Security budgets have tripled in the past few years. Yet this is not enough to prevent data breaches. In 2016 alone, over 2 billion records were stolen; hacking expertise is escalating, and there are threats everywhere.
According to an assessment released by Onapsis, 95% of SAP® systems remain a target for data criminals. Despite warnings from various experts, SAP systems installed in some of the largest organisations worldwide remain prone to data attacks.
Because of the growth of interconnectedness, SAP systems are no longer isolated from the outside world. Increased integration with third party systems and cloud solutions – along with increased focus on mobile and remote connections – leave your SAP systems more exposed than ever. The potential attack surface (or number of possible attack vectors) of your IT environment has increased. As “the internet of things” becomes mainstream, this will only accelerate. This is something which SAP themselves are looking to embrace with SAP Leonardo.
Here are three ways you can protect your SAP data from the threat of cybercriminals:
1. Look at internal breaches, not just external
Internal data breaches are on the rise. Nearly 50% of breaches are coming from within organisations, according to Verizon’s 2015 data breach investigations report. Anyone who has access to sensitive data could take advantage of their access rights. Although the technologies for securing systems from the outside world and encrypting traffic have become more robust, external attacks on systems are not always the largest concern. Data theft – both from trusted entities within the organisation, and from attackers who gain access via social engineering – is becoming the preferred way of intruding.
2. Secure non-production environments
Limiting the scope of access to production data isn’t enough anymore; the focus should extend to securing non-production environments and addressing the data. This should also accept that in non-production systems you may want users to have higher levels of access; securing your data is not all about access control. In fact, you can have secure data that is easily accessible, with less robust firewalls and security measures. All you need to do is approach the problem from a different angle.
Non-production environments are on average at least three to four times the size of production environments. Each record is copied several times into test and development systems, increasing the attack surface. Sensitive information such as customer, employee, vendor, credit card and supplier costing information are potentially unsecured and accessible to anyone who has access to your systems. The variety of people accessing non-production systems is usually also greater than that in production. Contractors for projects, external test teams, developers on temporary assignment, offshore teams and many others have access. The increased data footprint and number of personnel accessing your data in non-production environments substantially increase your attack surface. A solution is needed to limit the amount of sensitive data that can be stolen.
3. Scramble and anonymize sensitive data
Limit the amount of sensitive data that can be stolen by scrambling and anonymizing data. Protect sensitive data by changing the values of fields, while maintaining the integrity of the data and ensuring production-like behaviour. The quality of test and training data should remain the same, without exposing any confidential data. A solution is needed that replaces sensitive data with anonymous, but fully functional, test data – thereby removing the criminals ‘prize’ (your data) and the risk. At the same time, wider access can be granted to the non-production systems to allow more thorough testing, which will benefit your organisation.
Tim Barker, EPI-USE Labs Managing Director for the Asia Pacific region has seen a steep increase in the number of organisations demanding their Data Secure™ tool in the past few months. Due to the increase in data breaches and the security risk, organisations are looking for a solution that can scramble and anonymise sensitive data.