2 Tips in data security management: SAP interfaces

Posted by Klea Duro on Apr 5, 2024 12:00:00 AM

Have you ever thought about how much data SAP systems exchange with third-party systems or between SAP systems on their own?


How many interfaces are there? How many systems are connected? And, above all, what data and how much of it are exchanged? Who can access this data? In most cases it is business data, not purely technical data.

What types of interfaces exist in SAP?

An exhaustive list of all the possibilities is hard to draw up. Some mechanisms are certainly more widely used than others, and some have become obsolete (though they are still active in various situations). For example:

  • Downloading a file for later consultation
  • Transferring data via FTP (File Transfer Protocol)
  • Use of exposed web services
  • Calls via RFC (read about RFC security here) or other SAP proprietary data exchange mechanisms, e.g. ALE / IDoc

There is also a dedicated SAP system, which has changed its name several times over the years: SAP XI (Exchange Infrastructure), then SAP PI (Process Integration) and finally SAP PO (Process Orchestration). It is devoted exclusively to managing the exchange of data between SAP and non-SAP systems.

How can we control the data being exchanged?

Unfortunately, it is not so straightforward, for several reasons. In smaller landscapes it is probably easier to know all the exchange mechanisms that bring data into or out of SAP.

In many cases there is no structured documentation giving a clear picture of the data flows. This is compounded where there are many systems (SAP and otherwise), many projects and multiple companies involved (from the same group or from vendors).

As a result, the security of interfaces is very often either underestimated (on the assumption that only technical users are involved) or under-staffed.

It should also be considered that the exchange of information between systems, although carried out by "machines," can, and sometimes must, also be viewed and managed by administrators or process-support users.

For example, consider IDocs, which allow information to be exchanged between SAP systems. They are essentially packets of information containing data such as orders, invoices or employee data (the latter also relevant under the GDPR).

Therefore, a user who is not authorized for that (potentially sensitive) data directly, but reaches it indirectly through IDoc management, could see or even modify data outside his or her perimeter.

Clearly, blocking access for everyone is not an option: someone in the company must be able to use that data. However, these aspects are easily underestimated, so that there is no real picture of who is empowered to do what (within their overall set of permissions).

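The indirect IDoc access described above can be checked against a role export. The following is an added example, not code from the original post: it assumes the export carries the values of authorization object S_IDOCMONI (which guards IDoc monitoring) in the layout of tables AGR_1251 and AGR_USERS, that ACTVT 02 is the change activity, and all sample records are constructed.

```python
from collections import defaultdict

# Constructed sample: role authorization values in the layout of table
# AGR_1251 (role, object, field, low, high). Roles and users are made up.
ROLE_AUTHS = [
    ("Z_IDOC_MONITOR", "S_IDOCMONI", "ACTVT",   "02",     ""),
    ("Z_IDOC_MONITOR", "S_IDOCMONI", "ACTVT",   "03",     ""),
    ("Z_IDOC_MONITOR", "S_IDOCMONI", "EDI_MES", "*",      ""),
    ("Z_SD_ORDERS",    "S_IDOCMONI", "ACTVT",   "03",     ""),
    ("Z_SD_ORDERS",    "S_IDOCMONI", "EDI_MES", "ORDERS", ""),
    ("Z_HR_CLERK",     "P_ORGIN",    "INFTY",   "0002",   "0008"),
]
# Constructed sample: user-role assignments in the layout of AGR_USERS.
USER_ROLES = [("BASIS01", "Z_IDOC_MONITOR"),
              ("SALES07", "Z_SD_ORDERS"),
              ("HR03", "Z_HR_CLERK")]


def idoc_monitor_scope(role_auths, user_roles, obj="S_IDOCMONI"):
    """Aggregate, per user, the activities (ACTVT) and IDoc message types
    (EDI_MES) granted for `obj` through every assigned role."""
    per_role = defaultdict(lambda: defaultdict(set))
    for role, object_, field, low, high in role_auths:
        if object_ == obj:
            per_role[role][field].add(f"{low}-{high}" if high else low)
    scope = defaultdict(lambda: {"ACTVT": set(), "EDI_MES": set(), "roles": set()})
    for user, role in user_roles:
        if role in per_role:           # users without S_IDOCMONI are skipped
            scope[user]["roles"].add(role)
            for field in ("ACTVT", "EDI_MES"):
                scope[user][field] |= per_role[role][field]
    return dict(scope)


def broad_idoc_access(scope, change_activity="02"):
    """Users whose EDI_MES contains '*' can open IDocs of every message type
    (orders, invoices, HR data alike). Result: user -> 'change' or 'display'.
    ACTVT 02 is assumed to be the change activity."""
    findings = {}
    for user, s in scope.items():
        if "*" in s["EDI_MES"]:
            findings[user] = "change" if change_activity in s["ACTVT"] else "display"
    return findings


if __name__ == "__main__":
    for user, level in broad_idoc_access(idoc_monitor_scope(ROLE_AUTHS, USER_ROLES)).items():
        print(f"{user}: {level} access to IDocs of all message types")
```

Users reported with "change" are the ones to review first against the business data they are actually supposed to handle.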

2 Suggestions to check out

What should you check, then? Here are two suggestions to start from:
