ERPSCAN SMART SOLUTIONS FOR GDPR COMPLIANCE BY MICHAEL RAKUTKO, HEAD OF PROFESSIONAL SERVICES


Post on 20-Apr-2018


Page 1: ERPSCAN SMART SOLUTIONS FOR GDPR COMPLIANCE · erpscan smart solutions for gdpr compliance. by michael rakutko, head of professional services. how to implement gdpr in sap? 1

ERPSCAN SMART SOLUTIONS FOR GDPR COMPLIANCE
BY MICHAEL RAKUTKO, HEAD OF PROFESSIONAL SERVICES

Page 2: ROADMAP

How to implement GDPR in SAP?

1. GDPR security requirements
2. How to discover personal data?
3. How to evaluate security controls?
4. How to track personal data activities?
5. How to detect data breaches?

Page 3: GDPR Security Requirements

Page 4: GDPR’S GOAL

To facilitate the digital economy

For citizens:
• easier access to their data
• a new right to data portability
• right to be forgotten
• right to know when their personal data has been hacked

For business:
• a single set of EU-wide rules
• EU rules for non-EU companies
• one-stop-shop
• a data protection officer
• innovation-friendly rules
• privacy-friendly techniques
• impact assessments

Page 5: DEFINITIONS

• Personal data: any information relating to an identified or identifiable natural person (‘data subject’);

• Data subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

• Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

General Data Protection Regulation, Article 4

Page 6: GDPR SECURITY PROVISIONS: Overview

• Data Subject Rights
• Privacy Principles (Privacy By Design and Privacy By Default)
• Data Protection Officer Duties
• Data Protection Impact Assessment
• Cybersecurity Requirements
• Data Breach Notification

Page 7: GDPR CYBERSECURITY REQUIREMENTS (Article 32)

The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• (a) the pseudonymisation and encryption of personal data;
• (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Page 8: GDPR IMPLEMENTATION PLAN

• Find personal data
• Find users with access to personal data
• Evaluate security controls
• Assess risks to data subjects

• Restrict access to personal data
• Implement and describe security controls to demonstrate compliance

• Regularly assess security measures
• Monitor personal data access
• Detect SAP security attacks

Page 9: ERPSCAN SOLUTIONS

1. Discover personal data in SAP systems:
   • SAP GDPR Data & Security Audit (service)

2. Evaluate compliance and security:
   • ERPScan Security Monitoring Suite (product): Vulnerability Management, ABAP Code Scan, Segregation of Duties
   • SAP Security Audit (service)

3. Track personal data access and data breaches:
   • ERPScan Smart Cybersecurity Platform (product)

Page 10: How to discover personal data?

Page 11: SAP SD ORDER TO CASH (process diagram; transactions shown: BP, VA01, VA11, VA21, VA31, VA41)

Page 12: 1. FIND DATA: Typical locations of personal data

• Standard global master tables:
  • Customers: KNA1, KNBK, KNVK
  • Vendors: LFA1, LFBK
  • Addresses: ADRC, ADR2, ADR3, ADR6
  • Business partners: BP000, BP030
  • Users: USR03
  • Credit cards: VCNUM

• HR master records (infotypes):
  • 0002 Personal Data
  • 0004 Challenge
  • 0006 Addresses
  • 0009 Bank Details
  • 0021 Family
  • 0028 Internal Medical Services
  • 0094 Residence Status

Page 13: 1. FIND DATA: How to find personal data in SAP?

• Search in domains/data elements:
  • RSCRDOMA: Where-Used List of Domains in Tables
  • RPDINF01: Audit Information Systems – Technical Overview of Infotypes

• Follow links between the tables found

• Search in table descriptions:
  • tables and descriptions: DD02L, text table DD02T
  • fields: DD03L
  • data elements: DD04L, text table DD04T
  • domains: DD01L, text table DD01T
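The description search above, as an added example (not ERPScan code and not a tool from the deck): the dictionary tables DD03L, DD04T and DD02T are joined and their short texts searched for personal-data keywords. The rows and the keyword list are constructed assumptions; against a real system the same SELECT runs over the full tables (adjusted to the database dialect), or a DD extract replaces load_sample_db().

```python
"""Locate personal-data fields by searching the ABAP Dictionary text tables:
DD03L (fields per table) joined to DD04T (data-element short texts) and
DD02T (table short texts).

Added example, not ERPScan code. The rows below are a constructed extract.
"""
import sqlite3

# Constructed sample rows. Only the columns the query needs are modelled.
DD02T = [  # TABNAME, DDLANGUAGE, DDTEXT (table short text)
    ("KNA1", "E", "General Data in Customer Master"),
    ("KNBK", "E", "Customer Master (Bank Details)"),
    ("ADR6", "E", "E-Mail Addresses (Business Address Services)"),
    ("VCNUM", "E", "Payment cards: Card master data"),
    ("T001", "E", "Company Codes"),
    ("ZPATIENT", "E", "Custom patient registry"),
]
DD03L = [  # TABNAME, FIELDNAME, ROLLNAME (data element)
    ("KNA1", "KUNNR", "KUNNR"),
    ("KNA1", "NAME1", "NAME1_GP"),
    ("KNA1", "STCD1", "STCD1"),
    ("KNBK", "BANKN", "BANKN"),
    ("ADR6", "SMTP_ADDR", "AD_SMTPADR"),
    ("VCNUM", "CCNUM", "CCNUM"),
    ("T001", "BUKRS", "BUKRS"),
    ("ZPATIENT", "DIAG", "ZZ_DIAGNOSIS"),
]
DD04T = [  # ROLLNAME, DDLANGUAGE, DDTEXT (data-element short text)
    ("KUNNR", "E", "Customer Number"),
    ("NAME1_GP", "E", "Name 1"),
    ("STCD1", "E", "Tax Number 1"),
    ("BANKN", "E", "Bank account number"),
    ("AD_SMTPADR", "E", "E-Mail Address"),
    ("CCNUM", "E", "Payment card number"),
    ("BUKRS", "E", "Company Code"),
    ("ZZ_DIAGNOSIS", "E", "Medical diagnosis (custom)"),
]

# Assumed keyword list: presence in a data-element or table text suggests personal data.
PII_KEYWORDS = ["name", "address", "e-mail", "bank", "tax number", "card",
                "medical", "birth", "phone"]


def load_sample_db() -> sqlite3.Connection:
    """In-memory SQLite copy of the three dictionary tables, filled from the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE DD02T (TABNAME TEXT, DDLANGUAGE TEXT, DDTEXT TEXT);
        CREATE TABLE DD03L (TABNAME TEXT, FIELDNAME TEXT, ROLLNAME TEXT);
        CREATE TABLE DD04T (ROLLNAME TEXT, DDLANGUAGE TEXT, DDTEXT TEXT);
    """)
    conn.executemany("INSERT INTO DD02T VALUES (?, ?, ?)", DD02T)
    conn.executemany("INSERT INTO DD03L VALUES (?, ?, ?)", DD03L)
    conn.executemany("INSERT INTO DD04T VALUES (?, ?, ?)", DD04T)
    return conn


def find_personal_data_fields(conn, keywords=PII_KEYWORDS, lang="E"):
    """Return (TABNAME, FIELDNAME, ROLLNAME, element text, table text) for every
    field whose data-element text OR whose table text contains a keyword.
    The table text catches whole tables such as KNBK (bank details); the
    data-element text catches single fields in otherwise harmless-looking
    tables, including custom Z tables."""
    cond = " OR ".join(
        ["instr(lower(e.DDTEXT), ?) > 0 OR instr(lower(t.DDTEXT), ?) > 0"] * len(keywords)
    )
    params = [lang, lang]              # bound in order of appearance: joins first, then WHERE
    for kw in keywords:
        params += [kw.lower(), kw.lower()]
    sql = f"""
        SELECT f.TABNAME, f.FIELDNAME, f.ROLLNAME, e.DDTEXT, COALESCE(t.DDTEXT, '')
          FROM DD03L f
          JOIN DD04T e ON e.ROLLNAME = f.ROLLNAME AND e.DDLANGUAGE = ?
          LEFT JOIN DD02T t ON t.TABNAME = f.TABNAME AND t.DDLANGUAGE = ?
         WHERE {cond}
         ORDER BY f.TABNAME, f.FIELDNAME
    """
    return conn.execute(sql, params).fetchall()


def tables_with_personal_data(conn, keywords=PII_KEYWORDS):
    """Distinct tables from find_personal_data_fields(), sorted: the inventory
    that feeds the 'find users' and access-restriction steps."""
    return sorted({row[0] for row in find_personal_data_fields(conn, keywords)})


if __name__ == "__main__":
    db = load_sample_db()
    for tab, fld, de, etext, ttext in find_personal_data_fields(db):
        print(f"{tab:<10}{fld:<12}{de:<14}{etext!r:<32} table: {ttext}")
    print("tables:", ", ".join(tables_with_personal_data(db)))
```

Note that the custom table ZPATIENT is found only through its data-element text, which is the usual case for Z tables: their table descriptions rarely say "personal", so a search restricted to DD02T misses them.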

Page 14: 2. FIND USERS: Overview of communication channels

• Business transactions and reports
• SAP tables:
  • table browsing and maintenance transactions: SE16, SE16N, SE17, SM30, SM31, etc.
  • proxy transactions like SPRO (which call the aforementioned ones internally)
  • SAP Query (SQVI, SQ01, …)
• RFC functions
• Databases (HANA, Oracle)
• SAP services:
  • Gateway
  • Message Server
  • SOAP Interface

(Diagram labels: Access controls; Other security controls)

Page 15: 2. FIND USERS BY S_TABU_* AUTHORIZATIONS

Page 16: 2. FIND USERS OF TRANSACTION

• Standard data-related transactions:
  • Customers: FD02
  • Vendors: FK02, M-01
  • Addresses: VCUST
  • Business partners: BP
  • Users: SU01, SU10, SUGR, PA30
  • Credit cards: PRCCD

• Find more:
  1. Search for programs using data-related tables (SE80 \ Repository Information System \ ABAP Dictionary \ Database Tables)
  2. Find transactions related to the program (SE80, or table TSTC)
  3. Find users having S_TCODE authorizations to run the transactions

Page 17: How to evaluate security controls?

Page 18: 3. EVALUATE SECURITY CONTROLS

Authentication
• Password policy
• Privileged users
• SSO checks

Monitoring
• Log settings: security audit log, system log, gateway, HTTP, SQL logs …
• CCMS settings

Access control
• Assignment of authorization groups to tables and ABAP programs
• RFC authorization checks
• Unblocked critical transactions (SM59, SCC5, SM32, …)

Encryption
• SSL options
• SNC options

Insecure configuration
• Gateway, RFC, ICF, MMC, GUI, Web Dispatcher, …

List of connected systems
• RFC, DBCON, HANA, XI …

Page 19: How to record personal data access?

Page 20: ENABLE LOGGING

• Network level:
  • SAProuter
  • ICM and Web Dispatcher
  • Message Server
  • HTTP logs

• SAP system level:
  • System Log
  • Security Audit Log
  • Authorization Traces

• Object level:
  • Transport System Changes
  • Table Changes
  • Document Changes

• Interface level:
  • Read Access Logging
  • UI Masking
  • UI Logging

Page 21: SECURITY AUDIT LOG

How to enable logging:
1. Create audit profiles (SM19)
2. Configure parameters:
   rsau/enabled = 1
   rsau/max_diskspace/local = 2000M
3. Activate profiles

What can be recorded?
• RFC Logon
• RFC Function Call
• Report Start
• Transaction Start
• Dialog Logon
• User Master Record Change
• System

Recommended audit profiles:

Name                 Events         Audit Classes   Client   User Name/Group
Everything critical  Only Critical  *               *        *
Special users        All            *               *        SAP#* / SUPER
All actions          All            *               *        *

Page 22: How to detect data breaches?

Page 23: WHAT DOES AN SAP DATA BREACH LOOK LIKE?

• Scanning for vulnerable services and default SAP pages
• Brute force against default users
• Attempts to exploit SAP vulnerabilities
• Maintenance actions (SE16, SU02) by non-administrative users
• Spike of downloads (RFC_READ_TABLE, report downloads, etc.)
• User anomalies: new IP address, never-seen TCODE, execution outside working hours (or at lunch time)
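The indicators above turned into detection rules, as an added example (not ERPScan code and not the Smart Cybersecurity Platform's logic): brute force against a default user, maintenance transactions by non-administrators, an RFC_READ_TABLE spike, and the three user anomalies. The events are a constructed sample in a key=value line format that stands in for what a SIEM extracts from the Security Audit Log (real SAL records carry message IDs such as AU3 rather than the EVENT names used here); the administrator list, working hours, thresholds and per-user baselines are assumptions a site would set for itself.

```python
"""Breach-indicator rules over constructed Security-Audit-Log-style events.

Added example, not ERPScan code. Event format, baseline and thresholds are
constructed assumptions.
"""
from collections import Counter

# Assumed site configuration (constructed).
ADMINS = {"BASIS01"}
MAINTENANCE_TCODES = {"SE16", "SE16N", "SM30", "SM31", "SU01", "SU02", "SU10", "PFCG", "SM59"}
DEFAULT_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}
WORK_HOURS = range(8, 18)      # 08:00-17:59 is working time
RFC_READ_SPIKE = 20            # RFC_READ_TABLE calls per user per hour
FAILED_LOGON_SPIKE = 10        # failed logons per default user per hour
BASELINE = {                   # usual addresses and transactions per user
    "JSMITH": {"ips": {"10.1.2.30"}, "tcodes": {"VA01", "VA02", "VA03"}},
    "BASIS01": {"ips": {"10.1.2.10"}, "tcodes": {"SE16", "SU01", "SM59"}},
}


def build_sample_events():
    """Constructed log: a normal sales-clerk morning, the same clerk at 03:00 from
    an unknown address running SE16 and bulk RFC_READ_TABLE, a password-guessing
    run against SAP*, and an administrator doing legitimate maintenance."""
    lines = [
        "2018-04-17T09:05:00 USER=JSMITH CLIENT=100 EVENT=TX_START TCODE=VA01 IP=10.1.2.30",
        "2018-04-17T09:06:10 USER=JSMITH CLIENT=100 EVENT=TX_START TCODE=VA03 IP=10.1.2.30",
        "2018-04-17T03:12:05 USER=JSMITH CLIENT=100 EVENT=TX_START TCODE=SE16 IP=198.51.100.7",
        "2018-04-17T10:00:00 USER=BASIS01 CLIENT=100 EVENT=TX_START TCODE=SE16 IP=10.1.2.10",
    ]
    lines += [f"2018-04-17T03:13:{i:02d} USER=JSMITH CLIENT=100 EVENT=RFC_CALL "
              f"FUNC=RFC_READ_TABLE IP=198.51.100.7" for i in range(25)]
    lines += [f"2018-04-17T02:00:{i:02d} USER=SAP* CLIENT=000 EVENT=LOGON_FAILED IP=203.0.113.9"
              for i in range(30)]
    return lines


def parse_event(line):
    """'<ISO timestamp> KEY=VALUE ...' -> dict, plus HOUR and a per-hour BUCKET."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["TS"] = ts
    ev["HOUR"] = int(ts[11:13])
    ev["BUCKET"] = ts[:13]
    return ev


def detect(lines, baseline=BASELINE):
    """Return sorted (rule, user, detail) alerts. Each rule fires once per
    user and key, so a burst of identical events yields a single alert."""
    alerts = set()
    rfc_reads = Counter()
    failed_logons = Counter()
    for ev in map(parse_event, lines):
        user, kind = ev["USER"], ev["EVENT"]
        if kind == "LOGON_FAILED":
            if user in DEFAULT_USERS:
                failed_logons[(user, ev["BUCKET"])] += 1
            continue
        if kind == "TX_START" and ev["TCODE"] in MAINTENANCE_TCODES and user not in ADMINS:
            alerts.add(("maintenance_by_non_admin", user, ev["TCODE"]))
        if kind == "RFC_CALL" and ev.get("FUNC") == "RFC_READ_TABLE":
            rfc_reads[(user, ev["BUCKET"])] += 1
        if ev["HOUR"] not in WORK_HOURS:
            alerts.add(("off_hours_activity", user, ev["BUCKET"]))
        profile = baseline.get(user)
        if profile:    # no baseline means novelty cannot be judged; skip these two rules
            if ev["IP"] not in profile["ips"]:
                alerts.add(("new_ip_address", user, ev["IP"]))
            if kind == "TX_START" and ev["TCODE"] not in profile["tcodes"]:
                alerts.add(("never_seen_tcode", user, ev["TCODE"]))
    for (user, bucket), n in rfc_reads.items():
        if n >= RFC_READ_SPIKE:
            alerts.add(("rfc_read_table_spike", user, f"{n} calls in {bucket}"))
    for (user, bucket), n in failed_logons.items():
        if n >= FAILED_LOGON_SPIKE:
            alerts.add(("brute_force_default_user", user, f"{n} failed logons in {bucket}"))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, user, detail in detect(build_sample_events()):
        print(f"{rule:<26} {user:<8} {detail}")
```

The administrator's SE16 at 10:00 from a known address produces nothing, while the clerk's night-time session trips four independent rules; correlating alerts on the same user and hour is what turns this from a list of findings into the breach notification timeline GDPR asks for.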

Page 24: ERPSCAN SOLUTIONS (repeats page 9)

Page 25: THANK YOU

Michael Rakutko
Head of Professional Services
[email protected]

Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
Subscribe to our newsletters: eepurl.com/bef7h1

USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301. Phone 650.798.5255
EU: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam. Phone +31 20 8932892
EU: Štětkova 1638/18, Prague 4 - Nusle, 140 00, Czech Republic

[email protected]