TRANSCRIPT
ERPSCAN SMART SOLUTIONS FOR GDPR COMPLIANCE
BY MICHAEL RAKUTKO, HEAD OF PROFESSIONAL SERVICES
ROADMAP: How to implement GDPR in SAP?
1. GDPR security requirements
2. How to discover personal data?
3. How to evaluate security controls?
4. How to track personal data activities?
5. How to detect data breaches?
GDPR Security Requirements
GDPR'S GOAL: to facilitate the digital economy
For citizens:
• easier access to their data
• a new right to data portability
• right to be forgotten
• right to know when their personal data has been hacked
For business:
• a single set of EU-wide rules
• EU rules for non-EU companies
• one-stop-shop
• a data protection officer
• innovation-friendly rules
• privacy-friendly techniques
• impact assessments
DEFINITIONS
• Personal data: any information relating to an identified or identifiable natural person ('data subject');
• Data subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
• Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
General Data Protection Regulation, Article 4
GDPR SECURITY PROVISIONS: Overview
• Data Subject Rights
• Privacy Principles (Privacy By Design and Privacy By Default)
• Data Protection Officer Duties
• Data Protection Impact Assessment
• Cybersecurity Requirements
• Data Breach Notification
GDPR CYBERSECURITY REQUIREMENTS (Article 32)
The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
• (a) the pseudonymisation and encryption of personal data;
• (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
GDPR IMPLEMENTATION PLAN
• Find personal data
• Find users with access to personal data
• Evaluate security controls
• Assess risks to data subjects
• Restrict access to personal data
• Implement and describe security controls to demonstrate compliance
• Regularly assess security measures
• Monitor personal data access
• Detect SAP security attacks
ERPSCAN SOLUTIONS
1. Discover personal data in SAP systems:
   • SAP GDPR Data & Security Audit (service)
2. Evaluate compliance and security:
   • ERPScan Security Monitoring Suite (product): Vulnerability Management, ABAP Code Scan, Segregation of Duties
   • SAP Security Audit (service)
3. Track personal data access and data breaches:
   • ERPScan Smart Cybersecurity Platform (product)
How to discover personal data?
SAP SD ORDER TO CASH
[Figure: order-to-cash transaction flow showing BP, VA01, VA11, VA21, VA31 and VA41]
1. FIND DATA: Typical locations of personal data
• Standard global master tables:
  • Customers: KNA1, KNBK, KNVK
  • Vendors: LFA1, LFBK
  • Addresses: ADRC, ADR2, ADR3, ADR6
  • Business partners: BP000, BP030
  • Users: USR03
  • Credit cards: VCNUM
• HR master records (infotypes):
  • 0002 Personal Data
  • 0004 Challenge
  • 0006 Addresses
  • 0009 Bank Details
  • 0021 Family
  • 0028 Internal Medical Services
  • 0094 Residence Status
1. FIND DATA: How to find personal data in SAP?
• Search in domains/data elements:
  • RSCRDOMA: Where-Used List of Domains in Tables
  • RPDINF01: Audit Information Systems – Technical Overview of Infotypes
• Follow links
• Search in table descriptions:
  • tables and descriptions: DD02L, text table DD02T
  • fields: DD03L
  • data elements: DD04L, text table DD04T
  • domains: DD01L, text table DD01T
2. FIND USERS: Overview of communication channels
• Business transactions and reports
• SAP tables:
  • table browsing and maintenance transactions: SE16, SE16N, SE17, SM30, SM31, etc.
  • proxy transactions like SPRO (which call the aforementioned ones internally)
  • SAP Query (SQVI, SQ01, …)
• RFC functions
• Databases (HANA, Oracle)
• SAP services:
  • Gateway
  • Message Server
  • SOAP Interface
[Figure: communication channels with their access controls and other security controls]
2. FIND USERS BY S_TABU_* AUTHORIZATIONS
2. FIND USERS OF TRANSACTION
• Standard data-related transactions:
  • Customers: FD02
  • Vendors: FK02, M-01
  • Addresses: VCUST
  • Business partners: BP
  • Users: SU01, SU10, SUGR, PA30
  • Credit cards: PRCCD
• Find more:
  1. Search for programs using data-related tables (SE80 \ Repository Information System \ ABAP Dictionary \ Database Tables)
  2. Find transactions related to the program (SE80, or table TSTC)
  3. Find users having S_TCODE authorizations to run the transactions
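As an added example (not code from the deck), the three "find more" steps above chained in Python over constructed rows of the standard SAP tables D010TAB (program uses table), TSTC (transaction to program), AGR_1251 (role authorization values) and AGR_USERS (role assignments). Only TSTC is named on the slide; the other table and field names are assumed here, and the S_TCODE value matching follows SAP's single-value, interval and trailing-asterisk rules, so it also catches generic authorizations such as F* or * that a plain equality lookup would miss.

```python
# Added example, not code from the ERPScan deck. Rows are constructed; the table
# and field names are the standard SAP ones (assumed; only TSTC is on the slide).
D010TAB = [  # step 1: which ABAP programs use which tables (MASTER, TABNAME)
    {"MASTER": "SAPMF02D", "TABNAME": "KNA1"},
    {"MASTER": "SAPMF02D", "TABNAME": "KNBK"},
    {"MASTER": "SAPMF02K", "TABNAME": "LFA1"},
]
TSTC = [  # step 2: transaction code -> program (TCODE, PGMNA)
    {"TCODE": "FD02", "PGMNA": "SAPMF02D"},
    {"TCODE": "FD03", "PGMNA": "SAPMF02D"},
    {"TCODE": "FK02", "PGMNA": "SAPMF02K"},
]
AGR_1251 = [  # step 3: S_TCODE field values per role (LOW/HIGH as in SAP)
    {"AGR_NAME": "Z_AR_CLERK", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "FD02", "HIGH": ""},
    {"AGR_NAME": "Z_AP_CLERK", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "FK01", "HIGH": "FK03"},
    {"AGR_NAME": "Z_FI_ALL", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "F*", "HIGH": ""},
    {"AGR_NAME": "Z_BASIS", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "*", "HIGH": ""},
]
AGR_USERS = [  # role -> user assignments (AGR_NAME, UNAME)
    {"AGR_NAME": "Z_AR_CLERK", "UNAME": "ALICE"},
    {"AGR_NAME": "Z_AP_CLERK", "UNAME": "BOB"},
    {"AGR_NAME": "Z_FI_ALL", "UNAME": "CAROL"},
    {"AGR_NAME": "Z_BASIS", "UNAME": "DAVE"},
]

def auth_value_matches(low: str, high: str, value: str) -> bool:
    """SAP authorization value rules: '*' alone is full authorization, a trailing
    '*' is a prefix pattern, and a non-empty HIGH makes LOW..HIGH an interval."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low

def users_for_table(tabname: str) -> dict:
    """Map each user to the table-touching transactions their S_TCODE values allow."""
    programs = {r["MASTER"] for r in D010TAB if r["TABNAME"] == tabname}  # step 1
    tcodes = {r["TCODE"] for r in TSTC if r["PGMNA"] in programs}          # step 2
    result = {}
    for auth in AGR_1251:                                                  # step 3
        if auth["OBJECT"] != "S_TCODE" or auth["FIELD"] != "TCD":
            continue
        allowed = {t for t in tcodes if auth_value_matches(auth["LOW"], auth["HIGH"], t)}
        for a in AGR_USERS:
            if allowed and a["AGR_NAME"] == auth["AGR_NAME"]:
                result.setdefault(a["UNAME"], set()).update(allowed)
    return result
```

On a real system the same chain is a join across those four tables; the Python only makes the wildcard and interval semantics of S_TCODE explicit.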
How to evaluate security controls?
1.3 EVALUATE SECURITY CONTROLS
Authentication
• Password policy
• Privileged users
• SSO checks
Monitoring
• Log settings: security audit log, system log, gateway, HTTP, SQL logs …
• CCMS settings
Access control
• Assignment of authorization groups to tables and ABAP programs
• RFC authorization checks
• Unblocked critical transactions (SM59, SCC5, SM32, …)
Encryption
• SSL options
• SNC options
Insecure configuration
• Gateway, RFC, ICF, MMC, GUI, Web Dispatcher, …
List of connected systems
• RFC, DBCON, HANA, XI …
How to record personal data access?
ENABLE LOGGING
• Network level:
  • SAProuter
  • ICM and Web Dispatcher
  • Message Server
  • HTTP logs
• SAP system level:
  • System Log
  • Security Audit Log
  • Authorization Traces
• Object level:
  • Transport System Changes
  • Table Changes
  • Document Changes
• Interface level:
  • Read Access Logging
  • UI Masking
  • UI Logging
SECURITY AUDIT LOG
How to enable logging:
1. Create audit profiles (SM19)
2. Configure parameters:
   rsau/enabled = 1
   rsau/max_diskspace/local = 2000M
3. Activate profiles
What can be recorded?
• RFC Logon
• RFC Function Call
• Report Start
• Transaction Start
• Dialog Logon
• User Master Record Change
• System
Recommended audit profiles:
Name                 Events         Audit classes  Client  User name/group
Everything critical  Only critical  *              *       *
Special users        All            *              *       SAP#* / SUPER
All actions          All            *              *       *
How to detect data breaches?
WHAT DOES AN SAP DATA BREACH LOOK LIKE?
• Scans for vulnerable services and default SAP pages
• Brute force against default users
• Attempts to exploit SAP vulnerabilities
• Maintenance actions (SE16, SU02) from non-administrative users
• Spikes in downloads (RFC_READ_TABLE, report downloads, etc.)
• User anomalies: new IP address, never-seen TCODE, and execution outside working hours (or at lunch time)
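As an added example (not code from the deck or the ERPScan platform), the last three indicators above scored against constructed Security-Audit-Log-style records. The record layout (timestamp, user, client IP, transaction or RFC function), the per-user baseline, the administrator list, the hourly RFC_READ_TABLE threshold and the business hours are all assumptions made here.

```python
# Added example, not code from the ERPScan deck. Scores the breach indicators
# listed above against constructed records; the record layout is a simplification
# of Security Audit Log data, assumed here (timestamp, user, client IP, action).
from collections import Counter
from datetime import datetime

MAINTENANCE_TCODES = {"SE16", "SE16N", "SU02", "SM30"}  # table/user maintenance
ADMINS = {"BASIS01"}                  # constructed list of administrative users
RFC_DOWNLOAD_THRESHOLD = 5            # RFC_READ_TABLE calls per user per hour
WORK_HOURS = range(8, 18)             # assumed business hours, 08:00-17:59

# Constructed baseline: IPs and actions each user has been seen with before
BASELINE = {
    "ALICE": {"ips": {"10.0.0.5"}, "actions": {"FD02", "FD03"}},
    "BASIS01": {"ips": {"10.0.0.9"}, "actions": {"SE16", "SM30", "SU01"}},
}

# Constructed events: (timestamp, user, client IP, transaction or RFC function)
EVENTS = [
    ("2018-03-05 09:15", "ALICE", "10.0.0.5", "FD02"),
    ("2018-03-05 12:20", "ALICE", "10.0.0.5", "SE16"),
    ("2018-03-05 10:00", "BASIS01", "10.0.0.9", "SE16"),
] + [("2018-03-05 23:%02d" % m, "ALICE", "192.0.2.77", "RFC_READ_TABLE")
     for m in range(0, 30, 5)]


def find_indicators(events):
    """Return sorted, de-duplicated (user, indicator, detail) findings."""
    findings = set()
    rfc_per_hour = Counter()
    for ts, user, ip, action in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        seen = BASELINE.get(user, {"ips": set(), "actions": set()})
        if action in MAINTENANCE_TCODES and user not in ADMINS:
            findings.add((user, "maintenance transaction by non-admin", action))
        if ip not in seen["ips"]:
            findings.add((user, "new IP address", ip))
        if action not in seen["actions"]:
            findings.add((user, "never-seen TCODE/function", action))
        if when.hour not in WORK_HOURS:
            findings.add((user, "non-working-hours execution", when.strftime("%Y-%m-%d %H:00")))
        if action == "RFC_READ_TABLE":
            rfc_per_hour[(user, when.strftime("%Y-%m-%d %H"))] += 1
    for (user, hour), n in rfc_per_hour.items():
        if n >= RFC_DOWNLOAD_THRESHOLD:
            findings.add((user, "download spike", "%d RFC_READ_TABLE calls in hour %s" % (n, hour)))
    return sorted(findings)
```

The administrator's own SE16 run produces no finding because it matches the baseline, which is what keeps this kind of rule usable in a real Security Audit Log feed.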
THANK YOU
Michael Rakutko, Head of Professional Services, [email protected]
Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
Subscribe to our newsletters: eepurl.com/bef7h1
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301, phone 650.798.5255
EU: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam, phone +31 20 8932892
EU: Štětkova 1638/18, Prague 4 - Nusle, 140 00, Czech Republic