UI Data Protection – Applying the “Need to Know” Principle in SAP S/4HANA Defense & Security
Defense organizations must protect their information from both external and internal security threats. To protect against external threats, cyber security best practices are applied on the network, servers, and workstations. This includes end-to-end encryption, in-country protected facilities, biometric login, two-factor authentication, endpoint security and more.
After building a cyber security “wall” around the data, the next step is protecting the data from internal data breaches, whether intentional or unintentional. This is commonly done by only allowing security-cleared personnel to access the network and the various systems such as ERP, Reporting, and document management. On top of that, a compensating “Need to Know” security framework must apply to all systems within the landscape, allowing personnel to access only the information that matches their clearance and that is required to conduct their duties.
The “Need to know” principle can be illustrated using the above example. The commanding officers of Unit B and Unit C are cleared to “Top Secret” level and can access the network, ERP and Reporting systems. The security classification of Unit B is Secret; however, although the Commanding Officer of Unit C holds a higher security clearance, s/he should not be able to access or report on sensitive information related to Unit B, as it is not required to conduct their duty.
UI Data Protection Masking
In the following sections we will review how UI Data Protection can be applied within the SAP S/4HANA Defense & Security Industry Solution to provide Defense organizations with the ability to better protect their ERP data from insider threats. UI Data Protection combines masking and blocking functionality, which masks or hides information on the screen, with a logging solution that monitors and reports on sensitive data access. The focus of this blog will be on UI Data Protection Masking, and it will show how SAP is embracing the Zero Trust principle by concentrating on users and data assets.
Defining the “Need to Know” rules
A clear set of security rules needs to be defined to control data access; this is the first step in the process of applying the data masking security tool set. Keep in mind that the “Need to know” principle applies to all domains used by the organization, as placing information on the higher security domain without applying the “Need to know” data access rules compromises data security. In terms of the rules setup, there are two fundamental sets of questions that need to be answered:
Who needs to know?
The guiding principle here is that a person should only be able to access information that matches their clearance and is required to conduct their duties. In the below example the Quartermaster (QM) of the 114th Battalion needs to perform regular stocktaking on their storage location (SLOC) number A00H. In addition, in case of a shortfall the QM needs to order items from their supplier, the 1st Logistics Battalion. However, the QM should not have visibility into the stock levels of sensitive items held at their suppliers, such as the logistics Battalion or the regional depot. The QM should place a materiel demand on the supplier, who is responsible for fulfilling it either internally or from a vendor.
What do they need to know?
The next step is to define the sensitive data objects and how they should be treated in the system. The below diagram illustrates this concept: if a user is not authorized, the full information on products with Material Group 01 will be masked from all screens and reports, whereas for products with Material Group 02 only the quantity will be masked. In this example a code name is also used in conjunction as an additional measure.
Possible scenarios within SAP S/4HANA Defense & Security
This section will review three possible scenarios based on the set of rules defined above. The scenarios cover several different SAP S/4HANA UI technologies such as SAP GUI, SAP Fiori applications and Web Dynpro screens. It is recommended to have a holistic end-to-end data protection strategy that covers the 360° view of the relevant ERP object. Several different aspects of Explosives Management are provided as an example; this includes the stock overviews, which indicate quantity and location. Purchase requisitions indicate movement of materials and future procurement. Items issued as functional equipment loans to individuals provide an indication of the purpose of the equipment. There are of course other aspects, such as accessing the technical specification documents or the maintenance status of the equipment.
The Quartermaster of the 114th Battalion is running the SAP S/4HANA Defense & Security stock overview report to get the stock holdings of their unit (SLOC A00H) and immediate supplier (SLOC 000Q). As the Quartermaster needs to know the stock level of the “Bumblebee” and “F1 Fragmentation Grenade” to conduct their duty, the materials are visible in their unit’s SLOC. However, there is no visibility of the sensitive materials’ stock levels within the supplier’s storage location (SLOC 000Q).
The following SAP Fiori application for purchase requisition management illustrates the blocking functionality of UI Data Protection Masking. An authorized user can view all of the purchase document items, including sensitive materials. The system can block a specific line if an unauthorized user tries to access the purchasing document. A custom message is displayed to indicate that some line items were blocked from the screen.
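To make the rule set from the “Who needs to know?” and “What do they need to know?” sections concrete, and to show how the stock overview masking and the purchase requisition blocking scenarios above follow from the same rules, here is a small Python model added for this post. It is not SAP code and not the UI Data Protection product’s configuration; the material groups, SLOCs, clearance levels, code names and quantities are constructed sample values that mirror the examples in the text, and the decision that a sensitive line requires “Secret” clearance plus responsibility for the line’s storage location is an assumption made for the model.

```python
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    MASK_ALL = "mask_all"   # hide product identity and quantity
    MASK_QTY = "mask_qty"   # hide quantity only
    NONE = "none"           # not sensitive, show as-is


# "What do they need to know": sensitivity rule per material group.
# Constructed to mirror the post's example (01: everything, 02: quantity only).
SENSITIVITY_RULES = {"01": Treatment.MASK_ALL, "02": Treatment.MASK_QTY}
MASK = "****"

# Assumption for this model: sensitive material groups require SECRET clearance.
CLEARANCE_RANK = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
REQUIRED_CLEARANCE = "SECRET"


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    own_slocs: frozenset   # storage locations the user is responsible for


@dataclass(frozen=True)
class Line:
    material: str
    code_name: str
    material_group: str
    sloc: str
    quantity: int


access_log = []   # stand-in for the logging component the post mentions


def needs_to_know(user, line):
    """'Who needs to know': clearance must be sufficient AND the line must belong
    to a storage location the user is responsible for. A higher clearance on its
    own is not enough, which is the point of the Unit C example in the post."""
    cleared = CLEARANCE_RANK[user.clearance] >= CLEARANCE_RANK[REQUIRED_CLEARANCE]
    return cleared and line.sloc in user.own_slocs


def treatment_for(user, line):
    """Decide how one line is shown to this user and log every protected access."""
    rule = SENSITIVITY_RULES.get(line.material_group, Treatment.NONE)
    if rule is Treatment.NONE or needs_to_know(user, line):
        return Treatment.NONE
    access_log.append({"user": user.name, "sloc": line.sloc,
                       "material_group": line.material_group, "treatment": rule.value})
    return rule


def mask_stock_overview(user, lines):
    """Masking (stock overview): every row stays on screen, but protected fields
    are replaced. For MASK_QTY the code name is shown instead of the description,
    modelling the "code name as an additional measure" from the post."""
    out = []
    for ln in lines:
        t = treatment_for(user, ln)
        if t is Treatment.NONE:
            out.append((ln.material, ln.sloc, ln.quantity))
        elif t is Treatment.MASK_ALL:
            out.append((MASK, ln.sloc, MASK))
        else:
            out.append((ln.code_name, ln.sloc, MASK))
    return out


def block_purchase_requisition(user, lines):
    """Blocking (purchase requisition): unauthorized line items are removed from
    the document entirely and a custom message tells the user that this happened."""
    visible = [ln for ln in lines if treatment_for(user, ln) is Treatment.NONE]
    blocked = len(lines) - len(visible)
    message = f"{blocked} line item(s) were blocked from this screen" if blocked else ""
    return visible, message


# Constructed sample data: code names and quantities are made up for the example.
STOCK = [
    Line("Bumblebee", "BB-7", "01", "A00H", 40),
    Line("Bumblebee", "BB-7", "01", "000Q", 500),
    Line("F1 Fragmentation Grenade", "Thunderclap", "02", "A00H", 120),
    Line("F1 Fragmentation Grenade", "Thunderclap", "02", "000Q", 2000),
    Line("Field Rations", "Field Rations", "99", "000Q", 10000),
]
QM_114 = User("QM 114th Bn", "SECRET", frozenset({"A00H"}))
CO_UNIT_C = User("CO Unit C", "TOP SECRET", frozenset({"C00C"}))


if __name__ == "__main__":
    for row in mask_stock_overview(QM_114, STOCK):
        print(row)
    lines, msg = block_purchase_requisition(QM_114, STOCK)
    print(len(lines), "visible;", msg)
    print(access_log)
```

Running the model for the Quartermaster shows both sensitive materials in A00H with their quantities, the Bumblebee row for 000Q fully masked, the grenade row for 000Q reduced to its code name with the quantity masked, and the non-sensitive rations untouched; the same rules applied to the purchase requisition drop the two 000Q sensitive lines and produce the blocking message. Running it for the Top Secret Commanding Officer of Unit C masks every sensitive row, because need-to-know, not clearance, is the deciding factor.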
Functional Equipment holdings of a person
The personnel equipment holdings are also sensitive by nature: knowing whether the “Bumblebee” is held by a sniper or a diver gives away a certain aspect of its capability. In the below screenshot of the Web Dynpro “Return of Functional Equipment” application, a sensitive material was masked from the personnel equipment holding records of Paul Katzenberg.
UI Data Protection can assist Defense organizations in applying the “Need to Know” principle within their SAP S/4HANA system. The solution adds another layer to the existing SAP S/4HANA Defense & Security authorization concepts, allowing organizations to apply precise information access controls. Using this solution also simplifies the functional system design and reduces the data maintenance burden, for example by avoiding the creation of additional Plants solely to support information security requirements. It is recommended to have a thorough security strategy that covers the 360° security aspects of objects within the SAP S/4HANA system while applying the same rules across all other cloud and on-premise systems in the landscape, such as the Reporting and HR systems. This ensures that users who are not authorized to view sensitive equipment in SAP S/4HANA are also unable to see this sensitive equipment in reports, for example.
As organizations and strategies move to the cloud and embrace benefits like innovation, scaling, and cost savings, many Defense organizations are hesitant to do so because of a lack of compliance with standards such as FedRAMP. UI Data Protection is a security measure that should alleviate some of these hesitations where data confidentiality and integrity are concerned. It provides a means of establishing multiple layers of security without sacrificing timely and reliable access to the information.
- This blog post is based on a system demonstration of applying the “Need to Know” principle in SAP S/4HANA Defense & Security Industry Solution. A full recording can be found in the following link: https://sapvideoa35699dc5.hana.ondemand.com/?entry_id=1_sq9aar2s.
- For additional details and the technical setup of UI Data Protection, please review the blog post “UI data protection masking for SAP S/4HANA” on SAP Blogs.