Customized Masking
Attribute-based data masking protects ERP data and reduces compliance risks
By default, SAP ERP offers no masking functions for precise anonymization in its views. Unhindered data disclosure therefore represents a huge attack surface. Add-ons and solutions exist from SAP and third-party vendors, but significant challenges remain. This is where attribute-based data masking comes in.
With progressive internationalization, and especially since the coronavirus pandemic and the frequent use of home offices, process-relevant but sensitive data is increasingly in danger of being viewed by external or internal observers whose insight is neither necessary nor desired, either in the given situation or in general. Three examples: If an employee in the HR department works from abroad and maintains master data, only the absolutely necessary fields should be visible so that no outsider inadvertently gains insight into sensitive data. If a salesperson works with master data to create quotations, they must be able to find the right product in the master record and see the right packaging unit and the container, but not know all purchase prices. A packer must of course know which package to take based on the material master number, but does not need to know in detail what the contents are.
Data masking is not just about reducing abusive views (fraud) of personal data, or about pure anonymization and pseudonymization of personal and address data; it is broader. Ultimately, all types of data can be masked. The goal of masking original data is so-called data loss prevention: solving the problem of data theft, data misuse or other forms of data crime by changing the views of the database itself. Basically, it is about protecting data that is necessarily there but that you don't want everyone to see, and about limiting views to situationally relevant information. This still poses some challenges for most SAP and third-party data masking solutions because they operate purely at the permission level. Static masking policies do not take the context of access risk into account and force a trade-off between data security and accessibility.
Privileged users can access sensitive data fields even if this is not required or desired in a specific context. Data masking add-ons also require customizations to be replicated in each field of the application, resulting in a non-scalable ad hoc solution. Unlike such off-the-shelf masking solutions, the Pathlock approach centralizes data masking enforcement in SAP into a single rule set to define and mask data across the application. It requires no further customization of SAP for implementation, and it additionally leverages dynamic policies that incorporate risk context to protect sensitive data more precisely.
Freely configurable attributes
An attribute-based masking function thus means fine-grained control over what information is masked for a particular user in a particular situation. This is particularly important when a multinational company wants to prevent abusive views. Data is then masked, for example, for accesses from countries that are not company locations, for accesses that originate from remote workstations outside the network, from unknown IP addresses or from VPNs, or for accesses that take place outside the respective business hours or other plausible times. Content that is actually readable and permitted for the role is thus not visible, depending on the values of freely configurable attributes such as the user, the IP address, the time, countries or locations, the type of access (remote work from outside or access within the network) or the network type (such as VPN). If access is made with unusual parameters, data that is unnecessary for the specific case will also not be readable, depending on the attribute.
Different criticality
This cannot be implemented using user authorizations alone, and it takes into account the different criticality of master data such as personnel, location and logistics data as well as supplier information or parts lists, purchase prices and recipes. Attribute-based data masking means improved protection of sensitive company data through fine-grained restriction of views. In addition to authorization protection, the policy-based dynamic masking function of the centralized and scalable masking solution thus offers customizable control over which sensitive data fields are masked for a specific user in a specific situation. By implementing full or partial masking of a data set, the solution minimizes the risk of a data breach and also meets encryption and anonymization requirements, such as those of regulatory agencies. Because sensitive data is filtered out without further adjustments to SAP, there is no additional maintenance effort.
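The decision described under "Freely configurable attributes" and "Different criticality", sketched in Python as an added example; it is not Pathlock's or SAP's code. The attribute names, country list, network range, business hours, criticality levels and sample record are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Everything below is constructed for illustration (hypothetical policy values).
COMPANY_COUNTRIES = {"DE", "US"}
CORPORATE_NETS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# 1 = never masked, 2 = partial mask on one risk signal, 3 = full mask on any signal
FIELD_CRITICALITY = {"material_no": 1, "packaging_unit": 1,
                     "supplier": 2, "purchase_price": 3}
SAMPLE = {"material_no": "M-100234", "packaging_unit": "PAL",
          "supplier": "Acme GmbH", "purchase_price": "12.40"}  # constructed record

@dataclass(frozen=True)
class AccessContext:
    user: str
    source_ip: str
    country: str
    via_vpn: bool
    local_time: time

def risk_signals(ctx):
    """List the access attributes that deviate from the expected context."""
    signals = []
    if ctx.country not in COMPANY_COUNTRIES:
        signals.append("foreign_country")
    if not any(ip_address(ctx.source_ip) in net for net in CORPORATE_NETS):
        signals.append("outside_network")
    if ctx.via_vpn:
        signals.append("vpn")
    if not BUSINESS_HOURS[0] <= ctx.local_time <= BUSINESS_HOURS[1]:
        signals.append("outside_hours")
    return signals

def mask_value(value, mode):
    """Fixed-width masks so the output does not reveal the value's length."""
    if mode == "clear":
        return str(value)
    return (str(value)[:2] if mode == "partial" else "") + "****"

def masked_view(record, role_fields, ctx):
    """Role authorization selects the fields; context decides how each is shown."""
    risky = len(risk_signals(ctx))
    view = {}
    for field in role_fields:
        crit = FIELD_CRITICALITY.get(field, 3)  # unknown fields count as most critical
        if risky == 0 or crit == 1:
            mode = "clear"
        else:
            mode = "partial" if crit == 2 and risky == 1 else "full"
        view[field] = mask_value(record[field], mode)
    return view
```

The same user with the same role sees `purchase_price` in clear text from the office network during business hours, and `****` as soon as one attribute is unusual, which is the behaviour that a purely authorization-based rule cannot express.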