SAP UI Data Security SAP

UI Logging and UI Masking solutions Innovative

Business
Tobias Keller, Product Manager Solutions
PUBLIC

2018-08-01
 01010100101010100
10100101001011000
10010101011011100
Data Protection & 10010101000101110
01101010101001010
10100101010010101
01001010101001010
01010010110001001
the Insider 01010110111001001
01010001011100110
UI Data Security – driving factors
Compliance & financial risk of data security breaches

data security threat

valuable business
personal information
information

political commercial
motivation: motivation:
protection of protection of the
individuals organization

internal requirements
legal requirements
(decrease of financial
(compliance)
risk)
© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 3
Public
UI Data Security
Data protection requirements

legal requirements – internal requirements –

protection of individual protection of business
information critical data assets

• deteriorating competitive situation (recipes

• increasing number and severity of data stolen, employees poached, customer
protection regulations worldwide (EU-GDPR, contacts leaked, supplier prices
HIPAA, PIPEDA, PIPA, SOX, DPA…) publicized…)
• commonly protecting personal information • lost trust = lost business
(employees, customers, suppliers…) (customers, suppliers, financial markets…)
• rising compliance infringement cost • efficiency impact
(discovery, fines, litigation; personal fines) (countermeasures, suspicious employees;
management stability…)

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 4

Public
UI Data Security – the threat from inside
A threat vector often underestimated – but substantial and difficult to tackle

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 5

Public
Two step approach
UI Data Security: two step approach to protect data from insiders

UI Masking UI Logging

to conceal specific data (values in to keep data accessible, but log & analyze
fields/columns) – unless required for tasks access, to identify adequate path of action
The solution provides a detailed, structured data access
The solution masks sensitive (configured) values per
log and allows for analysis who exactly received which
default; unmasking requires explicit access rights (on
data (output), how (input), and in which context (IP…)?
top of existing role/authorization setup)

 make data elements unavailable for data abuse  prevent illegitimate data access and theft
(opportunistic and targeted) by inducing compliant behavior
 identify & prove irregular data access

“the speed limiter” “the speed camera”

• awareness for data security (“human firewall”)  protect employees by decreasing inadvertent breaches
• top-of-class protection measures  trust (employees, customers, and investors)
© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 7
Public
High level solution architecture (example: SAP GUI)
• UI Masking and UI Logging can be used individually or jointly, depending on the required functionality
• add-ons to SAP NetWeaver – modification free installation, secure server-based functionality with minimal
performance impact

SAP UI (user) SAP Backend System

masked data apply masking rules UI Masking

original data configuration & BAdIs

Dynpro Processor Business Logic Database Layer

Request

Response

UI Logging
observed data asynchronous call of
traffic log & filtering service

Alert (e.g. email) SAP Enterprise Threat Detection Log Analyzer

(additional offering)

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 8

Public
Coverage: 10 “channels” (Q1/2018)

UI technology UI Masking UI Logging

SAP GUI for Windows / HTML / Java ✓ ✓

WebDynpro ABAP ✓ ✓
CRM Web Client UI ✓ ✓
RFC/BAPI and Web Services project based ✓
BW Access (BEx Web/Analyser, BW-IP, BICS, MDX) project based ✓
UI5/Fiori ✓ ✓

• Based on SAP NetWeaver (cf. RCS Availability Matrix or contact product management for detailed requirements)
• Available for ECC, HEC, Suite on HANA, S/4HANA, “SAP S/4HANA Cloud, private option”
• Maintenance: integrated into standard maintenance, planned until end 2025
• Enhancements and adaptations can be delivered on request

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 9

Public
Implementation – exemplary

• Implementation effort, based on experience for a typical scope and requirements:

• Per material code 20-25 days for configuration, plus similar for test efforts.
• Effort drivers: mainly relevant in UI Masking –bigger scopes and more heavy usage of BAdIs (to add
specific business logic) are expected to increase efforts/project runtime.

• SAP service options:

Service option 1: enablement/jump start
• Set-up workshop for requirements, installation support, baseline configuration, KT and Ramp
Up session. Effort: commonly 5 PD per channel, duration ca. 1-2 weeks, preferably onsite.
Service option 2: implementation
• As above, but also implementation of functional scope, test support, go-live support.
Effort ca. 20 – 25PD per channel; preferably 1 week onsite; then remote.
• Goal: Enablement of a customer resource to handle future changes in requirements and
configuration.

