2 Tips in data security management: SAP interfaces

Posted by Klea Duro on Apr 5, 2024 8:15:00 AM

Have you ever thought about how much data SAP systems exchange with third-party systems or between SAP systems on their own?

 

sap data leak

 

How many interfaces are there? How many systems are connected? And especially what and how much data are exchanged? Who can have access to this data? In most cases this is business data so not purely technical.

What types of interfaces exist in SAP?

I find it difficult to be able to make an exhaustive list of all possibilities. Certainly some are more widely used than others, just as some have become obsolete (but still active in various situations) than others for example:

 

  • Downloading a given file for later consultation
  • View data via FTP (File Transfer Protocol)
  • Use of exposed webservices
  • Calls via RFC (RFC security read here) or other SAP proprietary data exchange systems e.g. ALE / IDoc

 

There is also a specific SAP system that has also changed several names over time:

SAP XI (Exchange Infrastructure), SAP PI (Process Integration) and finally SAP PO (Process Orchestration) dedicated exclusively to managing the exchange of data between SAP and non-SAP systems.

 

How can we control the data being exchanged?

Unfortunately, it is not so straightforward. For several reasons. Probably in less extensive contexts, it is easier to know all the exchange mechanisms that occur from SAP input or output.

 

In many cases there is no structured documentation that provides a clear representation of the data flow. This is compounded in contexts where there are many systems (SAP and otherwise) many projects and multiple companies involved (from the same group or vendors).

 

These aspects mean that very frequently the management of interface security is either underestimated (assuming that they are technical users involved) or less manned.

 

It should also be considered that the exchange of information between systems, despite being managed by "machines," must/can then also be seen and managed by administrator or process-support users.

 

For example, imagine the system of IDocs that allows information to be exchanged between SAP systems. They are actually packets of information that contain data, for example of orders, invoices or employee data (also GDPR relevant).

 

Therefore, a user who is not enabled to that (potentially sensitive) data directly but indirectly through IDoc management could see or even modify, data outside his or her perimeter.

 

Clearly it is inconceivable to block access to anyone. Someone in the company must be able to use that data. However, it can happen that these aspects are underestimated and therefore there is no real sense of who is empowered to do things (in its more overall set of permissions)

 

2 Suggestions to check out

 

What to check out then? Here are two suggestions from which you can start:

 

 

Iscriviti al blog se ancora non lo hai fatto!

 

Topics: auditgdprsap data maskingdata privacysap data obfuscation

Yes Subscribe!

Blog Aglea, what you could find out?

Every Friday a new post, interview or content related to SAP Security.

  • Tips on how to design SAP Security
  • How to
  • Checklist
  • Common error and pitfall on security SAP
  • Interview with experts
  • Who we are and Aglea vision on SAP Security

Recent Posts

Post By Topic

See all

SAP Security Blog AGLEA RSS Feed

Aglea s.r.l. - Subject to the management and coordination of Horsa S.p.A. - P. IVA: IT 03868780960 - 2024 | Privacy Policy - Cookie Policy