Monitoring of SAP User Behavior


Increasing requirements are forcing organizations to implement solutions that raise the security level of systems processing personal data. SAP is no exception. Today's article shows how to increase data security in 3 steps.

Data security is not just about authorizations

To break down the topic, let's start with the basics. Every user in SAP is assigned permissions. These determine whether the user is granted access to a given set of data or whether that access is blocked. Based on the assigned roles, we can restrict access. This is a fact. There is, however, a rather serious problem here: the potential leakage of data outside the system.

1. Monitoring the display of personal data

Standard SAP solutions are limited to authorization management. The standard will not give a clear answer to the questions of "who" displayed "what" on their screen, and "when". Today, any user with an ordinary cell phone can take a picture of the screen on which personal data is displayed (or take a print screen), and this activity leaves practically no trace. It is therefore important to monitor and log risky user operations in detail, with greater accuracy than the functionality provided as standard.

There are more examples of potential abuse. For example, privileged users (such as administrators) have virtually unlimited access to data containing sensitive information. The new GDPR requirements say to monitor data access as effectively as possible. Regulatory requirements shouldn't be the only reason to change personal data access processes, though. After all, the mere leakage of payroll data can cause disruption among employees. Data can also be intercepted by competitors, and this is also a business concern.

The points above are the essential elements of logging user behavior down to the level of individual displays of personal data, globally. The resolution of user monitoring should therefore be high enough to accurately provide information about access to (displays of) SAP HR data.

2. Saving data to files

By default, SAP allows you to globally enable or disable the ability to download data (e.g. from a report that you have access to). By default, the logs record only when and by whom a file with a specific name was downloaded to a specific path. The standard lacks any information about the contents of downloaded files.

Looking at the above screen in terms of potential violations:
1 - what data was downloaded? No information
2 - did the file contain critical personal information? No information
3 - are we able to restore the downloaded file? No

Fortunately (for SAP data security), there are solutions that can effectively solve the above problems by providing extended log information about specific activities, with far greater resolution.

With the help of defined keywords, reports or file sizes, administrators can receive information about potential abuse involving critical portions of downloads. In addition, each download is set aside (for a specific amount of time), so it is possible to completely restore the downloaded file.

3. Use of transactions

Reducing the risks associated with unauthorized access to data is also about making sure that granted authorizations are kept to a minimum. The assumption is this: granted authorizations do not always match the required ones 100% (often they are much broader than what an employee actually needs to perform their daily activities). It is therefore necessary to analyze which transactions are actually used.

Statistics are available in ST03N and are updated monthly. With this:
- unused transactions can be removed from user privileges
- transactions not used in the role (by any user) can be removed from the role completely
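
The two checks above can be scripted once usage statistics and role assignments have been exported. The following Python example is added here and is not part of the original article or of any SAP tool; the CSV layout, role names and user names are constructed assumptions. It merges several monthly exports, so a transaction that is run only periodically is not flagged after one quiet month.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (not from a real system); names and layout are assumptions.
ROLE_TCODES = {  # role -> transactions granted by the role
    "Z_HR_CLERK": {"PA20", "PA30", "PA40"},
    "Z_HR_REPORTING": {"PA20", "SQ01", "SE16"},
}
USER_ROLES = {  # user -> assigned roles
    "ASMITH": {"Z_HR_CLERK"},
    "BJONES": {"Z_HR_CLERK", "Z_HR_REPORTING"},
}
# Hypothetical usage export: one row per month, user and transaction.
USAGE_CSV = """month,user,tcode,steps
2024-01,ASMITH,PA20,120
2024-01,BJONES,PA30,15
2024-02,ASMITH,PA30,40
2024-02,BJONES,SQ01,3
2024-03,BJONES,PA20,9
"""

def load_usage(text):
    """Return user -> set of transactions executed in any exported month."""
    used = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        if int(row["steps"]) > 0:
            used[row["user"].upper()].add(row["tcode"].upper())
    return used

def unused_per_user(user_roles, role_tcodes, used):
    """Granted-but-unused transactions per user, with the roles granting them."""
    report = {}
    for user, roles in user_roles.items():
        granted = defaultdict(set)  # tcode -> roles that grant it to this user
        for role in roles:
            for tcode in role_tcodes.get(role, ()):
                granted[tcode].add(role)
        report[user] = {t: sorted(r) for t, r in granted.items()
                        if t not in used.get(user, set())}
    return report

def unused_per_role(user_roles, role_tcodes, used):
    """Transactions in a role that none of the role's holders executed."""
    report = {}
    for role, tcodes in role_tcodes.items():
        holders = [u for u, roles in user_roles.items() if role in roles]
        used_by_holders = set().union(*(used.get(u, set()) for u in holders))
        report[role] = sorted(tcodes - used_by_holders)
    return report
```

Usage statistics do not record which role granted a transaction, so when a user holds the same transaction through two roles, a single use counts as usage for both roles.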

Summary

The above set of three user monitoring elements, with which you can extend your SAP system, supports risk management processes and directly improves security. It will allow you to quickly sort out potential opportunities for abuse.

Here it is worth adding one more insanely important thing from the perspective of user monitoring.

During one of our projects, a few weeks after implementing the above features, users were informed that their activities were being monitored. Downloads to file dropped by about 63%.

And what do your users do in SAP?

Tomasz Jurgielewicz

Head of Security Department at Lukardi. For the past 10 years, he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of:
- identification of authorization conflicts and authorization reorganization,
- identification of SAP vulnerabilities,
- integration of SIEM solutions with SAP,
- optimization of SAP licenses.