Improve Data Protection and Compliance with UI-Level Logging and Masking

PUBLIC
SAP UI Data Security
UI Logging and UI Masking solutions
Tobias Keller, Product Manager
v322 – 2018-01-31
SAP
Innovative
Business
Solutions

Data Protection
01010100101010100
10100101001011000
10010101011011100
10010101000101110
01101010101001010
10100101010010101
01001010101001010
01010010110001001
01010110111001001
01010001011100110

6PUBLIC© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ
Public
data security threat
legal requirements
(compliance)
internal requirements
(decrease of financial
risk)
personal information
valuable business
information
commercial
motivation:
protection of the
organization
political
motivation:
protection of
individuals
UI Data Security – driving factors
Compliance & financial risk of data security breaches

Public
UI Data Security
Data protection requirements
• increasing number and severity of data
protection regulations worldwide
(EU-GDPR, HIPAA, PIPEDA, PIPA, SOX, DPA…)
• commonly protecting personal information
(employees, customers, suppliers…)
• rising compliance infringement cost
(discovery, fines, litigation; personal fines)
• deteriorating competitive situation (recipes
stolen, employees poached, customer
contacts leaked, supplier prices
publicized…)
• lost trust = lost business
(customers, suppliers, financial markets…)
• efficiency impact
(countermeasures, suspicious employees;
management stability…)
legal requirements –
protection of individual
information
internal requirements –
protection of business
critical data assets

Public
UI Data Security – the threat from inside
A threat vector often underestimated – but substantial and difficult to tackle

Public
UI Data Security: two step approach to protect data from insiders
UI Masking: hiding unnecessary data; UI Logging: enabling analysis of data access
to keep data accessible, but log & analyze
access, to take appropriate measures
The solution provides a detailed, structured data access
log and allows for analysis who exactly received which
data (output), how (input), and in which context (IP…)?
è prevent illegitimate data access and theft
by inducing compliant behavior
è identify & prove irregular data access
to conceal specific data (values in
fields/columns) – unless required for tasks
The solution masks sensitive (configured) values per
default; unmasking requires explicit access rights (on
top of existing role/authorization setup)
è make data elements unavailable for data abuse
(opportunistic and targeted)
• awareness for data security (“human firewall”) à protect employees by decreasing inadvertent breaches
• top-of-class protection measures à trust (employees, customers, and investors)
UI Masking UI Logging
“the speed limiter” “the speed camera”

Public
SAP Backend System
SAP UI (user)
Dynpro Processor
Request
Response
Database LayerBusiness Logic
UI Logging
observed data
traffic
asynchronous call of
log & filtering service
Enterprise Threat DetectionAlert (e.g. email) Log Analyzer
• UI Masking and UI Logging can be used individually or jointly, depending on the required functionality
• add-ons to SAP NetWeaver:
• secure server-based logging/masking,
• modification free,
• minimal performance impact.
UI Data Security
High level solution architecture (example: SAP GUI)
UI Masking
masked data
original data configuration & BAdIs
Apply masking rules

Public
UI technology UI Masking UI Logging
SAP GUI for Windows / HTML / Java ü ü
WebDynpro ABAP ü ü
CRM Web Client UI ü ü
RFC/BAPI and Web Services project based ü
BW Access (BEx Web/Analyser, BW-IP, BICS, MDX) project based ü
UI5/Fiori ü ü
Availability: 10 “channels” (Q1/2018)
• Based on SAP NetWeaver (cf. RCS Availability Matrix or contact product management for detailed requirements)
• Available for ECC, HEC, Suite on HANA, S/4HANA
• Maintenance: integrated into standard maintenance, planned until end 2025
• Enhancements and adaptations can be delivered on request

Public
• Installation of add-ons with SAINT conducted by customer (ERP/basis team)
• Implementation support efforts – based on experience (”typical” scope and requirements)
Service option 1: enablement/jump start
• Set-up workshop for requirements, installation support, baseline configuration, KT and Ramp
Up session.
• Effort: commonly 5 PD per channel, duration ca. 1-2 weeks, preferably onsite.
• Service option 2: implementation
• As above, but also implementation of functional scope, test support, go-live support.
• Effort ca. 20 – 25PD per channel; preferably 1 week onsite; then remote.
• Customer enablement of an in-house resource to handle the main parts of the execution phase of the
implementation, and support subsequent changes in requirement and configuration.
Implementation – exemplary

Public
Wrap-up: High quality, low TCO
• UI Masking: unique functionality for SAP screens/applications
• UI Logging: premium offering from SAP in data access logging
Unique Coverage of the “insider” risk
ècompliance & decrease risk exposure
• Aligned with SAP standard è secure, performant, future proof
• quick implementation, support by product team è low TCO

Public
UI Masking
Refine data access into transactions
Data masking: UI layer on server side
• business and technical transactions
• download, export, print
Highly configurable
• what: on field level (inside transactions)
• how: pattern
• who: role required for unmasked access
• BADIs to introduce additional logic
Aligned with SAP standard
Based on SAP NetWeaver releases 7.00 – 7.50
Maintenance: planned until 31.12.2025
Further enhancements on request