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 10

Public
Key points to take away
High impact, low TCO

Specific coverage of the “insider” risk

compliance up, risk exposure down

• Innovative & unique functionality for SAP screens/applications

• “right size” of coverage

• Secure, performant, future proof

• quick implementation
© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 11
Public
UI Masking
Key functionality: field masking in SAP screens
Generic data masking in
supported UI
technologies –
enabling anonymization
(de-personification) in
business transactions,
technical transactions,
download/print, etc.

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 13

Public
UI Masking
In a nutshell

What is UI Masking?
• Sensitive data are masked on the server side and editing is blocked in SAP user interfaces; resulting in consistent
protection also in table display, value help, export, download, print etc.
• provides unmasked data to specifically authorized users/roles only – on top of existing authorization system (PFCG)
• Small-scale, auditable, archivable “access trace” in case of access to protected data fields
How does it work?
• Extensive configuration options on field level:
• Which fields are masked in which way – including mass configuration report for a quick start.
• Which users/roles are shown clear data
• Which accesses are traced
• Complex business logic (e.g. attribute based masking, based on SAP-internal attributes) can be implemented via BAdI
• Highly performant – minimal system requirements

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 14

Public
UI Masking
Configuration: two simple steps…
1. Define fields to be masked, and rules
• Define which field are masked.
• Configure on field level how a field is displayed. Define
on digit base whether and how data are masked.
© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC
2. Register authorized users per field
• In transaction PFCG, assign users to the UI Masking
authorization a role.
• Users assigned to these roles will be able to see
unmasked values for the applicable fields
• BAdIs available to introduce customized business logic
determining who has access
15
Public
UI Masking
…resulting in masked data

3. Result: data masking

Data is masked in GUI transaction display for

un-authorized users.

This also affects high-level “admin” system

users (in dynamic transactions, e.g. SE11,
SE12, SE16, SE16n) – unless they are explicitly
authorized for a field

UI Masking also protects data during

download, export, and print

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 16

Public
UI Masking
Case study: data masking in SE16, SE16n, SE11, etc.

Please note: the following sequence is to exemplify how UI

Masking config technically works
The actual config creation would be mainly taken over by a
mass configuration utility included in the product.
• Create a new entry in the general masking config transaction for the
field to be masked, here end date.
• Next to table and field name, set the role required for unmasked
access and choose when to write a trace (always, never, only if
unmasked). Further details can be configured (which digits should be
masked in which way, etc. )
• These settings are sufficient to activate masking of data in lists and
ALV grids, as exemplified for transaction SE16n (in case of conversion
exit based masking, also business transactions are covered).
• In edit mode for such table views, the masked values are offered in
display mode only (or are being hidden).
• Data masking also applies to export/ download and print of relevant
data.
• The option to generate conversion exits allows to determine which of
the available technologies to employ for masking.

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 17

Public
UI Masking
Usage Example: Masking in dynpro-UIs

• For masking of data fields in Dynpro views (generated programmatically) without

conversion exits, the configuration needs to be enriched with the relevant program
names and UI number.
• A given database field can be utilized by different programs for different Dynpro
transactions, all of which need to be identified for consistent masking results.
• This task is mainly taken up by a mass configuration report.
• With these settings, data in a Dynpro field can be masked in a
modification free approach. In this example, the field content is
being replaced by stars over the whole length of the field.
Protected fields are also offered in display mode, even if the
user switches to edit mode.

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 18

Public
UI Masking
Access trace

• UI Masking trace functionality gives an overview

which data (on technical level) were requested per
user, and what information was actually displayed.

• UIM trace functionality is a purely technical trace,

holding no context information – which
differentiates it strongly from the UI Logging log file
(which is far more detailed, contains context and
meta data of the access – making UI Logging an
excellent basis for meaningful analysis what data
were accessed by whom, and how).

