Let's Talk Data Security

Data Protection Day: Secure your SAP without compromises

Written by Salomé Jaussaud | Jan 28, 2021 12:48:18 PM

Today is Data Protection Day! A day dedicated to raising awareness and the importance of data privacy around the globe. This day has become more popular since GDPR has come into effect. Today we think about the definition of what constitutes personal data and how to protect it on a personal and business level. Let's go back in time to understand why a day like this was created.

Did you know that ... the ‘secret’ unlocking code of all American Minuteman nuclear missiles was set for nearly 20 years during the Cold War to the incredibly simple code of eight zeros: (00000000)?

 

Today, we think that is preposterous! The field of data security has developed radically with the internet and digitisation. It has brought a data explosion of unimaginable dimensions (experts estimate that in 2020, the world has accumulated around 44 zettabytes of data.) All this data also brought a need to protect this commodity. How much data is created each day?

 

Content courtesy of: Raconteur, World Economic Forum, WhistleOut(Youtube), Gamesindustry.biz, Techjury, WhistleOut(Gaming) 

 

Data means richness and, like all richness, it attracts the appetite of thieves. There is a cyberattack every 39 seconds in the world. Data breaches exposed 36 billion records in the first half of 2020.

Data privacy is more than just a best practice, it is the law.

Data protection is a best practice that ensures not only the security of your company's intellectual property (prices, recipes, formulas…), but also the protection of your customers, suppliers and employees against damaging data breaches. However, new data protection regulations, such as the General Data Protection Regulation (GDPR), make data protection more than just good practice, it is the law.

 

Also, in other parts of the world, different regulations are in place that are similar to the GDPR.

Review of 2020’s GDPR fines

One thing is sure, the year 2020 has been strict. The European Union (EU) has published around €518.5 million of data protection sanctions.

 

A total of €272 million in fines has been imposed by European data protection authorities since 2018. The authorities with the highest fines are GPDP (Italy) and BfDI (Germany) who delivered over half of these penalties.

A significant case was the UK Information Commissioner's Office’s fine against British Airways for a data breach in 2018, which was lowered from £183 million to £20 million in consideration of the COVID-19 pandemic and its devastating impact on the airline industry. Still, it remains the fourth highest fine ever recorded for the GDPR.

 

The largest fine was issued in France. The CNIL (France) imposed a sanction of €50 million to Google, for the lack of transparency on how data was collected from the people concerned and used for targeting advertising.

SAP, a big target for cyberattacks

SAP® systems are not beyond the need to comply. As a matter of fact, SAP reported that “…77% of the world's transaction revenue touches an SAP system…” This makes GDPR in SAP landscape a very important topic.

 

To address these SAP security challenges, EPI-USE Labs developed a range of solutions to reduce the risk.

Data privacy options for production systems

The Data Privacy Suite combines solutions to locate and redact personal identifiable (PI) data in all your SAP landscape to adhere to articles 15 and 17 of the GDPR. Many organisations start off with a mass data clean up to remove any data that they no longer have legal basis for.

Data minimisation and anonymisation in non-production systems

The SAP data processing agreement says, “Customer shall not grant SAP access to Licensee systems or personal information (of Customer or any third party) unless such access is essential for the performance of SAP Services. Customer shall not store any Personal Data in non-production environments.” It means that SAP doesn’t take responsibility if any sensitive data is found unprotected within non-productive systems. EPI-USE Labs recommends that you use Data Sync Manager™ to copy only the data you need for testing and to anonymise all the sensitive data with Data Secure™.

Proactive risk monitoring

As mentioned at the start, external and internal threats to hack systems is a reality. Having visibility into what is happening across all your IT infrastructure can help you identify attacks as they occur and stop them by built-in artificial intelligence (AI). Splunk Enterprise Security is a market leader in threat detection and resolution. EPI-USE Labs developed a connector for Splunk and SAP. We have a deep understanding of SAP’s advanced semantic model which powers our well-established SAP landscape optimisation suite for large enterprises, Data Sync Manager. The Cenoti framework is underpinned by the same technology, and integrates natively into Splunk Enterprise Security and its common information model (CIM). Learn more about Cenoti.

Access risk and compliance

Another important aspect of security in SAP is only giving access to sensitive data to the people that need it. SAP has roles and authorisations in place and it can be a mammoth task to manage these. You want to have segregation of duties in place to hinder fraudulent activities. For example, Crowe UK estimates that fraud represents 40% of all cybercrime in the UK. Read more about why business-centric GRC is the best solution to ensure you get the best value.

 

Learn more about SAP security at the upcoming EPI-USE Labs virtual user group.