The Hidden Gem Using UI Masking to Achieve Compliance
Organizations are increasingly concerned with protecting the data of their employees, customers and suppliers. Regulations such as GDPR, SOX and HIPAA make protecting sensitive data a legal requirement, so the data residing in SAP applications becomes critical and must be protected both inside and outside SAP.
Compliance presents many challenges and requires affected organizations to make changes in several areas, including:
- Designate someone (e.g., a Data Protection Officer or Chief Compliance Officer) to take responsibility for data protection and compliance.
- Define a policy for handling and processing sensitive and/or personal data.
- Identify and document the legal basis for each type of data processing activity.
- Develop and implement training programs on handling sensitive and/or personal data.
- Define and implement processes for handling sensitive data requests, and processes for detecting and reporting breaches.
- Minimize data privacy and security risks without disrupting business processes.
Information Architectures and Systems Changes
- Understand and document where data is stored and processed, including with or by third parties.
- Protect data inside and outside of applications.
- Automate classification.
- Monitor and alert on breaches end to end from a single point of control.
- Automate the audit compliance workflow.
Classical Scenarios for UI Masking
PII data (Personally Identifiable Information) – Social Security numbers (SSN), mailing or email address, and phone numbers have most commonly been considered PII, but technology has expanded the scope of PII considerably. It can include an IP address, login IDs, social media posts, or digital images. Geolocation, biometric, and behavioral data can also be classified as PII.
What other PII of mine is exposed?
- Home address?
- Date of Birth?
- Bank information?
- Biometric data?
- Marriage status?
- My kid’s info?
What is SAP UI Masking?
SAP UI Masking is an add-on that sits between the application's data and the user interface to protect sensitive fields. It works at the presentation layer: a field can be made display-only, masked with a pattern, or hidden completely, without changing the application layer that runs the business processes. The add-ons are installed on the SAP server, and all configuration is transported from Development to Quality to Production like any other customizing.
Masking can be configured in two ways:
- Role-based masking: only users holding the field-level authorization can see the value. For a user without that authorization, the field is protected by masking, clearing, hiding or disabling it.
- Attribute-based masking: the ABAC policy cockpit is the product feature that lets you create policies determining how sensitive data is protected within the system. The authorization check also takes the context of the field or data element into account, so the same field can be masked for one record and shown for another. A policy is mapped to a logical attribute, and the data is masked according to the value of that attribute.
The SAP UI Masking solution applies to fields present in tables, transaction codes, Fiori apps, Web Dynpro and WebGUI.
How to implement SAP UI Masking?
Developing an early understanding and interpretation of the regulatory requirements is key to speeding up and firming up the business requirements and the design.
Identify the technical names of the fields present in the tables, transaction codes, Fiori apps, Web Dynpro and WebGUI that need protection.
A basic masking project covering 20 to 30 pages/tiles can be completed in about a month; the duration of an advanced masking project depends on the complexity of the masking.
For each tile/page/field/attribute, identify the Fiori path, transaction code or URL.
Finalize the masking requirement for each field: full mask, hide, edit disabled, etc.
For example, SAP table LFA1 (vendor master data), field STCD1, maintained in transaction code BP, is used to store the SSN; when this field is populated it must be masked. Role-based masking is the solution here: only users holding the authorization for the field can see the value.
Using the same example, if the value in STCD1 is further categorized by tax number type, US1 (SSN) versus US2 (general data), then attribute-based masking is the solution: it masks the field only when the category is US1.
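To make the difference between the two configuration options and the four protection actions concrete, here is a small Python model of the decision logic, written for this article. It is not SAP code and does not call any SAP API; the role name, the authorization object string "LFA1-STCD1", the attribute name tax_type and the sample vendor records are assumptions constructed for the example. It runs the LFA1-STCD1 scenario above through both a role-based decision (every unauthorized user is masked) and an attribute-based decision (unauthorized users are masked only when the record's tax type is US1).

```python
"""Role-based vs attribute-based UI masking, modelled in plain Python.

Illustrative model written for this article, not SAP's implementation.
Assumed names: the authorization key "LFA1-STCD1", the logical attribute
"tax_type" and the vendor records below are all constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    """What the presentation layer does with a protected field."""
    SHOW = "show"        # user is authorized: value rendered as stored
    MASK = "mask"        # value replaced by a pattern, field stays visible
    CLEAR = "clear"      # value blanked out, field stays visible
    HIDE = "hide"        # field removed from the screen entirely
    DISABLE = "disable"  # value shown, but the field is read-only


@dataclass(frozen=True)
class User:
    name: str
    field_auths: frozenset  # field-level authorizations held, e.g. {"LFA1-STCD1"}


def mask_pattern(value: str, keep_last: int = 4, fill: str = "X") -> str:
    """Pattern masking: keep the trailing characters, overwrite the rest."""
    if len(value) <= keep_last:
        return fill * len(value)
    return fill * (len(value) - keep_last) + value[-keep_last:]


def render(action: Action, value: str) -> tuple[Action, Optional[str]]:
    """Apply one action to a field value; None means the field is not drawn at all."""
    if action is Action.MASK:
        return action, mask_pattern(value)
    if action is Action.CLEAR:
        return action, ""
    if action is Action.HIDE:
        return action, None
    return action, value  # SHOW and DISABLE keep the stored value


def role_based(user: User, field_name: str, value: str,
               unauthorized: Action = Action.MASK) -> tuple[Action, Optional[str]]:
    """Role-based masking: the only input is whether the user holds the field authorization."""
    if field_name in user.field_auths:
        return render(Action.SHOW, value)
    return render(unauthorized, value)


def attribute_based(user: User, field_name: str, value: str,
                    context: dict, policy: dict) -> tuple[Action, Optional[str]]:
    """Attribute-based masking: same authorization check, but for an unauthorized
    user the action is looked up from a policy keyed on a logical attribute of the
    record (here the assumed tax_type). Records whose attribute has no rule are
    shown unmasked, which is what lets US2 (general data) pass through."""
    if field_name in user.field_auths:
        return render(Action.SHOW, value)
    return render(policy.get(context.get("tax_type"), Action.SHOW), value)


# Constructed sample data (not real vendor records).
VENDORS = [
    {"LIFNR": "0000100001", "STCD1": "123-45-6789", "tax_type": "US1"},  # SSN
    {"LIFNR": "0000100002", "STCD1": "98-7654321", "tax_type": "US2"},   # general tax data
]
SSN_POLICY = {"US1": Action.MASK}  # logical attribute value -> action; US2 has no rule


def demo() -> dict:
    """Run both decision models for an authorized and an unauthorized user."""
    payroll = User("payroll_clerk", frozenset({"LFA1-STCD1"}))
    buyer = User("purchaser", frozenset())
    results = {}
    for v in VENDORS:
        results[("role", buyer.name, v["LIFNR"])] = role_based(buyer, "LFA1-STCD1", v["STCD1"])
        results[("attr", buyer.name, v["LIFNR"])] = attribute_based(
            buyer, "LFA1-STCD1", v["STCD1"], v, SSN_POLICY)
        results[("attr", payroll.name, v["LIFNR"])] = attribute_based(
            payroll, "LFA1-STCD1", v["STCD1"], v, SSN_POLICY)
    return results


if __name__ == "__main__":
    for key, (action, shown) in demo().items():
        print(key, action.value, shown)
```

Note the asymmetry the example makes visible: role-based masking hides the US2 value from the purchaser too, because the decision never looks at the record, while attribute-based masking keeps a single authorization and lets the policy decide per record. The absence of a rule defaulting to SHOW is a deliberate choice in this model; in a real policy you would decide explicitly whether unknown categories should fail open or closed.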
What is not UI Masking?
- UI Masking is not a networking hardware firewall.
- It is not an anti-virus solution or standalone software (it is an add-on).
- It is not an encryption solution rather it is a data hiding/masking solution.
- It is not a solution for data anonymization purposes.
Lastly, UI Masking is not a new technology, but it is an add-on on top of existing SAP ECC and S/4HANA systems. What it delivers:
- Increased data security without increasing the number of roles, and better control over who can view sensitive information in SAP transaction codes, Fiori apps and tables.
- Enhanced security of SAP applications while preserving and strengthening control over sensitive data enterprise-wide; sensitive data is restricted consistently across multiple SAP landscapes, production and non-production systems alike.
- Increased protection of data against theft and abuse, since access is granted only to authorized users.
- Dynamic determination of data access based on context at runtime.
- Better compliance with legal requirements by tracking who accessed sensitive data such as PII, pricing, customer and vendor information.
Further reading: the SAP Community blog posts on field masking for SAP GUI at https://blogs.sap.com/tags/67838200100800005192