Three ways to protect your SAP data from cyber criminals

15 December 2017
Written by Daniel Parker

With more than 15 years of SAP experience, Daniel Parker specialises in data copy automation and data security. He leads an experienced consulting team, and delivers a variety of landscape solutions to organisations in the APJ region.

Reduce your attack surface
Security budgets have tripled in the past few years. Yet this is not enough to prevent data breaches. In 2016 alone, over 2 billion records were stolen; hacking expertise is escalating, and there are threats everywhere.
 
According to an assessment released by Onapsis, 95% of SAP® systems remain a target for data criminals. Despite warnings from various experts, SAP systems installed in some of the largest organisations worldwide remain prone to data attacks.

Because of the growth of interconnectedness, SAP systems are no longer isolated from the outside world. Increased integration with third party systems and cloud solutions – along with increased focus on mobile and remote connections – leave your SAP systems more exposed than ever. The potential attack surface (or number of possible attack vectors) of your IT environment has increased. As “the internet of things” becomes mainstream, this will only accelerate. This is something which SAP themselves are looking to embrace with SAP Leonardo.
 
Here are three ways you can protect your SAP data from the threat of cybercriminals:
 
1. Look at internal breaches, not just external
Internal data breaches are on the rise. Nearly 50% of breaches are coming from within organisations, according to Verizon’s 2015 data breach investigations report. Anyone who has access to sensitive data could take advantage of their access rights. Although the technologies for securing systems from the outside world and encrypting traffic have become more robust, external attacks on systems are not always the largest concern. Data theft – both from trusted entities within the organisation, and from attackers who gain access via social engineering – is becoming the preferred way of intruding.
 
2. Secure non-production environments

Limiting the scope of access to production data isn’t enough anymore; the focus should extend to securing non-production environments and addressing the data itself. This approach should also accept that in non-production systems you may deliberately want users to have higher levels of access, so securing your data cannot rest on access control alone. In fact, you can have secure data that is easily accessible, even behind less robust firewalls and security measures, provided the data contains nothing worth stealing. All you need to do is approach the problem from a different angle.
 
Non-production environments are on average at least three to four times the size of production environments. Each record is copied several times into test and development systems, increasing the attack surface. Sensitive information such as customer, employee, vendor, credit card and supplier costing data is potentially unsecured and accessible to anyone who has access to your systems. The variety of people accessing non-production systems is usually also greater than in production: contractors for projects, external test teams, developers on temporary assignment, offshore teams and many others have access. The increased data footprint and the number of personnel accessing your data in non-production environments substantially increase your attack surface. A solution is needed to limit the amount of sensitive data that can be stolen.
 
3. Scramble and anonymize sensitive data
Limit the amount of sensitive data that can be stolen by scrambling and anonymizing data. Protect sensitive data by changing the values of fields, while maintaining the integrity of the data and ensuring production-like behaviour. The quality of test and training data should remain the same, without exposing any confidential data. A solution is needed that replaces sensitive data with anonymous, but fully functional, test data – thereby removing the criminals’ ‘prize’ (your data) and with it the risk. At the same time, wider access can be granted to the non-production systems to allow more thorough testing, which will benefit your organisation.
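As an added illustration (not code from the original article, nor from EPI-USE Labs’ Data Secure tool), the script below scrambles a constructed customer table and its order table with a keyed hash: names, e-mail addresses and card numbers are replaced with consistent, format-preserving test values, and the customer key is mapped identically in both tables so the integrity the article calls for survives. All table names, columns, sample rows and the key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample rows standing in for data copied from production into a
# test system; the table and column names are illustrative, not SAP's own.
CUSTOMERS = [
    {"cust_id": "0000100001", "name": "Alice Example", "email": "alice@example.com", "card": "4111111111111111"},
    {"cust_id": "0000100002", "name": "Bob Sample", "email": "bob@example.org", "card": "5500000000000004"},
]
ORDERS = [
    {"order_id": "8000001", "cust_id": "0000100001", "amount": 120.50},
    {"order_id": "8000002", "cust_id": "0000100001", "amount": 75.00},
    {"order_id": "8000003", "cust_id": "0000100002", "amount": 310.00},
]
SCRAMBLE_KEY = b"constructed-demo-key"  # kept outside the non-production system
FIRST = ["Mara", "Jonas", "Lena", "Felix", "Nora", "Tomas"]
LAST = ["Weber", "Fischer", "Schulz", "Braun", "Krause", "Vogel"]

def _digest(value: str) -> bytes:
    # Keyed hash: the same input always gives the same output, but without the
    # key the mapping can be neither reproduced nor reversed from the test copy.
    return hmac.new(SCRAMBLE_KEY, value.encode(), hashlib.sha256).digest()

def _digits(prefix: str, value: str, length: int) -> str:
    return "".join(str(b % 10) for b in _digest(prefix + value)[:length])

def luhn_check_digit(body: str) -> str:
    total = 0
    for i, ch in enumerate(reversed(body)):
        n = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += n - 9 if n > 9 else n
    return str((10 - total % 10) % 10)

def scramble_card(card: str) -> str:
    # Same length and a valid Luhn digit, so card validation in test still passes.
    body = _digits("card:", card, len(card) - 1)
    return body + luhn_check_digit(body)

def scramble_customer(c: dict) -> dict:
    d = _digest("name:" + c["name"])
    return {**c,
            "cust_id": _digits("id:", c["cust_id"], len(c["cust_id"])),
            "name": f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}",
            "email": f"user{_digest('mail:' + c['email']).hex()[:8]}@example.invalid",
            "card": scramble_card(c["card"])}

def scramble_landscape(customers: list, orders: list) -> tuple:
    # The referencing table gets the same key mapping, so joins still resolve.
    new_customers = [scramble_customer(c) for c in customers]
    new_orders = [{**o, "cust_id": _digits("id:", o["cust_id"], len(o["cust_id"]))} for o in orders]
    return new_customers, new_orders
```

A production tool would additionally keep a mapping table to guarantee unique scrambled keys and handle every table that references the customer; the point here is that a keyed, deterministic replacement preserves joins and field formats while leaving no real value behind.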

Tim Barker, EPI-USE Labs Managing Director for the Asia Pacific region, has seen a steep increase in the number of organisations demanding EPI-USE Labs’ Data Secure™ tool in the past few months. Due to the increase in data breaches and the security risk, organisations are looking for a solution that can scramble and anonymise sensitive data.
