ21: create e-mail alert
- RZ20: assign e-mail alert to an MTE (monitoring tree element)

3.3 Respond to SAP incidents

GDPR Security Tasks

- Identify data items
- Find users having access to personal data
- Evaluate security controls
- Assess risks to data subjects
- Restrict access to personal data
- Implement and describe security controls to demonstrate compliance
- Manage personal data lifecycle
- Notify incident response team
- Implement SAP incident response capabilities

GDPR Security Implementation Plan

GDPR Security Implementation Plan

1. Understand your system: what personal data is processed in SAP and who has access to it?
2. Restrict access: develop authorizations and SoD rules; prioritize remediations
3. Stay compliant and detect breaches: monitor access; detect GDPR non-compliance and SAP threats

1. Understand your system

Access paths to personal data:
- tables: Have you assigned table authorization groups to all critical tables?
- transactions, reports: Have you revoked unnecessary S_TCODE authorizations related to personal data?
- RFC functions: Check the list of users with S_RFC authorizations.
- database & OS access: Are the database and OS hardened?

Weaknesses:
- platform vulnerabilities: Have you implemented all SAP patches and SAP security notes?
- misconfigurations: Is the SAP configuration secure?
- custom code vulnerabilities: Does your custom code contain hard-coded values or missing authorization checks?

1. Understand your system: SAP Security Audit

- Data flows description
- Analysis of authorizations, roles and SoD conflicts
- Vulnerability assessment and remediation guideline
- Security control evaluation & custom code security analysis
- Threat analysis:
  o security event analysis
  o roles profiling
  o RFC profiling

2. Restrict access: action plan

1. Revoke unjustified access
2. Prepare remediation plan for vulnerabilities
3. Prepare action plan for security controls:
  o fix custom code issues and missing authorization checks
  o turn on logging of data access
  o mask personal data
  o harden configuration
  o ...

2. Restrict access: remediation planning

Constraints and requirements (example):
- Duration: not more than 60 days
- Vulnerability risk level: medium and higher
- Allowed remediation types: no kernel patch

Tasks:
1. Prioritizing vulnerabilities by:
   - ease of exploitation: availability of a public exploit, need for preparation, need for credentials with special rights, etc.;
   - impact of a successful exploitation: full disclosure and OS-level access, or just revealing technical data;
   - prevalence of the vulnerability in SAP systems;
   - criticality of the SAP systems with the vulnerability.
2. Filtering vulnerabilities

Outcome: Remediation Plan
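The remediation-planning step above, worked as an added Python example that is not ERPScan's planning tool: findings are scored on the four prioritization criteria, filtered by the example constraints (risk medium or higher, no kernel patch) and packed into the 60-day window. The finding ids, titles, effort figures and scoring weights are constructed placeholders, not results from any real system.

```python
"""Remediation planning under constraints (added example, not ERPScan's tool).

Implements the deck's two planning steps over constructed findings: score each
vulnerability by ease of exploitation, impact, prevalence and system criticality,
then filter by the example constraints (risk medium or higher, no kernel patch,
at most 60 days) and pack the highest-scored items into the plan. Finding ids,
titles, effort figures and weights are placeholders, not data from any system.
"""
from dataclasses import dataclass

RISK_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass(frozen=True)
class Finding:
    fid: str
    title: str
    risk: str                # low / medium / high / critical
    remediation: str         # "config", "security note", "custom code", "kernel patch"
    effort_days: int
    public_exploit: bool     # ease of exploitation: exploit publicly available?
    needs_privileges: bool   # ease of exploitation: special rights needed first?
    impact: int              # 1 = technical data disclosed .. 3 = full disclosure / OS access
    prevalence: int          # 1 = rare .. 3 = present in most SAP systems
    system_criticality: int  # 1 = sandbox .. 3 = productive system holding personal data

def score(f: Finding) -> int:
    """Higher = remediate first; ease: +2 for a public exploit, +1 if no special rights."""
    ease = (2 if f.public_exploit else 0) + (0 if f.needs_privileges else 1)
    return 3 * f.impact + 2 * ease + f.prevalence + 2 * f.system_criticality

def eligible(f: Finding, min_risk: str = "medium", banned=("kernel patch",)) -> bool:
    """Step 2, filtering: drop findings below the risk floor or needing a banned fix type."""
    return RISK_RANK[f.risk] >= RISK_RANK[min_risk] and f.remediation not in banned

def plan(findings, budget_days: int = 60):
    """Return (scheduled, deferred, excluded); scheduled items fit within budget_days."""
    excluded = [f for f in findings if not eligible(f)]
    ranked = sorted((f for f in findings if eligible(f)), key=score, reverse=True)
    scheduled, deferred, used = [], [], 0
    for f in ranked:                     # greedy fill in priority order
        if used + f.effort_days <= budget_days:
            scheduled.append(f)
            used += f.effort_days
        else:
            deferred.append(f)           # goes to the next planning window
    return scheduled, deferred, excluded

# Constructed findings -- illustrative, not results from any real system.
FINDINGS = [
    Finding("V1", "Permissive gateway access control list", "critical", "config", 10, True, False, 3, 3, 3),
    Finding("V2", "Missing authorization check in custom report", "high", "custom code", 25, False, True, 2, 2, 3),
    Finding("V3", "Issue fixed only by a kernel patch", "critical", "kernel patch", 15, True, False, 3, 3, 3),
    Finding("V4", "Verbose error page reveals release info", "low", "config", 2, True, False, 1, 3, 2),
    Finding("V5", "Unapplied security note on an ICF service", "high", "security note", 20, True, False, 2, 2, 3),
    Finding("V6", "Weak password policy parameters", "medium", "config", 15, False, False, 1, 3, 1),
]

def plan_ids(budget_days: int = 60):
    """Ids only, for reporting: (scheduled, deferred, excluded)."""
    scheduled, deferred, excluded = plan(FINDINGS, budget_days)
    return [f.fid for f in scheduled], [f.fid for f in deferred], [f.fid for f in excluded]
```

Excluded items (V3, V4) still need an owner: a kernel-patch finding that cannot be fixed within the window belongs in the next plan, not off the list.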

3. Stay compliant and detect breaches: aggregate logs

More than 30 logs, for example:
  o SAP ABAP Security log
  o SAP ABAP Audit log
  o SAP ABAP HTTP log
  o SAP ABAP ICM Security log
  o SAP ABAP RFC log
  o SAP J2EE HTTP log
  o SAP HANA Security log
  o SAP HANA log

Log Management Solutions

3. Detect SAP security threats: threats & attacks examples

Threats:
- starting of critical RFC, reports, transactions or web service access
- unauthorized/unsuccessful access (e.g. RFC calls, logon attempts)
- potential DDoS attack

Attacks:
- web-resource attacks (XSS, SQL injection, etc.)
- use of source code vulnerabilities
- authentication bypass (verb tampering, invoker servlet)

Anomalies:
- first-time access to personal data
- location change of users processing personal data
- unusually high traffic utilization
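The three anomalies listed above, as an added Python example that is not ERPScan's detection logic: a baseline of who reads which personal-data fields from where is built from a learning period, then review-period events are checked for first-time access, location change and unusually high volume. The Read Access Logging-style line format, field names, thresholds and all log lines are constructed assumptions.

```python
"""Anomaly detection over personal-data read access (added example, not
ERPScan's logic): the three anomaly types the slide names -- first-time
access to personal data, location change of a user processing personal data,
unusually high volume -- over constructed Read Access Logging-style lines.
Line format, field names and thresholds are assumptions, not real RAL output.
"""
import re
from collections import defaultdict
from ipaddress import ip_network

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\w+) tcode=(?P<tcode>\w+) "
                  r"field=(?P<field>[\w-]+) records=(?P<n>\d+) ip=(?P<ip>[\d.]+)")

# Constructed events: a learning period and the period under review.
BASELINE_LOG = """\
2018-05-21T09:02:11 user=ANNA tcode=FD02 field=KNA1-STRAS records=1 ip=10.1.5.20
2018-05-21T09:40:53 user=ANNA tcode=FD02 field=KNBK-BANKN records=2 ip=10.1.5.21
2018-05-22T10:15:00 user=BORIS tcode=SE16 field=ADRC-STREET records=40 ip=10.1.7.8
2018-05-23T08:55:31 user=ANNA tcode=FD02 field=KNA1-STRAS records=1 ip=10.1.5.20
"""
REVIEW_LOG = """\
2018-05-28T09:01:10 user=ANNA tcode=FD02 field=KNA1-STRAS records=1 ip=10.1.5.22
2018-05-28T09:05:44 user=ANNA tcode=FK02 field=LFBK-BANKN records=1 ip=10.1.5.22
2018-05-28T22:10:02 user=BORIS tcode=SE16 field=ADRC-STREET records=3500 ip=10.1.7.8
2018-05-29T03:12:09 user=BORIS tcode=SE16 field=ADRC-STREET records=10 ip=203.0.113.7
2018-05-29T11:00:00 user=CHEN tcode=ZCUST field=KNA1-NAME1 records=5 ip=10.1.9.3
"""

def parse(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def subnet(ip: str) -> str:
    """Coarse location key: the /24 network of the client address."""
    return str(ip_network(f"{ip}/24", strict=False))

def build_baseline(events: list) -> dict:
    """Per user: personal-data fields read, /24 subnets seen, largest single read."""
    base = defaultdict(lambda: {"fields": set(), "subnets": set(), "max_n": 0})
    for e in events:
        b = base[e["user"]]
        b["fields"].add(e["field"]); b["subnets"].add(subnet(e["ip"]))
        b["max_n"] = max(b["max_n"], int(e["n"]))
    return base

def detect(baseline: dict, events: list, volume_factor: int = 10) -> list:
    """Return (timestamp, user, rule) alerts for the review-period events."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:                           # user never read personal data before
            alerts.append((e["ts"], e["user"], "FIRST_TIME_ACCESS"))
            continue
        if e["field"] not in b["fields"]:       # known user, new personal-data field
            alerts.append((e["ts"], e["user"], "FIRST_TIME_ACCESS"))
        if subnet(e["ip"]) not in b["subnets"]:
            alerts.append((e["ts"], e["user"], "LOCATION_CHANGE"))
        if int(e["n"]) > volume_factor * b["max_n"]:
            alerts.append((e["ts"], e["user"], "HIGH_VOLUME"))
    return alerts

def review() -> list:
    return detect(build_baseline(parse(BASELINE_LOG)), parse(REVIEW_LOG))
```

In a real landscape the baseline would be rebuilt periodically and the alerts fed to the CCMS or SIEM alerting path described in 3.2.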

ERPScan GDPR Solutions: how can ERPScan help?

- SAP Security Audit
- ERPScan VM module
- ERPScan Code scanning module
- ERPScan SOD module
- SOD services
- SAP Vulnerability Management Services
- SAP - SIEM integration services

Contact us: inbox@erpscan.com, phone: +31 20 8932892

Follow-up actions

Follow-up actions

- Conduct an SAP security audit
- Organize one-to-one demo
- Request more information

Thank you

Michael Rakutko, Head of Professional Services, m.rakutko@erpscan.com

USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301, phone 650.798.5255
HQ Netherlands: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam, phone +31 20 8932892

Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
erpscan.com, inbox@erpscan.com