Human Resources (HR) data is one of the most sensitive forms of information any organization maintains. Learn about security technologies for your SAP environment that can protect your data wherever it may go.
HR Security in SAP: Securing Data Beyond HCM Authorizations
1. Securing SAP HR Data Beyond
HCM Authorizations
A presentation by
2. HR documents contain confidential
information including:
• Social Security Numbers
• Driver's License Numbers
• Date of Birth
• Bank details
• Payroll
This information needs to be highly protected
4. HR Data is Constantly on the Move
HR Data is exported from SAP
– Reporting
– Data crunching
– Analysis
Cloud & Mobility
– Explosion of cloud services
and providers
– BYOD: are you losing track of
your data?
5. Not only that but…
• Companies are required to abide by compliance
regulations, such as:
– HIPAA
– SOX
– Safe Harbor
6. What is SAP HR
• Human Resources Management Software
– On premise and cloud solutions
– Recruit, hire, fire talent
– Local laws and regulation compliance
– Standardize payroll
– Manage attendance, schedules, and vacation time
– Support core business operations
7. The Landscape
• SAP’s HCM Module
– Data is stored on-premise
– Accessible by everyone with access to the server
• SuccessFactors
– Data is stored in the cloud
– Data can be shared and manipulated by anyone –
no tracking
• Hybrid
– Data is stored both on-premise and in the cloud
– Data moves between the two with no protection
10. SAP HR Security
• 3 main security features
– Infotypes
– Structural Authorizations
– Personnel Number Restrictions
11. Infotypes
• Units containing master data in SAP HR
• Used in recording employee data, payroll data, and
administrative data
• Creates fields and groups them together and enables
time-dependent storage
• Infotype restrictions are extremely important since
master data is the core of HR data and needs to be
restricted.
12. Structural Authorizations
• The data a user can access can be restricted by using
either
– Enterprise Structure: Groups/Departments, Codes,
Individual user files
– Organizational Structure: Common areas, overall use of
the system
• Structural authorizations allow restrictions to be
configured on the organizational structure.
13. Personnel Number Restrictions
• Users can be restricted using the authorization object
P_PERNR to only accessing infotypes regarding their
own personal data
– For example: checking your own hours or schedule
– Known as ESS (Employee Self Service)
• Personnel Number Restrictions can allow HR admin to
access employee data while preventing them from
viewing their own
– For example: Remove the capability to change own hours
worked
14. Data needs to be protected inside &
outside of company walls
SafeNet. (2014, April 17). First Quarter Recap 2014. Retrieved May 19, 2014, from Breach Level Index:
www.breachlevelindex.com
15. Look Familiar?
Much of this information is commonly found amongst HR data
2010 Javelin Strategy and Research
16. How it is used
More often than not, the information is used in millions of identity fraud incidents
17. How did they get the data?
Unprotected data and insecure data movement leave PII (Personally Identifiable Information) vulnerable
22. Extend Protection Beyond
Boundaries of SAP
Employees
File Server
Employees can also upload sensitive data to cloud platforms for collaboration, without regard to security.
28. Protecting SAP NetWeaver
Protect data inside of SAP
– Roles & Authorizations
• Check HCM Authorizations in new and existing roles
• Review PLOG in existing roles
• Restrict OTYPE
• Check P_ABAP in existing roles
Extend protection to data leaving SAP
– Authorizations need to be extended to wherever the data
goes
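One way to run the role checks listed on this slide offline, as an added example that is not part of the original presentation: the script reads a CSV laid out like an export of the role authorization table AGR_1251 and flags unrestricted OTYPE in PLOG, any P_ABAP grant, and write access to every infotype in P_ORGIN. The role names and rows are constructed, the CSV column layout is an assumption, and the reading of COARS (2 means HR master data checks are skipped for the report) comes from standard SAP documentation rather than from the slides.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows, laid out like an export of table AGR_1251
# (authorization values per role). Role and report names are invented.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_HR_REPORTING,PLOG,T_001,OTYPE,*,
Z_HR_REPORTING,PLOG,T_001,INFOTYP,1000,1001
Z_HR_REPORTING,P_ABAP,T_002,REPID,*,
Z_HR_REPORTING,P_ABAP,T_002,COARS,2,
Z_HR_ADMIN,PLOG,T_003,OTYPE,O,
Z_HR_ADMIN,PLOG,T_003,OTYPE,S,
Z_HR_ADMIN,P_ABAP,T_004,REPID,ZHR_HEADCOUNT,
Z_HR_ADMIN,P_ABAP,T_004,COARS,1,
Z_PAYROLL,P_ORGIN,T_005,INFTY,*,
Z_PAYROLL,P_ORGIN,T_005,AUTHC,W,
Z_ESS,P_ORGIN,T_006,INFTY,*,
Z_ESS,P_ORGIN,T_006,AUTHC,R,
"""

def load_authorizations(export_text):
    """Group field values by (role, object, authorization instance)."""
    auths = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["AGR_NAME"], row["OBJECT"], row["AUTH"])
        auths[key][row["FIELD"]].add(row["LOW"].strip())
    return auths

def audit_roles(export_text):
    """Return sorted (role, object, reason) findings for the slide's checks."""
    findings = set()
    for (role, obj, _auth), fields in load_authorizations(export_text).items():
        if obj == "PLOG" and "*" in fields["OTYPE"]:
            findings.add((role, obj, "OTYPE is unrestricted"))
        elif obj == "P_ABAP":
            # Assumption: COARS=2 means no HR master data checks in the report.
            scope = "all reports" if "*" in fields["REPID"] else "listed reports"
            if "2" in fields["COARS"]:
                findings.add((role, obj, f"HR checks skipped for {scope}"))
            else:
                findings.add((role, obj, f"simplified checks for {scope}"))
        elif obj == "P_ORGIN" and "*" in fields["INFTY"]:
            if fields["AUTHC"] & {"*", "W"}:
                findings.add((role, obj, "write access to every infotype"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_EXPORT):
        print(*finding, sep=" | ")
```

Values are evaluated per authorization instance (the AUTH column), so a wildcard REPID only counts against the COARS value granted alongside it.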
31. Traditional Security Solutions
• Network
– Data Loss Prevention (DLP)
– Firewalls
– Virtual Private Network (VPN)
• Storage
– Full Disk Encryption (FDE)
– Database Encryption
• File
– Pretty Good Privacy (PGP)
– Information Rights
Management (IRM)
Latest technologies apply protection at the file/data level, which results in persistent security no matter where the file travels to
33. Rights Management (RMS) are offerings from Microsoft that help keep an organization's information SECURE
Microsoft is the leader in file/data-centric protection
39. HR and Other Documents are Protected
• Inside and outside the organization
• At a single location
• And when moving amongst various locations
Partner
On premise
Shared
Collaboration
40. Fine-grained control
• Content owners can define who can
– Open the document
– Edit the contents
– Print the document
– Forward to anyone, internal or external
– Take other actions with the information
42. Halocore for SAP NetWeaver
• Innovative: Enforces RMS protection on all data leaving SAP
• Secure: Determines what users are authorized to access sensitive data
• Customizable: Offers fine-tuned control over who can do what with
information (view, edit, print, forward, etc.)
• Flexible: Works for any file type
• Powerful: Protection persists beyond SAP, including mobile platforms
46. Not Sure Where to Start?
• Download FREE audit tool for SAP to monitor HR and
other sensitive data movement
• Monitor the activities surrounding your information
– Track, record and classify data movement
– Identify who accesses it
– From where they access it (IP address & terminal)
– Where they send it to
– Extract data for analysis