How GDPR Affects SAP Security Webinar

The document discusses implementing GDPR in SAP. It covers identifying personal data in SAP, finding users who can access personal data, evaluating SAP security controls, and assessing risks to data subjects. Key steps include identifying data items, restricting access to personal data, implementing security controls, and monitoring personal data access to demonstrate GDPR compliance. The document provides guidance on how to assess SAP data processes and security controls to fulfill GDPR requirements.

Uploaded by rafaeuscribd

Roadmap 2

How to implement GDPR in SAP?

1. Introduction to GDPR
2. GDPR security-related requirements
3. SAP security controls for GDPR
4. GDPR security implementation plan
5. Follow-up actions
Introduction to GDPR

Key GDPR security provisions and challenges
Drivers of GDPR 4

Privacy concerns:
• cybertheft of personal data
• tracking and predicting individual behavior
• misuse of personal data

Other drivers:
• control over their data (for citizens)
• level playing field (for business)

25 May 2018: General Data Protection Regulation
GDPR’s Goal 5

To facilitate the digital economy

For citizens:
• easier access to their data
• a new right to data portability
• right to be forgotten
• right to know when their personal data has been hacked

For business:
• a single set of EU-wide rules
• EU rules for non-EU companies
• one-stop-shop
• a data protection officer
• innovation-friendly rules
• privacy-friendly techniques
• impact assessments
Are SAP users ready? 6

“By 25 May 2018, less than 50% of all organizations will fully comply with EU’s GDPR”
Source: Gartner Security & Risk Management Summit 2017

“[percentage on slide] of users do not fully understand the implications of the GDPR in relation to their SAP estate, and their future use of SAP”
Source: UK and Ireland SAP User Group, June 2017

“[percentage on slide] of companies expect sanction or remedial action per 25 May 2018”
Source: Symantec, October 2016
Turn GDPR into Lemonade 7

1. Elicit SAP-related GDPR security requirements
2. Learn suitable SAP security controls
3. Prepare GDPR security implementation plan

GDPR security-related requirements
Definitions 9

• Personal data
• any information relating to an identified or identifiable natural person (‘data subject’);

• Data subject
• an identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online
identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person.

• Data controller
• the natural or legal person, public authority, agency or other body which, alone or jointly with
others, determines the purposes and means of the processing of personal data;

• Data processor
• a natural or legal person, public authority, agency or other body which processes personal data
on behalf of the controller
General Data Protection Regulation, Article 4
Online Store 10
GDPR Security Provisions 11

Overview

• Data Subject Rights
• Privacy Principles (Privacy By Design and Privacy By Default)
• Data Protection Officer Duties
• Data Protection Impact Assessment
• Cybersecurity Requirements
• Data Breach Notification
Privacy Principles 12

Eliciting requirements

GDPR principles:
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability and compliance

SAP tasks:
• Identify data items
• Find users having access to personal data
• Restrict access to personal data
• Manage personal data lifecycle
• Implement and describe security controls to demonstrate compliance
• Monitor personal data access
• Implement incident response capabilities
GDPR Security Tasks 13

Assess:
• Identify data items
• Find users having access to personal data
• Evaluate security controls
• Assess risks to data subjects

Prevent:
• Restrict access to personal data
• Implement and describe security controls to demonstrate compliance
• Manage personal data lifecycle

Detect and respond:
• Monitor personal data access
• Detect SAP security threats
• Implement SAP incident response capabilities

SAP Security Controls for GDPR
1. Assess data processes 16

1.1 Identify data items
1.2 Find users having access to personal data
1.3 Evaluate security controls
1.4 Assess risks to data subjects
1.1 Find data 17

Typical locations of personal data

• Standard global master tables:
o Customers: KNA1, KNBK, KNVK
o Vendors: LFA1, LFBK
o Addresses: ADRC, ADR2, ADR3, ADR6
o Business partners: BP000, BP030
o Users: USR03
o Credit cards: VCNUM

• HR master records:
o 0002 Personal Data
o 0004 Challenge
o 0006 Addresses
o 0009 Bank Details
o 0021 Family
o 0028 Internal Medical Services
o 0094 Residence Status
1.1 Find data 18

How to find personal data in SAP?

• Search in domains:
o RSCRDOMA: Where-Used List of Domains in Tables
o RPDINF01: Audit Information System – Technical Overview of Infotypes

• Search in table descriptions:
o tables and descriptions: DD02L, text table DD02T
o fields: DD03L
o data elements: DD04L, text table DD04T
o domains: DD01L, text table DD01T
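The dictionary search described on this slide, as an added example (not code from the webinar or from ERPScan): keyword matching over exports of DD02T, DD03L and DD04T that reports which tables, and which of their fields, carry personal-data terms. The keyword list, the sample rows and the custom table ZTICKET are constructed assumptions. Matching on data-element texts (DD04T) is what catches custom tables whose names and descriptions say nothing about their content.

```python
"""Keyword search over SAP data-dictionary exports to locate tables that
may hold personal data.  Added example, not part of the webinar slides.
It assumes the dictionary tables named on the slide (DD02T, DD03L, DD04T)
have been exported as rows; every row below is constructed."""
import re
from collections import defaultdict

# Constructed sample rows, reduced to the columns used here:
#   DD02T: TABNAME, DDLANGUAGE, DDTEXT     (table descriptions)
#   DD03L: TABNAME, FIELDNAME, ROLLNAME    (fields and their data elements)
#   DD04T: ROLLNAME, DDLANGUAGE, DDTEXT    (data element descriptions)
DD02T = [
    ("KNA1", "E", "General Data in Customer Master"),
    ("KNBK", "E", "Customer Master (Bank Details)"),
    ("ADR6", "E", "E-Mail Addresses (Business Address Services)"),
    ("T001", "E", "Company Codes"),
    ("ZTICKET", "E", "Support tickets"),          # constructed custom table
]
DD03L = [
    ("KNA1", "NAME1", "NAME1_GP"),
    ("KNA1", "STCD1", "STCD1"),
    ("KNBK", "BANKN", "BANKN"),
    ("ADR6", "SMTP_ADDR", "AD_SMTPADR"),
    ("T001", "BUKRS", "BUKRS"),
    ("ZTICKET", "REPORTER", "ZDE_REPORTER"),
]
DD04T = [
    ("NAME1_GP", "E", "Name 1"),
    ("STCD1", "E", "Tax Number 1"),
    ("BANKN", "E", "Bank account number"),
    ("AD_SMTPADR", "E", "E-Mail Address"),
    ("BUKRS", "E", "Company Code"),
    ("ZDE_REPORTER", "E", "Date of birth of the reporting person"),
]

# Terms that usually indicate personal data (assumed list; extend per business).
PERSONAL_DATA_KEYWORDS = [
    "name", "address", "e-mail", "email", "bank", "tax number", "birth",
    "phone", "passport", "salary", "credit card", "national id",
]


def _matches(text, keywords):
    """Keywords that occur in text as whole words, case-insensitively, in list order."""
    return [k for k in keywords
            if re.search(r"\b" + re.escape(k) + r"\b", text, re.IGNORECASE)]


def find_personal_data_tables(dd02t, dd03l, dd04t, keywords=PERSONAL_DATA_KEYWORDS, lang="E"):
    """Return {table: {"table_text": [keywords], "fields": {field: [keywords]}}}
    for every table whose own description, or the description of one of its
    fields' data elements, mentions a keyword.  Tables with no hit are omitted."""
    table_text = {t: txt for t, l, txt in dd02t if l == lang}
    elem_text = {r: txt for r, l, txt in dd04t if l == lang}
    hits = defaultdict(lambda: {"table_text": [], "fields": {}})
    for tab, txt in table_text.items():
        kws = _matches(txt, keywords)
        if kws:
            hits[tab]["table_text"] = kws
    for tab, field, rollname in dd03l:
        kws = _matches(elem_text.get(rollname, ""), keywords)
        if kws:
            hits[tab]["fields"][field] = kws
    return dict(hits)


if __name__ == "__main__":
    for tab, info in sorted(find_personal_data_tables(DD02T, DD03L, DD04T).items()):
        print(tab, info)
```

The result is a candidate list, not a verdict: a hit on "name" in a configuration table still needs a human to decide whether the field relates to a natural person. The same loop can be pointed at DD01T domain texts when a domain (for example one used for national ID formats) is the better signal.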
1.2 Find users 19

Overview of communication channels

Covered by access controls:
• Business transactions and reports
• SAP tables:
o table browsing and maintenance transactions: SE16, SE16N, SE17, SM30, SM31 et al.
o proxy transactions like SPRO (which call the aforementioned ones internally)
o SAP Query (SQVI, SQ01, …)
• RFC functions

Covered by other security controls:
• Databases (HANA, Oracle)
• SAP services:
o Gateway
o Message Server
o SOAP Interface

1.2 Find users by S_TABU_* authorizations 20
1.2 Find users of transactions 21

• Standard data-related transactions:
o Customers: FD02
o Vendors: FK02, M-01
o Addresses: VCUST
o Business partners: BP
o Users: SU01, SU10, SUGR, PA30
o Credit cards: PRCCD

• Find more:
1. Search for programs using data-related tables (SE80 \ Repository Information System \ ABAP Dictionary \ Database Tables)
2. Find transactions related to the program (SE80, or table TSTC)
3. Find users having S_TCODE authorizations to run the transactions
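Slides 20 and 21 both reduce to the same question: which users hold an authorization that covers a given table or transaction? The following added example (not code from the webinar or from ERPScan) resolves S_TABU_DIS (by authorization group), S_TABU_NAM (by table name) and S_TCODE values from role data to user names. It assumes exports of the standard tables TDDAT (table to authorization group), AGR_1251 (authorization values per role) and AGR_USERS (role assignments); the rows, role names and users below are constructed, and read access is modelled as ACTVT 03.

```python
"""Resolve which users can display a given table (S_TABU_DIS or S_TABU_NAM)
and which users can start a given transaction (S_TCODE).  Added example,
not code from the webinar or from ERPScan.  Assumes exports of TDDAT,
AGR_1251 and AGR_USERS; all rows below are constructed."""

# Constructed TDDAT export: TABNAME -> CCLASS (authorization group).
TDDAT = {"KNA1": "FA00", "KNBK": "FA00", "PA0002": "PA", "T001": "FC00"}

# Constructed AGR_1251 export: (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH).
# SAP stores one row per field value; rows sharing AUTH form one authorization.
AGR_1251 = [
    ("Z_FI_CLERK", "S_TABU_DIS", "T-01", "ACTVT", "03", ""),
    ("Z_FI_CLERK", "S_TABU_DIS", "T-01", "DICBERCLS", "FA*", ""),   # prefix pattern
    ("Z_FI_CLERK", "S_TCODE", "T-02", "TCD", "FD02", ""),
    ("Z_FI_CLERK", "S_TCODE", "T-02", "TCD", "FD03", ""),
    ("Z_BASIS", "S_TABU_DIS", "T-03", "ACTVT", "*", ""),
    ("Z_BASIS", "S_TABU_DIS", "T-03", "DICBERCLS", "*", ""),        # all groups
    ("Z_BASIS", "S_TCODE", "T-04", "TCD", "SE16", ""),
    ("Z_BASIS", "S_TCODE", "T-04", "TCD", "SA38", "SM99"),          # range value
    ("Z_HR_VIEW", "S_TABU_NAM", "T-05", "ACTVT", "03", ""),
    ("Z_HR_VIEW", "S_TABU_NAM", "T-05", "TABLE", "PA0002", ""),
    ("Z_HR_VIEW", "S_TCODE", "T-06", "TCD", "PA20", ""),
]

# Constructed AGR_USERS export: (AGR_NAME, UNAME).
AGR_USERS = [("Z_FI_CLERK", "ALICE"), ("Z_BASIS", "BOB"),
             ("Z_HR_VIEW", "CAROL"), ("Z_FI_CLERK", "BOB")]


def value_matches(value, low, high):
    """SAP authorization value semantics: a non-empty HIGH makes LOW..HIGH an
    inclusive range (string order); a trailing '*' in LOW is a prefix pattern
    ('*' alone matches everything); otherwise the value must be equal."""
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low


def group_authorizations(agr_1251):
    """Group flat AGR_1251 rows: (role, object, auth) -> {field: [(low, high), ...]}."""
    auths = {}
    for role, obj, auth, field, low, high in agr_1251:
        auths.setdefault((role, obj, auth), {}).setdefault(field, []).append((low, high))
    return auths


def auth_grants(fields, required):
    """An authorization grants access when EVERY required field has SOME matching value."""
    return all(any(value_matches(val, lo, hi) for lo, hi in fields.get(fld, []))
               for fld, val in required.items())


def users_who_can_read(table, tddat=TDDAT, agr_1251=AGR_1251, agr_users=AGR_USERS):
    """{user: sorted 'OBJECT via ROLE' reasons} for users able to display `table`.
    Read access is modelled as ACTVT 03 (assumption); a table with no TDDAT
    entry falls into SAP's non-classified group &NC&."""
    group = tddat.get(table, "&NC&")
    checks = {"S_TABU_DIS": {"ACTVT": "03", "DICBERCLS": group},
              "S_TABU_NAM": {"ACTVT": "03", "TABLE": table}}
    role_reasons = {}
    for (role, obj, _auth), fields in group_authorizations(agr_1251).items():
        if obj in checks and auth_grants(fields, checks[obj]):
            role_reasons.setdefault(role, set()).add(f"{obj} via {role}")
    users = {}
    for role, user in agr_users:
        for reason in role_reasons.get(role, ()):
            users.setdefault(user, set()).add(reason)
    return {u: sorted(r) for u, r in users.items()}


def users_with_tcode(tcode, agr_1251=AGR_1251, agr_users=AGR_USERS):
    """Sorted user names holding an S_TCODE authorization that covers `tcode`."""
    roles = {role for (role, obj, _auth), fields in group_authorizations(agr_1251).items()
             if obj == "S_TCODE" and auth_grants(fields, {"TCD": tcode})}
    return sorted({user for role, user in agr_users if role in roles})


if __name__ == "__main__":
    for table in ("KNA1", "PA0002", "T001"):
        print(table, users_who_can_read(table))
    for tcode in ("FD02", "SE16N", "PA20"):
        print(tcode, users_with_tcode(tcode))
```

Two points the output makes visible: a range value such as SA38..SM99 silently covers SE16N, which is why step 3 on the slide has to evaluate ranges and patterns rather than search for literal transaction codes, and a wildcard DICBERCLS in a basis role reaches every personal-data table regardless of how carefully the authorization groups were assigned.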
1.3 Evaluate security controls 22

Authentication:
• Password policy
• Privileged users
• SSO checks

Monitoring:
• Log settings: security audit log, system log, gateway, HTTP, SQL logs …
• CCMS settings

Access control:
• Assignment of authorization groups to tables and ABAP programs
• RFC authorization checks
• Unblocked critical transactions (SM59, SCC5, SM32, …)

Encryption:
• SSL options
• SNC options

Insecure configuration:
• Gateway, RFC, ICF, MMC, GUI, Web Dispatcher, …

List of connected systems:
• RFC, DBCON, HANA, XI …
1.4 Assess risks to data subjects 23

CAUSE:
• weak access controls (no SoD enforced, weak passwords)
• transmission of data using unencrypted channels
• application vulnerabilities
• misconfigurations
• disabled logging

RISK:
• disclosure of personal data
• alteration of personal data
• destruction or loss of personal data

EFFECT:
• Health
• Legal
• Financial
• Reputation

“In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
Source: General Data Protection Regulation
2. Prevent the data breach 24

2.1 Restrict access to personal data
2.2 Implement and describe security controls to demonstrate compliance
2.3 Manage personal data lifecycle
2.1 Restrict access to personal data 25

Overview (LEVEL: SOLUTION)

Business:
• Authorization objects
• Segregation of Duties
• Single sign-on and password authentication
• UI Masking and Logging

Communications:
• XI
• SNC
• VPNs
• Firewalls

Infrastructure:
• Secure configuration: servers, databases, SAP components and clients
• Database and file encryption
• Identity management
2.1 Restrict access to personal data 26

UI Masking

• Purpose
o masking sensitive data in SAP GUI
o logging of requests to selected data fields

• Functions
o modifies data on the backend side before it is displayed
o tracks requests for sensitive data
o configurable: what should be masked and how
o configurable: who is authorized to see unmasked data

Source: SAP UI Masking presentation

2.1 Restrict access to personal data 27

UI Masking Architecture

Source: SAP UI Masking presentation
2.2 Implement security controls 28

Article 32 requirements and the matching SAP CSF areas:

(a) pseudonymization and encryption:
o SAP CSF. Data Security
o SAP CSF. Secure Architecture
(b) CIA (confidentiality, integrity, availability):
o SAP CSF. Asset Management
o SAP CSF. Access Control
(c) continuity:
o SAP CSF. Business Environment
o SAP CSF. Incident Response
(d) testing:
o SAP CSF. Vulnerability Management
o SAP CSF. Threat Detection
2.2 Implement security controls 30

System Security Plan: description of the approach to protect a system

• security plan roles and assignment of security responsibilities
• description of system: purpose, environment and interconnections
• description of assets: name, purpose, environmental context, severity and type of information
• laws, regulations, and policies affecting systems and data
• security control selection
• information about approval and completion
• security plan maintenance considerations

Source: NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems
2.3 Manage personal data lifecycle 31

Every step of a deal involves processing personal data, which must be blocked and erased once its purpose has ended.
Source: D&IM Services

2.3 Manage personal data lifecycle 32

As soon as the original purpose ends, personal data must be deleted. However, if other fiscal/legal retention periods apply, the data must be blocked instead until those periods expire.
Source: D&IM Services
2.3 Manage personal data lifecycle 33

SAP Information Lifecycle Management

• Lifecycle management of data with the following Retention Management functions:
o Defining ILM rules (for example, retention rules) for the purpose of mapping legal requirements and their application to live and archived data.
o Putting legal holds on data that is relevant for legal cases in order to prevent early destruction.
o Destroying data while taking legal requirements and legal holds into account.

• Storage of archived data on an ILM-certified WebDAV server (to guarantee that the data cannot be changed and to protect it from premature destruction)
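The three lifecycle slides above state one decision rule: delete when the purpose ends, block while a fiscal or legal retention period still applies, and never destroy data under a legal hold. The following added example (not code from the webinar and not SAP ILM) encodes that rule as a function so the edge cases can be checked. The retention rules, object types and dates are constructed assumptions.

```python
"""Decide what must happen to a personal-data record once its processing
purpose has ended: keep, block or destroy.  Added example, not part of the
webinar and not SAP ILM; it encodes the rule on the slides against
constructed retention rules."""
from datetime import date, timedelta

# Constructed retention rules: object type -> list of (legal basis, years).
# Each period starts when the processing purpose ends.  Real rules are
# defined as ILM retention rules per object and country.
RETENTION_RULES = {
    "customer": [("tax law", 10), ("commercial law", 6)],
    "applicant": [("anti-discrimination claims", 0.5)],
    "newsletter_subscriber": [],          # nothing requires keeping it
}


def retention_end(purpose_end, rules):
    """Latest date up to which any rule requires the data to be kept (None if no rule)."""
    ends = [purpose_end + timedelta(days=round(365.25 * years)) for _, years in rules]
    return max(ends) if ends else None


def lifecycle_action(object_type, purpose_end, today, legal_hold=False, rules=RETENTION_RULES):
    """Return (action, reason); action is one of
    'keep'    - purpose still active, normal processing allowed
    'block'   - purpose ended but a retention period or legal hold applies:
                data is kept, access limited to the retention purpose
    'destroy' - purpose and all retention periods ended, no legal hold"""
    if today < purpose_end:
        return "keep", "processing purpose still active"
    if legal_hold:                        # a hold overrides every retention rule
        return "block", "legal hold prevents destruction"
    until = retention_end(purpose_end, rules.get(object_type, []))
    if until is not None and today <= until:
        longest = max(rules[object_type], key=lambda r: r[1])
        return "block", f"retention under {longest[0]} until {until.isoformat()}"
    return "destroy", "purpose ended and no retention period applies"


if __name__ == "__main__":
    today = date(2020, 1, 1)
    print(lifecycle_action("newsletter_subscriber", date(2019, 12, 1), today))
    print(lifecycle_action("customer", date(2018, 1, 1), today))
    print(lifecycle_action("customer", date(2008, 1, 1), today))
    print(lifecycle_action("customer", date(2008, 1, 1), today, legal_hold=True))
```

The order of the checks is the point: the legal-hold test sits before the retention calculation, so a hold placed on data whose retention period has already expired still blocks destruction, which is the ILM behaviour the slide describes.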
3. Detect & Respond 34

3.1 Monitor personal data access
3.2 Notify incident response team
3.3 Respond to SAP incidents
3.1 Monitor personal data access 35

Event sources

• UI Masking
• UI Logging
• Read Access Logging
• Security logs
3.1 Monitor personal data access 36

UI Logging (shown: transaction BP, Business Partner, and its log record)

• UI Logging is a non-modifying add-on based on SAP NetWeaver
• UI Logging captures the data stream between SAP GUI and the backend system
• Minimal impact on the application

Source: SAP UI Logging presentation
3.1 Monitor personal data access 37

Read Access Logging

Read Access Logging Framework

3.1 Monitor personal data access 38

Security Audit Log

3.2 Notify incident response team 39

SAP Computing Center Management System (CCMS)

RZ21: create e-mail alert
RZ20: assign e-mail alert to MTE
3.3 Respond to SAP incidents 40
GDPR Security Tasks 41

Assess:
• Identify data items
• Find users having access to personal data
• Evaluate security controls
• Assess risks to data subjects

Prevent:
• Restrict access to personal data
• Implement and describe security controls to demonstrate compliance
• Manage personal data lifecycle

Detect and respond:
• Monitor personal data access
• Notify incident response team
• Implement SAP incident response capabilities

GDPR Security Implementation Plan
GDPR Security Implementation Plan 43

1. Understand your system: what personal data is processed in SAP and who has access to it?
2. Restrict access:
o develop authorizations and SOD rules
o prioritize remediations
3. Stay compliant and detect breaches:
o monitor access
o detect GDPR non-compliance and SAP threats
1. Understand your system 44

Area: question to answer

• tables: Have you assigned table authorization groups to all critical tables?
• transactions, reports: Have you revoked unnecessary S_TCODE authorizations related to personal data?
• RFC functions: Check the list of users with S_RFC authorizations
• database & OS access: Are the database and OS hardened?
• platform vulnerabilities: Have you implemented all SAP patches and SAP security notes?
• misconfigurations: Is the SAP configuration secure?
• custom code vulnerabilities: Does your custom code contain hardcoded values or missing authorization checks?
1. Understand your system 45

SAP Security Audit

• Data flows description
• Analysis of authorizations, roles and SOD conflicts
• Vulnerability assessment and remediation guideline
• Security control evaluation & custom code security analysis
• Threat analysis:
o security event analysis
o roles profiling
o RFC profiling

2. Restrict access 46

Action plan

1. Revoke unjustified access
2. Prepare remediation plan for vulnerabilities
3. Prepare action plan for security controls:
o fix custom code issues and missing authorization checks
o turn on logging of data access
o mask personal data
o harden configuration
o …
2. Restrict access 47

Remediation planning

Constraints and requirements (example):
• Duration: not more than 60 days
• Vulnerability risk level: medium and higher
• Allowed remediation types: no kernel patch

Tasks:
1. Prioritize vulnerabilities by:
- ease of exploitation: availability of a public exploit, need for preparation, need for credentials with special rights, etc.;
- impact of a successful exploitation: full disclosure and OS-level access, or just revealing technical data;
- prevalence of the vulnerability in SAP systems;
- criticality of the SAP systems with the vulnerability.
2. Filter vulnerabilities against the constraints

Outcome:
• Remediation Plan
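The prioritize-then-filter procedure on this slide, as an added example (not ERPScan's method or tooling): each finding is scored on the four factors the slide names, findings below the minimum risk level or of an excluded remediation type are dropped, and the rest are taken in score order while they fit in the time window. The weights, the effort_days field and every finding in the list are constructed assumptions.

```python
"""Build a remediation plan from assessed findings under the constraints on
the slide (minimum risk level, no kernel patches, 60-day window).  Added
example, not ERPScan's method; scores, effort estimates and findings are
constructed."""
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    system: str
    ease: int          # 1 (needs privileged credentials, preparation) .. 3 (public exploit, no auth)
    impact: int        # 1 (technical data revealed) .. 3 (full disclosure / OS-level access)
    prevalence: int    # 1 (rare) .. 3 (present in most SAP systems)
    criticality: int   # 1 (sandbox) .. 3 (production holding personal data)
    risk_level: str    # 'low' | 'medium' | 'high'
    remediation: str   # 'config' | 'note' | 'kernel_patch' | 'code'
    effort_days: int   # assumed effort to remediate


RISK_RANK = {"low": 0, "medium": 1, "high": 2}


def priority_score(f):
    """Multiplicative score: a finding that is both easy to exploit and impactful
    outranks one that is extreme on a single factor; prevalence and system
    criticality scale the result."""
    return f.ease * f.impact * f.prevalence * f.criticality


def remediation_plan(findings, min_level="medium", excluded=("kernel_patch",), max_days=60):
    """Return (planned, deferred) lists of finding names.  Findings under the
    minimum level or of an excluded remediation type are dropped entirely;
    eligible ones are taken by descending score while the effort budget lasts."""
    eligible = [f for f in findings
                if RISK_RANK[f.risk_level] >= RISK_RANK[min_level]
                and f.remediation not in excluded]
    eligible.sort(key=lambda f: (-priority_score(f), f.effort_days, f.name))
    planned, deferred, used = [], [], 0
    for f in eligible:
        if used + f.effort_days <= max_days:
            planned.append(f.name)
            used += f.effort_days
        else:
            deferred.append(f.name)
    return planned, deferred


# Constructed findings for a fictitious landscape.
FINDINGS = [
    Finding("Gateway ACL allows registration from any host", "PRD", 3, 3, 3, 3, "high", "config", 5),
    Finding("Kernel below recommended patch level", "PRD", 3, 3, 3, 3, "high", "kernel_patch", 3),
    Finding("SNC not enforced for SAP GUI sessions", "PRD", 2, 3, 3, 3, "medium", "config", 25),
    Finding("SE16 usable in production by 40 users", "PRD", 2, 2, 3, 3, "medium", "config", 10),
    Finding("Standard user still has default password", "DEV", 3, 3, 2, 1, "high", "config", 1),
    Finding("Custom report missing AUTHORITY-CHECK", "PRD", 2, 2, 1, 3, "medium", "code", 30),
    Finding("Verbose error pages on ICF service", "QAS", 1, 1, 2, 2, "low", "config", 2),
]


if __name__ == "__main__":
    planned, deferred = remediation_plan(FINDINGS)
    print("planned:", planned)
    print("deferred:", deferred)
```

Excluded findings (the kernel patch, the low-risk one) do not appear in either list, which is deliberate: the plan should carry them as an explicit residual-risk note rather than let them vanish, so the usage shows what the filter dropped as well as what the budget deferred.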
3. Stay compliant and detect breaches 48

Aggregate logs

More than 30 logs, for example:
o SAP ABAP Security log
o SAP ABAP Audit log
o SAP ABAP HTTP log
o SAP ABAP ICM Security log
o SAP ABAP RFC log
o SAP J2EE HTTP log
o SAP HANA Security log
o SAP HANA log

Log Management Solutions
3. Detect SAP security threats 49

Threats & attacks examples

• Threats:
o starting of critical RFC functions, reports, transactions or web service access
o unauthorized/unsuccessful access (e.g. RFC calls, logon attempts)
o potential DDoS attack
• Attacks:
o web resource attacks (XSS, SQL injection, etc.)
o exploitation of source code vulnerabilities
o authentication bypass (Verb Tampering, Invoker servlet)
• Anomalies:
o first-time access to personal data
o location change of users processing personal data
o unusually high traffic utilization
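Three of the items above (first-time access to personal data, a user changing location, unsuccessful logon attempts) can be written as rules over the Security Audit Log named on slide 38. The following added example (not ERPScan's detection content) runs such rules over constructed records. The event codes AU1 (logon successful), AU2 (logon failed) and AU3 (transaction started) are standard audit-log event codes; the record layout, users, terminals, watch list and baseline are constructed assumptions.

```python
"""Anomaly rules over constructed Security Audit Log style records.  Added
example, not ERPScan's detection content.  Event codes AU1/AU2/AU3 are
standard audit-log codes; everything else here is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watch list of transactions that touch personal data.
PERSONAL_DATA_TCODES = {"PA30", "PA20", "FD02", "FD03", "SE16", "SE16N"}

# Constructed records: (timestamp, user, terminal, event, transaction).
LOG = [
    ("2018-05-28 08:01:00", "ALICE", "PC-FIN-01", "AU1", ""),
    ("2018-05-28 08:02:10", "ALICE", "PC-FIN-01", "AU3", "FD03"),
    ("2018-05-28 08:30:00", "ALICE", "WS-EXT-77", "AU1", ""),      # second terminal within 30 min
    ("2018-05-28 08:31:00", "ALICE", "WS-EXT-77", "AU3", "PA30"),  # never used PA30 before
    ("2018-05-28 09:00:00", "BOB", "PC-BASIS-02", "AU1", ""),
    ("2018-05-28 09:05:00", "BOB", "PC-BASIS-02", "AU3", "SE16"),
    ("2018-05-28 10:00:00", "DAVE", "WS-EXT-78", "AU2", ""),
    ("2018-05-28 10:00:20", "DAVE", "WS-EXT-78", "AU2", ""),
    ("2018-05-28 10:00:40", "DAVE", "WS-EXT-78", "AU2", ""),
    ("2018-05-28 10:01:00", "DAVE", "WS-EXT-78", "AU1", ""),       # success right after the burst
]
# Constructed baseline: (user, transaction) pairs observed in the previous 90 days.
BASELINE = {("ALICE", "FD03"), ("BOB", "SE16")}


def parse(rows):
    """Turn the string timestamps into datetimes; keep the other fields as-is."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, t, ev, tc) for ts, u, t, ev, tc in rows]


def first_time_personal_data_access(events, baseline, watch=PERSONAL_DATA_TCODES):
    """AU3 for a watched transaction by a user with no baseline record of it.
    Each new (user, transaction) pair is reported once."""
    alerts, seen = [], set(baseline)
    for ts, user, _term, ev, tcode in events:
        if ev == "AU3" and tcode in watch and (user, tcode) not in seen:
            alerts.append((user, tcode, ts))
            seen.add((user, tcode))
    return alerts


def terminal_change(events, window=timedelta(minutes=60)):
    """The same user active from two different terminals inside `window`."""
    alerts, last = [], {}
    for ts, user, term, _ev, _tcode in events:
        prev = last.get(user)
        if prev and prev[1] != term and ts - prev[0] <= window:
            alerts.append((user, prev[1], term, ts))
        last[user] = (ts, term)
    return alerts


def failed_logon_burst(events, threshold=3, window=timedelta(minutes=5)):
    """`threshold` AU2 events for one user inside `window`, and a following
    AU1 while the burst is still inside the window (the case to escalate)."""
    fails, alerts = defaultdict(list), []
    for ts, user, _term, ev, _tcode in events:
        recent = [t for t in fails[user] if ts - t <= window]
        if ev == "AU2":
            fails[user] = recent + [ts]
            if len(fails[user]) == threshold:
                alerts.append((user, "burst", ts))
        elif ev == "AU1" and len(recent) >= threshold:
            alerts.append((user, "success-after-burst", ts))
    return alerts


if __name__ == "__main__":
    events = parse(LOG)
    print(first_time_personal_data_access(events, BASELINE))
    print(terminal_change(events))
    print(failed_logon_burst(events))
```

The baseline set is the expensive part in practice: it has to be built from the same log over a quiet period and refreshed as roles change, otherwise every legitimate new assignment shows up as a first-time access. The terminal rule is a deliberate proxy for "location change" because the audit log records the terminal name, not a geolocation.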
ERPScan GDPR Solutions 50

How can ERPScan help?

• SAP Security Audit
• ERPScan VM module
• ERPScan Code scanning module
• ERPScan SOD module
• SOD services
• SAP Vulnerability Management Services
• SAP - SIEM integration services

Contact us:
[email protected]
Phone: +31 20 8932892

Follow-up actions

Follow-up actions 52

• Conduct an SAP security audit
• Organize one-to-one demo
• Request more information
Thank you 53

Michael Rakutko, Head of Professional Services
[email protected]

USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301, Phone 650.798.5255
HQ Netherlands: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam, Phone +31 20 8932892

Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
erpscan.com, [email protected]
