Beyond Compliance: Securing SAP S/4HANA Projects with Best-Practice Data Anonymisation
With the 2027 deadline approaching, SAP S/4HANA transformations are moving out of the planning phase and into the implementation phase. Along with this, SAP customers and system-integration partners are raising concerns about managing PII data during the process.
PII data.
Typically, as SAP S/4HANA DEV and QA Systems are stood up, production data is migrated into these systems.
Sensitive data in DEV and QA systems presents several serious issues for those concerned with PII data access.
DEV and QA Systems rarely carry the same level of security as production systems. It is estimated that non-production environments encompass about 80% of an enterprise’s potential entry points for attackers.
Developers, testers, and others who normally wouldn’t be authorized to have access to this kind of data will have access. This could be internal employees, third-party employees, or offshore contractors.
Why this matters.
Access risk is often cited as the weakest link in the SAP security chain. Bad actors often gain access through stolen credentials. If the stolen credentials provide access to DEV or QA Systems, then the PII data is at risk.
However, it’s not just an access issue, it’s also a compliance issue.
In most industries, PII data access is regulated. The fact that unauthorized individuals, or teams of individuals, may have access to PII data puts the company into non-compliance.
In some industries, companies are not allowed to have offshore entities or individuals accessing any sensitive data, not just PII data. This is certainly true for those in Australia responsible for critical infrastructure, e.g. utilities.
Data anonymisation - a straightforward fix
Anonymising SAP non-production data immediately resolves these issues.
Once anonymised, it doesn’t matter who sees the data, who accesses the data, or where the data is accessed.
All PII data regulations are complied with, and the real data is safe.
Best practice anonymisation
SAP data anonymisation comes in various forms and is achieved using several different methods.
There are several best practices to consider when selecting a method.
Firstly, the method must preserve the integrity of the data: each field value is masked the same way every time.
The method must also generate realistic but fictitious test data: data that is useful for testing but of zero value to thieves, hackers and prying eyes.
Thirdly, the method must ensure the algorithms are designed such that once data has been masked, the process is irreversible.
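As an added illustration of the three criteria above (this is example code, not code from the page, from Libelle, or from Leg Up Software), the following Python routine masks PII with a keyed one-way hash so that the same value masks identically in every table (integrity), the output looks plausible (realistic but fictitious), and the mapping cannot be reversed. The table layout, field names and name vocabulary are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List

# Constructed vocabulary for realistic-looking, fictitious names (assumption, not a vendor list).
FIRST_NAMES = ["Alex", "Maria", "Chen", "Priya", "Liam", "Fatima", "Noah", "Aiko"]
LAST_NAMES = ["Walker", "Nguyen", "Schmidt", "Okafor", "Rossi", "Patel", "Kowalski", "Santos"]


def keyed_digest(field: str, value: str, key: bytes) -> int:
    """Keyed one-way digest of a field value.

    Integrity: the same (field, value, key) always yields the same number, so a
    customer name masks identically in every table and every run with that key.
    Irreversibility: HMAC-SHA256 cannot be inverted, and once the key is discarded
    after the run nobody can even re-derive the real-to-masked mapping.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def mask_name(value: str, key: bytes) -> str:
    """Map a real name to a fictitious but plausible 'First Last' name."""
    n = keyed_digest("name", value, key)
    return f"{FIRST_NAMES[n % len(FIRST_NAMES)]} {LAST_NAMES[(n >> 16) % len(LAST_NAMES)]}"


def mask_email(value: str, key: bytes) -> str:
    """Map a real e-mail address to a syntactically valid address on a reserved domain."""
    n = keyed_digest("email", value, key)
    return f"user{n % 100000:05d}@example.invalid"


Masker = Callable[[str, bytes], str]


def anonymise(tables: Dict[str, List[dict]], pii: Dict[str, Masker], key: bytes) -> Dict[str, List[dict]]:
    """Apply the per-column maskers to every row of every table; non-PII columns pass through."""
    return {
        name: [{col: pii[col](val, key) if col in pii else val for col, val in row.items()} for row in rows]
        for name, rows in tables.items()
    }


# Constructed sample: two non-production tables that both carry the same person (assumption).
SAMPLE = {
    "customers": [{"id": "C001", "name": "Jane Doe", "email": "jane.doe@corp.example", "country": "AU"}],
    "contacts": [{"customer_id": "C001", "name": "Jane Doe", "role": "Billing"}],
}
PII_FIELDS = {"name": mask_name, "email": mask_email}

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per run and never stored, so the mapping cannot be undone
    print(anonymise(SAMPLE, PII_FIELDS, key))
```

Because the key is random and discarded, a masked copy cannot be joined back to production by anyone who obtains it; keeping the key only for the duration of the masking run is what makes the result irreversible rather than merely pseudonymised.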
Implementation and cost
Generally, depending on the solution, the costs of data anonymisation tools are reasonable. Although several available solutions seem expensive, relative to the risk being mitigated they could still be considered reasonable.
Time to productive use will depend on the complexity of data structures, customisations, and degree of anonymisation. Normally, around 5 days FTE should be adequate.
Libelle DataMasking
Leg Up Software recommends Libelle DataMasking (LDM) from Libelle AG.
There are several reasons why.
LDM meets the best practice recommendations, it is a straightforward solution that is well supported by the vendor, and it is comparatively simple to install and configure.
Additionally, ongoing management of the solution is low, and annual costs are significantly lower than one might expect.
About Leg Up Software
Leg Up Software is an expert in SAP IT operational and infrastructure software automation solutions.
We know the SAP operations and infrastructure automation solutions landscape and have already done the legwork identifying the best available solutions.
We have excellent relationships with many software vendors, including Libelle AG mentioned here, and can negotiate an evaluation process that best suits your circumstances and budget.
Why not set up a time to start the conversation by putting something on our calendar?