Big Data + Small Gaps = Big Trouble

No security gap is too small to matter. Ignore one at your organization’s peril!

The Big World of Data

Data is the new oil. This may sound cliché, but there is no denying the fact that since the middle of the 20th century, the application of data to power businesses has been consistently growing across all industries – finance, healthcare, manufacturing, energy and resources, automobiles and aviation, logistics, entertainment, sports, and so on. Consequently, business concepts focused on data were developed, too. Today, we talk of Big Data and associated terms such as the Internet of Things, Machine-to-Machine Communication, Artificial Intelligence, and Machine Learning. These once awe-inspiring terms have now become common jargon in our everyday conversations.

What helps in the metamorphosis of so much unstructured data is the systematic analysis of inputs by analysts and data scientists, using the right technology that leads to refined data appropriate for further processing or completely actionable intelligence. This ultimately takes the form of a product IP, corporate financial numbers, or even your clients’ or employees’ personal details.

SAP and Data

Today, SAP is the leading Enterprise Resource Planning platform provider in the world. This growth is reflective of the fact that businesses need to exchange critical information for various purposes. Collaboration is the name of the game. However, such exchanges also provide gaps for data to leak through. Our research proves that such “invisible” gaps do exist, and data does leak from the environment. [1] While it is difficult to pinpoint the exact number of data breaches, their impact in financial terms clearly highlights the gravity of each breach.


Information is secure within SAP. But data is definitely at risk at endpoints and while in transit. Data does leak!


As per its 2017 cybersecurity report, ERP Scan states the following: “An average cost of a security breach in SAP is estimated at $5m USD with fraud considered as the costliest risk. A third of organizations assess the damage of fraudulent actions at more than $10m USD.”

Consider the immense complexity of production planning in a manufacturing company. Such a process requires dynamic information, such as new product specifications and complete details of processes from the plan to the finished product. This is essential for the manufacturing company. Such processes are based on a “system of systems” – a galaxy of multiple stakeholders.

With companies becoming increasingly intertwined with their partners globally, the exchange of confidential product data cannot be avoided. Poorly protected online storage is often used.

For example, this could lead to data leaks giving competitors knowledge of current product specifications that are still in the R&D stage, thus eroding the company’s competitive edge. To overcome these issues, it is crucial that companies identify download activities specifically related to R&D to assess what needs to be carefully regulated and limit what information can be pulled from the PP module based on transaction codes used. It also becomes necessary to work with a classification schema that tags highly confidential R&D information for a downstream management tool to secure.

The Issue with DLP

Data Loss Prevention (DLP) technologies exist to monitor communication channels (e.g., ports, protocols, or storage locations) and prevent certain data from leaving the perimeter (data leaks) based on pre-defined rules and/or learned user behavior. As such, DLP is an important tool in an enterprise’s data-protection toolkit. It has the advantage of providing generic protection without the need for deep integration with third-party applications. However, this advantage has a downside at the same time.


Have you read the story of the National Health Service confirming that systemic data leaks are an often overlooked security issue?


DLP is far away from where data is created (applications), and it often lacks the context and understanding of the user’s intention in order to make a reliable decision. For example, a typical DLP solution lacks the understanding of whether or not a certain file should be quarantined or allowed. This weakness usually results in a decrease in productivity for the end users who are unable to access the information they need to perform their job duties.

Streams of Data are exported from your SAP system every day. Is yours protected?

The response naturally brings SAP’s GRC framework to the forefront. Two of the main goals of GRC implementation across an enterprise are risk minimization and fraud prevention. However, gaps in a GRC framework can leave a company’s most sensitive data at risk of loss or theft. SAP Access Control provides an alerting mechanism, which notifies the appropriate personnel when a user performs critical or conflicting actions. Our solution adds to SAP Access Control functionality by monitoring actions such as extracting potentially sensitive information from SAP.

We also help prevent data from leaking during an Emergency Access Management (commonly known as Firefighter) session. Emergency Access Management is a unique feature that allows temporary, all-encompassing system access for a short period of time in a mission-critical situation. Any data downloaded or extracted from SAP during an Emergency Access Management session would not get recorded and therefore wouldn’t be visible as part of the Controller review process. Our solution helps ensure that potentially sensitive data doesn’t leak from SAP without any record or alert of the action taking place.
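The review step described above can be sketched as detection logic over an export log. This is an added example, not SECUDE's or SAP's code: the log format, the session records, the transaction-code-to-label mapping and the custom code ZPP_EXTRACT are constructed assumptions.

```python
from datetime import datetime

# Assumed classification schema: transaction code -> label (constructed).
TCODE_LABEL = {"CS03": "confidential-rd", "CA03": "confidential-rd",
               "MM03": "internal"}

# Constructed export log in an assumed "time|user|tcode|file" format.
# ZPP_EXTRACT is a made-up custom transaction code with no label.
EXPORT_LOG = """\
2024-03-04T09:12:00|JDOE|MM03|materials.xlsx
2024-03-04T10:05:30|FF_PP_01|CS03|bom_prototype.xlsx
2024-03-04T10:40:00|FF_PP_01|ZPP_EXTRACT|routing_dump.csv
2024-03-04T11:30:00|FF_PP_01|CA03|routing.xlsx
2024-03-04T12:00:00|ASMITH|CA03|routing_v2.xlsx
malformed line without fields
"""
# Constructed emergency-access sessions: (emergency ID, start, end).
SESSIONS = [("FF_PP_01", datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 11, 0))]

def parse_exports(text):
    """Return (events, rejected); unparseable lines are kept, not dropped."""
    events, rejected = [], []
    for line in text.splitlines():
        parts = line.split("|")
        try:
            if len(parts) != 4:
                raise ValueError("expected 4 fields")
            events.append((datetime.fromisoformat(parts[0]), *parts[1:]))
        except ValueError:
            rejected.append(line)
    return events, rejected

def review_queue(text, sessions):
    """List exports a reviewer must see: emergency-session or non-internal."""
    events, rejected = parse_exports(text)
    queue = []
    for when, user, tcode, name in events:
        # Unmapped transaction codes are surfaced, never assumed harmless.
        label = TCODE_LABEL.get(tcode, "unclassified")
        emergency = any(uid == user and start <= when <= end
                        for uid, start, end in sessions)
        if emergency or label != "internal":
            queue.append({"time": when.isoformat(), "user": user, "tcode": tcode,
                          "file": name, "label": label, "emergency": emergency})
    return queue, rejected

if __name__ == "__main__":
    queue, rejected = review_queue(EXPORT_LOG, SESSIONS)
    for item in queue:
        print(item)
    print("unparsed lines:", rejected)
```

The export at 11:30 falls after the session window closes, so it is queued for its label alone and not marked as an emergency-session export.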

The Big Three

So, what should data security officers do to protect invaluable data? The answer to this lies in first understanding and acknowledging, in no uncertain terms, that data does leak from the system regardless of what DLP solution or firewall is in place. It is time for data security officers to consider a paradigm shift in the way they visualize data security. More specifically, they need to consider a solution that offers the capabilities to:

(1) Monitor all data flow and user-based or protocol-based machine-to-machine communication based on classification and rights with the ability to notify authorities in real time.

(2) Block data that must not leave the SAP system.

(3) Protect data that must be shared with stakeholders outside the system such that it is accessible only to those for whom it is meant.

HALOCORE is a one-of-a-kind technology that protects intellectual property and other sensitive information extracted from SAP systems. By integrating directly with SAP, HALOCORE protects extracted documents containing sensitive information with intelligent classification, strong encryption, and fine-grained access policies. This innovative approach allows enterprises to maintain a high level of control and security over sensitive documents extracted from SAP throughout their lifetime, even if these have been shared via email, downloaded to a recipient’s PC, moved to a mobile device, or uploaded to the cloud.

To know how SECUDE can protect your vital information, be it financial, IP, operations, customer or even about your employees, visit our HALOCORE page.

Reference

[1] Based on first-hand interaction with CISOs and other security practitioners, SECUDE’s experts know that while data is secure within SAP, data in motion is open to risk. Contact us to understand how to identify these gaps and what needs to be done to block or protect your data.

[2] ERP Cybersecurity Survey 2017
