How To Better Protect Your Crown Jewel Data Assets From Insider Threats


Security Webcast for SAP User Groups

SAP UI Data Protection:


Take “crown jewel” protection to the next level
Tobias Keller, Deepak Gupta, Arun Verma – Product Management, SAP
March, 2022

© 2022 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 1


Disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP.
Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or any other service
or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or any related
document, or to develop or release any functionality mentioned therein.
This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms directions and
functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this
presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality. This presentation is provided without
a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular
purpose, or non-infringement. This presentation is for informational purposes and may not be incorporated into a contract. SAP assumes no
responsibility for errors or omissions in this presentation, except if such damages were caused by SAP’s intentional or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations.
Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates,
and they should not be relied upon in making purchasing decisions.



Agenda

• Solution overview
• Use cases
• Product demo
• Roadmap
• Q&A



Business Needs
addressed by the SAP UI Data Protection suite

1. Manage access to sensitive data across the organization to…
   • safeguard business-critical operations
   • prevent data leaks and misuse by internal employees

2. Get insight on data access activities to…
   • understand user behaviors and interpret intentions
   • decide on the best course of action

3. Keep an audit trail of data access to…
   • comply with increasing regulatory and business requirements
   • provide evidence during an investigation



Protecting data on the UI layer: two step approach
UI Data Security: two step approach to protect data from insiders

UI Masking – "Lock it…"
• conceal specific data unless required for tasks
➔ make sensitive data unavailable for data abuse

UI Logging – "…or log it!"
• keep data accessible, and create a broad + deep log of data access
➔ induce compliant behavior
➔ identify & prove irregular data usage



Scenarios

• Regulatory, legislative & compliance
• Demergers/spin-offs
• Manipulation of data
• 3rd party business partner access
• Public figures
• Prevention of exploits



Scenarios

Regulatory, legislative & compliance
• “need to comply”
• GDPR, data privacy
• Export restriction/ITAR (also on data)
• Auditability
• Reporting (financial disclosure)

Demergers/spin-offs
• Spin-offs: systems can’t be technically split in time
• Prevent inappropriate disclosure, data manipulation

Manipulation of data
• Data manipulation
• Example of salary changes
• Channel transactions to other accounts
• To damage the organization by creating data inconsistency: bind energy/create cost; create audit problems, damage reputation

Public figures
• “VIP scenario” – exposed persons
• E.g. “CEO” or somebody’s management line
• “public figures”: public sector systems with hugely sensitive and unique private information, tax, dependents, criminal records…

3rd party business partner access
• 3rd party users
• Call centre agents (external) for customer care or internal/IT
• Business partners, suppliers updating their master data, pricing, etc.

Prevention of exploits
• Prevent exploits
• Segregation of duties scenario: actively prevent actions based on context e.g. magnitude
• Download of weak password hashes
• Attack intelligence on system setup, patch levels, protective mechanisms
UI Data Protection Masking & Logging
High level solution architecture

[Architecture diagram] Request/response flow between the SAP UI (user) and the SAP Backend System (Dynpro Processor, Business Logic, Database Layer).
• Masking: an authorization layer applies role- and attribute-based masking rules, so the UI receives obfuscated data while the original data remains in the backend.
• Logging: data access is logged and can raise alerts; logs feed log analysis UIs and, optionally, SAP Enterprise Threat Detection.



Key solution capabilities – UI Data Protection Masking
Key Capabilities of SAP UI Data Protection Masking
Concealing sensitive data on the UI layer in addition to existing authorizations

Field and object-level obfuscation
• Sensitive data concealed at the field and object level
• Data may be obfuscated in SAP UI fields partially or fully, or access to an object blocked completely

Attribute-based authorization
• Access to sensitive data is attribute-based, ensuring that the right users get the right data at the right time

Reveal on-Demand
• Flexibility for users to request sensitive information as required by their tasks



Key Features of UI Data Protection Masking for SAP S/4HANA

Configurable data protection in SAP UIs
- Field level: masking the field value, disabling the field on the UI, hiding fields on the UI, clearing fields on the UI
- Disabling actions (such as navigation and buttons)

“Data blocking” (GUI, UI5)
- Control navigation and actions; remove lines from tables

“Attribute based” access control
- Rules can be defined in the policy engine

Reveal On-Demand
- Data initially always masked; a user action triggers authorization check and unmasking – action and result are documented.

UI5/Fiori-application-based configuration
- Configuration menu is offered as a Fiori-based app

UI5/Fiori-based dashboard
- Monitoring UI Data Protection Masking for SAP S/4HANA



UI Data Protection Masking used by Jabil Inc. https://www.jabil.com/

JABIL Turns to UI Masking for Stronger Data Protection: interview of Jabil's Cybersecurity Architect Wilder Latino, hosted by SAP Insider Senior Editor Fred Donovan
https://www.sapinsideronline.com/videos/video-qa-jabil-turns-to-ui-masking-for-stronger-data-protection/

JABIL Deploys UI Masking: article by SAP Insider Senior Editor Fred Donovan
https://www.sapinsideronline.com/case-studies/jabil-deploys-ui-masking-to-protect-data-while-maintaining-usability/



Key solution capabilities – UI Data Protection Logging
Key Capabilities of SAP UI Data Protection Logging
Enabling UI level data access logging with real-time alerting and analysis tools

Evidence for investigative purposes
• Audit trail of logs of user actions and data accessed in SAP UIs with sensitive content

Fast and user-friendly analysis
• Facility for data protection responsible roles to investigate events
• Critical field identifiers for fast access and retrieval of relevant logs

Near real-time alerts
• Alerts for critical data accesses
• Complement to logs captured by SAP Enterprise Threat Detection for correlation



Key Features of UI Data Protection Logging for SAP S/4HANA

Configurable logging scope in SAP UIs
- Determine scope on application level (GUI transaction, Fiori app…)
- Conditional logging determining whether, and how deep, access is logged

Versatile logging depths
- Complete logging (with filter options for data reduction)
- “Basic logging” for minimized data volumes

Multiple DPO responsibilities
- Multiple data protection officers with different responsibilities get access only to the logs for which they’re responsible

Data tagging for key and context
- Group key and critical context fields with identifiers
- Allowing fast and user-friendly analysis of logged data

Alerting
- Near-real-time notifications when certain data is accessed, through the SAP notification framework
- Near real-time through integration with SAP Enterprise Threat Detection

DPO cockpit and log analyser
- Fiori-based, streamlined analysis UI for business users
- Detailed log analysis tools for technical users
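The masking features (attribute-based rules, data initially masked, reveal-on-demand with the action and result documented) and the logging features (tagged critical fields, per-DPO log scope, alerts on critical access) fit together in one small model. The following is an added illustration written for this page, not SAP's code; the rules, tags, user attributes and sample record are hypothetical.

```python
# Added illustration (not SAP's code): attribute-based field masking with
# reveal-on-demand, where every reveal attempt is written to a tagged log.
from typing import Callable

class Rule:
    """ABAC masking rule for one critical field identifier ("tag")."""
    def __init__(self, tag: str, allowed: Callable[[dict], bool],
                 mask: Callable[[str], str], critical: bool = False):
        self.tag, self.allowed, self.mask, self.critical = tag, allowed, mask, critical

def mask_partial(value: str) -> str:
    """Partial obfuscation: keep only the last four characters."""
    return "*" * (len(value) - 4) + value[-4:]

# Hypothetical rules: salary visible only to German HR staff and treated as
# critical (a granted reveal raises an alert); IBAN visible to payroll/treasury.
RULES = {
    "SALARY": Rule("SALARY", lambda u: u["dept"] == "HR" and u["country"] == "DE",
                   lambda v: "***", critical=True),
    "IBAN": Rule("IBAN", lambda u: u["role"] in ("payroll", "treasury"), mask_partial),
}
AUDIT_LOG: list = []   # stand-in for the UIDP log store

def render(record: dict) -> dict:
    """Initial display: every governed field is masked, whoever the user is."""
    return {k: (RULES[k].mask(v) if k in RULES else v) for k, v in record.items()}

def reveal(record: dict, user: dict, tag: str, reason: str) -> tuple:
    """Reveal-on-demand: the user's action triggers the attribute check, and
    action plus result are documented whether or not access is granted."""
    rule = RULES[tag]
    granted = rule.allowed(user)
    entry = {"user": user["id"], "tag": tag, "object": record["emp_id"],
             "reason": reason, "granted": granted,
             "alert": granted and rule.critical}   # near-real-time alert hook
    AUDIT_LOG.append(entry)
    return (record[tag] if granted else rule.mask(record[tag]), entry)

def dpo_view(responsible_tags: set) -> list:
    """Multiple DPO responsibilities: a DPO sees only the logs for tags in scope."""
    return [e for e in AUDIT_LOG if e["tag"] in responsible_tags]

if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    rec = {"emp_id": "1001", "name": "A. Example", "SALARY": "85000",
           "IBAN": "DE89370400440532013000"}
    hr = {"id": "u1", "dept": "HR", "country": "DE", "role": "hr"}
    print(render(rec))
    print(reveal(rec, hr, "SALARY", "annual review"))
    print(dpo_view({"SALARY"}))
```

Denied reveals are logged as well, which is what makes the trail usable as evidence: a DPO scoped to SALARY sees both the granted HR reveal and the denied attempt, while a DPO scoped to IBAN sees neither.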



UIDP Masking demo
[live system demo]

UIDP Logging “slide” demo
Data Protection Officer Analysis App

DPO Cockpit: Analysis of detailed access log (SAP GUI)

For a given selection, technical details can be displayed in a GUI transaction. Per roundtrip (list on the left side), the detail log information can be reviewed. Besides tags (highlighted), the log file includes header meta information identifying the context of the log (i.e. concerning the user), the explicit input, as well as the specific output.



DPO Cockpit: Analysis of UI Logs

Exploratory analysis of access to data types: comprehensive overview of data usage through field IDs (tags). More granular display with additional filter criteria.



DPO Cockpit: Analysis of User actions and their sequence

Sequential overview of a user’s actions in aggregated view, indicating e.g. which critical/key fields were displayed, and of sensitive actions.



UIDP Masking and Logging | Roadmap Highlights
UI Data Protection Masking and Logging
Version: 2022-03-16

SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP’s strategy and possible future developments, products, and platforms, directions, and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality.

Key innovations

Recent achievements / recent and current activities and plans

Recently completed (2021)
▪ Reveal on Demand integration with workflows
▪ Continuous improvements (PDF masking)
▪ Availability with S/4H and ECC Private Cloud Edition (RISE)

Ongoing activities (2022)
▪ Streamlined handling of mass log data
▪ Block access to GUI transactions and Fiori apps, based on ABAC policies
▪ Data element (column based) encryption
▪ Embedded analytics in SAP S/4H
▪ Support for additional languages in the application (French, Japanese, Spanish)

Planned activities (2023)
▪ BTP based UIDP solution with advanced data protection and analytical tools
▪ Extend data blocking via ABAC policies to
  – Web Dynpro ABAP
  – CRM Web Client UI
▪ Expand UI data protection coverage (e.g. SAC)
▪ Additional features of UIDP core – alerts, change logs, dashboards, data classification, etc.
▪ Data exploit prevention (authorization changes, config changes, brute force attacks, from SOD conflicts, etc.)

Future direction (2024+)
▪ Protection for Data Warehouse Cloud and BW4H
▪ Data access prevention and transparency
  – coverage for native BTP apps
  – coverage for non-BTP cloud applications
  – advanced analysis tools
▪ Advanced data protection drawing on Multi Factor Authentication
▪ Machine Learning augmented data classification
▪ ABAC for Industry 4.0 (IoT)
▪ Dynamic consent



Thank you.

Tobias Keller, Product Manager UI Data Security, [email protected]
Deepak Gupta, Product Manager UI Data Security, [email protected]
Arun Verma, Product Owner UI Data Protection Masking, [email protected]

Further Information
SAP UI Data Protection Community Topic page: https://community.sap.com/topics/ui-data-protection
→ Public presentation
→ UIML selected features – demo brief (7 min)
→ UIML selected features & config options – demo long (ca. 28 min)
→ UI Masking overview & FAQ blog (product team)



Follow us

www.sap.com/contactsap

© 2022 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/copyright for additional trademark information and notices.
