SAP Data Loss Prevention, what to do?

What does Data Loss Prevention mean?

It means to "put in place" all the possible actions to prevent non-authorized data leaks.

Data leak and data loss have multiple meanings. But what can you do in SAP?

Fuga di dati e perdita di dati hanno significati molteplici. Ma come è possibile fare in SAP?

How to prevent and control data export in SAP?

Sadly, there isn't a unique tool or configuration to activate in SAP environments.

Instead, there are different solutions that can be used. Some paid and some readily available.

There are different areas to manage and control:

• The data communication, under different aspects. Server to Server or Client to Server
• The data backup or possible deposited files in the transit
• The end point or client protection
• The applicative export of data from SAP
• The data export at a database level

There are just a couple of examples to work on.

SAP Security Audit Log

It's a functionality available in SAP ECC or SAP S/4HANA or on all ABAP based systems, that lets you trace a series of events, including the data export from SAP (in the latest releases)

Learn more on how the SAP Security Audit Log works and how to configure it

SAP Field Masking

In this case, thanks to this SAP paid add-on it's possible to activate two main functionalities:

• Data Masking or Data Obfuscation meaning, on an applicative level, therefore not at a data modification level in the database, the data are made non readable, for example with the use of asterisks ***
• Data Logging in this case it's possible to identify critical transactions to control in terms of accessed data and who accessed them

You can do the above for different channels (technologies) meaning:

• SAP GUI
• WebDynpro
• RFC/BAPI Web Service
• SAP UI5 FIORI

Learn more about SAP Field Masking and how the UI Logging works

SAP HANA Database

Data at the database level must also be audited too, by using the SAP HANA, some aspects related to data security could be more explicit compared to other database, it's in fact possible to:

• All the connections should be configured in a secure way (therefore using encryption)
• You should encrypt the data inside the database and backup
• You should activate log specific audits to check what is happening in the system

Learn more on what you can immediately do to activate 4 SAP HANA security functionalities

SAP RFC, communication protection and encryption

The connections towards SAP systems must be configured using encryption mechanisms to prevent possible data interceptions.

On different attack surfaces:

• Client -> Server ex. SAP GUI and SAP Application Server
• Server -> Server ex. between Application Server

The services exposed by SAP should be at least introduced, in this case the standard functionality called UCON (Unified Connectivity) could be helpful.

Data export protection

There are different ways to export data from SAP. Here you can find the main ways to export data from SAP.

One of the aspects that may be further controlled is making sure that specific documents (ex. PLM but also others, financial and balance data) will be protected even after the export from SAP.

They should for instance answer the following questions:

• Is it possible to get notifications, for example in SIEM for every time data is exported from SAP
• Is it possible to make sure that the data exported in a non-authorized manner from SAP can't be used or encrypted?

What above said can be done by using a paid solution called SAP DAM (Dynamic Authorization Management) and SAP EDRM by Nextlabs

How to check if everything is configured correctly in SAP?

Once more it's not enough to just modify or do remediation projects or actions. You must activate a constant control procedure.

In this case two functionalities can be helpful inside SAP Solution Manager called:

• SAP Solution Manager Configurator Validation
• SAP Solution Manager System Recommendations

Furthermore, it's possible to use other paid softwares like the SAP Enterprise Threat Detection.