Finding the Leak: Access Logging for Sensitive Data
SAP Product Management Security
Disclaimer

This document does not constitute a legally binding proposal, offer, quotation or bid on the part of SAP. SAP assumes that the parties negotiate legally binding contracts relating to the subject of this document in a later phase. Any and all information contained in this document is preliminary and subject to change and shall not at any time be considered as binding. Especially preliminary is the described solution, the scope and the pricing. SAP expressly reserves the right to make subsequent alterations to the content of this document. This document is exclusively based on the information provided to SAP by the customer and SAP's understanding of the customer's requirements. Changing these requirements might also cause a change in system architecture or functionality.

The contents of this document represent business secrets of SAP and must be handled in confidence by the customer. In particular, forwarding information to third parties is prohibited. This document and information included in it must be used exclusively for the purposes of evaluating the possibility of future business cooperation between SAP and customer. Any other use requires prior written consent from SAP. If the underlying proposal is not accepted, all documents and all copies of these documents must be returned to SAP immediately on demand or, if no request is made, destroyed within one month after rejection or non-acceptance of our proposal. All brands, trademarks etc. used in this document, including the SAP signature and logo, are the property of SAP and may not be used without its express written consent in advance.

2013 SAP AG or an SAP affiliate company. All rights reserved.
Agenda

- Why Use Read Access Logging?
- The Way it Works
- Read Access Logging in Detail
- Summary
Customer Challenges with Data Access

- Compliance with data privacy regulations
- Compliance with industry standards (e.g. the Basel suite for the banking industry)
- Monitoring access to classified data or other sensitive data (such as information about company assets or salary data)
- Monitoring user actions on a need-to-know basis only, deleting the logs thereafter

SAP provides a solution that allows you to log read access to sensitive data: Read Access Logging.
Use Cases for Read Access Logging (RAL)

John is a data security officer in a bank. Recent analysis of stock transactions indicates malicious orders placed with insider information about bank customers. John was asked to investigate the issue and identify the information leak.

Chelsea is a compliance manager at a big retailer. A customer of the retailer has complained that his account details were used by an employee of the retailer to contact him about private matters. Chelsea now has to check who accessed the customer's person-related data.
Read Access Logging Application

The Read Access Logging application can be accessed via the transaction SRALMANAGER, which provides access to:

- Read Access Logging configuration
- Data logged with Read Access Logging
- Administrative log

In addition, Read Access Logging is integrated into the archiving framework to allow automated archiving of older log entries. Read Access Logging is also integrated in the Transport Framework of the AS ABAP.
Read Access Logging with SRALMANAGER

Using transaction SRALMANAGER, you start a Web Dynpro-based application shown in a browser window. With SRALMANAGER, you can access both the administration and the monitoring functions of Read Access Logging.
The Way it Works

The Read Access Logging framework (RAL) allows customers to trace which data was sent out of the system, by enabling the remote communication and user interface infrastructures to log access to sensitive data.

When an application or transaction is started, the Read Access Logging configuration is read. It indicates whether the current remote-enabled function module, Web service operation, Dynpro or Web Dynpro UI element is log-relevant. The RAL configuration defines which fields and elements should be logged. Based on this, the values of the requested fields and elements are captured for logging. Finally, the log data is written to the database. It can then be viewed via the Log Monitor.
The Way it Works

[Architecture diagram: the UI channels (Dynpro, Web Dynpro) and the API channels (Web Service, Remote Function Call) feed the Read Access Logging Framework. Inside the framework, configurations and log conditions drive the log writer, which stores the log data in the database; the log monitor reads that data back.]
Features

Read Access Logging (RAL) allows you to track data access:

- Who had access to the data
- Which data was accessed
- When the data was accessed
- How the data was accessed (transaction or user interface)

The amount of detail to be logged is customizable based on:

- User interfaces used to access the data
- Operations executed on remote APIs
- Users using the remote APIs / user interfaces
- Entities and their content
Supported Channels

Read Access Logging supports the following channels:

- Web Dynpro: you can log context-bound UI elements of Web Dynpro-based user interfaces.
- Dynpro: you can log Dynpro UI elements and ALV grid-based user interfaces.
- Remote Function Calls (RFC): you can log the server and client side of RFC-based communication.
- Web service calls: you can log the consumer and provider side of Web services-based communication.
Entities Used During Configuration

- Log purpose: each RAL configuration requires a logging purpose. It groups the log events you want to record by use case and reason for recording.
- Log domain: log domains define the semantic meaning of the data elements that will be captured during the log recording. This helps auditors understand the data recorded in the log results.
- Log context: the log context is the key field that the other visible fields are related to within the logging session.
- Log group: a log group is a collection of fields that are displayed in the same log entry (based on the logging purpose).
- Log condition: conditions are the rules you can define to decide when the fields in the log group are logged.
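To make the runtime flow ("The Way it Works"), the who/which/when/how questions from the Features slide, and the configuration entities above concrete, here is a small Python model of them. It is an added illustration, not SAP's RAL implementation or any ABAP API: a logging purpose, log domains, a log context, a log group with a log condition, a user exclusion list, a log writer and a minimal log monitor query. The transaction ZCUST_DISPLAY, the function module Z_CUST_GET, the field ids, users and customer values are all constructed for the example.

```python
"""Conceptual model of Read Access Logging (RAL): added illustration, not SAP code.
It mirrors the entities the slides name (logging purpose, log domain, log context,
log group, log condition), the user exclusion list, and the runtime flow
(configuration lookup -> condition check -> log writer -> log monitor).
Every channel element, field id, user and value below is constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LogDomain:
    """Semantic meaning of a captured element, so auditors can read the log."""
    name: str
    description: str


@dataclass
class LogGroup:
    """Fields written together in one log entry for a given logging purpose."""
    purpose: str                   # e.g. "DATA_PRIVACY"
    context_field: str             # key field the other fields relate to
    fields: Dict[str, LogDomain]   # channel field id -> log domain
    condition: Optional[Tuple[str, str]] = None  # (field id, required value); None = always log


@dataclass
class Configuration:
    """What to log for one element of one channel."""
    channel: str   # "DYNPRO", "WEBDYNPRO", "RFC" or "WEBSERVICE"
    element: str   # transaction, Web Dynpro application, function module or operation
    groups: List[LogGroup]


@dataclass
class LogEntry:
    """One record as the log writer stores it: who, which data, when, how."""
    timestamp: datetime
    user: str
    channel: str
    element: str
    purpose: str
    context: str
    values: Dict[str, str]   # log domain name -> value displayed or sent


class ReadAccessLog:
    """Log writer plus a minimal log monitor over an in-memory stand-in for the database."""

    def __init__(self, configurations, excluded_users=frozenset()):
        self._cfg = {(c.channel, c.element): c for c in configurations}
        self._excluded = excluded_users
        self.entries: List[LogEntry] = []

    def on_access(self, user, channel, element, field_values, when):
        """Runtime hook: a channel reports which field values a user saw or received."""
        cfg = self._cfg.get((channel, element))
        if cfg is None or user in self._excluded:
            return []   # element not log-relevant, or user on the exclusion list
        written = []
        for group in cfg.groups:
            if group.condition is not None:
                fld, required = group.condition
                if field_values.get(fld) != required:
                    continue   # log condition not met for this access
            if group.context_field not in field_values:
                continue   # no key to relate the other fields to
            values = {dom.name: field_values[fid]
                      for fid, dom in group.fields.items() if fid in field_values}
            entry = LogEntry(when, user, channel, element, group.purpose,
                             field_values[group.context_field], values)
            self.entries.append(entry)
            written.append(entry)
        return written

    def who_accessed(self, domain, value):
        """Log monitor query: who saw this value, when, and through which channel/element."""
        return [(e.user, e.timestamp, e.channel, e.element)
                for e in self.entries if e.values.get(domain) == value]


def build_demo():
    """Constructed configuration and access events for a retailer's customer data."""
    cust = LogDomain("CUSTOMER_ID", "Customer number")
    phone = LogDomain("PHONE", "Customer telephone number")
    email = LogDomain("EMAIL", "Customer e-mail address")
    # Log contact data only for private individuals: condition on the CUST_TYPE field.
    privacy = LogGroup("DATA_PRIVACY", "KUNNR",
                       {"KUNNR": cust, "TELF1": phone, "SMTP_ADDR": email},
                       condition=("CUST_TYPE", "PRIVATE"))
    configs = [Configuration("DYNPRO", "ZCUST_DISPLAY", [privacy]),   # hypothetical transaction
               Configuration("RFC", "Z_CUST_GET", [privacy])]         # hypothetical function module
    log = ReadAccessLog(configs, excluded_users=frozenset({"BATCH_SYS"}))
    c100 = {"KUNNR": "C100", "CUST_TYPE": "PRIVATE", "TELF1": "+49-000-1", "SMTP_ADDR": "c100@example.invalid"}
    c200 = {"KUNNR": "C200", "CUST_TYPE": "COMPANY", "TELF1": "+49-000-2", "SMTP_ADDR": "c200@example.invalid"}
    t = datetime(2014, 3, 3, 9, 0)
    log.on_access("EMP001", "DYNPRO", "ZCUST_DISPLAY", c100, t)   # logged
    log.on_access("EMP002", "DYNPRO", "ZCUST_DISPLAY", c200, t)   # company customer: condition fails
    log.on_access("BATCH_SYS", "RFC", "Z_CUST_GET", c100, t)      # excluded user: not logged
    log.on_access("EMP003", "RFC", "Z_CUST_GET", c100, t)         # logged via the RFC channel
    return log


if __name__ == "__main__":
    for user, when, channel, element in build_demo().who_accessed("CUSTOMER_ID", "C100"):
        print(f"{when:%Y-%m-%d %H:%M} {user} via {channel}/{element}")
```

Running the script answers Chelsea's question from the use-case slide for the constructed data: the log monitor query returns EMP001 (via the Dynpro transaction) and EMP003 (via the RFC function module) for customer C100, while the company customer C200 leaves no entry because the log condition is not met, and the excluded technical user BATCH_SYS is never logged. The log condition and exclusion list are what keep the log itself from becoming a second copy of all personal data, which is the need-to-know point on the Customer Challenges slide.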
Transport Integration

Read Access Logging entities can be transported to other systems and clients:

- Logging purposes
- Log domains
- Configurations
- User interface recordings
- User exclusion list
- Parameter for activation
Authorization: Template Roles to Work with Read Access Logging

- SAP_BC_RAL_ADMIN_BIZ: a template role for business administrators doing the configuration and monitoring.
  Assigned authorization objects: S_RAL_BLKL (user exclusion list), S_RAL_CLIS (en-/disabling client), S_SRAL_CFG (configuration), S_RAL_LDOM (log domains), S_RAL_PURP (logging purposes), S_RAL_REC (recording), S_RAL_ELOG (administrative log), S_RAL_LOG (log data).
- SAP_BC_RAL_ADMIN_TEC: a template role for technical administrators responsible for archiving, maintaining the user exclusion list, en-/disabling the client and monitoring the administrative log.
  Assigned authorization objects: S_ARCHIVE (archiving), S_RAL_BLKL (user exclusion list), S_RAL_CLIS (en-/disabling client), S_RAL_ELOG (administrative log), S_RAL_LOG (log data).
- SAP_BC_RAL_ANALYZER: a template role for the Read Access Logging analyzer.
- SAP_BC_RAL_SUPPORTER: a template role for the Read Access Logging support engineer.
  For the analyzer and supporter roles, see the authorization objects assigned to SAP_BC_RAL_ADMIN_BIZ, with display activity specification.
Availability I

- NW 7.40 SP0: first shipment of the framework and the Web service channel
- NW 7.40 SP2: shipment of the connection to archiving / ILM, the RFC channel and the Web Dynpro channel
- NW 7.40 SP3: automatic transport of configurations
- NW 7.40 SP4: shipment of Web Dynpro query logging and the Dynpro + ALV grid channel
- NW 7.31 SP9: same as NW 7.40 SP4
Availability II

- NW 7.30 SP11: available as of 28.02.2014
- NW 7.11 SP13: available as of 07.02.2014
- NW 7.02 SP15: available as of 07.02.2014
- NW 7.01 SP15: available as of 31.01.2014

For legacy releases, you can use the UI logging solution from SAP Custom Development services.
Key Take-Aways

- Read Access Logging supports you in staying compliant with data privacy regulations
- Logging access to sensitive data is made easy with the Read Access Logging solution
- Read Access Logging is deeply integrated into SAP NetWeaver
Further Information

- Read Access Logging on SAP Community Network: http://scn.sap.com/docs/doc-53843
- SAP Insider article about Read Access Logging: http://scn.sap.com/docs/doc-44006
- Documentation on SAP Help Portal: http://help.sap.com/saphelp_nw74/helpdata/en/54/69bbeab2e94c93b9031584711d989d/content.htm?frameset=/en/54/69BBEAB2E94C93B9031584711D989D/frameset.htm
2014 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iseries, pseries, xseries, zseries, eserver, z/vm, z/os, i5/os, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle and Java are registered trademarks of Oracle and/or its affiliates. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. 
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

2014 SAP AG. All rights reserved.