Have you ever thought about how much data SAP systems exchange with third-party systems, or with other SAP systems?
How many interfaces are there? How many systems are connected? And above all, what data is exchanged, and how much? Who can access that data? In most cases it is business data, not purely technical data.
What types of interfaces exist in SAP?
I find it difficult to make an exhaustive list of all the possibilities. Some are certainly more widely used than others, and some have become obsolete (but are still active in various situations). For example:
- Downloading a given file for later consultation
- Viewing data via FTP (File Transfer Protocol)
- Using exposed web services
- Calls via RFC (see the post on RFC security) or other SAP proprietary data exchange mechanisms, e.g. ALE / IDoc
There is also a dedicated SAP system, which has changed its name several times over the years:
SAP XI (Exchange Infrastructure), then SAP PI (Process Integration) and finally SAP PO (Process Orchestration). It is dedicated exclusively to managing the exchange of data between SAP and non-SAP systems.
How can we control the data being exchanged?
Unfortunately, it is not so straightforward, for several reasons. In smaller landscapes it is probably easier to know all the exchange mechanisms that flow into or out of SAP.
In many cases there is no structured documentation that gives a clear picture of the data flows. This is compounded in landscapes with many systems (SAP and otherwise), many projects and multiple companies involved (from the same group, or vendors).
As a result, the security of interfaces is very often either underestimated (on the assumption that only technical users are involved) or under-staffed.
It should also be considered that the exchange of information between systems, although handled by "machines", can (and must) then also be viewed and managed by administrators or process-support users.
For example, consider IDocs, which allow information to be exchanged between SAP systems. They are actually packets of information that contain data, for example orders, invoices or employee data (which is also GDPR-relevant).
As a result, a user who is not authorized for that (potentially sensitive) data directly, but who can reach it indirectly through IDoc management, could see or even modify data outside his or her perimeter.
Clearly it is inconceivable to block access for everyone: someone in the company must be able to use that data. However, these aspects can be underestimated, so that there is no real sense of who is empowered to do what (within their overall set of permissions).
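To make the indirect-access problem concrete, here is an added example (not code from the original post, and not SAP's own IDoc implementation): a toy "IDoc monitor" that parses fixed-width data records and decides, field by field, whether a given user may see the value in clear or only a masked version. Everything in it is constructed for illustration: the record layout is a simplified stand-in for an IDoc data record (it is not the real EDI_DD40 layout), the segment names ZEMPLOYEE and ZPAYMENT and their field layouts are invented, and the authorization names are plain strings standing in for the authorization objects a real system would check. The point it demonstrates is the one made above: a user with access to IDoc management sees the whole payload unless the display layer itself enforces the data owner's authorizations.

```python
"""Toy IDoc monitor with display-time masking (constructed example, not SAP code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed segment layouts: field name -> (offset, length) inside the payload.
SEGMENT_LAYOUTS: Dict[str, Dict[str, Tuple[int, int]]] = {
    "ZEMPLOYEE": {"PERNR": (0, 8), "LASTNAME": (8, 20), "BIRTHDATE": (28, 8), "SALARY": (36, 10)},
    "ZPAYMENT": {"PERNR": (0, 8), "IBAN": (8, 22), "AMOUNT": (30, 10)},
}

# Sensitive fields and the (constructed) authorization needed to see them in clear.
SENSITIVE_FIELDS: Dict[Tuple[str, str], str] = {
    ("ZEMPLOYEE", "BIRTHDATE"): "HR_PERSONAL_DATA",
    ("ZEMPLOYEE", "SALARY"): "HR_PAYROLL",
    ("ZPAYMENT", "IBAN"): "FI_BANK_DATA",
}


@dataclass
class Segment:
    segnum: str
    segnam: str
    fields: Dict[str, str] = field(default_factory=dict)


def build_record(segnum: str, segnam: str, values: Dict[str, str]) -> str:
    """Serialize one data record: 6-char segment number, 10-char segment name, payload."""
    layout = SEGMENT_LAYOUTS[segnam]
    width = max(off + ln for off, ln in layout.values())
    payload = [" "] * width
    for name, (off, ln) in layout.items():
        value = values.get(name, "")
        if len(value) > ln:
            raise ValueError(f"value for {name} exceeds {ln} characters")
        payload[off:off + ln] = list(value.ljust(ln))
    return f"{segnum:<6}{segnam:<10}" + "".join(payload)


def parse_record(line: str) -> Segment:
    """Parse one fixed-width record into a Segment; unknown segments are rejected."""
    segnum, segnam, payload = line[0:6].strip(), line[6:16].strip(), line[16:]
    layout = SEGMENT_LAYOUTS.get(segnam)
    if layout is None:
        raise ValueError(f"unknown segment {segnam!r}")
    fields = {name: payload[off:off + ln].strip() for name, (off, ln) in layout.items()}
    return Segment(segnum, segnam, fields)


def mask(value: str) -> str:
    """Mask a value for display, keeping only the last two characters of longer values."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 2) + value[-2:]


def render_for_user(segment: Segment, user_auths: Set[str]) -> Dict[str, str]:
    """Return the segment as the monitor should show it to a user with these authorizations."""
    shown = {"SEGNUM": segment.segnum, "SEGNAM": segment.segnam}
    for name, value in segment.fields.items():
        needed = SENSITIVE_FIELDS.get((segment.segnam, name))
        shown[name] = mask(value) if needed and needed not in user_auths else value
    return shown


def render_idoc(lines: List[str], user_auths: Set[str]) -> List[Dict[str, str]]:
    """Render every record of an IDoc for one user."""
    return [render_for_user(parse_record(line), user_auths) for line in lines]


def clear_text_sensitive_fields(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Audit helper: list (segnum, segnam, field, required auth) for every sensitive field in the payload."""
    findings = []
    for line in lines:
        seg = parse_record(line)
        for name in seg.fields:
            needed = SENSITIVE_FIELDS.get((seg.segnam, name))
            if needed:
                findings.append((seg.segnum, seg.segnam, name, needed))
    return findings


# Constructed sample IDoc: one employee segment and one payment segment.
SAMPLE_RECORDS: List[str] = [
    build_record("000001", "ZEMPLOYEE",
                 {"PERNR": "00012345", "LASTNAME": "Rossi", "BIRTHDATE": "19800101", "SALARY": "52000.00"}),
    build_record("000002", "ZPAYMENT",
                 {"PERNR": "00012345", "IBAN": "IT00TESTBANK0000000001", "AMOUNT": "4333.33"}),
]

if __name__ == "__main__":
    print("monitor user with no business authorizations:")
    for row in render_idoc(SAMPLE_RECORDS, set()):
        print("  ", row)
    print("payroll user:")
    for row in render_idoc(SAMPLE_RECORDS, {"HR_PAYROLL", "HR_PERSONAL_DATA"}):
        print("  ", row)
    print("sensitive fields carried in clear by this IDoc:")
    for finding in clear_text_sensitive_fields(SAMPLE_RECORDS):
        print("  ", finding)
```

Run as-is, the script shows the same IDoc twice: a monitor-only user sees names and amounts but masked birth dates, salaries and IBANs, while a payroll user sees the HR fields in clear and still not the IBAN. The `clear_text_sensitive_fields` helper is the audit side of the same idea: it enumerates which sensitive fields an IDoc carries in clear text, which is the inventory you need before deciding whether masking at display time is enough or whether the payload itself should be encrypted.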
Two suggestions to check out
So what should you check? Here are two suggestions to start from:
- Evaluate encrypting the content of IDocs (see transaction WECRYPTDISPLAY).
- Evaluate activating encryption in SAP PO; see SAP Note 1370334 - Securing Payloads in Message Monitoring.
Topics: audit, gdpr, sap data masking, data privacy, sap data obfuscation