Data Security and Data Privacy
Natuvion Webcast (8) – SAP RAL - Read Access Logging
Natuvion GmbH – 09.2017
AGENDA
Natuvion
Webcast Series Data Security and Data Privacy
SAP RAL Read Access Logging
SAP RAL Configuration and Application
SAP RAL Introduction and Costs
Contact
BERLIN 30.11.2016 – Patric Dahse NATUVION 2
Since 2014, NATUVION has supported customers with its experience and expertise in
digitalization
Founded in 2014 as an owner-managed consulting company
specializing in utilities, transformation and security
Office locations: Walldorf, Berlin, München, Vienna (AT), Philadelphia (US)
Company size: > 55 Employees
Expertise of consultants: > 75 % SAP certified, Ø 12 years of utilities and SAP experience
SAP Gold Partner
SAP Recognized Expertise in Utilities
SAP Landscape Transformation
Long-term partner of the largest energy suppliers in Germany
Services / Skills
▪ Strategic IT-Management
▪ IT Consulting for Utilities Industry
▪ SAP Transformation & Data Services
▪ SAP Security & Data Privacy / Protection
▪ Business Intelligence / Analytics
Natuvion Group
In-depth experience in
implementation of GDPR
requirements
Strategic partnership with SAP Data
Protection and Privacy
Development Teams – ILM / IRF /
Consent
Close & long-term partnership with
IT / data protection law experts
Complete understanding of the
processes and requirements from a
business, IT and data privacy
perspective
Own certified solutions specifically
for consistent data erasure,
information and anonymization
Designated data protection and
privacy expertise (solutions)
Designated Transformation
expertise
Success Factors
Conception & introduction of
anonymization (IS-U / CRM)
Group-wide roll-out of a system
anonymization (CRM / IS-U /
ERP / HCM)
Selective data deletion (IS-U /
CRM / ERP / BW)
Deletion concept of GDPR (SAP
System landscape)
IT and process concept
conformity of affected persons
rights according to GDPR
(Information and Transparency)
System and data
decommissioning with SAP ILM
Concept and implementation
information (SAP IRF)
Relevant References
Natuvion – Your specialist for the implementation and requirements of the GDPR
Data Security and Data Privacy in SAP - Data Anonymization
Natuvion Webcasts
Overview of the webcast series Data Security and Data Privacy
The webcast series "Data Privacy and Protection in SAP" offers an outstanding overview of the actions and
implementation possibilities in accordance with the EU-GDPR.
1. EU-GDPR Onboarding (1 hr.): Legal overview and basic structuring of the fields of action (1 hour)
2. Deletion of Existing Historical Data (45 min.): Consistent deletion of mass data in SAP system landscapes (30 minutes)
3. Simple Blocking and Deletion (45 min.): Overview and experiences with the introduction of SAP Information Lifecycle Management (30 minutes)
4. Anonymization / Pseudonymization (45 min.): Background, challenges and implementation of a GDPR compliant anonymization
5. Data Reporting / Transparency (30 min.): GDPR compliant data transfer from conception to implementation - SAP IRF
6. Consent / Approval (45 min.): GDPR compliant approval concept and introduction – SAP CONSENT
7. Privacy Impact Assessment (45 min.): How can PIAs be implemented and continue to exist?
8. Access Monitoring of Sensitive Data (30 min.): Access monitoring of personal data powered by SAP Read Access Logging (this webcast)
Data Security and Data Privacy in SAP - Read Access Logging
Read Access Logging
What is SAP Read Access Logging
The Read Access Logging Framework (RAL) allows you to monitor and log access to sensitive data / fields
within SAP system landscapes. Monitoring can be performed on different levels and input channels:
access via user interfaces as well as via services and function / program calls can be monitored.
Monitoring is configured at the field level.
The results of the monitoring can be viewed either in the RAL monitoring view itself or passed on to
further applications (Threat Detection, your own alerting mechanisms and evaluations).
Read Access Logging
Industry use cases
Use Case: Health Care Industry
In a clinic, treatment information of a public figure is stolen and offered to the public for purchase
(e.g. a Formula 1 star). The Data Protection Office is asked to investigate this case.
Use Case: Banking Industry
Within a bank, there is suspicion of insider trading. The Data Protection Officer is commissioned with
investigating the suspicion.
Use Case: Utilities Industry
A customer of a power supply company complained to a data protection officer about the customer service.
The data of the customer was used by a different power supplier for direct addressing / solicitation.
General drivers:
Compliance with data protection regulations
Compliance with industry standards (e.g. Basel for the banking sector)
Access control to classified or other sensitive data (such as information on company assets or salary data).
Read Access Logging
Overview SAP Read Access Logging
Why RAL?
▪ Who had access to specific data (e.g. a bank account)?
▪ Who had access to personal data (e.g. a business partner)?
▪ Which employee had access to special categories of personal data (e.g. religion)?
▪ Who is searching for specific persons (e.g. VIPs)?
▪ Are there patterns of regular and / or similar search queries / accesses (e.g. repeatedly calling up the same bank account)?
What can RAL do?
▪ Monitoring of RFC-based communication (sRFC, aRFC, tRFC, qRFC, bgRFC)
▪ Monitoring of Web Dynpro-based user interfaces
▪ Monitoring of screen UI elements and ALV Grid-based user interfaces
▪ Monitoring of web service-based communication
▪ Content filtering based on conditions / users / channels ...
▪ Grouping (Purpose Assignment)
Results
▪ Overview of the accesses to the monitored data fields per data channel and per access
▪ Information about the user
▪ Information about the access path (screen / transaction / program / function ...)
▪ Technical information about the user (terminal, IP, time)
▪ Information about the contents of the displayed fields
▪ Possibility of limited storage / archiving / deletion
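The questions listed under "Why RAL?" are answered by evaluating the logged accesses, which is what the deck means by "your own evaluations". The following Python is an added example, not code from the deck or from SAP: it runs such evaluations (who read a given bank account, who read a special-category field, repeated reads of the same account, accesses per channel) over a constructed, simplified log layout; the record fields, paths such as SCREEN:BP and RFC:ZBP_READ, and all sample values are assumptions.

```python
"""Evaluations over read-access log records, added here as an example.

This is not SAP code and not RAL's own output format: it is a constructed,
simplified record layout carrying the fields the RAL overview lists (user,
channel, access path, terminal, IP, time, logged field content). All names,
paths and sample values below are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def rec(ts, user, channel, path, terminal, ip, field, value):
    """Build one log record (constructed layout, not RAL's)."""
    return {"ts": ts, "user": user, "channel": channel, "path": path,
            "terminal": terminal, "ip": ip, "field": field, "value": value}

# Constructed sample log: one record per logged read of a monitored field.
LOG = [
    rec("2017-09-05T08:01:10", "JDOE", "DYNPRO", "SCREEN:BP", "WS-17", "10.1.2.17", "BANK_ACCOUNT", "DE00123"),
    rec("2017-09-05T08:03:42", "JDOE", "DYNPRO", "SCREEN:BP", "WS-17", "10.1.2.17", "BANK_ACCOUNT", "DE00123"),
    rec("2017-09-05T08:09:05", "JDOE", "DYNPRO", "SCREEN:BP", "WS-17", "10.1.2.17", "BANK_ACCOUNT", "DE00123"),
    rec("2017-09-05T08:40:00", "JDOE", "DYNPRO", "SCREEN:BP", "WS-17", "10.1.2.17", "BANK_ACCOUNT", "DE00999"),
    rec("2017-09-05T09:15:30", "ASMITH", "WEBDYNPRO", "WDA:ZBP_DISPLAY", "WS-22", "10.1.2.22", "BANK_ACCOUNT", "DE00123"),
    rec("2017-09-05T10:02:00", "MMUELLER", "RFC", "RFC:ZBP_READ", "-", "10.1.5.9", "RELIGION", "***"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def who_accessed(log, field, value):
    """Who had access to one specific value (e.g. a single bank account)?"""
    return sorted({r["user"] for r in log if r["field"] == field and r["value"] == value})

def special_category_access(log, field):
    """Which users read a special-category field (e.g. religion), via which access path?"""
    return sorted({(r["user"], r["path"]) for r in log if r["field"] == field})

def access_overview(log):
    """Number of logged accesses per (channel, field): the per-channel overview."""
    return Counter((r["channel"], r["field"]) for r in log)

def repeated_access(log, field, threshold, window_minutes):
    """Users who read the same value of `field` at least `threshold` times
    within any `window_minutes` span: the 'repeatedly calling up the same
    bank account' pattern. Sliding window over each user's sorted timestamps."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for r in log:
        if r["field"] == field:
            by_key[(r["user"], r["value"])].append(parse_ts(r["ts"]))
    hits = []
    for key, times in by_key.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1  # drop reads that fell out of the window
            if hi - lo + 1 >= threshold:
                hits.append(key)
                break
    return sorted(hits)

if __name__ == "__main__":
    print("DE00123 read by:", who_accessed(LOG, "BANK_ACCOUNT", "DE00123"))
    print("religion read by:", special_category_access(LOG, "RELIGION"))
    print("repeated (3x in 15 min):", repeated_access(LOG, "BANK_ACCOUNT", 3, 15))
    print("per channel/field:", dict(access_overview(LOG)))
```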
System Demo
Read Access Logging - Configuration and Application
Demo outline: Selection, Transformation, User View, Administration View
Recordings (REC): Dynpro / Web Dynpro; Services, Functions, Programs; Administration View
Introduction - Read Access Logging
The solution can be implemented within a short time.
Typical Phases During Implementation
Conception (Scope), Configuration (Test Environment), Individualization (Tailoring your solution), Roll-Out (Start Regular Business), Support
▪ Presentation of the functionalities of SAP RAL to the department (IT)
▪ Collection of relevant processes, transactions, programs and user groups
▪ Definition of data protection measures according to GDPR
▪ Automated DDIC relationship analysis (search for target fields / data)
▪ Activation of SAP RAL
▪ In addition: delivery of template(s)
▪ Customizing and technical testing of SAP RAL on the basis of the concept specifications
▪ View additional functions
▪ Protocol storage and evaluation
▪ Integration into other applications (Threat Detection)
▪ Refinement of logging (filter / conditions)
▪ Customizing distribution / master client
▪ Permissions
▪ Final function test
▪ Training / Documentation
▪ Handover to business
▪ Maintenance
▪ Result archiving
▪ Development / Roll-Out
Project Run Time: 10 – 24 Weeks (Conception to Roll-Out); 12 - 24 Months (Support)
SAP Read Access Logging
Tasks and efforts during implementation
RAL offers consistent and comprehensive access control
Timeline: (I) Conception / Preparation, (II) Realization, (III) Roll-Out Q-System, (IV) Roll-Out P-System, (**) Operations & Monitoring
Indicative project planning and effort assessment (1)
Work Package                          Effort Bus.   Effort IT
(I) Conception / Preparation (1/2/3)  15 MD         15 MD
(II) Realization RAL (4)              20 MD         35 MD
(III) Roll-Out Q-System               10 MD         10 MD
(IV) Roll-Out P-System                15 MD         10 MD
Total Effort                          60 MD         70 MD
(1) Experiences from reference projects
(2) System in scope SAP ERP / CRM (pbD)
(3) Additional external auditing (optional)
(4) Also additional licence costs
Task Levels
Level 1
• Conception and analysis based on the present system landscape
• Creation of a phase plan as well as firming up of realization costs
• Coordination and consideration of data protection requirements
Level 2
• Realization of the conceived monitoring channels, processes, authorizations and conditions
• Function test and performance test (including test automation)
Level 3
• Roll-out and test of the configuration as well as the developments / extensions on the productive system chain (quality system)
Level 4
• Roll-out and operation of the configuration as well as the developments / extensions on the productive system chain (production)
Services provided by Natuvion in the context of access control with SAP RAL
▪ Conception (Scope & Analysis)
▪ Proof of Concept (2 Processes - 10 MD)
▪ Full Realization (incl. Maintenance)
▪ Quality Assurance (Audit, Training, QS)
Natuvion GmbH
Altrottstraße 31 | 69190 Walldorf
Fon +49 6227 73-1400
Fax +49 6227 73-1410
www.natuvion.com
We look forward to answering any of your questions!
Patric Dahse
Managing Director
Tel: +49 151 171 357 02
E-Mail: patric.dahse@natuvion.com

Webcast Security No. 8 - Read Access Logging (RAL)
