SAP UI Data Security

  • CUSTOMER

    SAP UI Data Security: UI Logging and UI Masking solutions

    v.312 - 2017-08-30

  • Slide 6 (PUBLIC. © 2017 SAP SE or an SAP affiliate company. All rights reserved.)

    UI Data Security - Threat vector: tackling the risk posed by insiders

  • Slide 7

    UI Data Security - How much would a data leak cost you?

    The Economist, 2014: "A study [...] of intellectual-property theft by insiders [...] found that almost half involved losses of more than $1m."

    Kaspersky, 2014: "On average enterprises pay US$551k to recover from a security breach [...]."

    CSO online, 2015: "The average total cost of a single data breach [is] $3.79m."

    Silicon Angle, 2015: "The real cost to Sony's reputation in the industry is probably in the hundreds of millions, perhaps even $1 billion plus."

    International Business Times, 2014: "Target's [...] executives estimate the total cost [of leaking 100m+ credit cards] at $1-2 bn."

    Common targets of data theft:
    - HR data (salaries, knowledge, contact, org charts)
    - business critical know-how / IP (unpatented research, prototypes, business processes)
    - customer data (contacts, business details, payment information)
    - supplier information
    - recipes (e.g. in BOM)

    Common damage elements:
    - compliance costs: fines, litigation, discovery/recovery, short-term countermeasures
    - deteriorating competitive situation (carriers or know-how lost)
    - lost efficiency (suspicions among employees, disappointment regarding remuneration; management stability)
    - lost business (customers, suppliers, financial markets losing trust, and cutting business/relations)

  • Slide 8

    UI Data Security: two-step approach to protect data from insiders. UI Masking: hiding unnecessary data; UI Logging: enabling analysis of data access.

    UI Masking (the speed limiter)
    - Goal: conceal specific data (values in fields/columns) unless required for tasks.
    - The solution masks sensitive (configured) values by default; unmasking requires explicit access rights (on top of the existing role/authorization setup).
    - Effect: make data elements unavailable for data abuse (opportunistic and targeted).

    UI Logging (the speed camera)
    - Goal: keep data accessible, but log & analyze access, to take appropriate measures.
    - The solution provides a detailed, structured data access log and allows analysis of who exactly received which data (output), how (input), and in which context (IP).
    - Effect: prevent illegitimate data access and theft by inducing compliant behavior; identify & prove irregular data access.

    Both: awareness for data security (human firewall); protect employees by decreasing inadvertent breaches; top-of-class protection measures; trust (employees, customers, and investors).

  • Slide 9

    UI Data Security - High level solution architecture (example: SAP GUI)

    Diagram: SAP UI (user) sends a request to the SAP Backend System; the Dynpro Processor invokes the Business Logic and the Database Layer and returns the response.

    UI Logging: observes the data traffic of each request/response and makes an asynchronous call of the log & filtering service. The log feeds the Log Analyzer, alerts (e.g. email) and Enterprise Threat Detection.

    UI Masking: applies the masking rules (configuration & BAdIs) to the original data on the server side, so that the UI receives masked data in the response.

    UI Masking and UI Logging can be used individually or jointly, depending on the required functionality. Both are add-ons to SAP NetWeaver: secure server-based logging/masking, modification free, minimal performance impact.

  • Slide 10

    UI Data Security - Availability matrix UIM/UIL by UI channel

    UI channels in the matrix (UI Masking / UI Logging):
    - SAP GUI for Windows / HTML / Java
    - WebDynpro ABAP
    - CRM Web Client UI
    - UI5/Fiori
    - RFC/BAPI and Web Services: on request
    - Business Warehouse access (BEx Analyzer, BEx Web, BW-IP, BICS, MDX): on request

    Based on SAP NetWeaver (cf. RCS Availability Matrix or contact product management for detailed requirements). Available for ECC, HEC, Suite on HANA (for S/4HANA availability: please contact product management).
    Implementation: very straightforward, no development, small project sizes (ca. 15-25 person days per material).
    Maintenance: integrated into standard maintenance, planned until end 2025.
    Enhancements and adaptations can be delivered on request.

  • Slide 12

    UI Data Security - Implementation example

    Installation of the UIM/UIL add-ons with SAINT is conducted by the customer (ERP/basis team).

    Implementation support efforts based on experience (typical scope and requirements):

    UI Masking
    - Service option 1: enabling by the product team. Installation support, sample configuration, knowledge transfer and ramp-up session. Effort commonly 5 PD per channel, from remote, duration ca. 1-2 weeks.
    - Service option 2: implementation by the product team, with close involvement of the development team providing and educating on basic settings and sample configuration. Effort ca. 20-25 PD per channel; preferably 1 week onsite, then remote. This excludes complex business logic (BAdI implementation) and additional custom development.

    UI Logging
    - Service option 1: enabling by SAP Consulting. Set-up workshop for requirements, installation support, baseline configuration, education and documentation. Commonly 5 PD per channel, preferably onsite, duration ca. 1-2 weeks.
    - Service option 2: implementation by SAP Consulting as above, but also implementation of the functional scope, test support and go-live support. Preferable setup: 1 week onsite, then remote. Optionally, build an interface structure to an external log.

    Customer enablement of an in-house resource to handle the main parts of the execution phase of the implementation, and to support subsequent changes in requirements and configuration.

  • Slide 13

    UI Data Security - Who's using it and for what?

    UI Logging
    - Prevent unwanted data access while keeping data openly available (Hannover Medical School, reference customer; other clinics worldwide)
    - Log access to payment run data (public sector, Germany; payroll services provider, US)
    - Data access may not be restricted for a certain group, e.g. a warehouse/depot or GRC firefighter access, but it must be controlled who accesses which information (armed forces, Europe; telco provider, Europe)
    - Decrease authorization system stringency/tightness to allow users to take on tasks more flexibly and efficiently, while logging individual access to induce users to access data based on specific tasks (pharma, Europe)
    - Decrease authorization system complexity/cost as well as the resulting fragility (complexity kills security) (pharma, Europe)
    - Log access to reports to be able to identify and sanction abuse by management who may intend to measure employee performance, e.g. how many records employees processed per week (workers' council, Europe)
    - After a recent leak: log everything now and think later about what to do with the data and identify specific use cases (airport operator, Europe)
    - Active leak: identify and stop the source; collaborate with authorities on the severity of the leak; and identify system/authorization setup weaknesses
    - Detailed logging; enrichment of UIL log data and integration with a 3rd-party SIEM system for further (automated) analysis

    UI Masking
    - Prevent theft of massive amounts of data by masking mass access (e.g. from SE16n and similar transactions, reports) (chemicals producer, US)
    - Protect IP in BOMs (= recipes) (chemicals, Switzerland)
    - Mask specific fields in HR to protect sensitive private data, specifically the social security number (South Korea, legal requirement)
    - Mask pricing/costing information (conditions, end prices, resulting price list) to avoid leaking to customers/vendors (trading, USA)
    - Mask customer data & pricing/costing information (conditions, end prices, resulting price list) for 3rd parties (usually partners/vendors) working in the system (telco services provider, Germany)
    - Divestiture / company split of spin-offs: virtually segregate data access until systems are physically separated/split (utilities, Europe)
    - Enable IT/system support from outside of the EU (utilities, Germany; maintenance providers, US/India)
    - Masking depending on attributes of data/user (country, company code, org unit) to decrease authorization system setup and ensure seamless data protection in case of role/job changes (pharmaceuticals producer, Europe), and to comply with ITAR requirements (chemicals producers, US)
    - Mask data for external/temporary roles (e.g. call center: show only what is required for the task; e.g. only last names, only parts of identifying numbers like bank accounts, telephone and customer numbers) (utilities, Italy)

  • Slide 14

    UI Data Security - Value proposition

    - Architecture: deep integration, high performance and security. Masking/logging on the server side; integrated in NetWeaver; modification free.
    - Installation & implementation: small project sizes. Configurable, with options to introduce more logic (BAdIs).
    - Maintenance: planned till end 2025; provided directly by the product team.
    - Market position: stable & proven, 150+ customers.
    - Products are in growth mode (SAP investment): additional requirements on request, directly from the makers of the solutions (UI channels, functional enhancements, integration).

  • UI Masking

  • Slide 16

    UI Masking - Elevator pitch

    What is UI Masking?
    - an active form of suppressing the display of sensitive data in SAP GUI
    - logging of requests to access configured data fields

    How does it work?
    - technically modifies sensitive data before it is displayed
    - configure which data is masked (and how)
    - configure who (role/user) is authorized to see unmasked data
    - tracking of requests for sensitive data (who, when, what, IP address), with archiving of the log file

    What do I get from this?
    - avoid abuse of information
    - avoid damaging cases of data loss
    - ensure compliance with data privacy regulations
    - increase transparency of access to sensitive data, with an audit trail on field level

  • Slide 17

    UI Masking - Refine data access within transactions

    Data masking: in the UI layer on the server side; business and technical transactions; download, export, print.

    Highly configurable: what (on field level, inside transactions); how (pattern); who (role required for unmasked access); BAdIs to introduce additional logic.

    Aligned with SAP standard. Based on SAP NetWeaver releases 7.00 to 7.50.

    Maintenance: planned until 31.12.2025. Further enhancements on request.

  • Slide 19

    UI Masking - Configuration: two simple steps

    1. Define fields to be masked, and rules

    Define which fields are masked. Configure on field level how a field is displayed: define per digit (character position) whether and how the data is masked.

    2. Register authorized users per field

    In transaction PFCG, assign users to a role carrying the UI Masking authorization. Users assigned to these roles will be able to see unmasked values for the applicable fields.

    BAdIs are available to introduce customized business logic determining who has access.

  • Slide 20

    UI Masking - resulting in masked data

    3. Result: data masking

    Data is masked in GUI transaction display for unauthorized users.

    This also affects high-level admin system users (in dynamic transactions, e.g. SE11, SE12, SE16, SE16n) unless they are explicitly authorized for a field.

    UI Masking also protects data during download, export, and print.

  • Slide 27

    UI Masking - Functional scope & highlights

    - Masking values in sensitive data fields in parallel to the existing security/authorization setup
    - Mass configuration utility to speed up definition of the masking scope (fields to be masked)
    - Consistent protection, also for download and printouts
    - BAdI on field level can be implemented with complex business logic
    - Auditable access trace, configurable on field level
    - Archiving functionality for the trace file
    - Integration into SAP native roles (PFCG)

  • Slide 28

    UI Masking - Success story: CF Industries, Chemicals (US)

    A take on what other customers think:Check out CF Industries' experience!

  • UI Logging

  • Slide 30

    UI Logging - Elevator pitch

    What?
    - record & analyze data displayed in an SAP user interface: input/output fields, headers, tables, lists, etc.
    - all database accesses are implicitly logged (search / read / store / update)
    - meaningful usage and analysis of the log: on demand (detailed analysis of the log file via the Log Analyzer with powerful filtering options); real time (configurable alerts/notifications); automated (integrated with ETD, usable as a powerful data source)

    How?
    - grab the data sent to user interfaces and write it to the log
    - logging based on roundtrips (frontend -> server -> frontend)
    - optimal performance: UI Logging runs in the background with minimal impact on system resources
    - optimized log file size with filtering and archiving function

    Lightweight, uncomplicated solution: rapid and efficient implementation; no system functionality is touched/changed.

  • Slide 34

    UI Logging - The log: the key element of UI Logging

    Example screenshot: transaction PA30 (Maintain HR Data), infotype 0008 (Basic Pay).

    - A log record is created for each roundtrip between frontend and server.
    - The header of a log record contains metadata on the data access (like transaction, time stamp, user, IP, client/machine identification).
    - Screen data is stored as name/value pairs, where the name is a concatenated, unique identifier in the system; this allows for efficient analysis of the log.
    - Filters for log entries (fields, tabs) can be configured to control log file size.

  • Slide 35

    UI Logging - Log record analysis with the UI Logging Log Analyzer

    Set of filters for retrieving relevant log entries. More specific questions give more specific (and meaningful) answers!

    - Generic section (UIL meta information): can be used e.g. for a chronological list of all actions of a given user, IP, or machine; or for listing all accesses to a specific field/value, in a given period/system etc.
    - Additional filter criteria for installed UIL channels.
    - On the UI channel level, the most details can be maintained for the strongest indications (e.g. a list of all accesses to the CEO's salary information).

  • Slide 36

    UI Logging - Alerting scenario: configurable mail notification for critical data access

    Flow (diagram): data access -> temporary log file -> alerting definition + message definition -> email alert
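    The log record, the field filter, the Log Analyzer queries and the alerting of slides 34 to 36, modelled as an added Python example. This is not SAP's UI Logging code; the deck shows the concepts, not the implementation. It assumes the concatenated identifier has the form "<program>/<dynpro>/<structure>-<field>"; the users, IP addresses, terminals, personnel numbers and the three roundtrips are constructed sample data. The alert rule stands in for the diagram's alerting definition and message definition and fires on the deck's own scenario, access to an executive's basic pay, whichever transaction it comes through (PA30 or a table browser such as SE16).

```python
"""Illustrative model of UI Logging as described on the page: one log record per
frontend/server roundtrip, a field filter to control log size, Log Analyzer style
queries, and a configurable alert for critical data access.

Added example, not SAP's UI Logging code.  The identifier format
"<program>/<dynpro>/<structure>-<field>", the users, IPs, terminals and the
sample roundtrips are all constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class LogRecord:
    # Header: metadata on the access (who, when, from where, in which transaction).
    transaction: str
    timestamp: datetime
    user: str
    ip: str
    terminal: str
    # Screen data as name/value pairs; the name is a concatenated unique identifier.
    data: Dict[str, str]

    def value(self, field_name: str) -> Optional[str]:
        """Look a field up by its short name (the part after the last '-'), so the
        same question works across programs/dynpros that show the same field."""
        for key, val in self.data.items():
            if key.rsplit("-", 1)[-1] == field_name:
                return val
        return None


@dataclass
class FieldFilter:
    """Include-list per transaction.  Transactions without an entry are logged in
    full; for the others only the listed identifiers are written to the log."""
    keep: Dict[str, Set[str]] = field(default_factory=dict)

    def apply(self, tcode: str, screen: Dict[str, str]) -> Dict[str, str]:
        allowed = self.keep.get(tcode)
        if allowed is None:
            return dict(screen)
        return {k: v for k, v in screen.items() if k in allowed}


@dataclass
class AlertRule:
    """Alerting definition (condition) plus message definition (text)."""
    name: str
    condition: Callable[[LogRecord], bool]
    message: str


class UILog:
    def __init__(self, flt: FieldFilter, rules: List[AlertRule]) -> None:
        self.filter = flt
        self.rules = rules
        self.records: List[LogRecord] = []

    def roundtrip(self, tcode: str, ts: datetime, user: str, ip: str,
                  terminal: str, screen: Dict[str, str]) -> List[str]:
        """Write one record per roundtrip and return the alert messages it raised
        (the product calls its log service asynchronously; here it runs inline)."""
        rec = LogRecord(tcode, ts, user, ip, terminal, self.filter.apply(tcode, screen))
        self.records.append(rec)
        return [f"{r.name}: {r.message} [user={rec.user} ip={rec.ip} tcode={rec.transaction}]"
                for r in self.rules if r.condition(rec)]

    # --- Log Analyzer style queries ---------------------------------------------
    def actions_of(self, user: str) -> List[LogRecord]:
        """Chronological list of everything one user did."""
        return sorted((r for r in self.records if r.user == user), key=lambda r: r.timestamp)

    def accesses_to(self, field_name: str, value: Optional[str] = None,
                    start: Optional[datetime] = None,
                    end: Optional[datetime] = None) -> List[LogRecord]:
        """All roundtrips that displayed field_name, optionally with a given value
        and within a period."""
        hits: List[LogRecord] = []
        for r in self.records:
            v = r.value(field_name)
            if v is None or (value is not None and v != value):
                continue
            if (start is not None and r.timestamp < start) or (end is not None and r.timestamp > end):
                continue
            hits.append(r)
        return hits

    def who_saw(self, field_name: str, owner_field: str, owner_value: str) -> Set[str]:
        """Users who had field_name on screen together with owner_field == owner_value,
        e.g. everyone who saw BET01 (basic pay) of personnel number 00001001."""
        return {r.user for r in self.accesses_to(field_name) if r.value(owner_field) == owner_value}


def build_demo_log() -> Tuple[UILog, List[str]]:
    """Constructed sample: two PA30 roundtrips by a payroll clerk and one late-evening
    SE16 display of table PA0008 by a basis administrator."""
    flt = FieldFilter({"PA30": {"SAPMP50A/2000/RP50G-PERNR", "MP000800/2000/P0008-BET01"}})
    exec_pay = AlertRule("EXEC_PAY",
                         lambda r: r.value("BET01") is not None and r.value("PERNR") == "00001001",
                         "basic pay of personnel number 00001001 was displayed")
    log = UILog(flt, [exec_pay])
    alerts: List[str] = []
    alerts += log.roundtrip("PA30", datetime(2017, 8, 30, 9, 0), "HRPAY1", "10.1.2.3", "PC-HR01",
                            {"SAPMP50A/2000/RP50G-PERNR": "00001001",
                             "MP000800/2000/P0008-BET01": "25000.00",
                             "MP000800/2000/P0008-WAERS": "EUR"})
    alerts += log.roundtrip("PA30", datetime(2017, 8, 30, 9, 5), "HRPAY1", "10.1.2.3", "PC-HR01",
                            {"SAPMP50A/2000/RP50G-PERNR": "00001002",
                             "MP000800/2000/P0008-BET01": "3200.00",
                             "MP000800/2000/P0008-WAERS": "EUR"})
    alerts += log.roundtrip("SE16", datetime(2017, 8, 30, 22, 14), "BASIS7", "10.9.9.9", "PC-ADM",
                            {"SAPLSETB/0230/PA0008-PERNR": "00001001",
                             "SAPLSETB/0230/PA0008-BET01": "25000.00"})
    return log, alerts


if __name__ == "__main__":
    log, alerts = build_demo_log()
    for a in alerts:
        print("ALERT", a)
    print("saw exec pay:", sorted(log.who_saw("BET01", "PERNR", "00001001")))
```

    Two points the example makes explicit: the filter keeps PA30 records to the configured identifiers (WAERS is dropped) while an unconfigured transaction is logged in full, and queries are keyed by the field's short name so that a PA30 screen and an SE16 table display of the same PA0008 field are found by one question. The log itself then holds the sensitive values it records and needs the same protection as the data; on the deck it is forwarded to an external repository or to ETD rather than analysed only in place.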

  • Slide 37

    UI Logging - Integration with Enterprise Threat Detection: transfer of the log to ETD

    - Transfer the log to ETD by calling the standard transaction SECM_LOG_2_ESP (prerequisite: SAP Note 2386528).
    - Configuration is technology/UI channel specific.
    - Log destinations: temporary log file and/or external repository.
    - Configuration options per channel: no transfer to ETD; temporary log relevant for alerting; external repository relevant for alerting.

  • Slide 39

    UI Logging - Success story: Hannover Medical School (Germany)

    A take on what customers think:Check out Hannover Medical School's experience!

  • Contact us

    Tobias Keller, Solution Owner UI Data Security, SAP SE, Custom Development, T +49 6227-7-74995

    Deepak Gupta, Solution Manager UI Masking, SAP SE, Custom Development, T +91 124 385-7195

    Martin Loitz, Solution Manager UI Logging, SAP SE, Custom Development, T +49 6227-7-48810

  • Slide 41

    Field Masking

    UI Logging

    Run compliant and protect sensitive data better

  • No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

    The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

    These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

    In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

    SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

    © 2017 SAP SE or an SAP affiliate company. All rights reserved.