topic Encryption and Decryption critical fields using 3rd party tools in Application Development and Automation Discussions

Encryption and Decryption critical fields using 3rd party tools

former_member183953 — Wed, 24 Sep 2014 18:18:45 GMT

We are looking at a use case scenario to encrypt certain personnel data (for e.g. Social Security Number or Bank Account No) using AES algorithm. We would like to encrypt and decrypt the personnel data so that unauthorized user won't be able to see the critical data. I know SAP has limitations and it is not straight forward mechanism.

Are there any third party vendors/tools or partners who can provide solution to encrypt/decrypt critical fields. I found one such service provider called "Dolphin" who is SAP Partner too. similarly are there any more such service providers. Please provide the information.

Thanks

Vik

Re: Encryption and Decryption critical fields using 3rd party tools

Former Member — Wed, 24 Sep 2014 19:30:31 GMT

The best strategy to follow is not to have the data at all, and rather use tokenization services to access the data from a service. Your system only contains a token for the data and at runtime the system retrieves the data via an encrypted webservice call to the service provider.

If you use the SAP built in encryption, then it only supports selected fields (payment cards and credit card data) to encrypt the data in the DB / data browsers. But if user has access to the application or function which decrypts, then they can access the data in plain text. So you have more requirements to protect your application and basis authorizations and client copies.

I am not aware of anything for the US Social Security Number encrytion (either as supported service or encrypted field), however if you take a look on wikipedia you will see that the whole mechanism is about as secure as your birthday in the internet...

Cheers,

Julius

Re: Encryption and Decryption critical fields using 3rd party tools

Former Member — Fri, 10 Apr 2015 16:05:50 GMT

Similar to the answer which Julius has given, an option you may consider is using an external Tokenization solution. In this approach, assuming the data in question is entered and stored in an SAP system, the sensitive data you wish to protect is sent to an external server or service provider where it is encrypted and a random "token" is assigned to it. The token is returned to be stored in the SAP database in the same field where the data would have originally been stored.

By using tokenization, you can still access the data by sending the token to the external tokenization server/service and retrieving the original data. However, because the original data does NOT reside in the SAP DB, should there be a data breach or a DBA downloads some SAP tables, only the token will be compromised. In order to retrieve the original data the token must be sent to the server/service. Thus, theft of the token provides little to no value to the thief.

Paymetric offers this tokenization service in SAP. It is possible to tokenize nearly any type of data in SAP that you wish, although credit card numbers tend to be the most commonly tokenized data. That said, there seems to be a surge in the desire to tokenize other sensitive data (PII) in the recent months.

Eric