SAP Data Scrambling

Posted by Klea Duro on Jun 9, 2023 8:15:00 AM

Why is it necessary to protect data in non-production environments?


 

We discussed this on 14/05/2020 at our webinar together with EPI-USE.

 

The terminology

What does Masking mean? In this case SAP refers to the masking of data in production environments. Data are not modified at the database level; they are only anonymized when presented to the user. See the SAP product Field Masking, which lets you decide whether users see data in plain text or not.

 

  • Masking for the right to be forgotten? In that case the data are masked irreversibly in the production environment (SAP ILM).

 

What does Scrambling mean? SAP refers to the modification of data directly in the database, and thus in non-production environments. See the SAP product TDMS (Test Data Migration Server).

 

Why do SAP test systems also need to be protected?

For a variety of reasons, the main ones being:

  • Access is provided, sometimes with greater privileges, to internal and external users
  • Even an internal user could then have access to data that in production they normally do not have
  • The copying of systems from production to QAS/TEST or DEV
  • Sensitive data being moved to less manned systems
  • Managing connections between systems
  • A test system created by copying production is equivalent to the production system in terms of data
  • Test systems can be in cloud environments

 

 

But what data needs to be protected?

There are different kinds of information to be protected in SAP, especially in non-production environments.

 

There are often two requirements, completely opposite to each other:

  • I need to make data invisible, but I don't know what and where
  • When in doubt we do scrambling on everything

 

Some examples of relevant data:

 

  • Customer master data. Imagine if it were accessible to one of your competitors: they could start carrying out targeted actions to take away customers!
  • If discounts made to your customers were accessible to your competitors, it would be additional information to erode market share for your company
  • In the case of personnel management information systems, if salaries were accessible and visible to competitors, it could drive strategic resources away from the company
  • The bill of materials for a certain product. What would happen if it were in the hands of competitors?

 

Data scrambling: what to consider?

Using scripts or deleting sensitive data in test or quality environments may not be the best strategy, since those environments can and should be used to do testing.

If you don't have the data to test on, what is the point?

When selecting software to do data scrambling in SAP, these are the main parameters to consider:

 

  • Ability to make selective copies. Why always copy all data? For example:
      • Last X years
      • Only data from company Z or Y
  • Ensure consistency and distribution of data, e.g., maintain the same proportions of data. If in the productive HR system I have 50% men and 50% women, the testing system should also have the same distribution (even though I have changed names, for example)
  • Library already pre-defined (e.g., GDPR management, SoX, etc.)
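
The selective-copy, consistency and distribution criteria above, as an added Python example; it is not code from Aglea, EPI-USE or any SAP product. The column names (`emp_id`, `gender`, `company`, `year`), the name pools and the sample rows are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Hypothetical replacement pools; first names are grouped by the gender value
# that has to stay unchanged so the test data keeps the production proportions.
FIRST_NAMES = {"F": ["Ada", "Bea", "Cleo", "Dina"], "M": ["Abel", "Bram", "Carl", "Dov"]}
LAST_NAMES = ["Alder", "Birch", "Cedar", "Elm", "Fir", "Hazel"]

# Constructed sample rows standing in for an HR extract taken from production.
SAMPLE = [
    {"emp_id": "1001", "first_name": "Maria", "last_name": "Rossi", "gender": "F", "company": "Y", "year": 2022},
    {"emp_id": "1002", "first_name": "Luca", "last_name": "Bianchi", "gender": "M", "company": "Y", "year": 2021},
    {"emp_id": "1003", "first_name": "Anna", "last_name": "Verdi", "gender": "F", "company": "Z", "year": 2023},
    {"emp_id": "1004", "first_name": "Paolo", "last_name": "Neri", "gender": "M", "company": "Z", "year": 2019},
    {"emp_id": "1005", "first_name": "Sara", "last_name": "Gallo", "gender": "F", "company": "X", "year": 2022},
    {"emp_id": "1006", "first_name": "Marco", "last_name": "Riva", "gender": "M", "company": "Y", "year": 2023},
]

def _pick(key, label, pool):
    """Keyed, deterministic choice: the same key and label always give the same entry."""
    digest = hmac.new(key, label.encode("utf-8"), hashlib.sha256).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]

def scramble_employee(key, row):
    """Replace the names; gender, company and year stay as they are."""
    out = dict(row)
    # Deriving from emp_id means every table that carries this employee
    # receives the same replacement name, so joins in the test system still match.
    out["first_name"] = _pick(key, "fn|" + row["emp_id"], FIRST_NAMES[row["gender"]])
    out["last_name"] = _pick(key, "ln|" + row["emp_id"], LAST_NAMES)
    return out

def selective_copy(rows, companies, min_year):
    """Keep only the chosen companies and the years from min_year onward."""
    return [r for r in rows if r["company"] in companies and r["year"] >= min_year]

def scramble_extract(key, rows, companies, min_year):
    """Selective copy first, then scramble what is left."""
    return [scramble_employee(key, r) for r in selective_copy(rows, companies, min_year)]

def gender_distribution(rows):
    return Counter(r["gender"] for r in rows)

if __name__ == "__main__":
    for r in scramble_extract(b"constructed-demo-key", SAMPLE, {"Y", "Z"}, 2021):
        print(r)
```

The replacement pools here are tiny, so different employees can receive the same name; a real pool would be sized to the data set.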

 

 

More examples and proposed solutions? Watch the webinar we did on 14/05/2020 together with EPI-USE.

 

Watch it again here! (Italian language)

 
