Human Resources (HR) data is one of the most sensitive forms of information any organization maintains. Learn about security technologies for your SAP environment that can protect your data wherever it may go.

1. Securing SAP HR Data Beyond
HCM Authorizations
A presentation by

2. HR documents contain confidential
information including:
• Social Security Numbers
• Drivers License Numbers
• Date of Birth
• Bank details
• Payroll

3. HR documents contain confidential
information including:
• Social Security Numbers
• Drivers License Numbers
• Date of Birth
• Bank details
• Payroll
This information needs to be highly protected

4. HR Data is Constantly on the Move
4
HR Data is exported from SAP
– Reporting
– Data crunching
– Analysis
Cloud & Mobility
– Explosion of cloud services
and providers
– BYOD: are you losing track of
your data?

5. Not only that but…
• Companies are required to abide by compliance
regulations, such as:
– HIPAA
– SOX
– Safe Harbor

6. What is SAP HR
• Human Resources Management Software
– On premise and cloud solutions
– Recruit, hire, fire talent
– Local laws and regulation compliance
– Standardize payroll
– Manage attendance, schedules, and vacation time
– Support core business operations

7. The Landscape
• SAP’s HCM Module
– Data is stored on-premise
– Accessible by everyone with access to the server
• Success Factors
– Data is stored in the cloud
– Data can be shared and manipulated by anyone –
no tracking
• Hybrid
– Data is stored both on-premise and in the cloud
– Data moves between the two with no protection
7

8. The Landscape
• SAP’s HCM Module
– Data is stored on-premise
– Accessible by everyone with access to the server
• Success Factors
– Data is stored in the cloud
– Data can be shared and manipulated by anyone –
no tracking
• Hybrid
– Data is stored both on-premise and in the cloud
– Data moves between the two with no protection
8

9. The Landscape
• SAP’s HCM Module
– Data is stored on-premise
– Accessible by everyone with access to the server
• Success Factors
– Data is stored in the cloud
– Data can be shared and manipulated by anyone –
no tracking
• Hybrid
– Data is stored both on-premise and in the cloud
– Data moves between the two with no protection
9

10. SAP HR Security
• 3 main security features
– Infotypes
– Structural Authorizations
– Personnel Number Restrictions

11. Infotypes
• Units containing master data in SAP HR
• Used in recording employee data, payroll data, and
administrative data
• Creates fields and groups them together and enables
time-dependent storage
• Infotype restrictions are extremely important since
master data is the core of HR data and needs to be
restricted.

12. Structural Authorizations
• The data a user can access can be restricted by using
either
– Enterprise Structure: Groups/Departments, Codes,
Individual user files
– Organizational Structure: Common areas, overall use of
the system
• Structural authorizations allow restrictions to be
configured on the organizational structure.

13. Personnel Number Restrictions
• Users can be restricted using the authorization object
P_PERNR to only accessing infotypes regarding their
own personal data
– For example: checking your own hours or schedule
– Known as ESS (Employee Self Service)
• Personnel Number Restrictions can allow HR admin to
access employee data while preventing them from
viewing their own
– For example: Remove the capability to change own hours
worked

14. Data needs to be protected inside &
outside of company walls
SafeNet. (2014, April 17). First Quarter Recap 2014. Retrieved May 19, 2014, from Breach Level Index:
www.breachlevelindex.com

15. Look Familiar?
Much of this
information is
commonly found
amongst HR
data
2010
Javelin
Strategy
and
Research

16. How it is used
More often then
not, the information
is used in millions
of identity fraud
incidents

17. How did they get the data?
Unprotected
data and
unsecure data
movement
leaves PII
(Personally
Identifiable
Information)
vulnerable

18. Extend Protection Beyond
Boundaries of SAP
Data is protected when it is stored in SAP

19. Extend Protection Beyond
Boundaries of SAP
Once the data leaves SAP, it no longer has the protection

20. Extend Protection Beyond
Boundaries of SAP
Employees
Employees use the
information in everyday
job-related activities

21. Extend Protection Beyond
Boundaries of SAP
Employees
File Server
They store the
information in various
locations

22. Extend Protection Beyond
Boundaries of SAP
Employees
File Server
Employees can also upload sensitive data to
cloud platforms for collaboration, without
regards to security.

