2014 Sep 24 7:18 PM
We are looking at a use case scenario to encrypt certain personnel data (e.g. Social Security Number or Bank Account No.) using the AES algorithm. We would like to encrypt and decrypt the personnel data so that unauthorized users won't be able to see the critical data. I know SAP has limitations and it is not a straightforward mechanism.
Are there any third-party vendors/tools or partners who can provide a solution to encrypt/decrypt critical fields? I found one such service provider called "Dolphin" who is an SAP Partner too. Similarly, are there any more such service providers? Please provide the information.
Thanks
Vik
2014 Sep 24 8:30 PM
The best strategy to follow is not to have the data at all, and rather use tokenization services to access the data from a service. Your system only contains a token for the data, and at runtime the system retrieves the data via an encrypted web service call to the service provider.
If you use the SAP built-in encryption, then it only supports selected fields (payment cards and credit card data) to encrypt the data in the DB / data browsers. But if a user has access to the application or function which decrypts, then they can access the data in plain text. So you have more requirements to protect your application and basis authorizations and client copies.
I am not aware of anything for the US Social Security Number encryption (either as a supported service or an encrypted field); however, if you take a look on Wikipedia you will see that the whole mechanism is about as secure as your birthday on the internet...
Cheers,
Julius
2015 Apr 10 5:05 PM
Similar to the answer which Julius has given, an option you may consider is using an external tokenization solution. In this approach, assuming the data in question is entered and stored in an SAP system, the sensitive data you wish to protect is sent to an external server or service provider, where it is encrypted and a random "token" is assigned to it. The token is returned to be stored in the SAP database in the same field where the data would originally have been stored.
By using tokenization, you can still access the data by sending the token to the external tokenization server/service and retrieving the original data. However, because the original data does NOT reside in the SAP DB, should there be a data breach or a DBA download some SAP tables, only the token will be compromised. In order to retrieve the original data, the token must be sent to the server/service. Thus, theft of the token provides little to no value to the thief.
Paymetric offers this tokenization service in SAP. It is possible to tokenize nearly any type of data in SAP that you wish, although credit card numbers tend to be the most commonly tokenized data. That said, there seems to be a surge in the desire to tokenize other sensitive data (PII) in the recent months.
Eric
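The tokenization flow Julius and Eric describe, as an added illustration that is not part of any post in this thread and not the code of Paymetric, Dolphin or SAP: the application table keeps only a random, format-preserving token, the sensitive value lives solely in a separate vault, and detokenization is gated by an authorization check on the vault side (which is where Julius's point about protecting the decrypting function applies). The vault, the `TokenVault`/`AppTable` classes and the employee records are constructed for this example; a real provider would encrypt its store at rest and expose the operations over an authenticated, TLS-protected web service call.

```python
import secrets
import string

# Constructed stand-in for an external tokenization service. In production this
# sits outside the SAP landscape; here it is an in-process object for illustration.
class TokenVault:
    def __init__(self):
        self._store = {}          # token -> original value (vault side only)
        self._authorized = set()  # principals allowed to detokenize

    def grant(self, principal: str) -> None:
        self._authorized.add(principal)

    @staticmethod
    def _random_token_like(value: str) -> str:
        # Format-preserving: keep separators, replace every digit/letter with a
        # random one of the same class so the token fits the original DB field.
        # No digits of the original are retained, so the token leaks nothing.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                out.append(secrets.choice(string.ascii_uppercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        # Loop guards against the (unlikely) collision with an existing token.
        while True:
            token = self._random_token_like(value)
            if token not in self._store and token != value:
                self._store[token] = value
                return token

    def detokenize(self, token: str, principal: str) -> str:
        if principal not in self._authorized:
            raise PermissionError(f"{principal} is not authorized to detokenize")
        if token not in self._store:
            raise KeyError("unknown token")
        return self._store[token]


# Constructed stand-in for the SAP table that would otherwise hold the SSN.
class AppTable:
    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.rows = {}  # pernr -> {"ssn": token}

    def store_employee(self, pernr: str, ssn: str) -> str:
        token = self._vault.tokenize(ssn)
        self.rows[pernr] = {"ssn": token}
        return token

    def dump(self) -> dict:
        # What a DBA download of the table yields: tokens only.
        return {k: dict(v) for k, v in self.rows.items()}

    def read_ssn(self, pernr: str, principal: str) -> str:
        # Runtime retrieval: the token goes back to the vault, never the reverse.
        return self._vault.detokenize(self.rows[pernr]["ssn"], principal)


def contains_plaintext(dump: dict, secret: str) -> bool:
    # Helper for checking that a table dump holds no original value.
    return any(secret in str(v) for row in dump.values() for v in row.values())


def demo():
    vault = TokenVault()
    vault.grant("payroll_service")
    table = AppTable(vault)
    ssn = "123-45-6789"                 # constructed sample, not a real SSN
    token = table.store_employee("00001234", ssn)
    leaked = contains_plaintext(table.dump(), ssn)
    recovered = table.read_ssn("00001234", "payroll_service")
    return token, leaked, recovered


if __name__ == "__main__":
    tok, leaked, rec = demo()
    print("stored token:", tok, "| plaintext in dump:", leaked, "| recovered:", rec)
```

The key properties to check when evaluating a real tokenization offering are the ones this sketch makes explicit: tokens are random rather than derived from the value (so two employees with the same number get different tokens and the token cannot be reversed offline), the application database never holds the original, and the detokenize path is the single place where authorization must be enforced and logged.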