By Fred Donovan, Senior Editor, SAPinsider
The proliferation of data privacy regulations and laws, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), has prompted organizations to beef up their data privacy and protection.
Fines for violations can be stiff. The EU can assess penalties of up to 20 million euros or 4% of annual global revenue, whichever is greater. California can levy a maximum fine of $7,500 per violation, with no cap on the total amount of fines.
In addition, data breaches are on the rise. According to the Identity Theft Resource Center, U.S. data breaches were up 38% in the second quarter of 2021 compared to the first quarter. And the average cost of a data breach increased from $3.86 million in 2020 to $4.24 million in 2021, the highest average cost in 17 years.
As a result, organizations are paying close attention to their data protection and privacy environment. One way to protect data is encryption. This secures the data but makes it difficult to use in a typical IT environment.
An alternative to encryption is data masking or user interface (UI) masking, which conceals data in specific fields, such as Social Security numbers. SAP offers UI masking for SAP ERP solutions, including SAP S/4HANA. The SAP solution allows for configurable masking of values in sensitive fields in SAP UI screens.
One company taking full advantage of the UI masking feature is Jabil, a St. Petersburg, Fla.-based global manufacturing services company. It operates 100 plants in 30 countries and has 260,000 employees worldwide. The company undertook an update of its SAP GRC and security environment, including implementing UI masking to protect sensitive data.
“We’ve implemented SAP UI masking to hide sensitive data, such as human resources and tax information, to comply with the different regulation laws like GDPR,” says Wilder Latino, SAP Cybersecurity Solutions Architect, Jabil.
“We also have read access logs implemented to allow us to record and monitor what data is being viewed by specific users. We can see the types of data that are being viewed and what type of data is being blocked,” he adds.
Keeping Stakeholders in the Loop
Latino recommends that organizations keep stakeholders in the loop and communicate with them constantly when undertaking a significant program update.
“Stakeholders know what they want, but sometimes they can’t properly communicate what they’re looking for. The first time we talked with the business, they wanted to encrypt the data in SAP. We had to educate ourselves about encryption. We discovered that we couldn’t encrypt the data within SAP because then it won’t be accessible,” he relates.
“So, we introduced the stakeholders and the business to UI masking, which SAP had recommended before. We were able to give them a breakdown of the functionality and capabilities of UI masking and how we can protect the database and provide specific access that the users need,” he adds.
As part of the data security update, Jabil also completed a global rollout of redesigned business roles to ensure there are no segregation of duties (SoD) violations. In addition, the company implemented continuous controls monitoring to detect anomalies in user behavior, such as an unauthorized individual viewing or downloading sensitive data.
“We continue to mitigate security risks by training our users and implementing the correct tools, like UI masking, the GRC tools, unified connectivity cockpit, and enterprise monitoring. We also leverage user behavior analytics. That way, we can analyze anomalies that can indicate a threat. Now we focus only on the true threats instead of getting overwhelmed by information,” Latino says.
What Does This Mean for SAPinsiders?
- Stakeholders and business units should be included in any major GRC and security project. Jabil ensured that its stakeholders were involved in the process, which helped educate them about the limits of data encryption and the benefits of UI masking.
- Train users on security risks and best practices. Updating your data security program is not just about putting in new tools and technologies. It also includes training employees on how to use the tools effectively and on security best practices to reduce human error.
- Use the right tools to improve security. While data encryption seems like the best approach to secure data, it makes using that data difficult, if not impossible. A better solution is UI masking to protect sensitive data while freeing up the data for analytics and other business uses.
- Headquarters: St. Petersburg, Florida
- Industry: Manufacturing services
- Employees: 260,000
- Annual revenue: 27.3 billion US dollars
- Company details: Jabil provides electronics design, production, and product management services to companies in various industries and end markets. The company’s manufacturing and supply chain management services and solutions include innovation, design, planning, fabrication and assembly, delivery, and managing the flow of resources and products. It operates 100 plants in 30 countries.
- SAP Solutions: SAP ERP Central Component, SAP S/4HANA, SAP Access Control, SAP Process Control