GDPR for SAP: How to monitor personal data access?
This is the final article of “GDPR for SAP” series devoted to implementation of GDPR requirements in SAP environments. Today we’ll review a number of ways provided by SAP to monitor access to personal data in SAP systems.
Why is it important? SAP systems are constantly changing: people come and go; authorization concept becomes obsolete and new vulnerabilities are coming through all the time. Not surprisingly, the system, that was secured yesterday, tomorrow might be compromised. That is why we can’t blindly trust blocking mechanisms, but rather constantly monitor the true situation of data flows.
It’s specially vital for the needs of protecting personal data.
Identity fraud is one of the fastest-growing types of cybercrime, exposing affected subjects to significant personal risks. At the same time, potential data breach can result in criminal investigation, reputational damages, indemnification, penalties and fines for the affected company.
That is why we can’t miss an opportunity to prepare for GDPR in advance.
GDPR security provisions can be boiled down to 3 groups of requirements (look more in “GDPR Explained: What are the Security Requirements?”):
- Assessing the existing data processes and systems
- Restricting personal data processing
- Monitoring data breaches
As we’ve already mention, GDPR requires us not only to know and protect the personal data in SAP systems, but also to monitor real data access, recognize data breaches and notify affected data subjects.
Obviously, personal data monitoring is not a one-time action, but should be implemented as a process in a system of organization’s security activities. When it comes to a unified view on SAP security, we refer to EAS-SEC SAP Cybersecurity Framework.
Let’s see what SAP Cybersecurity Framework says about the detection processes.
The following picture illustrates Incident Respond workflow according to SAP Cybersecurity Framework:
Typically, you collect SAP events, configure correlation rules and develop response plans for the most severe and frequent cases.
So, SAP Cybersecurity Framework underlines four key contributors to personal data security monitoring:
- Event Management
- Threat Detection
- User Behavior
- Data Leakage
Let us look how these processes help to recognize data breaches.
1. Event Management
First, we need raw information about all events related to personal data records. At the present moment, we already understand what data we want to monitor. If not, have a look at the article devoted to identification of personal data in SAP.
Event Management is a process of collecting and normalizing SAP security events.
SAP includes following components with logging capability:
- Network Level:
- ICM and WebDispatcher
- Message Server
- HTTP logs
- SAP system level:
- System Log
- Security Audit Log
- Authorization Traces
- User Actions:
- Transport System Changes
- Table Changes
- Document Changes
- SAP system changes:
- Read Access Logging
- UI Masking
- UI Logging
So, what you need to do is to constantly collect events from these sources for all the SAP systems that store and process personal data. These events should be sent to one unified platform responsible for SAP event collection or to SIEM and there you need to configure alert and correlation rules for the critical use cases: data exfiltration, system changes on production systems, and so on.
Additionally, with the help of 3rd party product you can add more data to enhance correlation rules: unpatched vulnerabilities, weak configuration, SoD conflicts, critical user actions and other issues on SAP systems with personal data.
That will enable you to investigate such SIEM use cases as: access to personal data tables after successful attack, download of data without proper login in system, access to personal data via custom transaction and many others.
That moves us to the next processes – analysis of personal data related events.
2. Threat Detection
First group of use-cases are SAP-related threat events on SAP systems with personal data:
- Password bruteforcing attempts
- Unauthorized access to RFC-services
- Attacks on web-resources (XSS, SQL Injection, Buffer overflow, etc.)
- Attacks via source code vulnerabilities
- Authentication bypass (Verb Tampering, Invoker servlet)
- Critical actions (transaction, programs, URL’s)
- SoD conflicts
Combining these use-cases with data access events we will recognize when data exfiltrate after successful attack.
3. User Behavior
User Behavior provides statistics related to normal and unusual work patterns of SAP users and connected applications. So, with that we can understand situations of “unusual” personal data access:
- Atypical behavior of HR department user in comparison to their colleagues, e.g. three times more frequent access to telephone numbers then most of the HR users.
- Running an administrative transaction (e.g. SE16) by a non-privileged user.
- First time access to particular category of personal data records.
- Access to sensitive personal data (e.g. SSN).
- User generates unusual amount of traffic, possibly trying to download the whole content of client database.
4. Data Leakage
Third group of use-cases relates to DLP solutions and integration of their findings into personal data access monitoring.
There are solutions which can mark exported data from SAP on the basis of a set of rules considering name of the report. Later this marking is tracked in office applications, mail server, and so on.
So, if you have implemented DLP system or SAP DLP solutions, make sure that they contribute to personal data monitoring use-cases.
SAP provides a number of tools to monitor state of security and access to personal data and this article has described a set of personal data monitoring use-cases.
However, the main task is to understand what you want to monitor in each particular system, and to keep the number of events as small as possible. The fact is that a security team not always has enough time to analyze all the amount and types of personal data in each of the SAP systems in a large landscape.
To get a quick visibility what personal data you process and how secure they are, consider SAP GDPR Security Audit service. The project will result in complete understanding of your personal data processing, state of security and quick-win recommendations.
Specifically, you will get the following outcomes:
- Description of personal data records stored in SAP systems in scope of the project;
- List of users that have access to the personal data;
- Evaluation of SAP security controls;
- Prioritized list of SAP security weaknesses along with remediation guidelines.
Now, fill in the form below to schedule a call with Professional Services to learn how we can help you to audit personal data.