Let's Talk Data Security

Shared by our experts

Three ways to protect your SAP data from cyber criminals

Dec 15, 2017 1:43:20 AM

Security budgets have tripled in the past few years. Yet this is not enough to prevent data breaches. In 2016 alone, over 2 billion records were stolen; hacking expertise is escalating, and there are threats everywhere.  
According to an assessment released by Onapsis, 95% of SAP® systems remain a target for data criminals. Despite warnings from various experts, SAP systems installed in some of the largest organisations worldwide remain prone to data attacks.

Because of the growth of interconnectedness, SAP systems are no longer isolated from the outside world. Increased integration with third-party systems and cloud solutions – along with an increased focus on mobile and remote connections – leaves your SAP systems more exposed than ever. The potential attack surface (the number of possible attack vectors) of your IT environment has increased. As “the internet of things” becomes mainstream, this will only accelerate; it is something SAP themselves are looking to embrace with SAP Leonardo.
Here are three ways you can protect your SAP data from the threat of cybercriminals:

1. Look at internal breaches, not just external

Internal data breaches are on the rise. Nearly 50% of breaches are coming from within organisations, according to Verizon’s 2015 data breach investigations report. Anyone who has access to sensitive data could take advantage of their access rights. Although the technologies for securing systems from the outside world and encrypting traffic have become more robust, external attacks on systems are not always the largest concern. Data theft – both from trusted entities within the organisation, and from attackers who gain access via social engineering – is becoming the preferred way of intruding.

2. Secure non-production environments

Limiting the scope of access to production data isn’t enough anymore; the focus should extend to securing non-production environments and addressing the data itself. This approach should also accept that in non-production systems you may want users to have higher levels of access; securing your data is not all about access control. In fact, you can have secure data that is easily accessible, with less robust firewalls and security measures. All you need to do is approach the problem from a different angle.
Non-production environments are on average at least three to four times the size of production environments. Each record is copied several times into test and development systems, increasing the attack surface. Sensitive information such as customer, employee, vendor, credit card and supplier costing information is potentially unsecured and accessible to anyone who has access to your systems. The variety of people accessing non-production systems is usually also greater than in production: contractors on projects, external test teams, developers on temporary assignment, offshore teams and many others have access. The increased data footprint and the number of personnel accessing your data in non-production environments substantially increase your attack surface. A solution is needed to limit the amount of sensitive data that can be stolen.

3. Scramble and anonymize sensitive data

Limit the amount of sensitive data that can be stolen by scrambling and anonymizing data. Protect sensitive data by changing the values of fields, while maintaining the integrity of the data and ensuring production-like behaviour. The quality of test and training data should remain the same, without exposing any confidential data. A solution is needed that replaces sensitive data with anonymous, but fully functional, test data – thereby removing the criminals’ ‘prize’ (your data) and the risk. At the same time, wider access can be granted to the non-production systems to allow more thorough testing, which will benefit your organisation.
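The scrambling described above, as an added example in Python (this is not code from the post and not EPI-USE Labs’ Data Secure tool): values are replaced deterministically with a keyed HMAC so that a customer number scrambled in the master table still matches the same number in the sales-order table (referential integrity), formats and field lengths are preserved so the copy still behaves like production, and key columns are checked for collisions so two customers never collapse into one. The sample tables, the name pool, the per-column policy and the secret are all constructed for this example; the SAP-style column names (KUNNR, VBELN, STCD1, TELF1, NAME1, NETWR) are used only as labels.

```python
import hashlib
import hmac
import string

# Constructed sample tables (all values invented). Column names mirror SAP-style
# field names only as labels: KUNNR = customer number, VBELN = sales document.
CUSTOMERS = [
    {"KUNNR": "0000100001", "NAME1": "Alice Example", "STCD1": "GB123456789", "TELF1": "+44 20 7946 0000"},
    {"KUNNR": "0000100002", "NAME1": "Bob Sample", "STCD1": "GB987654321", "TELF1": "+44 161 496 0000"},
]
ORDERS = [
    {"VBELN": "0090000001", "KUNNR": "0000100001", "NETWR": "1250.00"},
    {"VBELN": "0090000002", "KUNNR": "0000100002", "NETWR": "80.50"},
    {"VBELN": "0090000003", "KUNNR": "0000100001", "NETWR": "15.00"},
]

# Per-column policy (constructed): "key" columns get a consistent pseudonym so foreign
# keys still match; "scramble" keeps the format but changes the value; "name" swaps in
# a pool entry; "keep" leaves non-sensitive, test-relevant values (amounts, document
# numbers) untouched. Columns missing from the policy default to "scramble" (fail closed).
POLICY = {"KUNNR": "key", "NAME1": "name", "STCD1": "scramble", "TELF1": "scramble",
          "VBELN": "keep", "NETWR": "keep"}
FAKE_NAMES = ["Test Customer A", "Test Customer B", "Test Customer C", "Test Customer D"]


class Scrambler:
    """Keyed, deterministic replacement: the same input gives the same output within a
    run, so a key scrambled in one table matches the same key scrambled in another."""

    def __init__(self, secret: bytes):
        self.secret = secret   # per-copy secret; never ship it to the non-production system
        self.mapping = {}      # (column, original) -> replacement, the re-identification key
        self.used = {}         # column -> replacements already issued (collision check)

    def _prf(self, column: str, value: str, counter: int) -> bytes:
        msg = f"{column}\x00{value}\x00{counter}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def _stream(self, column: str, value: str):
        counter = 0
        while True:                      # unbounded keyed byte stream for one value
            yield from self._prf(column, value, counter)
            counter += 1

    @staticmethod
    def _uniform(stream, n: int) -> int:
        limit = 256 - (256 % n)          # rejection sampling: no bias towards low symbols
        while True:
            b = next(stream)
            if b < limit:
                return b % n

    def scramble(self, column: str, value: str, salt: int = 0) -> str:
        """Replace each character with one of the same class (digit/upper/lower), keeping
        length, spacing and punctuation so length checks and display formats still pass."""
        stream = self._stream(column, f"{value}#{salt}")
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(string.digits[self._uniform(stream, 10)])
            elif ch.isupper():
                out.append(string.ascii_uppercase[self._uniform(stream, 26)])
            elif ch.islower():
                out.append(string.ascii_lowercase[self._uniform(stream, 26)])
            else:
                out.append(ch)
        return "".join(out)

    def pseudonym(self, column: str, value: str) -> str:
        """Consistent replacement for key columns; a salt is bumped on collision so two
        different originals never map to the same replacement (that would corrupt tests)."""
        if (column, value) in self.mapping:
            return self.mapping[(column, value)]
        used = self.used.setdefault(column, set())
        salt, candidate = 0, self.scramble(column, value, 0)
        while candidate in used or candidate == value:
            salt += 1
            candidate = self.scramble(column, value, salt)
        self.mapping[(column, value)] = candidate
        used.add(candidate)
        return candidate

    def pick_name(self, column: str, value: str) -> str:
        idx = int.from_bytes(self._prf(column, value, 0)[:4], "big") % len(FAKE_NAMES)
        return FAKE_NAMES[idx]

    def anonymize_row(self, row: dict) -> dict:
        out = {}
        for column, value in row.items():
            action = POLICY.get(column, "scramble")
            if action == "key":
                out[column] = self.pseudonym(column, value)
            elif action == "scramble":
                out[column] = self.scramble(column, value)
            elif action == "name":
                out[column] = self.pick_name(column, value)
            else:
                out[column] = value
        return out


def anonymize_tables(secret: bytes, customers, orders):
    s = Scrambler(secret)                # one scrambler per copy keeps keys consistent across tables
    return [s.anonymize_row(r) for r in customers], [s.anonymize_row(r) for r in orders]


def referential_integrity_ok(customers, orders) -> bool:
    """Every order must still point at an existing customer after scrambling."""
    keys = {c["KUNNR"] for c in customers}
    return all(o["KUNNR"] in keys for o in orders)


def no_original_values(original_rows, anonymized_rows, columns) -> bool:
    """None of the sensitive original values should survive in the copy."""
    originals = {r[c] for r in original_rows for c in columns}
    return not any(r[c] in originals for r in anonymized_rows for c in columns)


if __name__ == "__main__":
    cust, ords = anonymize_tables(b"example-only-secret", CUSTOMERS, ORDERS)
    for r in cust + ords:
        print(r)
    print("referential integrity:", referential_integrity_ok(cust, ords))
```

Two design points matter in practice: the `mapping` dictionary is the re-identification key and must be discarded or protected as strictly as the production data it came from, and unknown columns are scrambled rather than kept, so a new sensitive field added to a table does not leak into the copy by default.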

Tim Barker, EPI-USE Labs Managing Director for the Asia Pacific region, has seen a steep increase in the number of organisations asking for EPI-USE Labs’ Data Secure™ tool in the past few months. Due to the increase in data breaches and the security risk, organisations are looking for a solution that can scramble and anonymize sensitive data.

GDPR: the Data Adequacy and Data Minimisation principle

Nov 23, 2017 6:16:57 AM

The Data Protection Act (current law) requires companies to ensure that they only collect the personal data they need for the purposes they have specified. They are also required to ensure that the personal data they collect is sufficient for the purpose for which it was collected.

Retention period: A minimum or a maximum?

Nov 3, 2017 12:33:38 PM

GDPR: are retention periods being considered a minimum or a maximum?

I’ve recently been in several meetings where a Data Protection Officer (DPO) or internal legal advisor has been discussing GDPR with IT team members. It was interesting to see people with very different backgrounds and responsibilities discussing the various challenges of GDPR they are facing jointly. Several of the DPOs were keen to stress that a lot of the elements affected by GDPR are already in force as a result of existing country legislation created to comply with the 1995 Data Protection Directive. For them, GDPR was in many ways welcome, because it’s ensuring that organisations take their obligations very seriously - even if those obligations are already there now, but have perhaps been overlooked.

Ready for GDPR: Non-Production Data Security

Aug 9, 2017 11:21:23 AM

My previous post explains how, with the use of Data Sync Manager (DSM) and EPI-USE Labs, you can ensure that the data held in your non-production environments is proportional to its use, and therefore more compliant with Article 5 of GDPR. Of course, being proportionate is not the only method required to prove your compliance with GDPR; you can also consider obfuscating sensitive data. EPI-USE Labs is ready to assist here too.

From my research, Article 89 of GDPR deals with data security; this is a far-reaching topic, and rather than moving into network and security again, I’d like to focus on the SAP data and landscape.

Ready for GDPR: Proportional data usage

Jul 26, 2017 7:15:47 AM

As per my previous post, the deadline for GDPR compliance is looming - and it will affect any company which holds data for a European Union citizen. In this post, I highlight how EPI-USE Labs can help you prepare your non-productive SAP landscape to hold only a “proportional amount of data” for the use case of each system.

What is proportional data?

Under GDPR, a clear use case for the processing of data will be required. In its simplest form, the use case for production would be that real customer data needs to be maintained in order to service that customer.

GDPR in SAP: Redact rather than Archive?

Jul 13, 2017 10:02:00 AM

How widely will companies provide the Right to be Forgotten? Will this be commonplace in SAP systems? Will companies decide to delete data in SAP anyway, simply to lessen their liability?

This is clearly a story still unfolding. SAP by its very nature doesn’t make deletion of data easy. The data and processes of different departments are so intertwined that there are dependencies everywhere.

The Road to Data Protection and GDPR

Jun 29, 2017 8:58:13 AM

I have worked in the UK utilities industry for the last 15 years, and I've spent the last ten years using SAP in this industry. For the last year I have worked with EPI-USE Labs in SAP Data and Landscape Management. This is a highly complex industry where vast amounts of personal data have to be stored in order to service the customer effectively, but with this amount of data also comes a strong focus on Data Protection Compliance. Over the next year, we are going to see a large change in the requirements for compliance as the General Data Protection Regulation (GDPR) comes into force on 25 May 2018. There is a lot of information available on GDPR, and as mentioned I am not a lawyer or process expert in your business, so I’m not going to promise you the golden bullet to compliance.

GDPR: When is the Right to be Forgotten applicable?

May 25, 2017 11:26:00 AM

I’m watching a wonderful programme at the moment where the opening credits state ‘This is a true story’; then the word ‘true’ disappears a few seconds before the others. Then it follows with something along the lines of ‘the story not being changed to honour the victims, but the names have been changed to protect the innocent’. Strange how the core subject of my days at the moment has morphed into my evenings as well.

GDPR: almost a year to go. What are people aiming for?

May 11, 2017 12:49:00 PM

In my last blog, I wrote about the GDPR compliance projects sprouting up at most companies. We seem to have moved past confusion around whether GDPR will apply after Brexit (the Information Commissioner’s Office (ICO) has been very clear on this). I’ve even seen a surge in GDPR interest from the US, although at this stage I would say that is about where Europe was in 2016, so I would expect the subject to really gain traction there in 2018.

It’s time to start thinking about GDPR

May 2, 2017 5:08:00 AM

You have probably heard the distant drumbeat of GDPR and the shock headlines of “over 92% of businesses have not prepared for the upcoming GDPR legislation”. Well, whether you’re ready or not, GDPR is coming.

This new legislation will kick in in May 2018, and it has raised some eyebrows due to its somewhat stringent rules and the hefty fines it carries for companies that don’t take adequate measures, especially for global companies (up to 4% of annual turnover or 20 million Euros, whichever is greater). But if companies prepare adequately in their approach to people’s personal data, then this shouldn’t become an issue. If they prepare themselves.