Minute Read: 3 minutes

Four steps to spot and stop data theft in your SAP landscape

Gaps exist in SAP GRC framework. There is a real need to beef it up!

Data leakage, for organizations, spells disaster. News reports are replete with such stories globally – often naming large corporations as victims.

Close the doors and leave the ventilator open

IT departments often invest large proportions of their annual budget in multi-tier data security solutions thus effectively shutting the gates and doors to any outside-in attacks. Stringent IT policies take care of a large portions of internal security, beefing up the systems landscape. These, together, take care of the big risks and the sublime Trojans.

But what about your ‘employee of the year’? Has it ever struck you that sometimes, he or she could be the black sheep sneaking away with vital data? Or maybe it may be a innocuous act that may reveal more than what you would want.

Research decisively reveal that 60% of attacks are perpetuated by insiders (people you trust!) and the majority of these have malicious intent.

So how do you spot and stop data theft by malicious insiders in your SAP landscape?

Step #1: Know what data is leaving SAP

Classify documents at creation and log all export activity. Audit logging and classification functionality are essential for the identification of SAP transactions that result in the export of data from your system.

To thwart insiders leaking data, the ability to log these export related transactions, classify or “tag” data for sensitivity, and add RMS/AIP protection at the point of creation is invaluable.

To stop malicious insiders, the ability to audit and classify gives you the ability to see, track, and report on what data is being exported and by whom.

How to protect and stop data theft in SAP landscape

Step #2: Enable checks to alert on suspicious download behavior

You can leverage your SAP system and applications to handle alerts and notifications. Take advantage of this core functionality.

One of the most common methods of this among SAP users is to use the Access Control component of SAP GRC to receive and process alerts. It is important to be able to generate alerts in near real-time to GRC and automatically email stakeholders separately in the event of sensitive export activity.

Step #3: Block exports to prevent malicious leaks

Traditional data loss prevention (DLP) solutions do not have full contextual awareness and cannot make the most accurate automated decisions on what should and should not be allowed to leave the corporate network.

It is necessary to have contextual awareness in an SAP native DLP environment so as to improve security decisions as they are made by analyzing the who, what, where, when, and why of sensitive data in an enterprise.

By being aware of what sensitive data resides within different SAP applications, which application it came from (HR, FI, etc.), which authorizations and permissions relate to it, security administrators can make intelligent security decisions regarding which policies to apply to sensitive data exiting SAP.

Step #4: Use an EDRM to protect exported data perpetually

Digital Rights Management technology (DRM) is most popularly associated with entertainment and educational content such as e-books and other copyrighted digital media. DRM places restrictions on copying and viewing this information. Why shouldn’t you use this technology for your data exports?

EDRM sometimes referred to as Information Rights Management (IRM) is a core-data-centric technology that offers uninterrupted protection to unstructured data.

EDRM protects sensitive information/data everywhere by managing and enforcing access and usage rights to the information throughout its lifecycle, no matter where the information is distributed.


Notwithstanding regulations such as GDPR, CCPA companies need to shift focus to the insider threat. Outsider threats, while still an important consideration in cyber security, account for only 40% of malicious attacks on your system while 60% potentially come from trusted insiders.

The need for an audit and classification process coupled with checks and balances to notify stakeholders in the event of a sensitive export; a context aware DLP solution, and the application of encrypted protection using a DRM to perpetually protect data based on assigned permissions are greater than ever before.

For more information about HALOCORE®, you can read about HALOCORE here.

Related Reading

[1] Protecting corporate information in the SAP data security space

[2] Dark Web augments insider threat for organizations

[3] Number of data breaches has gone up, but data security is still not top priority

[4] Compromised data is compromised security


[1] SAP Security on Premise and in the Cloud with HALOCORE

Comments are closed.