Data Protection Day: Secure your SAP without compromises

28 January 2021
Written by Salomé Jaussaud

Salomé is a Cloud and Security Marketing Specialist for Europe. She completed her master's degree through Microsoft before joining the EPI-USE Labs team. Her goal is to research different challenges in the market and share SAP knowledge with the IT industry.


Today is Data Protection Day! It is a day dedicated to raising awareness of the importance of data privacy around the globe, and it has become more popular since the GDPR came into effect. Today we think about the definition of what constitutes personal data and how to protect it on a personal and business level. Let's go back in time to understand why a day like this was created.

Did you know that ... the ‘secret’ unlocking code of all American Minuteman nuclear missiles was set for nearly 20 years during the Cold War to the incredibly simple code of eight zeros: (00000000)?

 

Today, we think that is preposterous! The field of data security has developed radically with the internet and digitisation, which have brought a data explosion of unimaginable dimensions (experts estimate that in 2020, the world had accumulated around 44 zettabytes of data). All this data also brought a need to protect this commodity. How much data is created each day?

[Infographic: Data Info-graphic Update]

Content courtesy of: Raconteur, World Economic Forum, WhistleOut (YouTube), Gamesindustry.biz, Techjury, WhistleOut (Gaming)

 

Data means richness and, like all richness, it attracts the appetite of thieves. There is a cyberattack every 39 seconds in the world. Data breaches exposed 36 billion records in the first half of 2020.

Data privacy is more than just a best practice, it is the law.

Data protection is a best practice that ensures not only the security of your company's intellectual property (prices, recipes, formulas…), but also the protection of your customers, suppliers and employees against damaging data breaches. However, new data protection regulations, such as the General Data Protection Regulation (GDPR), make data protection more than just good practice: it is the law.

Also, in other parts of the world, different regulations are in place that are similar to the GDPR.

Review of 2020’s GDPR fines

One thing is sure: the year 2020 has been strict. The European Union (EU) has published around €518.5 million in data protection sanctions.

A total of €272 million in fines has been imposed by European data protection authorities since 2018. The authorities with the highest fines are GPDP (Italy) and BfDI (Germany), which delivered over half of these penalties.

[Infographic: GDPR Fines Update]

A significant case was the UK Information Commissioner's Office's fine against British Airways for a data breach in 2018, which was lowered from £183 million to £20 million in consideration of the COVID-19 pandemic and its devastating impact on the airline industry. Still, it remains the fourth highest fine ever recorded under the GDPR.

The largest fine was issued in France. The CNIL (France) imposed a sanction of €50 million on Google for the lack of transparency about how data was collected from the people concerned and used for targeted advertising.

SAP, a big target for cyberattacks

SAP® systems are not beyond the need to comply. As a matter of fact, SAP reported that “…77% of the world's transaction revenue touches an SAP system…” This makes GDPR in the SAP landscape a very important topic.

To address these SAP security challenges, EPI-USE Labs developed a range of solutions to reduce the risk.

Data privacy options for production systems

The Data Privacy Suite combines solutions to locate and redact personally identifiable (PI) data across your entire SAP landscape, helping you adhere to articles 15 and 17 of the GDPR. Many organisations start off with a mass data clean-up to remove any data that they no longer have a legal basis for.

Data minimisation and anonymisation in non-production systems

The SAP data processing agreement says, “Customer shall not grant SAP access to Licensee systems or personal information (of Customer or any third party) unless such access is essential for the performance of SAP Services. Customer shall not store any Personal Data in non-production environments.” This means that SAP doesn’t take responsibility if any sensitive data is found unprotected within non-production systems. EPI-USE Labs recommends that you use Data Sync Manager™ to copy only the data you need for testing and to anonymise all the sensitive data with Data Secure™.

Proactive risk monitoring

As mentioned at the start, external and internal threats to your systems are a reality. Having visibility into what is happening across all your IT infrastructure can help you identify attacks as they occur and stop them with built-in artificial intelligence (AI). Splunk Enterprise Security is a market leader in threat detection and resolution. EPI-USE Labs developed a connector for Splunk and SAP. We have a deep understanding of SAP’s advanced semantic model, which powers Data Sync Manager, our well-established SAP landscape optimisation suite for large enterprises. The Cenoti framework is underpinned by the same technology, and integrates natively into Splunk Enterprise Security and its common information model (CIM). Learn more about Cenoti.

Access risk and compliance

Another important aspect of security in SAP is giving access to sensitive data only to the people who need it. SAP has roles and authorisations in place, and it can be a mammoth task to manage these. You want to have segregation of duties in place to hinder fraudulent activities. For example, Crowe UK estimates that fraud represents 40% of all cybercrime in the UK. Read more about why business-centric GRC is the best solution to ensure you get the best value.

Learn more about SAP security at the upcoming EPI-USE Labs virtual user group.

 
