The recent data breach at HealthEquity, a leading health savings account provider, serves as a stark reminder of the growing risks organizations face in safeguarding sensitive data. The incident, which resulted in the exposure of 4.5 million customers’ personally identifiable information (PII), highlights the urgent need for robust data security measures, especially within complex ERP systems like SAP.
The specific system(s) compromised in the HealthEquity breach remain unknown, but the incident underscores the increasing vulnerability of SAP environments to cyberattacks. As businesses rely on SAP to streamline operations and manage critical business processes, SAP has become a more attractive target for threat actors than ever before. In fact, in 2023 there was a 400% increase in ransomware incidents that involved compromising SAP systems and data at victims' organizations.
While HealthEquity acted swiftly once it discovered the breach, this cyberattack offers several clear lessons for organizations handling sensitive data.
A key takeaway from the HealthEquity breach is the necessity of knowing exactly where sensitive data resides within your IT landscape. Many organizations are unaware of the extent of sensitive data stored in external repositories, making them vulnerable to unauthorized access.
To mitigate this risk, organizations should:
With a clear understanding of where sensitive data resides across the various SAP modules, security teams can prioritize the protection of data that is sensitive over data that is not.
The HealthEquity breach highlights the importance of preventing data exposure, even if unauthorized access occurs. Dynamic data masking can help by ensuring that sensitive information is masked or obfuscated, rendering it useless to attackers.
Organizations should:
If the third-party cloud provider had data security controls like Dynamic Data Masking in place, the breach could have been mitigated by ensuring that unauthorized users could only see masked or obfuscated data, rendering it useless even if they accessed the repository.
Strong access control policies are essential to prevent unauthorized access to sensitive data. Beyond traditional role-based access control (RBAC), organizations should adopt Attribute-Based Access Control (ABAC) for more granular authorization.
ABAC allows for:
By dynamically governing access based on user attributes, organizations can minimize the risk of unauthorized access and data leakage.
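The following is an added example, not code from Pathlock, SAP or the original post, showing how the two controls described above fit together: an attribute-based access decision (network location, department, PII clearance) that determines whether a caller receives the full customer record, a record with its PII fields dynamically masked, or nothing at all. The customer record, the attribute names and the policy rules are all constructed for illustration; a real SAP deployment would source the attributes from the identity provider and the policy from the authorization layer.

```python
"""Attribute-based access decision driving dynamic PII masking.

Added example (not Pathlock's or SAP's code). Every value below, from the
customer record to the policy rules, is constructed for illustration.
"""
from dataclasses import dataclass

# Fields treated as sensitive PII; everything else is returned unchanged.
PII_FIELDS = {"ssn", "dob", "account_number"}

# Constructed sample record; no real person or account is represented.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "J. Doe",
    "owner_dept": "benefits",
    "ssn": "123-45-6789",
    "dob": "1984-02-17",
    "account_number": "HSA-00012345",
}

AUDIT_LOG = []  # (user_id, customer_id, decision) tuples, for detection/review


@dataclass
class Subject:
    """Attributes the policy evaluates; assumed to come from the IdP."""
    user_id: str
    department: str
    clearance: str   # "pii" grants unmasked PII, anything else does not
    network: str     # "corp" or "external"


def mask_value(field_name, value):
    """Obfuscate a PII value while keeping a recognisable shape."""
    s = str(value)
    if field_name == "ssn":
        return "***-**-" + s[-4:]
    if field_name == "account_number":
        return "*" * (len(s) - 4) + s[-4:]
    return "****"   # e.g. date of birth: no partial reveal at all


def decide(subject, record):
    """ABAC policy: returns 'allow', 'mask' or 'deny'.

    Rules are ordered most-restrictive first so a single failing attribute
    cannot be overridden by a later, more permissive rule.
    """
    if subject.network != "corp":                # rule 1: corporate network only
        return "deny"
    if subject.department != record["owner_dept"]:  # rule 2: owning department only
        return "deny"
    if subject.clearance == "pii":               # rule 3: unmasked PII needs clearance
        return "allow"
    return "mask"                                # default: masked view


def fetch(subject, record):
    """Apply the decision: full record, masked record, or PermissionError."""
    decision = decide(subject, record)
    AUDIT_LOG.append((subject.user_id, record["customer_id"], decision))
    if decision == "deny":
        raise PermissionError(f"{subject.user_id} denied access to {record['customer_id']}")
    if decision == "allow":
        return dict(record)
    return {k: mask_value(k, v) if k in PII_FIELDS else v for k, v in record.items()}


if __name__ == "__main__":
    analyst = Subject("analyst01", "benefits", "none", "corp")
    print(fetch(analyst, SAMPLE_RECORD))        # masked PII fields
    auditor = Subject("auditor01", "benefits", "pii", "corp")
    print(fetch(auditor, SAMPLE_RECORD))        # full record
    try:
        fetch(Subject("analyst01", "benefits", "none", "external"), SAMPLE_RECORD)
    except PermissionError as exc:
        print("denied:", exc)
    print(AUDIT_LOG)
```

The point of routing every read through `fetch` is that the same attributes decide both whether the request is served and what shape the data takes, so a compromised account without PII clearance, or one connecting from outside the corporate network, never receives usable identifiers even when the repository itself is reachable; the audit log gives the security team a record of denied and masked requests to alert on.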
Pathlock offers a comprehensive suite of tools to help organizations protect their SAP environments from both external and internal threats. These tools include:
Pathlock’s Dynamic Access Controls (DAC) product can help your organization apply and streamline the implementation of these necessary data-centric security controls to prevent a data breach.
By implementing comprehensive data discovery, dynamic data masking, and robust access controls, organizations can significantly reduce their risk of experiencing a data breach similar to the HealthEquity incident. Pathlock’s solutions provide a powerful and effective way to achieve these objectives and safeguard sensitive SAP data.
Get in touch with our SAP security experts to learn more.