Data-centric security: Protecting the lifeblood of your business

“Organizations victimized by breaches have not fully appreciated the value of data as the lifeblood of business”, says a recent Accenture Security report.

Commonalities of a data breach

In its paper titled ‘Achieving Data-Centric Security’, Accenture states that all data breaches share three common elements, regardless of where, when, or in which industry they occur. First, data breaches cost heavily. Second, the leaders of victimized organizations do not fully appreciate that data is the lifeblood of their business. Third, there are multiple points of failure, and each point is critical.

While this may sound familiar and weighty enough to elicit serious consideration by those accountable for data security, research reveals that it does not. Day-to-day operational requirements and user experience tend to take priority on a CIO’s calendar. Why is this so?

What is not known is ignored

IT and SAP administrators or operations managers typically ignore the security issues caused by uncontrolled downloads (even leakages), as they most probably do not know how to solve them. Typically, they do not highlight a security issue for which they have no solution, because a known security problem has to be solved or its risk mitigated. This is one of the most fundamental reasons why administrators do not show a need for data security solutions. (This is especially strange given the plethora of data leak and data theft stories published with almost regular frequency around the world.)

Popular but not true

The popular belief and claim of administrators is that SAP data security is completely covered by the SAP authorization concept. Incidentally, this is also SAP’s claim, although it is not essentially true. What’s more, solving the security issues of exported SAP data is not considered an SAP problem, as the data is then outside SAP.

Why isn’t there knowledge in the market?

Until recently, neither SAP nor typical consulting organizations took up the task of evangelizing the issue of exported SAP data security. It is well known that consultants go by the ‘current agenda’ of their customers and only provide corresponding services. Thus, there is “no need to protect SAP data exports as no customer requests it and SAP doesn’t see this as a problem”.

A gradual shift

Today, SECUDE is seeing a gradual change in the consulting business and a growing resonance with companies on the issues of data security. Consulting behemoths, such as Accenture, are now talking about data-centric security as a new security strategy to protect IP. (Read the stories given in the Reference section.)

Point to ponder

It is high time that SAP and IT administrators, CIOs, CISOs, and even business leaders take a deep and holistic look at data-centric security.

As per a Government Business Council survey, data encryption, abstracted data-level security controls and data object access management are now becoming the top three approaches agencies leverage to secure data. In enterprise software, such as SAP, access management is assumed to guarantee adequate security. However, research reveals that it may not be so.

If your organization’s data resides in SAP, you need to think beyond data security solutions that come as part of the ‘package’. It’s time you gave thought to a dedicated data protection solution for SAP.

Reference

[1] What if there was a security breach… and nobody cared?

[2] Achieving Data-Centric Security

[3] Government Business Council, Flash Poll, September 2016 as given in Accenture paper ‘What if there was a security breach… and nobody cared’.
