ttribute-based Data Masking: How to effectivelyimprove the protectionof your sensitive data [Webinar]

WEBINAR
Attribute-based Data Masking:
How to effectively
improve the protection
of your sensitive data.

© Pathlock Inc. All rights reserved.
Axel Daldorf
Presales SAST SOLUTIONS – Part of Pathlock
+49 40 88137-109
mail@sast-solutions.de
sast-solutions.com
Your host today:

3
"SAST SOLUTIONS has specialized its portfolio in
holistic solutions for securing SAP ERP and
SAP S/4HANA systems.
As part of the Pathlock Group, we are also the global
market leader for the automation of access
orchestration and cyber security of all business
of all business applications."
Ralf Kempf & Bodo Kahl
SAST SOLUTIONS

4
4
15
LOCATIONS
500
just
under
EMPLOYEES
w o r l d w i d e
1.200
SATISFACTION
C U STO M E RS
around
We are part of the Pathlock Group:

5
5
Pathlock Group portfolio:
The "one fits all" solution for securing your business applications
REAL-TIME CONNECTION
ERP
SECURITY INTELLIGENCE
ALL APPLICATIONS
Connect to Applications
ALL USER
Govern User Access
ALL ACTIVITY
Monitor Business Transactions
ALL THREAT VECTORS
Internal/External Revision
Cloud
Legacy
Enterprise Systems
ALL APPLICATIONS
Connect to Applications
"CAN DO" ANALYSIS
Access Analysis
User Access Review
Access Management
Emergency Access
"DID DO" ANALYSIS
Business Processes
Risk Score
Mitigation
Access & Compliance Security
PROTECT & QUANTIFY RISK
Vulnerability Management
Threat Detection
App Security Testing
Compliance Testing

6
6
Full protection for your business applications
360 degree protection for cloud and on-premise
User Access Certifications
and Review
Privileged and Temporary
Access Management
Compliant Provisioning
Role design and Re-design
Separation of Duties
and Risk Analysis
Dynamic Authorization
SSO and MFA Enforcement
Data Masking
Transaction Monitoring
Control Enforcement
and Transaction Blocking
Cybersecurity Management
Detection and Response
Logging and SIEM Integration
Code scanning
Vulnerability Management
Continuous Control Monitoring
Process Controls
Access Governance

7
© 2022 Pathlock Inc. All rights reserved. 7
Data Masking

8
© 2022 Pathlock Inc. All rights reserved. 8
DATA MASKING
Pathlock Security Platform for
SAP
Unified control machine
- Contextual security policies
- Pre-built policy templates
- Versatile configuration
Real-time analytics
• Penetration protection
• Data loss prevention
• Compliance monitoring
Logging of user activities
• Detailed logging of user activities
• Complete audit trail of user access
• Compliance-enabled protocols
Fine-grained data security
• Contextual DLP policies
• Dynamic data masking and redaction
• Query and search masking
Contextual access control
• Contextual access control
• Field-level multifactor authentication
• Privileged access management
PATHLOCK
SAFETY PLATFORM

9
© 2022 Pathlock Inc. All rights reserved.
DATA MASKING
Pathlock Security Platform for SAP
Extending ERP with granular and context-aware
security
Dynamic, contextual security - ITAR, GDPR
Business Process Controls
Preventive SOD controls
Real-time visibility of user behavior

10
Adding preventive controls to
exception scenarios
Detect & report
Violations in real time
Stop actual SoD violations, but
continue to
allow non-injurious activity.
Enables continuous monitoring of
controls and alerting of control holders.
A second layer of defense against
unintentional
Insert overprovisioning.
DATA MASKING
Strengthening SoD with attribute-based controls and real-time
visibility
Adding second layer of
defense

11
DATA MASKING
NIST Cybersecurity Framework
Improvement of the critical infrastructure
IDENTIFY
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management
Strategy
RE-CREATE
• Recovery Planning
• Improvements
• Communication
PROTECT
• Access Control
• Awareness and Training
• Data Security
• Information Protection
Processes & Procedures
• Maintenance
• Protective Technologies
DISCOVER
• Anomalies & Events
• Security Continuous
Monitoring
• Detection Processes
REACT
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements

12
Extends native SAP RBAC by applying context-based
rules for data permissions.
• DATA MASKING
ABAC for Dynamic Data Masking
Rules can be based on any criteria, such as nationality,
whitelisted access points, time, data characteristics,
user group membership, age or geographic location of
data, or calculated factors, etc.
Data is controlled with little or no code, enforced
quickly and at scale, and without performance
degradation.
Fields can be fully or partially masked, blacked out, or
click-protected, limiting data exposure without
impacting productivity.

