Last year, PC World published an article discussing SAP security. Though SAP has consistently improved its data security, the article highlighted inconsistent security practices used by users of SAP products. For example, one expert cited in the article estimated that 5 to 10 percent of SAP users expose critical services to the Internet that ought not to be publicly accessible. These services are vulnerable to hacking. Another expert felt that those numbers were low and that many of the systems were still vulnerable to well-known exploits.
The discussion then moved to the age of some SAP implementations, suggesting that age could contribute to vulnerabilities. However, if administrators stay on top of SAP security patches, age is not generally considered a risk for supported SAP products.
When it comes to SAP security, SAP naturally has an obligation to develop a secure product and respond to vulnerabilities that could affect its supported products. That said, the companies that have implemented SAP solutions also have a responsibility to apply those patches and responsibly deploy their solutions.
To further complicate SAP security matters, new regulations at all levels have been introduced in an attempt to better protect privacy. According to Dolphin, some regulations require storing credit card data and other sensitive information in an encrypted format. Another SAP security concern arises when information must be masked, such as during a merger, acquisition, or spinoff or when “camouflaging” data for compliance.
Dolphin takes a three-step approach to SAP security: encrypt, mask, and purge. Not only does this approach help to improve SAP security, it also helps to remain compliant.
Encrypting data renders in unusable to unauthorised users such as hackers. Unless you have the key to decrypt the data, it will be unreadable. Dolphin’s Archive Data Cockpit is used to automate data encryption which gives the user the flexibility to manage and encrypt SAP archive records.
Masking data replaces it with structurally similar, but inauthentic data. For example, Social Security numbers may appear as 241-**-**** after being masked. This is essentially as important if the company plans to divest or acquire a new company to prevent stolen data such as employee information.
Purging data removes it permanently from storage. Data should only be purged according to your company’s established information lifecycle management and data retention policies. Purging data will ensure sensitive information will not be exposed but only take this step when it is confirmed that your company do not need the data for future use.
If you want to improve SAP security, consider taking an encrypt, mask, and purge approach. Not only will this improve your security, it will help you to stay compliant. As more companies are doing business over the internet or some sort of network, it’s important to continue to improve your data security system to prevent leaked confidential information.