DeepSec 2013 Talk: Static Data Leak Prevention In SAP – The Next Generation Of Data Loss Prevention
Once you use information technology you will have to worry about leaks. Applications can leak data when attached to the network (any network!). That’s no breaking news, but it might be bad news for you and your data. Fortunately there are good news, too. There is a talk by Andreas Wiegenstein about ways of data leak/loss prevention (DLP) and a new methodology which might help your organisation:
In the age of digital industrial espionage, protecting intellectual property has become a key topic in every company. In the past, companies addressed data leaks by implementing so called content-aware Data Loss/Data Leak Prevention (DLP) software. Such software analyzes data moving through an IT landscape and reports unauthorized transfer of critical data, i.e. transfers beyond the company’s network borders. The key purpose of this methodology is to prevent incidents where critical data (in the possession of employees) is actually leaving the company without permission. While such DLP solutions are valuable security tools, they have limits. They only work, if they can reliably identify critical data (even in obfuscated form). If they fail, the data is gone.
This talk points out weaknesses in existing DLP methodologies which are primarily related to unreliable identification of critical business data.
It also introduces a fundamentally new and complementary DLP methodology: Static Data Leak Prevention (S-DLP). This methodology is an extension of conventional Static Code Analysis and analyzes source code for practices that result in data leaks once the source code is compiled and executed. A key advantage is that critical business data can be precisely identified with this approach. That way risks can be avoided before an application goes live, which is a highly effective approach: If critical data is protected against disclosure to unauthorized employees in the first place, it’s less likely that this data can be leaked outside the company’s network borders. Of course this talk also discusses weaknesses and limits of S-DLP.
An exemplary proof-of-concept implementation for ABAP is discussed along with lessons learned. Finally, some data leaks discovered in SAP environments are presented that were discovered with S-DLP analysis: Disclosure of banking data in an SAP standard module and disclosure of HR data in a custom solution created by a major SAP consulting company.
The talk is recommended for anyone dealing with data and networks. When it comes to preventing data leaks, you are well advised to examine how DLP works in general and which approaches are out there. If there are many ways your data can go, then there are even more ways to prevent it.