13
DATA MASKING
Dynamic contextual security
Control of access to the transaction, at the
transaction level (VA03)
USER 1
USER 2
196.20.0.0
196.20.0.1
With any attribute, example: IP address ERP

14
DATA MASKING
Dynamic contextual security
USER 1
USER 1
100001/1100/US01
100001/1101/US01
Control of access to the transaction, at the
transaction level (ME11)
Use of Org elements
(protected purchase Org 1101)
ERP

15
DATA MASKING
Dynamic contextual security -
Masking PERSONAL
PA20 is allowed, user1 can see sensitive data
(SSN number)
USER 1
USER 2
Control of access to sensitive data by context
attributes (example: IP range)
PA20 is allowed, sensitive data is masked for
user2
ERP

16
DATA MASKING
Dynamic contextual security -
MASKING PRICE
$2000.00
$0.00
USER 1
USER 2
Dynamic protection of pricing or order data
based on IP range
VA03, Tcode is allowed, can see price data
VA03, Tcode is allowed, price is displayed as
zero
ERP

17
DATA MASKING
Dynamic data download
Control (DATA BROWSERS)
USER 1
USER 1
SE16
SE11
Protection of data downloads based on
context (table name or columns in tables)
SE11, Tcode is allowed, Data Download is
denied
SE16, Tcode is allowed, can download based
on specific column values
ERP

18
DATA MASKING
SOD Prevention
USER 1
USER 1
ME21N
MIGO
Protection against SOD violations on the
basis of GRC regulations
ME21N, Tcode is allowed, user may create an
order
MIGO, Tcode is denied, user cannot post
goods receipt for same order
ERP

19
DATA MASKING
Fiori masking - product master data
Maintenance product master:
MD_C_PRODUCT_MAINTAIN_SRV
Product descriptions are defined as sensitive
information and are masked.

20
DATA MASKING
Fiori masking - supplier master data
Vendor Master Maintenance:
MD_SUPPLIER_MASTER_SRV
Address data is considered sensitive information
and is masked.

21
DATA MASKING
Fiori Masking - Purchasing Info Set
Maintenance purchasing info records:
MM_PUR_INFO_RECORDS_MANAGE_SRV
Material and supplier information are defined as
sensitive information and are masked.

22
ACCESS GOVERNANCE
RBAC and ABAC in detail
ABAC starts at the moment when the user
begins to access data and transactions.
.
.
.
+
User Rollers
Access
allow
Limited
Access
Access
refuse
ABAC
RBAC
Role-based
Approach
Attribute based
approach

23
ACCESS GOVERNANCE
By using ABAC, organizations
can reduce their accepted risk
by defining granular business
policies and access controls to
strengthen security at the data
and transaction level.
You can dynamically enforce
data masking or restriction
policies for any field in SAP
when you apply real-time
contextual policies that balance
security with user-friendliness.
ABAC allows you to apply
preventive controls in SoD
exception scenarios.
This way, you can prevent SoD
violations while having the
flexibility to assign conflicting
roles (if necessary) and role-
based policies to mitigate over-
provisioning.
Advantages of Pathlock's ABAC
Use of dynamic data
masking
Reduction of the attack
surface
Preventing violations
of SoD policies

24
Transactions are driven based on business rules and
master data, so they can be enforced quickly and at scale
without the need for SAP change management.
ABAC for Transaction Control
Policy-driven preventive controls based on business rules
are low/no code.
Integration with Access Governance to automatically
mitigate SoD exception scenarios and lock down RBAC
permissions when existing permissions are inappropriate.

Do you have any questions?
We answer. For sure.
© Copyright akquinet enterprise solutions GmbH. All rights reserved. This publication is protected by copyright.
All rights, in particular the right of reproduction, distribution, and translation, are reserved. No part of this document may be reproduced in any form (photocopy, microfilm or other process) or processed, copied, or distributed using electronic
systems without the prior written agreement of akquinet enterprise solutions GmbH. Some of the names mentioned in this publication are registered trademarks of the respective provider and as such are subject to legal provisions.
The information in this publication has been compiled with the greatest care. However, no guarantee can be given for its applicability, correctness, and completeness. akquinet enterprise solutions GmbH shall assume no liability for losses arising
from use of the information.

Thank You
AXEL DALDORF
Presales SAST SOLUTIONS –
Part of Pathlock
+49 40 88137-109
mail@sast-solutions.de

ttribute-based Data Masking: How to effectivelyimprove the protectionof your sensitive data [Webinar]

Recommended

Recommended

More Related Content

Similar to ttribute-based Data Masking: How to effectivelyimprove the protectionof your sensitive data [Webinar]

Similar to ttribute-based Data Masking: How to effectivelyimprove the protectionof your sensitive data [Webinar] (20)

More from akquinet enterprise solutions GmbH

More from akquinet enterprise solutions GmbH (20)

Recently uploaded

Recently uploaded (20)

ttribute-based Data Masking: How to effectivelyimprove the protectionof your sensitive data [Webinar]