I don’t think that any organisation is in the dark when it comes to protecting access to personal data - even less so considering the recent £183m fine given to British Airways which really does cement the seriousness being taken by the Information Commissioners Office when it comes to personal data security breaches.

The Information Commissioner Elizabeth Denham said: “People’s personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. When you are entrusted with data you must look after it.”

Much emphasis therefore, and quite rightly so, is put on protecting personal data from outside risks, such as external hacking (BA’s data was breached via hacked code in a 3rd party script known as Modernizr). However, you are at just as much risk, if not more so, from inappropriate and often unknown internal access that your employees have to personal data.

Much of that data will reside in your SAP core systems and SAP HR systems so in this article we are going to look at the 5 crucial things that you should do to keep this data safe.


① Protect your data inside SAP with real-time access monitoring

It is amazing how many SAP systems we see where there are numerous people not just able to directly access personal data, but are also able to export it or download it directly out of SAP tables and/or via reports. It is not uncommon to hear of support people being called to provide ad hoc data exports so that managers can process the data in Excel. Suffice to say, as soon as your data has been downloaded or exported out of SAP then you have lost ALL control over it.

As soon as your data has been downloaded or exported out of SAP then you have lost ALL control over it

Therefore our absolute number one action on this list is that you should place real-time access monitors on the personal data you're custodians of to ensure that it is staying within SAP except for bona fide verified processes and interfaces. With ProfileTailor Dynamics we can do this by specifying which tables contain personal data and then getting the system to tell us every time that data is being accessed. We can tune any false-positive alerts by creating a white list of processes and users, and also by monitoring only for specific keystrokes. We would recommend that any access other than in the white list is made available only via a properly governed Emergency Access procedure (see 4). Not only does this give you full auditing of when ad hoc personal data access is granted but it also provides protection to employees ensuring that their high risk accounts are not under undue risk or threat of being compromised.

② Implement a regular internal authorisation access review process.

Access Review is the process of not only capturing real-time access to personal data (as discussed on 1) but of also capturing those employees and processes that could access that data. Real time access monitoring can be achieved very quickly but Access Reviews, on the other hand, can be complicated and time consuming. They often require a lot of manual digging into SAP roles, then creating numerous reports to send out to business process / data owners, and then trying to manage and co-ordinate voluminous eMails around the organisation. Unfortunately though it is a crucial exercise and in fact one that must be undertaken at least every 12 months if your business comes under Sarbanes Oxley (SOX) compliance regulations.

Automating this process is one of the most popular requests that we get from our customers - and fortunately it is something that we can typically implement within a couple of weeks.

③ Automate your starter/mover/leaver processes to shut down access automatically.

When we look at SAP access we see a relatively common theme which is that employees carry around their access and authorisations as they move around the organisation. This causes segregation of duties issues and wildly high levels of sensitive access. Sometimes, this is because proper processes are not in place, and sometimes it’s because no-one really knows what access each employee actually needs so they over compensate and give them too much.

Automatically detecting when an employee moves roles or leaves the business and then taking action on it is therefore crucial. As an example, an automated leaver process is an incredibly quick win and can often be implemented within a week, ensuring that anyone leaving your organisation will immediately get all access revoked from, not just SAP, but ALL systems including 3rd party cloud systems.

④ Remove all SAP_ALL access and replace it with strict Emergency Access (Firefighter) processes.

SAP_ALL access is still rife! This is such a well documented topic that it needs no further comment here. For us, Emergency Access processes are really quick and easy to implement and there should be no reasons whatsoever for any accounts, whether employee or system accounts, to have SAP_ALL.

⑤ Implement the Principle of Least Privilege.

The Principle of Least Privilege is the notion that each employees’ access is restricted down to only that which is required to carry out their day-to-day job. Achieving this however is often a longer term goal as it requires a proper project to design and implement such a security model. A model based upon Job Roles is a great place to aim for and we discuss it at more length in a separate article here if you want to know more about how to go about it. (Go to article)


Grey Monarch


To find out more...

Most of our customers have implemented all of the above processes using ProfileTailor™ Dynamics either on premise or in the cloud. With an installation time (including training) of less than a week, we’ve managed to provide some incredibly detailed insight and protection within very short timeframes.

We can also provide your organisation with a fixed-price Risk Assessment Consultancy Package where we will check for over 500 potential data and security risks including all of the risks indentified in this article. With our particular expertise in SAP then this is way beyond the checks that a typical external audit would examine within your SAP systems.

If you would like find out more about how we can help in this area then please do contact us.

You can also share this page via the following buttons: