Protecting Sensitive Data in SAP and Other Critical Applications

The largest concentration of sensitive data within an enterprise resides in critical business applications. Your applications drive your business so securing your sensitive data against internal and external threats is crucial. Sensitive data protection should adhere to security and regulatory requirements, but it goes beyond being just an IT problem. Data protection is a business problem that affects the company’s top and bottom line.

Why are data breaches in SAP and other critical applications a threat to organizational health?

A data breach of individual or company data could result in lost revenue due to cyber threats, intellectual property theft or a breach in the privacy of customer or employee data. Organizations also need to comply with data protection and data privacy mandates from within the organization, industry standards and regulations, or they risk fines. Protecting your sensitive data requires identifying sensitive data types in your applications, controlling access to that data, and gaining visibility into the actions against sensitive data.

How can organizations prevent data breaches in SAP and other critical applications?

Organizations need to minimize the impact and limit exposure of their sensitive data to malicious insiders, inadvertent misuse, or external attackers. Attackers typically target and exploit data that reveals financial information, health data, customer/employee information or intellectual property.

Network and database level security solutions offer protections such as data encryption and network access controls, but malicious insiders or compromised users exploit the application itself to gain access to data. There are various types of sensitive data residing in your business-critical applications that are of interest to threat actors:

• ERP applications (like SAP, Oracle, and NetSuite) contain financial data, customer data, intellectual property and operational data such as inventory figures.
• CRM applications (like Salesforce) contain customer data, intellectual property and operational data such as customer lists.
• HRM applications (like Workday and SuccessFactors) contain employee data, intellectual property and operational data such as salaries.

Why is GDPR and CCPA compliance required in SAP and other critical applications?

Personal data such as social security number, driver’s license number or any other personally identifiable information (PII) is protected by information privacy laws that limit collection and usage of such data by public and private organizations. GDPR applies EU data protection laws to all foreign companies who process the data of EU residents. In the United States, California Consumer Privacy Protection Act of 2018 (CCPA) provides protections to sensitive personal data that is not publicly available. These laws require companies to protect personal data as well as inform on what data is stored and how it is used. Some also have breach notification obligations and can impose significant fines for non-compliance.

How should organizations address GDPR and CCPA compliance in SAP and other critical applications?

To address security and regulatory requirements on safeguarding data, processes and solutions to support data discovery, access management and user monitoring are necessary.

1. Data Discovery and Classification: Before you can protect data, you need to be aware of what data you have. Discovering the types of data your business application contain is critical. Classification of the sensitivity of the data types is also needed to determine the right level of protection required.
2. Access Management: Access controls should be enabled to provide levels of protection depending on the user privileges, business requirements and data types. Access should be strictly controlled with compliant provisioning processes to grant users access to business-critical applications. Additional authentications or data masking should be leveraged for very sensitive data. Periodic reviews of access are also required to identify excessive, inappropriate, and unused access rights to sensitive data.
3. User Monitoring: Continuous visibility is essential to detect access that may negatively impact protected data. Monitoring of user activities and transactions involving sensitive data should be done to establish baselines user access behaviors, analyze access anomalies and identify data leakage risks.

How do organizations discover sensitive data in SAP and Other Critical Applications?

Data discovery is the first step towards compliance and data protection. You need to assess your applications and identify where sensitive data exists. Identifying an organization’s sensitive data is an ongoing challenge because applications are complex and always changing. Sensitive information is often scattered across different applications and different database tables and fields. Organizational changes, mergers and acquisitions means new data is introduced into your landscape. Data may also be duplicated for testing environments or archived and eventually forgotten.

Performing manual, periodic data discovery is time-consuming, prone to gaps in discovery and becomes quickly outdated, especially when considered at an enterprise scale. Automated data discovery solutions are recommended to enable organization to track sensitive data continuously and more accurately.

How do organizations classify sensitive data in SAP and Other Critical Applications?

Within each organization, data classification depends on many factors, including regulations, company policy, contractual obligations, and user expectation. Policy requirements and data sensitivity can also change over time as the business evolves, as regulations update, and as new data sources are incorporated into the applications. Regardless of the type of data, there are a few key considerations to make when classifying data, including what data does your organization collects and creates as well as who needs access to the data.

Classification terms may be unique to each organization, but generally data can be categorized into the following:

1. Public: These data types have little-to-no risk to individuals or organizations if disclosed. This can be information that is already available in public domains such as press releases and market briefs.
2. Internal: These data types should be kept internal but there is minimal impact if it is disclosed. Examples include organizational charts and business plans.
3. Confidential: These data types could cause significant harm such as exposure to criminal liability and cyber-attacks if disclosed. Examples include customer and employee information.
4. Restricted: This is highly sensitive data that would have significant regulatory, financial and reputational impact if disclosed. This includes financial data, health records and intellectual property.

Step Up and Protect Sensitive Data in SAP and Other Critical Applications

Your data is the backbone of your organization, and protecting it is critical to maintaining both the top line and bottom line of your business. Once sensitive data has been identified and classified, you can start effectively protecting your business-critical applications.

Request a demo today to learn how Pathlock can help with data protection including:

• Discovering sensitive financial, employee, customer, and operational data across SAP and other non-SAP systems
• Classifying sensitive data according to its impact on organizational performance and health
• Automating data protection rules, including data masking, encryption, download blocking, and alerting to the SIEM
• Enforcing Attribute Based Access Control (ABAC) and Policy Based Access Control (PBAC) to protect sensitive data with fine-grained control
• Centralizing data catalogs and data access across all connected systems for a 360 view of data compliance

We look forward to supporting you on your journey to protect your sensitive data and stay compliant to ensure business continuity and health.