What is the first step towards data-centric security?

In the chaotic world of data security, what is the first, and most important, step organizations should take towards data-centric security?

The haunting continues…

Facebook is back in the limelight, and for the same reason: the social media company’s handling of user data. You will recall that its data was mishandled by a now-defunct British consulting company called Cambridge Analytica. The US Federal Trade Commission has approved a $5 billion settlement over this issue.

The biggest question that this affair brings to the fore is: Is your data safe with partners you ‘trust’?

Well, that isn’t all. Another behemoth brand, British Airways, was recently in the news too, for the wrong reasons. The national carrier faces a whopping 183.4 million pounds ($230 million) fine over data theft. Reportedly, the airline lost the records of 500,000 customers when its website was hacked and “customer details such as login, payment card and travel booking details as well as names and addresses were harvested”, as per a Reuters report. [1]

Marriott’s Starwood hotel chain is another case in point. The hotel group has been fined almost £100m for breaking privacy laws after a major cyberattack opened up its treasure trove of customer data (over 339 million customers), which included credit card details, passport numbers and other personal data. [2]

The repercussions of these data theft incidents are yet to be felt in full. While the organizations involved have now acknowledged the breaches and are beginning to face regulatory action, the impact on the individual customers whose data was leaked is still to come.

It all starts due to a complete lack of visibility

Let us extrapolate this to the world of SAP.

Business processes, today, rely heavily on SAP applications that handle product lifecycle, finance, customer relationship, human resource and many other processes. These applications store and transact vast amounts of business-critical information. SAP clients have long realized that their business revolves around information. However, most SAP users are unaware of a hidden danger – data leaks due to uncontrolled user downloads and data flows in the background. Thus, with digital transformation, solutions that monitor and block such leaks from SAP applications become a must.

A blind spot in SAP puts your IP at risk

On a regular basis, users export sensitive data from SAP applications to generate reports, spreadsheets, PDFs, and other documents. The information is then downloaded and stored on devices, such as USB thumb drives and local hard disks, or, increasingly, on mobile devices and in cloud storage solutions, such as Dropbox and Microsoft OneDrive. Such data often end up in places beyond your control, such as on the file share of an untrustworthy partner or the inbox of a competitor. Even on trusted employee devices, with the increase in sophistication of malware and Trojans, the risk of data loss has never been higher.

Is GRC enough?

One of the main goals of a GRC implementation across an enterprise is risk minimization and fraud prevention. However, there are large gaps in a GRC framework that can leave a company’s most sensitive data at risk of loss or theft. SAP Access Control provides an alerting mechanism which notifies the appropriate personnel when a user performs critical or conflicting actions. Unfortunately, the real-time agents delivered with SAP Access Control don’t provide any functionality for monitoring actions such as extracting potentially sensitive information from SAP.

Another gap exists in Emergency Access Management (commonly known as Firefighter). Emergency Access Management is a unique feature that allows temporary, all-encompassing system access for a short period of time in a mission-critical situation. Any data downloaded or extracted from SAP during such an Emergency Access Management session would not get recorded and therefore won’t be visible as part of the Controller review process. That could lead to potentially sensitive data leaking from SAP without any record or notice.

Damocles’ sword of compliance

Compliance with regulations, such as GDPR, NIAP, APEC CBPR, BASEL, SOX, FISMA, HIPAA and others, is increasingly becoming mandatory, kind of like Damocles’ sword.

While the IT security industry has been attempting to meet these requirements for many years through solutions, such as Data Loss Prevention (DLP), application firewalls or file storage encryption, there are still cracks in the armor. The problem with these approaches is that they are many steps away from the point where data leaves the secure perimeter of the application and its access control mechanisms.

First steps, first

Most companies run their businesses very effectively on SAP but have very little knowledge of, or control over, how documents are extracted from SAP systems, how those documents are subsequently shared, or who is accessing them. This leaves companies at a high risk of data loss due to malicious or accidental actions. The result is obvious and all too painful to see, as in the recent cases cited above.

By providing the ability to view the who, what, where, and when of any given transaction, managers can identify insider threats amongst employees or contractors. The data retrieved from the audit log will clearly show whether, for example, employees in the sales department have unforeseen access to sensitive HR or financial information. This plain visibility into business activities allows an enterprise to isolate its internal threats and close the gaps in SAP security for optimal data integrity.

HALOCORE MONITOR – Keeping a dedicated eye on data flows

HALOCORE’s MONITOR records and classifies all activity surrounding your business-critical data as it is exported from SAP. HALOCORE’s enhanced logging and auditing features give you critical visibility into sensitive data distribution, allowing internal and external audit teams to identify risky areas, users, or transactions. Unlike other auditing solutions, HALOCORE not only records activity but also adds intelligent classification. All extraction activity is aggregated in a fully customizable audit log, which visualizes data downloads based on user, file type, file size, transaction, application, path, terminal, IP address, and classification label. MONITOR is a powerful tool that can help you prevent sensitive data loss and lower compliance costs.
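To make the who/what/where/when review described above concrete, here is an added example that is not SECUDE’s or HALOCORE’s code: a small Python analyser that runs over a constructed, pipe-separated export log. The log format, the field names, the department-to-classification-label mapping and the drive letters treated as removable media are all assumptions made for this example. It flags the three situations the post raises: a department exporting data labelled for another department, exports made during an Emergency Access (Firefighter) session, and exports landing on removable media or cloud sync folders.

```python
"""Added example (not HALOCORE code): review an SAP export audit log.

Each line of the constructed log records who exported what, from which
transaction, to where, when, and with which classification label.
The format and every field name are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class ExportEvent:
    when: datetime
    user: str
    department: str
    transaction: str   # SAP transaction code the data was exported from
    file_type: str
    size_kb: int
    destination: str   # folder on the client where the file was written
    label: str         # classification label attached at export time
    firefighter: bool  # True if exported under an Emergency Access session


# Constructed sample log (hypothetical format): ts|user|dept|tcode|type|kb|dest|label|ff
SAMPLE_LOG = """\
2019-07-15T09:02:11|jsmith|SALES|VA05|XLSX|240|C:\\Users\\jsmith\\Documents|INTERNAL|0
2019-07-15T09:14:52|jsmith|SALES|PA20|PDF|85|E:\\|HR-CONFIDENTIAL|0
2019-07-15T10:31:07|akumar|FINANCE|FBL3N|XLSX|5120|C:\\Users\\akumar\\OneDrive|FIN-RESTRICTED|0
2019-07-15T22:45:30|ff_ops01|IT|SE16|CSV|18400|C:\\Temp|HR-CONFIDENTIAL|1
"""

# Labels each department is expected to handle (assumption for the example).
# Anything else is the "unforeseen access" the post talks about.
EXPECTED_LABELS = {
    "SALES": {"INTERNAL", "SALES-CONFIDENTIAL"},
    "FINANCE": {"INTERNAL", "FIN-RESTRICTED"},
    "HR": {"INTERNAL", "HR-CONFIDENTIAL"},
    "IT": {"INTERNAL"},
}

# Destinations outside the organisation's control in this constructed setup.
REMOVABLE_PREFIXES = ("E:\\", "F:\\")
CLOUD_MARKERS = ("OneDrive", "Dropbox")


def parse_log(text: str) -> List[ExportEvent]:
    """Turn the pipe-separated log text into ExportEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, tcode, ftype, kb, dest, label, ff = line.split("|")
        events.append(ExportEvent(datetime.fromisoformat(ts), user, dept, tcode,
                                  ftype, int(kb), dest, label, ff == "1"))
    return events


def find_findings(events: List[ExportEvent]) -> List[Dict]:
    """Apply the three review rules; one finding per event that trips any rule."""
    findings = []
    for e in events:
        reasons = []
        if e.label not in EXPECTED_LABELS.get(e.department, set()):
            reasons.append(f"{e.department} user exported {e.label} data")
        if e.firefighter:
            # Firefighter sessions are exactly where GRC review has no record.
            reasons.append("export during Emergency Access (Firefighter) session")
        if e.destination.startswith(REMOVABLE_PREFIXES) or any(
                m in e.destination for m in CLOUD_MARKERS):
            reasons.append(f"destination outside controlled storage: {e.destination}")
        if reasons:
            findings.append({"when": e.when.isoformat(), "user": e.user,
                             "transaction": e.transaction, "reasons": reasons})
    return findings


def totals_by_user(events: List[ExportEvent]) -> Dict[str, int]:
    """Aggregate exported volume (KB) per user, the kind of roll-up an audit log offers."""
    totals: Dict[str, int] = {}
    for e in events:
        totals[e.user] = totals.get(e.user, 0) + e.size_kb
    return totals


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_findings(evs):
        print(f["when"], f["user"], f["transaction"], "; ".join(f["reasons"]))
    print(totals_by_user(evs))
```

The first event (a sales user exporting an internally labelled sales report to a local folder) produces no finding; the other three do, which is the point: a plain record of every export, plus a classification label, is what lets a reviewer separate routine business activity from the cases worth a second look.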

To know how SECUDE can protect your vital information, be it financial, IP, operations, customer or even about your employees, visit our HALOCORE page.

References

[1] British Airways faces record 183.4 million pounds fine over data theft

[2] Marriott Starwood data breach: hotel giant fined almost £100m for breaking privacy laws

Related Reading

[1] Protecting IP of a Manufacturing Company – A Case Study

[2] Five SAP data protection scenarios where HALOCORE must be considered

[3] How to ascertain suspected data leak from the IT landscape?

[4] The Simple Printer: Innocuous Office Tool or Source of Silent Data Leak?