
Energy Transfer UI Masking and Data Protection Tool
CONTENTS
1. Why Masking and Data Protection
2. Classical Scenarios for UI Masking and Data Protection
3. Challenges in Compliance
4. What is the Energy Transfer UI Masking and Data Protection Tool
5. How to Implement UI Masking and Data Protection
6. Conclusion
1. Why is masking personal information so important?
• Growing concern among organizations to protect the data of their employees, customers, and suppliers.
• Regulations like GDPR, SOX, HIPAA etc. make protecting sensitive data a legal requirement.
• Serving customers better by being trustworthy with their data.
• No compromise of unique personal information.
• Data residing in SAP applications is critical and must be protected both inside and outside SAP.
2. Classical Scenarios for UI Masking
PII data (Personally Identifiable Information):
• Social Security numbers (SSN)
• Mailing or email address
• Phone numbers
Technology has expanded the scope of PII considerably. It can include:
• IP address
• login IDs
• social media posts
• digital images
Geolocation, biometric and behavioral data can also be classified as PII.
Figure: PII data categories shown on the slide: Dependent, Home Address, Date of Birth, Marriage Status, Geographic Location, Bank Information.
3. Challenges in compliance
Organizational Challenges
• Designate someone (e.g., Data Protection Officer or Chief Compliance Officer) to take responsibility for data protection and compliance.
• Policy for handling and processing sensitive and/or personal data.
• Identify and document the legal basis for each type of data processing activity and finally develop/implement training programs for sensitive and/or personal data.
Operational Challenges
• Define and implement processes for handling sensitive data requests and/or define processes for detecting and reporting breaches.
• Minimize data privacy and security risks without disrupting business processes.
Information Architectures and Systems Challenges
• Understand and document where data is stored and processed
• Protect data inside and outside of applications.
• Automate classification. Monitor and alert on breaches end to end from a single point of control.
• Automate the audit compliance workflow.
What data is at stake?
Top 10 Most Valuable Information to Cyber Criminals (Source: 21st EY Global Information Security Survey, 2018):
1. Customer Information (17%)
2. Financial Information (12%)
3. Strategic Plans (12%)
4. Board Member Information (11%)
5. Customer Passwords (11%)
6. R&D Information (9%)
7. M&A Information (8%)
8. Intellectual Property (6%)
9. Non-patented IP (5%)
10. Supplier Information (5%)
Root Causes (Source: Ponemon Institute, Cost of a Data Breach, 2018):
1. Malicious or criminal attack (48%): malicious attacks can be caused by hackers or criminal insiders (employees, contractors or other third parties)
2. Human error (27%)
3. System glitch (25%)
Top 3 Vulnerabilities:
1. Careless or unaware employee (39%)
2. Outdated information security controls or architecture (24%)
3. Unauthorized access (11%)
4. What is Energy Transfer UI Masking and Data Protection?
UI Masking and Data Protection is a tool that sits between the database and the GUI to protect sensitive data. It works at the presentation layer, where a field can be made display-only, masked using a pattern, or hidden completely, without impacting the application layer that runs the business processes. The add-ons are installed on the SAP server, and all changes and configurations are transported from Development to Quality to Production.
Masking can be configured in two ways:
1. Role-based masking: only users with field-level authorization can view the data. If a user is not authorized to view the field value, the data is protected by masking, clearing, hiding, or disabling the field.
2. Attribute-based masking: the ABAC policy cockpit is the product feature that lets you create policies determining how sensitive data is protected within the system. Authorization checks also take the context of a field or data element into consideration, so the data is masked based on that context. The policy is mapped to a logical attribute that identifies the sensitive data.
Examples of fields and tables in SAP that hold sensitive data
The SAP UI Masking solution is applicable to fields present in tables, transaction codes, Fiori apps, Webdynpro and WebGUI.
UI Masking and Data Protection Process Flow (by phase):
1. Global Switch: Enable UI Data Protection Masking
2. Maintain Meta Data Configuration: Maintain Logical Attributes; Maintain Technical Address
3. Data Protection Configuration: Maintain Attributes and Ranges for Policy; Assign Policy for Access Control; Maintain Field Level Security and Masking Configuration
4. Supported UI Fields: SAP GUI (Tables, Fields, Data Elements); Webdynpro ABAP; Web Client UI; SAP Fiori Apps
5. How to implement UI Masking and Data Protection
• Developing an early understanding and interpretation of the regulatory requirements is key to speeding up and firming up business requirements and design completion.
• Identify the technical names of the fields present in tables, transaction codes, Fiori apps, Webdynpro and WebGUI.
• Basic masking on 20~30 pages/tiles can be finished in about 1 month; the duration of an advanced masking project depends on the complexity of the masking.
• For each tile/page/field/attribute, identify the Fiori path, transaction code (Tcode) or URL.
• Finalize the masking requirement for each field: full mask, hide, edit-disable, etc.
For example, SAP table LFA1 (Vendor Master data), field STCD1, is used in transaction code BP to store the SSN; if this field is populated, it must be masked. In this case role-based masking is the solution, so that only authorized users can view the sensitive information. Using the same example, if the data in field STCD1 is further categorized by type, US1 (SSN) and US2 (General Data), then attribute-based masking is the solution: it masks the value only if the category is of type US1.
Below is an example of the context-based scenario where the US1 type is marked as a sensitive data type, hence the data is masked.
Below is an example of the context-based scenario where the US2 type is not considered a sensitive data type, hence the data is not masked.
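The role-based and attribute-based decisions of the STCD1 example above, modelled as an added Python example (not the SAP tool's code nor Energy Transfer's configuration). It assumes a hypothetical logical attribute name TAX_NUMBER_TYPE and a constructed SSN value; the product's real configuration objects and APIs are not represented.

```python
from dataclasses import dataclass
from enum import Enum
class Action(Enum):
    SHOW = "show"            # value displayed unchanged
    FULL_MASK = "full_mask"  # every character replaced, separators kept
    MASK = "mask"            # pattern mask, e.g. ***-**-6789
    CLEAR = "clear"          # field rendered empty
    HIDE = "hide"            # field removed from the screen
@dataclass(frozen=True)
class FieldRef:
    table: str  # e.g. LFA1
    field: str  # e.g. STCD1
@dataclass(frozen=True)
class Policy:
    """Attribute-based rule: protect `target` only when a context attribute holds a sensitive value."""
    target: FieldRef
    context_attr: str  # logical attribute the policy is mapped to (hypothetical name)
    sensitive_values: frozenset
    action: Action = Action.MASK
def mask_pattern(value: str, keep_last: int = 4) -> str:
    """Replace alphanumerics with '*' except the trailing keep_last characters; separators stay."""
    cut = max(len(value) - keep_last, 0)
    return "".join("*" if c.isalnum() else c for c in value[:cut]) + value[cut:]
def apply(action: Action, value: str):
    if action is Action.FULL_MASK:
        return mask_pattern(value, keep_last=0)
    if action is Action.MASK:
        return mask_pattern(value)
    if action is Action.CLEAR:
        return ""
    return None if action is Action.HIDE else value
def protect(value: str, ref: FieldRef, user_field_auths: set, context: dict, policies: list):
    """Return (rendered_value, action) for one field on one screen."""
    # 1. Role-based masking: field-level authorization lets the user see the real value.
    if ref in user_field_auths:
        return value, Action.SHOW
    # 2. Attribute-based masking: the policy fires only for sensitive context values.
    for p in policies:
        if p.target == ref:
            if context.get(p.context_attr) in p.sensitive_values:
                return apply(p.action, value), p.action
            return value, Action.SHOW
    # 3. Unauthorized and no policy: role-based default, full mask.
    return apply(Action.FULL_MASK, value), Action.FULL_MASK

# Constructed sample: STCD1 in vendor master LFA1 holds an SSN when the tax number type is US1.
STCD1 = FieldRef("LFA1", "STCD1")
POLICIES = [Policy(STCD1, "TAX_NUMBER_TYPE", frozenset({"US1"}))]
```

Note that a user with field-level authorization bypasses the attribute policy entirely, so authorization assignments need the same review as the policies themselves.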
6. Conclusion
• Increased data security without increasing the number of roles, and better control over who can view sensitive information populated in SAP transaction codes, Fiori apps and tables.
• Enhanced security of SAP applications while preserving and strengthening control over sensitive data enterprise-wide; sensitive data is restricted consistently across multiple SAP landscapes, production and non-production systems.
• Increased data protection against theft and abuse, where access is granted only to authorized users.
• Dynamic determination of data access based on context at runtime.
• Better compliance with legal requirements by tracking who accessed sensitive data like PII, pricing, customer and vendor information.