How SAP Customers Use Data Masking To Manage Global Business Risks
Here are two use cases that might sound familiar…
While organizations spend millions combatting external threats, for example, hacking, phishing, and ransomware, we at Pathlock have found most data security use cases are focused on data governance across the enterprise. Simply put, what can someone access depending on where they’re located, what business unit they belong to, or even what time of day it is? Ensuring SAP data security policies are followed without over-restricting access or hurting productivity is a serious juggling act. Sadly, most organizations get it wrong. Fortunately, the solution can come down to a concept as simple as data masking – what, when, and how?
I had the opportunity to learn about two specific use cases (from Pathlock customers) and how they used dynamic data masking to protect sensitive data—all without adding bottlenecks or complexity to their organization.
Transportation Company Use Case
While many industries struggled through the COVID-19 pandemic, a transportation and rail company based in Canada thrived. This was due to being a critical delivery component for many supply chains. The company had to transform its office-based workers into a flex-work model (hybrid workforce) and hire additional employees for fieldwork. The hybrid workers needed to continue their day-to-day managerial tasks, which contained sensitive information that the company was not comfortable exposing outside its secure corporate office. Securing access to this data was further complicated by remote workers traveling from city to city and logging into the self-service SAP modules on mobile devices from wherever they had a Wi-Fi connection.
The company turned to Pathlock to enable a dynamic data masking solution by leveraging contextual access controls that determined which sensitive data fields and Tcodes employees could access based on attributes such as location, IP address, time, data sensitivity, and more.
International Consumer Packaged Goods Use Case
Where one company was dealing with multiple employee/user locations, an international consumer packaged goods company was dealing with multiple office locations around the world, each with its own installation of SAP. The company needed the means to protect sensitive personal data (stored in 1 of 5 unique SAP systems) while abiding by each location’s unique PII protection requirement (GDPR, PIPA, LGPD, etc.).
For this unique situation, the company needed a centralized data masking solution that could follow each location’s unique governance policies. All while being flexible enough to manage scenarios involving multiple locations and protecting sensitive data in production and non-production environments.
For example, a US-based employee could access the SAP system in the South American office. Yet, the dynamic policy could mask certain pieces of information or Tcodes because of the user’s nationality. The user’s location is from a legitimate IP address, but their nationality forbids them from accessing certain personal or sensitive information due to international regulations or company policies—even if that user can access that information in their own instance of SAP.
Protecting SAP Data with a Dynamic Data Masking Solution
The key to a successful dynamic data masking solution is the use of contextual access control policies (ABAC). ABAC allows companies to work in conjunction with existing roles-based controls (RBAC). Without it, neither one of these companies could successfully enable data masking without extensive customization, resulting in an unscalable ad-hoc solution.
Pathlock’s dynamic data masking capabilities provide fine-grained control over which sensitive data fields can be masked for any specified user in the context of any situation. For example, ASP allowed both companies to:
- Centralize data masking enforcement throughout ECC and S/4HANA with a single ruleset.
- Deploy dynamic policies that account for risk based on the context of access, such as location, IP address, time, data sensitivity, and more.
- Protect sensitive data in production and non-production environments.
- Align SAP data masking controls with existing governance (corporate) policies.
- Mask sensitive PII based on the data subjects’ residency (country/nationality).
- Mask data fields in transactions (Tcodes) that are unnecessary for a role.
Contact the SAP experts at Pathlock and see for yourself how ASP can improve SAP data security and reduce compliance risk with a fully dynamic data masking solution.