Information on Data loss protection

former_member205110
Active Participant
0 Kudos

Hello Everyone

We are planning to implement DLP (Data Loss Protection) or Extrusion Prevention in our IT setup. We are in discussion with a couple of vendors, and one of them is Websense.

So far we could not find much detail on SAP integration with DLP, and we would really appreciate it if anyone could provide details on DLP technology and its integration with SAP. Which vendor does SAP recommend, and is it safe to integrate it with SAP ECC?

We have ERP 6 EHP 5 on Oracle 11g / Windows 2008 Enterprise Edition.

Our vendor has confirmed that there are the following 2 ways Websense can work with SAP ECC:

1. If Websense is allowed to access the database directly:

Websense will access the database using an ODBC connection in order to index the columns that the customer needs to protect.

Else,

2. If Websense is not allowed to access the database directly:

We should export the columns that we need to protect in the SAP application in .CSV format in order to index them and use them in the policies.

We would like to confirm if this is possible. Any information on this subject would be highly appreciated.

Thanks.

Cheers,

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Anything requesting a DB connection is high on my list of suspects and will also need to be a hardened infrastructure component. For example, if you locate the extrusion detector in the DMZ, then the consequence is that you must leave the DB ports open in the firewall to the application servers and if someone targets the extrusion detector, then they take the DBs with them as well...

Second thing is that the presence of such a detector tells me that the communication leg which it is located in between is unencrypted (or the detector is going to decrypt and encrypt again - which is fairly unlikely to be an acceptable bottleneck).

I am not aware of any Websense : SAP specific things to consider (such as DB column vs. application table field types??), but generally these types of tools will bring their own problems with them as well which you need to consider against potential security gains.

Cheers,

Julius

0 Kudos

Hello Julius

Many thanks for your reply.

One more thing: are there any SAP Notes on the same subject (extrusion detection or data loss protection)? It would make it easier for us to make a decision.

I had reported this query to SAP but they came back saying it is a consulting issue and asked me to post it on SCN.

Thanks Again for your time and valuable reply.

Cheers

0 Kudos

I doubt you will find anything which SAP has or needs to know about in this case, because ODBC will bypass the application and go directly to the DB. If you allow that then it actually has nothing to do with SAP and the vendor should also supply release-dependent content to define what is relevant for exclusion detection. Does Websense leave all the rest up to you?

If all they supply is a framework and an ODBC connector, then you will probably be better off monitoring the access on the DB itself and restricting access in the applications to prevent it in the first place.

Within SAP you will find some solutions for monitoring data access (particularly in HR and tools like CCMS), but I am not aware of a component for data protection and detection or APIs to external applications for it or anything like that.

Cheers,

Julius

0 Kudos

Hi Imram,

From your question, it's not clear to me what you want to achieve. DLP is a very wide area where companies sell products from backup/restore to access monitoring solutions. From what I read, it seems that you are looking for changes made to the database contents by someone. Not who did access some data, right? Can you please describe the use case for Websense in a bit more detail?

Regards,

Patrick

0 Kudos

Hello Patrick

Many thanks for your reply.

The idea to implement Websense DLP End Protection Suite is to know how many of our ECC users have downloaded any Sales or FI reports (in CSV or XLS format).

There is another solution from Symantec which does support SAP but we have not yet contacted them.

I have tried searching for info on Websense but so far I didn't find a single reference w.r.t. SAP.

Although, Websense has confirmed that there has been a similar implementation here in Saudi Arabia where the client is using the second option provided by Websense, i.e.:

"exporting the columns that need protection in .CSV format in order to index and use it in the policies".

We have a meeting with Websense next week. Let's see what comes out of it.

But, I am quite convinced by Julius's reply and if we ever decide to move forward we might as well opt for the 2nd option.

Cheers,
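
Added example, not part of the original thread and not Websense's implementation: a minimal sketch of what "indexing exported columns" (the second option quoted above) can look like in general. The indexer keeps only keyed hashes of the protected cells, so it needs neither an ODBC connection nor the plaintext, and a downloaded CSV report is flagged when enough distinct protected values appear in it. Column names, sample rows, the key and the threshold are constructed assumptions.

```python
import csv, hashlib, hmac, io

INDEX_KEY = b"constructed-demo-key"  # assumption: secret held only by the indexer

# Constructed sample of a column export from the application (not real SAP fields).
EXPORT = """CUSTOMER_ID,NAME,IBAN
100001,Acme Trading,SA0000000000000000000001
100002,Gulf Supplies,SA0000000000000000000002
"""

# Constructed sample of a report a user saved to the workstation.
DOWNLOAD = """Customer,Amount,Bank account
ACME  TRADING,1200.00,SA0000000000000000000001
Other Co,50.00,SA0000000000000000000009
"""

def normalize(value):
    # Case- and whitespace-insensitive, so "ACME  TRADING" matches "Acme Trading".
    return " ".join(value.lower().split())

def fingerprint(value):
    # Keyed hash: the stored index cannot be reversed by guessing without the key.
    return hmac.new(INDEX_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()

def build_index(csv_text, protected_columns):
    """Map fingerprint -> column name for every non-empty protected cell."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in protected_columns:
            cell = (row.get(col) or "").strip()
            if cell:
                index[fingerprint(cell)] = col
    return index

def scan(csv_text, index, threshold=2):
    """Return (flagged, columns hit); flag when >= threshold distinct values match."""
    hits = {}
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            fp = fingerprint(cell)
            if fp in index:
                hits[fp] = index[fp]
    return len(hits) >= threshold, sorted(hits.values())

if __name__ == "__main__":
    idx = build_index(EXPORT, ["NAME", "IBAN"])
    print(scan(DOWNLOAD, idx))
```

The index only recognises values that were in the export, so it has to be rebuilt whenever the protected columns change.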

0 Kudos

Hi Imram,

From what you tell me, it sounds like you would like to monitor user activities with regard to sensitive data.

There is a custom development solution from SAP which may fit as well (or even better), as it allows logging the download action directly.

I can send you the name of a person to get more info on this solution if you are interested.

Also, SAP has a solution called Read Access Logging as part of 7.40 SP2 and later releases where you can log user interactions with regard to WebDynpro UIs. Don't know if this would also meet your requirements.

Regards,

Patrick

0 Kudos

Hi Patrick

What is that custom development solution?

I would appreciate if you could provide me its details.

Thanks Again.

Regards,

0 Kudos

Just curious to know what happens if someone does not use the SAPgui frontend services to download data, but rather the BEx Analyzer or (as Patrick implied) a WebDynpro, RFC_READ_TABLE or a web service... or they photograph it with an iPhone... 🙂

Cheers,

Julius

0 Kudos

Hi

Many Thanks to Julius & Patrick.

I am closing this thread.

Regards,