Security Data Masking

Medibank – It just kept getting worse


Medibank is in all sorts of trouble. Every week there are new revelations about the data stolen from their systems. The most recent showed that the stolen data now includes detailed and sensitive personal medical information.

It's a difficult time for those running Medibank IT.

Medibank is a significant user of SAP ERP, which got me wondering how SAP systems and data can be protected from similar data breaches.

Data is held in many places and in many applications, even when SAP is the primary ERP system. So, to be clear, the Medibank issue might not have anything to do with SAP, but it does raise the question:

Where is sensitive data held within SAP systems, and how can it be protected?

Security management

Sensitive data is held in all kinds of places, e.g., DEV systems, QA systems, Pre-PRD systems, disaster recovery backup systems, project systems, data warehouse systems, and reporting systems.

Several elements must be in place to secure data held within SAP systems. These include protecting data where possible, closing potential entry points, and ensuring entry can be detected and closed off quickly.

Data protection

Where it's possible, e.g., in non-productive systems, data masking is an excellent option. The data is only in these systems to enable accurate testing and development. Masking the data ensures it's helpful to testing and development teams but useless for anything, or anyone, else.
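As an added illustration of masking that stays useful for testing (this is not code from this page or from any product named on it), the sketch below masks a copied data set with a keyed, deterministic function so formats and cross-table joins survive while real values do not. The table layout, column names, key and sample rows are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed key for this example; keep the real one outside the non-PRD landscape.
MASKING_KEY = b"example-only-masking-key"
SURROGATE_NAMES = ["Alex Reed", "Sam Iyer", "Kim Novak", "Jo Marsh", "Lee Tran"]

def _digest(field, value, key):
    # Keyed and scoped per field: the same input always masks to the same
    # output, but the mapping cannot be recomputed without the key.
    return hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()

def mask_digits(field, value, key=MASKING_KEY):
    """Replace every digit; keep length and separators so format checks pass."""
    stream = _digest(field, value, key)  # 32 bytes, enough for 32 digits
    out, used = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(stream[used % len(stream)] % 10))
            used += 1
        else:
            out.append(ch)
    return "".join(out)

def mask_name(value, key=MASKING_KEY):
    """Swap a real name for a realistic surrogate chosen by the keyed digest."""
    index = int.from_bytes(_digest("name", value, key)[:4], "big")
    return SURROGATE_NAMES[index % len(SURROGATE_NAMES)]

def mask_row(row):
    masked = dict(row)
    for column, value in row.items():
        if column in ("member_id", "phone"):
            masked[column] = mask_digits(column, value)
        elif column == "name":
            masked[column] = mask_name(value)
        elif column == "diagnosis":
            masked[column] = "REDACTED"  # free text has no test value; drop it
    return masked

# Constructed sample rows standing in for two tables copied from production.
MEMBERS = [{"member_id": "4100-2231", "name": "Constructed Person", "phone": "0400 111 222"}]
CLAIMS = [{"claim_no": "C-1", "member_id": "4100-2231", "diagnosis": "constructed note", "amount": "120.50"}]

if __name__ == "__main__":
    for row in MEMBERS + CLAIMS:
        print(mask_row(row))
```

Because this uses a keyed hash rather than a permutation, two different identifiers can occasionally mask to the same value, so check uniqueness on key columns after masking.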

Entry point protection

Entry point protection includes managing SAP security updates, user authorisations, and code vulnerabilities. Keeping up to date with security patches, ensuring user access to system areas is limited to their roles, and closing off ABAP code vulnerabilities can all help.

Threat detection

A tremendous amount of monitoring noise is often associated with endless penetration attempts. Monitoring systems with sophisticated filters and alerting are required to ensure focus is applied to the most critical threats and attacks.

Solutions

Unfortunately, there is no single silver-bullet product that manages all of these in one solution; a combination of solutions is required. Here are several SAP-specific solutions for consideration.

Libelle DataMasking

For non-PRD data protection, and there are many areas where this protection is needed, we recommend Libelle DataMasking.

Onapsis

For code vulnerability management, you could look at vendors like Onapsis. 

setQ

For user authorisation management, we recommend setQ from VOQUZ Labs.

SecurityBridge

For threat and attack detection we suggest you look at SecurityBridge.

Want to learn more?

To learn more about any of the solutions mentioned, contact us and we will get right back to you.

Rick Porter

With over two decades of working within the SAP ecosystem, Rick has met and worked with SAP IT professionals from broad backgrounds and experiences. Rick knows the stresses and strains experienced by those managing SAP systems and enjoys bringing these insights and reflections into conversations.