The protection of corporate intellectual property is becoming more and more important in times of cybercrime. Because intellectual property is stored in companies' IT systems, today's networks and IT systems need comprehensive protection. This remains an endless race against ever-new attack vectors. Besides companies' intellectual property, personal data in particular is another important category of sensitive data. It must be protected not only against unauthorised access from outside, but also against unauthorised access from within the company.
Hospitals need to protect access to patient data, as do banks and insurance companies; across all verticals, organisations need to protect sensitive data from unauthorised access. EU data protection law (the GDPR) underpins this and provides, inter alia, penalties for non-compliance or for failing to take protective measures when handling personal data. Read access to sensitive data must therefore be logged. Last but not least, intellectual property and personal data are stored in SAP® systems. SAP offers its customers the so-called SAP Read Access Log as a means of logging access to sensitive data.
The configuration of SAP systems and their Read Access Log, however, presents companies with major challenges:
- Where are the relevant personal data located?
- How is the Read Access Log configured?
- Which transactions and input and output fields are important for logging?
- How can Read Access Logs be extracted?
- How is the Read Access Log finally evaluated?
- And how can an alert be generated?
The SAP Read Access Logs obtained through this configuration should then be monitored in so-called security log management or SIEM (Security Information and Event Management) solutions, where the Read Access Logs of all connected SAP systems are monitored centrally. The customer benefit is obvious:
- Central, automated monitoring of the Read Access Log for suspicious access to personal data by unauthorised user groups
- Detection of a large number of accesses by a single user
- An audit trail of read access for after-the-fact analysis
- All connected SAP systems combined in one data sink
- Ad-hoc reports
- Rules-based evaluation of the logs in the form of alerts
- Correlation of Read Access Log data with information from the network (data leakage detection)
Monitoring of misuse of personal data using the SAP® Read Access Log
The SAP Read Access Log records access to specific fields of transactions, reports or programs, and is therefore a very important component for meeting the obligations under the EU General Data Protection Regulation (GDPR or DS-GVO), namely the logging of access to personal data. The following examples outline how personal data in an SAP system can be misused:
- Social security or insurance numbers are important and highly personal data in many countries, and many of them are stored in SAP systems, for example at government agencies. Unauthorised access to this information can easily result in the data being downloaded from the SAP system and sent to a private e-mail account.
- Tax authorities hold information about tax evaders in their SAP systems. Specialists are instructed to use the SAP search helps only to look for specific individuals, with restrictions and search terms, for example to avoid loading the entire list of tax evaders. Using an SAP input help with a "*" wildcard, however, can display a large number of tax evaders at once, and exporting and downloading this list is a simple step in SAP. Passing such a list, including the names of celebrity tax evaders, to the press is conceivable and has already been reported. Without a read access log configured for these essential fields, the tax authority faces an unsolvable problem: tracing who misused the SAP input help.
- Information about salary or pension payments can be printed from an SAP system and left on a printer or in a public place. Sensitive data of course requires confidentiality: the print-out itself is already a violation, and disclosure of such data is certainly an abuse. How is it established who had access to this information? Which records were accessed in the last few days, and who printed the data?
- In companies, job rotation is welcome. Every three years, for example, employees may hold different positions in different business units or departments. It is questionable whether the SAP accounts and authorisations of these employees are always adjusted, or whether the roles required for the new department are simply added on top. Moving an employee from HR to the legal department, or vice versa, can then yield interesting combinations of entitlements. Old or newly acquired SAP roles may be exploited to access sensitive data by someone who knows they are moving from one department to another. Thus, from a single workstation and a single account, sensitive details about various employees can be accessed by persons who should no longer have access to them.
These or similar misuses of personal data can occur in SAP systems. Configuring the Read Access Log and evaluating it is an essential element of SAP security monitoring, not least in times of GDPR. With the help of this log, accesses to sensitive data in SAP can at least be logged, extracted from SAP and centrally collected, and at best automatically monitored with appropriate rules.
Using a security log management or SIEM (Security Information and Event Management) solution, a wide variety of logs are collected and either automatically monitored by rules or made available as reports. Integrating SAP logs into such a system not only allows monitoring specific to SAP, but also correlation of the SAP logs with information from the network. Detecting the scenario described above, in which information displayed and downloaded from SAP is sent to a private e-mail account, becomes possible by correlating SAP® logs with logs from the e-mail gateway and from VPN access.
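As an added example, not code from the original page and not part of any SAP or SIEM product, the following Python sketches the three kinds of rule listed earlier (access to personal data by an unauthorised user group, a large number of accesses by one user, and correlation of SAP access with e-mail gateway data) run over extracted Read Access Log records. The record layout, field names, transaction codes, user groups, thresholds and the mail-gateway records are all assumptions constructed for the example; the real SAP RAL export schema differs, so only the shape of the logic should be carried over.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# --- Assumed policy (not from the page) -----------------------------------
# Sensitive RAL fields and the user groups allowed to read them.
SENSITIVE_FIELDS = {
    "PERNR": {"HR"},                     # personnel number
    "SALARY": {"HR"},
    "SOCIAL_SEC_NO": {"HR", "PAYROLL"},
}
USER_GROUPS = {"HR_ANNA": "HR", "PAY_BOB": "PAYROLL", "LEGAL_CARL": "LEGAL"}
CORPORATE_DOMAIN = "example.com"
MASS_THRESHOLD = 100            # sensitive records returned per user within WINDOW
WINDOW = timedelta(minutes=10)
EXFIL_GAP = timedelta(hours=2)  # mass read followed by external mail within this gap

# --- Constructed sample input ---------------------------------------------
# Simplified read-access records as a SIEM might receive them after extraction:
# (timestamp, system, user, transaction, field, records_returned).
RAL_EVENTS = [
    ("2024-03-04T09:00:00", "PRD", "HR_ANNA",    "PA20", "PERNR",         1),
    ("2024-03-04T09:05:00", "PRD", "LEGAL_CARL", "PA20", "SALARY",        1),
    ("2024-03-04T10:00:00", "PRD", "PAY_BOB",    "PA20", "SOCIAL_SEC_NO", 60),  # "*" in search help
    ("2024-03-04T10:04:00", "PRD", "PAY_BOB",    "PA20", "SOCIAL_SEC_NO", 70),
    ("2024-03-04T10:30:00", "PRD", "PAY_BOB",    "PA20", "SOCIAL_SEC_NO", 30),
    ("2024-03-04T11:00:00", "PRD", "HR_ANNA",    "PA30", "SALARY",        5),
    ("2024-03-04T12:00:00", "PRD", "HR_ANNA",    "PA30", "SALARY",        3),
]
# Constructed e-mail gateway records: (timestamp, user, recipient, attachment_bytes).
MAIL_EVENTS = [
    ("2024-03-04T08:00:00", "LEGAL_CARL", "counsel@outside.example", 12000),
    ("2024-03-04T10:45:00", "PAY_BOB",    "me@private-mail.example", 40000),
    ("2024-03-04T11:10:00", "HR_ANNA",    "colleague@example.com",    9000),
]


def _ts(s):
    return datetime.fromisoformat(s)


def rule_unauthorized_group(events):
    """Sensitive field read by a user whose group is not allowed to see it."""
    alerts = []
    for ts, system, user, tcode, field, _n in events:
        allowed = SENSITIVE_FIELDS.get(field)
        if allowed and USER_GROUPS.get(user) not in allowed:
            alerts.append({"rule": "unauthorized_group", "time": ts, "system": system,
                           "user": user, "transaction": tcode, "field": field})
    return alerts


def rule_mass_access(events):
    """Sliding-window sum of sensitive records returned per user; fires once per
    user the first time the total inside WINDOW reaches MASS_THRESHOLD."""
    per_user = defaultdict(list)
    for ts, _system, user, _tcode, field, n in sorted(events, key=lambda e: _ts(e[0])):
        if field in SENSITIVE_FIELDS:
            per_user[user].append((_ts(ts), n))
    alerts = []
    for user, reads in per_user.items():
        start, total = 0, 0
        for t, n in reads:
            total += n
            while t - reads[start][0] > WINDOW:   # drop reads that left the window
                total -= reads[start][1]
                start += 1
            if total >= MASS_THRESHOLD:
                alerts.append({"rule": "mass_access", "user": user,
                               "records": total, "window_end": t})
                break
    return alerts


def rule_exfil_correlation(ral_events, mail_events, max_gap=EXFIL_GAP):
    """Mass read of sensitive data followed within max_gap by a mail with an
    attachment from the same user to a non-corporate address."""
    alerts = []
    for m in rule_mass_access(ral_events):
        for ts, user, recipient, size in mail_events:
            gap = _ts(ts) - m["window_end"]
            if (user == m["user"] and size > 0
                    and not recipient.endswith("@" + CORPORATE_DOMAIN)
                    and timedelta(0) <= gap <= max_gap):
                alerts.append({"rule": "exfil_after_mass_read", "user": user,
                               "recipient": recipient, "mail_time": ts,
                               "sap_records": m["records"]})
    return alerts


if __name__ == "__main__":
    for alert in (rule_unauthorized_group(RAL_EVENTS) + rule_mass_access(RAL_EVENTS)
                  + rule_exfil_correlation(RAL_EVENTS, MAIL_EVENTS)):
        print(alert)
```

On the sample data the first rule flags LEGAL_CARL's read of SALARY, the second flags PAY_BOB once 130 social security numbers have been returned within ten minutes (the wildcard search-help case), and the third raises a single correlated alert because PAY_BOB then mails an attachment to a private address 41 minutes later; HR_ANNA's small, in-group reads and internal mail produce nothing. Counting records returned rather than transaction calls is what makes a single "*" search visible, and the join with the mail gateway is the same idea the page describes for VPN logs.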