23. Extend Protection Beyond
Boundaries of SAP
Partner
Employees
File Server
The data can be shared with partners

24. Extend Protection Beyond
Boundaries of SAP
Competitor
Partner
Employees
File Server
And also forwarded to competitors

25. Extend Protection Beyond
Boundaries of SAP
Competitor
Partner
Employees
File Server
ALL
HAPPENING
WITHOUT
PROTECTION

26. HR Data Needs Protection

27. EVERY
WHERE
IT
GOES!

28. Protecting SAP NetWeaver
Protect data inside of SAP
– Roles & Authorizations
• Check HCM Authorizations in new and existing roles
• Review PLOG in existing roles
• Restrict OTYPE
• Check P_ABAP in existing roles
Extend protection to data leaving SAP
– Authorizations need to be extended to wherever the data
goes
28

29. Traditional Security Solutions
Network
• Network
– Data Loss Prevention (DLP)
– Firewalls
– Virtual Private Network (VPN)

30. Traditional Security Solutions
Network
Storage
• Network
– Data Loss Prevention (DLP)
– Firewalls
– Virtual Private Network (VPN)
• Storage
– Full Disk Encryption (FDE)
– Database Encryption

31. Traditional Security Solutions
• Network
– Data Loss Prevention (DLP)
– Firewalls
– Virtual Private Network (VPN)
• Storage
– Full Disk Encryption (FDE)
– Database Encryption
• File
– Pretty Good Privacy (PGP)
– Information Rights
Management (IRM)
Network
Storage
File
Latest
technologies
apply
protecCon
at
the
file/data
level,
which
results
in
persistent
security
no
maLer
where
the
file
travels
to

32. Rights Management (RMS) are offerings from Microsoft
that help keep an organizations information
Microsoft is the leader in the file/
data centric protection

33. SECURE
Rights Management (RMS) are offerings from Microsoft
that help keep an organizations information
Microsoft is the leader in the file/
data centric protection

34. Data-centric protection
Protection is applied directly to the data and documents

35. Data-centric protection
Protection is applied directly to the data and documents
Wherever the data is moved

36. Data-centric protection
Protection is applied directly to the data and documents
Wherever the data is moved
THE PROTECTION STAYS WITH IT

37. HR and Other Documents are
Protected
• At a single location
On
premise

38. HR and Other Documents are
Protected
• Inside and outside the
organization
• At a single location
Partner
On
premise
Shared

39. HR and Other Documents are
Protected
• Inside and outside the
organization
• At a single location
u And when moving amongst various locations
Partner
On
premise
Shared
CollaboraCon

40. Fine-grained control
• Content owners can define who can
– Open the document
– Edit the contents
– Print the document
– Forward to anyone, internal or external
– Take other actions with the information

41. Can RMS data-centric protection be
extended to SAP HR data?

42. Halocore for SAP NetWeaver
• Innovative: Enforces RMS protection on all data leaving SAP
• Secure: Determines what users are authorized to access sensitive data
• Customizable: Offers fine-tuned control over who can do what with
information (view, edit, print, forward, etc.)
• Flexible: Works for any file type
• Powerful: Protection persists beyond SAP, including mobile platforms

43. Auditing Capabilities –
Customizing your view

44. Auditing Capabilities –
The Log File

45. FOR MORE INFORMATION
Click the link below to learn how Halocore for SAP NetWeaver can
protect your confidential HR information, no matter where it goes.

46. Not Sure Where to Start?
• Download FREE audit tool for SAP to monitor HR and
other sensitive data movement
• Monitor the activities surrounding your information
– Track, record and classify data movement
– Identify who accesses it
– From where they access it (IP address & terminal)
– Where they send it to
– Extract data for analysis

47. DOWNLOAD FREE
AUDIT TOOL NOW
Click HERE

48. PRESENTATION BY
Tweet us @secude
Contact us info@secude.com