Public
Please note: the following sequence is to exemplify how UI
Masking config technically works
The actual config creation would be mainly taken over by a
mass configuration utility included in the product.
• Create a new entry in the general masking config transaction for the
field to be masked, here end date.
• Next to table and field name, set the role required for unmasked
access and choose when to write a trace (always, never, only if
unmasked). Further details can be configured (which digits should be
masked in which way, etc. )
• These settings are sufficient to activate masking of data in lists and
ALV grids, as exemplified for transaction SE16n (in case of conversion
exit based masking, also business transactions are covered).
• In edit mode for such table views, the masked values are offered in
display mode only (or are being hidden).
• Data masking also applies to export/ download and print of relevant
data.
• The option to generate conversion exits allows to determine which of
the available technologies to employ for masking.
UI Masking
Case study: data masking in SE16, SE16n, SE11, etc.

Public
• For masking of data fields in Dynpro views (generated programmatically) without
conversion exits, the configuration needs to be enriched with the relevant program
names and UI number.
• A given database field can be utilized by different programs for different Dynpro
transactions, all of which need to be identified for consistent masking results.
• This task is mainly taken up by a mass configuration report.
• With these settings, data in a Dynpro field can be masked in a
modification free approach. In this example, the field content is
being replaced by stars over the whole length of the field.
Protected fields are also offered in display mode, even if the
user switches to edit mode.
UI Masking
Usage Example: Masking in dynpro-UIs

Public
UI Masking: supporting your GDPR project
• restrict data access
è supports “privacy by default” and “privacy by design”
• suppress/change data field values on UI level
è supports data pseudonymization and anonymization
è supports restriction of data processing
è supports compliant cross-border data transfers (display/export)

Public
UI Masking
Success Story: CF Industries, Chemicals (US)
A take on what other customers think:
Check out CF Industries' experience!

Public
4. Aggregate &
detect (ETD, …)
Key functionality: log, notice, analyze
1. Log data
access
2. Automatic
alert
3. in-depth
analysis

Public
UI Logging
The log – the key element of UI Logging
• Logging based on roundtrips (frontendàserveràfrontend)
• filtering options to control log file size
• efficient analysis: log data organized with unique <name> àvalue pairs
• on demand: detailed analysis of log file via Log Analyzer
• real time: configurable alerts/notifications
• automated: integrated with ETD à usable as powerful data source
transaction: PA30
“Maintain HR Data”
Infotype 8
“Basic Pay”

Public
UI Logging: supporting your GDPR project
• provide information baseline of data access:
è supports personal data breach notification “in time and quality”
è supports effective co-operation in case of review
è facilitates identification and investigation of irregular data usage.
• reduces non-task related data access
è decreases the probability and magnitude of a data leak occurring.

Public
• Log exactly which what a user requested and which data he really obtained (on screen, print, export…)
as well as context of data access (user, IP…)
• efficient identification and meaningful analysis of data threats:
• real time: configurable alerts/notifications
• on demand: detailed analysis of log file via Log Analyzer
• automated: integrated with ETD à usable as powerful data source
• “Quick start” – define on transaction level which data to log. Then refine scope (on view or field level)
• Define Users/Roles to be excluded/included for logging
• BAdI to implement complex business logic
• Based on SAP Netweaver, supporting multiple UI technologies (channels)
• Completely in background with minimal impact on system performance, and imperceptible to users
• Log is “reinforced” – access for authorized users only, and log data can be encrypted
• Archiving functionality for the log file
UI Logging
Functional scope & highlights

Public
UI Logging
Success Story: Hannover Medical School (Germany)
A take on what customers think:
Check out Hannover Medical School's experience!

mail product management
uilogging@sap.com
uimasking@sap.com
Contact us
Deepak Gupta
Solution Manager UI Masking
T +91 124 385-7195
E deepak04.gupta@sap.com
http://www.sap.com/innovbizsolutions
SAP Innovative
Business Solutions
Martin Loitz
Solution Manager UI Logging
T +49 6227-7-48810
E martin.loitz@sap.com
SAP Innovative
Business Solutions
Tobias Keller
Product Manager UI Data Security
T +49 6227-7-74995
E tobias.keller@sap.com
SAP Innovative
Business Solutions

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components
of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated
companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are
set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release
any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products,
and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The
information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various
risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements,
and they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company)
in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
© 2018 SAP SE or an SAP affiliate company. All rights reserved.

Improve Data Protection and Compliance with UI-Level Logging and Masking

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Improve Data Protection and Compliance with UI-Level Logging and Masking

Similar to Improve Data Protection and Compliance with UI-Level Logging and Masking (20)

More from Patric Dahse

More from Patric Dahse (20)

Recently uploaded

Recently uploaded (20)

Improve Data Protection and Compliance with UI-Level Logging and Masking