Introduction
In this blog post, we will learn how to configure masking to protect User Password Data and SAP Product Information from unauthorized access.
Approach
We know that passwords and their associated information, such as the Password Hash and the Password Salted Hash data, are incredibly sensitive: they are the information necessary to access our SAP accounts. This information must not fall into the hands of an attacker; if it does, attackers can easily impersonate us and gain access to our data.
Having robust login credentials is essential for protecting our identity and for keeping our data out of the hands of the bad guys. By applying Data Masking, we can prevent unauthorized access to our SAP accounts.
So, having masking in place for this sensitive information makes it less likely that a cybercriminal obtains our password data. But how exactly do hackers steal our passwords and their associated information in the first place?
Password Leaks
Every now and then a major company is hacked, resulting in millions of passwords being leaked onto the web. Not only does this mean that a criminal can potentially gain access to your leaked account, they may also be able to use the leaked information to log in to your other accounts.
Brute Force Attacks
A brute force attack is an attack in which cybercriminals methodically try logging in to your account using every possible combination of characters until they get the correct password.
Keyloggers
A keylogger is a certain breed of malware that runs hidden in the background of your computer. If allowed to go undetected, a keylogger can track every key you press on your keyboard and transmit this information to a malicious party, enabling criminals to steal your login credentials.
Phishing
Phishing is a form of social engineering that preys on human nature. Essentially, phishing is all about tricking users to willingly divulge sensitive information (such as login credentials, credit card details and so on) by disguising malicious websites and apps as legitimate services.
Post-exploitation tools
Another way that criminals commonly steal passwords is through the use of post-exploitation tools. As the name implies, attackers use these tools on systems they have already successfully exploited in order to gain better control of the device or network.
Rainbow table
Nowadays, most organizations store their passwords as hashes. A cryptographic hash is a mathematical algorithm that can be used to produce a checksum. With a cryptographic hash, it is possible for a vendor to verify that a password is correct by cross-checking its checksum with the checksum in the database.
While this might sound like a very secure way of storing passwords, hashes do have their flaws. The most used hashes (MD5 and SHA-1) have a known number of total possible hashes, which means they can be precalculated. These precalculated values are stored in a list known as a rainbow table that criminals frequently use via simple lookups to reverse hashed passwords. Once they have stolen the hash and cracked the password using the rainbow table, the hackers can use the login credentials on other websites where they suspect the user has reused the password. In this scenario, the length of the password is totally irrelevant, as the table only takes the hash into account.
To counter this problem, organizations are increasingly looking to salted hashes, which incorporate randomness into each stored password to further obfuscate the password. With a salted hash, each individual password requires its own rainbow table to crack, making it computationally impractical for criminals to attempt.
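To make the difference between an unsalted and a salted hash concrete, here is an added Python example that is not part of the original post. It builds a small precomputed lookup table from a constructed wordlist (a plain dictionary rather than a true rainbow table, which stores hash chains with reduction functions to trade time for space), shows that the unsalted SHA-1 digest of a listed password is reversed by a single lookup, and then shows that a per-password random salt produces a digest the table has never seen, while verification still works for the system that holds the salt. The function names, the wordlist and the sample passwords are all constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed wordlist used to precompute digests; it stands in for the far
# larger tables an attacker would hold.
SAMPLE_WORDS = ["welcome1", "password", "sap12345", "summer2020"]


def build_lookup_table(words, algo="sha1"):
    """Precompute digest -> plaintext for each word (simplified rainbow table)."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def unsalted_hash(password, algo="sha1"):
    """Hash the bare password, the scheme a precomputed table defeats."""
    return hashlib.new(algo, password.encode()).hexdigest()


def lookup(digest, table):
    """Reverse a digest by lookup; None if the table does not contain it."""
    return table.get(digest)


def salted_hash(password, salt, algo="sha1"):
    """Hash salt || password with the same algorithm the table was built for."""
    return hashlib.new(algo, salt + password.encode()).hexdigest()


def store_password(password):
    """Generate a fresh random salt per password and return (salt, digest)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_password(candidate, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(candidate, salt), stored_digest)


if __name__ == "__main__":
    table = build_lookup_table(SAMPLE_WORDS)
    # Unsalted: one lookup recovers the password, whatever its length.
    print(lookup(unsalted_hash("welcome1"), table))        # welcome1
    # Salted: the same password now yields a digest the table has never seen,
    # and two users with the same password get different digests.
    salt_a, digest_a = store_password("welcome1")
    salt_b, digest_b = store_password("welcome1")
    print(lookup(digest_a, table), digest_a != digest_b)    # None True
    print(verify_password("welcome1", salt_a, digest_a))    # True
```

The salt defeats a precomputed table because the attacker would need a separate table per salt value; it does not make each individual guess slower, which is why production systems pair a salt with a deliberately slow key derivation function such as PBKDF2 (hashlib.pbkdf2_hmac in the standard library), bcrypt, scrypt or Argon2. How SAP internally formats the PWDSALTEDHASH value is outside this example.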
What is Data Masking?
Data masking is a process used to protect sensitive information - such as passwords - from unauthorized access via obfuscation. An example of data masking is the representation of typed passwords with bullets (•) or asterisks (*) in an application form. We can also use data masking to prevent sensitive data - such as employee salaries or customers' credit card numbers - from displaying in applications.
The main reason for applying masking to a data field is to protect data that is classified as personally identifiable information, sensitive personal data, or commercially sensitive data.
Prerequisite
UI data protection masking for SAP S/4HANA is a solution for selective masking of sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by masking the content (replacing original characters with generic characters, such as asterisks) or by clearing or disabling the field.
The solution uses both role-based and attribute-based authorizations, affording customers a high degree of control.
Requirement
In SAP S/4HANA, passwords and their associated information lie within the USR02, USH02, and USRPWDHISTORY tables, whereas SAP Product information, such as SSF Applications and the Release Status of Software Components, is stored in the SSFVARGS and CVERS tables.
There are certain fields, such as BCODE, PASSCODE, PWDSALTEDHASH, RELEASE, EXTRELEASE, SSFFORMAT, KEYLEN, and ENCRALG, in the above-mentioned tables which are highly sensitive in nature and need to be protected from unauthorized access by applying masking.
USR02, USH02, and USRPWDHISTORY are standard SAP tables used to store Logon Data, Change history for logon data, and Password History data respectively. These tables are available within SAP S/4HANA systems depending on the version and release level. Masking needs to be configured for the BCODE, PASSCODE, and PWDSALTEDHASH fields in these tables.
SSFVARGS is a standard SAP table used to store SSF Applications with Versioned Keys data and is available within SAP S/4HANA systems depending on the version and release level. Masking needs to be configured for the SSFFORMAT, KEYLEN, and ENCRALG fields.
CVERS is a standard SAP table used to store the Release Status of Software Components in System data and is available within SAP S/4HANA systems depending on the version and release level. Masking needs to be configured for the RELEASE and EXTRELEASE fields.
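The Prerequisite section describes two ways of protecting a field (masking its content, or clearing or disabling the field) and two authorization checks (role-based and attribute-based), and the Requirement section lists the fields to be protected. The following Python model ties those ideas together. It is added here as an illustration only; it is not the configuration model or the code of UI data protection masking for SAP S/4HANA. Each rule names a table, a field, an action, the roles allowed to see the clear value and, optionally, a record attribute that must match the user's context (here MANDT, the client field, is used as an assumed attribute). The rows, user contexts, role names and hash-like values are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Illustrative field-level masking model with role- and attribute-based checks.
# Constructed for this example; not the SAP solution's configuration model.

MASK_CHAR = "*"


@dataclass(frozen=True)
class MaskingRule:
    table: str
    field_name: str
    action: str                              # "mask", "clear" or "disable"
    clear_roles: frozenset                   # role-based: roles allowed to see the clear value
    context_attribute: Optional[str] = None  # attribute-based: record field that must match the user context


@dataclass
class UserContext:
    name: str
    roles: frozenset
    attributes: dict = field(default_factory=dict)  # e.g. {"MANDT": "100"} (assumed attribute)


def apply_action(value, action):
    """Transform one field value according to the configured action."""
    if action == "mask":
        return MASK_CHAR * len(str(value))   # same length, original characters replaced
    if action == "clear":
        return ""                            # field shown empty
    if action == "disable":
        return None                          # caller renders the field disabled, no content
    raise ValueError(f"unknown masking action {action!r}")


def is_authorized(rule, record, user):
    """Role-based check first, then the optional attribute-based check."""
    if not (rule.clear_roles & user.roles):
        return False
    if rule.context_attribute is None:
        return True
    return record.get(rule.context_attribute) == user.attributes.get(rule.context_attribute)


def render_record(table, record, user, rules):
    """Return the record as the UI would display it for this user."""
    index = {(r.table, r.field_name): r for r in rules}
    rendered = {}
    for name, value in record.items():
        rule = index.get((table, name))
        if rule is None or is_authorized(rule, record, user):
            rendered[name] = value
        else:
            rendered[name] = apply_action(value, rule.action)
    return rendered


# Constructed rules for the fields named in the post (role names are made up).
RULES = [
    MaskingRule("USR02", "BCODE", "mask", frozenset({"SECURITY_ADMIN"}), "MANDT"),
    MaskingRule("USR02", "PASSCODE", "mask", frozenset({"SECURITY_ADMIN"}), "MANDT"),
    MaskingRule("USR02", "PWDSALTEDHASH", "clear", frozenset({"SECURITY_ADMIN"}), "MANDT"),
    MaskingRule("CVERS", "RELEASE", "mask", frozenset({"BASIS_ADMIN"})),
    MaskingRule("CVERS", "EXTRELEASE", "disable", frozenset({"BASIS_ADMIN"})),
]

# Constructed sample rows; the hash-like values are placeholders, not real hashes.
USR02_ROW = {"MANDT": "100", "BNAME": "JSMITH", "BCODE": "0123456789ABCDEF",
             "PASSCODE": "FEDCBA9876543210FEDCBA9876543210",
             "PWDSALTEDHASH": "constructed-salted-hash-value"}
CVERS_ROW = {"COMPONENT": "SAP_BASIS", "RELEASE": "755", "EXTRELEASE": "0001"}

SECURITY_ADMIN = UserContext("ADMIN1", frozenset({"SECURITY_ADMIN"}), {"MANDT": "100"})
HELPDESK = UserContext("HELP1", frozenset({"HELPDESK"}), {"MANDT": "100"})

if __name__ == "__main__":
    for user in (SECURITY_ADMIN, HELPDESK):
        print(user.name, render_record("USR02", USR02_ROW, user, RULES))
        print(user.name, render_record("CVERS", CVERS_ROW, user, RULES))
```

Running the script renders the USR02 and CVERS rows once for a security administrator in client 100 and once for a helpdesk user. Because of the attribute check, even the administrator sees masked values for a USR02 row belonging to another client, which is the kind of selective disclosure that combining role-based and attribute-based authorization allows.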
Let’s begin
Masking Configuration
Login to the Fiori Launchpad and click on the "Manage Sensitive Attributes" app available under the "UI data protection masking" catalog.
Manage Sensitive Attributes app
The Manage Sensitive Attributes application allows you to maintain configuration for UI data protection in an SAP Fiori-based UI.
This application brings together several individual transactions, simplifying the maintenance of masking configuration and presenting a holistic picture to the end user. With this app, you can:
Create, update and delete sensitive attributes
Define masking and blocking configurations
Manage technical attribute mappings
Create and assign context attributes
Create and assign derived attributes and lists of values
You can use the app on your desktop, tablet or smartphone.
Please refer to the following blog post to configure masking for the above-mentioned tables and fields -
Result
Masking in USR02 table
Masking in USH02 table
Masking in USRPWDHISTORY table
Masking in SSFVARGS table
Masking in CVERS table
Masking on System Status screen
Conclusion
In this blog post, we have learnt how masking is achieved in the USR02, USH02, USRPWDHISTORY, SSFVARGS, and CVERS tables to protect User Password Data and SAP Product Information from unauthorized access through the Manage Sensitive Attributes app provided by the UI Data Protection Masking for SAP S/4HANA 2011 solution.