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 19

Public
UI Masking: Benefits for GDPR requirements

Benefits: Data De-personification & Data Minimization

• Decrease the risk of leaking sensitive data
• Hide information “not required for the job” (principle of data minimization)
• Hide (sensitive) personal information
• Consistent protection, also for download and printouts
• De-personize information – allowing to further processing (test scenarios, data export)

• Potential alternative to data “blocking” (based on customer feedback)

• Cost effective alternative to “Information Lifecycle Management” based data blocking (ILM is the SAP
strategic solution enabling customer to comply with GDPR data blocking requirements)
• Keeps reports/aggregates accurate

 Support requirements relating to “privacy by default” and “privacy by design”

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 20

Public
UI Masking
Success Story: CF Industries, Chemicals (US)

A take on what other customers think:

Check out CF Industries' experience!

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 21

Public
UI Logging
Key functionality: log, notice, analyze

1. Log data 3. in-depth 4. Aggregate &

access analysis detect (ETD, …)

2. Automatic
alert

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 23

Public
UI Logging: Functional Highlights

Benefits: Data Anonymization & Data Minimization

• Data access transparency
• Logging based on roundtrips (frontendserverfrontend)
• Protocol of user input and actions
• Detailed and comprehensive protocol of data a user actually received
• Data base accesses are implicitly logged (search / read / store / update)
• Meaningful usage of the log –real time alerts, on-demand investigation, automated analysis with
ETD

• Lightweight, uncomplicated, secure solution

• Rapid and efficient implementation, no changes to system functionality
• Optimal performance of logging in the background  minimal impact on system resources
• Strong filtering and archiving functions  optimized log file size, omit potentially sensitive data values
• Encryption and recursive logging of log file access  further protection of sensitive data

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 24

Public
 UI Logging
The log – the key element of UI Logging

• Logging based on roundtrips (frontendserverfrontend)

• filtering options to control log file size
• efficient analysis: log data organized with unique <name> value pairs
• on demand: detailed analysis of log file via Log Analyzer
• real time: configurable alerts/notifications
• automated: integrated with ETD  usable as powerful data source

transaction: PA30
“Maintain HR Data”

Infotype 8
“Basic Pay”

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 25

Public
UI Logging
Log record analysis with UI Logging “LogAnalyzer”

Set of filters for retrieving relevant log entries

More specific “questions”  more specific (and meaningful) answers!

generic section (UIL meta information); can be used

e.g. for a chronological list of all actions of a given
user, IP, or machine; or for listing all accesses to a
specific field/value, in a given period/system etc.

additional filter criteria for installed UIL channels

on the UI channel level, the most details can be

maintained for strongest indications (“list of all
accesses to the CEO’s salary information”)

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 26

Public
UI Logging
Alerting scenario: configurable mail notification for critical data access

data access temporary log file

email alert

alerting definition message definition

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 27

Public
UI Logging
Integration with Enterprise Threat Detection: transfer of log to ETD

temporary log file external repository

Configuration (technology/UI channel specific)

No Transfer to ETD

Temp. Log relevant for Alerting

Ext. Repository relevant for Alerting

Temp. Log

Ext. Repository

Transfer Log to ETD (call standard TA SECM_LOG_2_ESP)

ETD System

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 28

Public
UI Logging: Benefits for GDPR

Benefits: Data Access Transparency and Reduction of Data Access

• Compliance mandate: where you need to keep (personal) data accessible, you need to log access
to be able to comply with notification duties in case of a breach – and quickly (“72 hours”)
• Ability to decide on and provide a breach notification in time (72h) and in quality (concerned data objects,
and afflicted persons)
• Ability to identify (and stop) the person(s) responsible for a data leak
• effective co-operation with authorities in case of review
• Key element to successful logging: not only creating, but being able to leverage a log to identify
unauthorized, non-compliant or malicious activity
• automated controls to be warned in case of dubious data access
• manual controls to review the logs periodically and in-depth
• Builds a psychological barrier against non-task related data access
• decreases the probability and magnitude of data leaks
• soft factor “data minimization”
© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 29
Public
UI Logging
Success Story: Hannover Medical School (Germany)

A take on what customers think:

Check out Hannover Medical School's experience!

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 30

Public
Contact us
Tobias Keller
Product Manager UI Data Security mail product management
uilogging@sap.com
uimasking@sap.com
SAP Innovative
Business Solutions

T +49 6227-7-74995
E tobias.keller@sap.com

http://www.sap.com/innovbizsolutions
© 2018 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components
of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated
companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are
set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this docume nt or any related presentation, or to develop or release
any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products,
and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The
information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various
risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements,
and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trade marks of SAP SE (or an SAP affiliate company)
in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companie s.
See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.