In the course of outsourcing projects, SAP reporting systems are secured in time according to VS-NfD criteria and thus achieve maximum security.
100 percent perfection at the maximum security level: that was the requirement in the project on which the SAP consulting company Xient worked together with Siemens AG.
The initial situation: Siemens GS IT, which provides IT services to all business units and external customers, wanted to outsource a central reporting system (SAP BW) in the area of support to an external service provider. In the process, sensitive data was in circulation that should not be accessible to everyone and was subject to a confidentiality level.
To solve this problem, Xient helped Siemens AG prepare for outsourcing by identifying this specially classified data and VS-NfD information ("classified information - for official use only") and protecting it completely against unauthorized access.
"Reliability and perfection were essential for the collaboration," says Mamun Natour, IT manager at Siemens. "Because there was a maximum security risk, it would have been unacceptable if any data, even on the smallest scale, had been viewable."
An authorization concept for maximum security
Xient was involved in the project as an ideal partner because the team brought the necessary expertise and the right skills in data analytics and BI, as well as in security and data protection, to this complex case. In addition, Xient served as an important interface between the customer's specialist departments and the IT department.
The approach to solving the problem involved creating an authorization concept. The customer's original order to Xient was to use an algorithm to find literals in the entire BW system. To do this, certain data and terms in the system were anonymized. The requirement was that the anonymization could not be reversed or decrypted. The concept was in place - but it was determined to be too dangerous and risky for data integrity in a BI system that receives millions of new data items every day. A plan B was needed, which was ultimately successful: a hybrid solution of data analytics algorithms supported by the authorization concept. Starting from the data sources and based on their data targets, Xient identified a concrete and complete list of all VS-NfD-relevant source systems.
As a result, Xient took measures to completely restrict access to the confidential information. This required a new and customized authorization concept, which Xient implemented.
The goal was to tailor the authorization roles so that they could be administered for the daily work of the support team, without this group of people being able to view the VS-NfD-relevant data.
Description of the Data Analytics search algorithm
Xient programmed all analysis tools in ABAP (as reports), which could be executed in the target system at any time. The Xient search algorithm is able to find, again and again, all data targets across which relevant data can be scattered. The tool surprised even the customer, because it unexpectedly revealed areas that were otherwise unknown and that were then automatically authorized or blocked.
With regard to the source systems, two logical systems were connected to the reporting system. Transaction data containing VS-NfD-relevant information was extracted from these.
"The project was a success. Through the collaboration, we have steadily developed in the task," says Yavuz Yildiz, Managing Director of Xient. "We subsequently applied the knowledge we gained from this project directly to another project at Siemens AG."
Xient managed to successfully protect the sensitive data of the corresponding SAP BW system. This allowed the customer's external service providers to go about their work without being able to access the encrypted information.
A penetration test conducted by a specialized company following the project confirmed the successful result. The attempt to gain access to the sensitive data and information by any means failed. As a result, Siemens could be sure that unauthorized access to the data was indeed impossible.
"Because we are generally increasing outsourcing efforts and bringing in external service providers to reduce costs while maintaining data security, we worked with Xient to develop a process that will be applicable again in similar situations and will speed up the entire process of creating authorization concepts," explains the IT manager at Siemens. "Overall, the collaboration with Xient was very good, collaborative and always very constructive."