VS-NfD Criteria

During outsourcing projects, SAP reporting systems are secured in a timely manner according to VS-NfD criteria, thus ensuring maximum security.

100 percent perfection with maximum security: That's what was required in the project that SAP consultancy Xient worked on with Siemens AG.

First case: Siemens GS IT, which provides IT services to all business units and external customers, wanted to outsource a central reporting system (SAP BW) in the support area. In the process, sensitive data, which should not be publicly accessible and is subject to a degree of confidentiality, was circulated.

To solve this problem, Xient helped Siemens AG prepare for the outsourcing process by collecting this specially classified data. VS-NfD information ("confidential information - for official use only") must be fully protected against unauthorized access.

"Reliability and excellence were crucial for collaboration," says Mamun Natour, IT manager at Siemens. "It was unacceptable for any data to be seen, even on the smallest scale, as there was maximum security risk."

An authorization concept for maximum security

Xient was the ideal partner because the team brought the necessary expertise and the right skills in data analytics and business intelligence as well as security and data protection to this complex case. Xient also provided an important interface between the client's specialized departments and the IT department.

The approach to solving the problem involved the creation of an authorization concept. The customer's original order to Xient was to use an algorithm to find invariants in the entire BW system. To do this, some data and terms in the system were anonymized. The requirement was that the anonymization could not be reversed and decrypted. The concept was sound, but it proved to be too dangerous and risky for data integrity in a BI system with millions of new data records every day. A plan B was needed, and it ultimately succeeded: a hybrid solution of data analytics algorithms supported by an authorization concept. Starting from the data sources and based on the data objectives, Xient identified a concrete and complete list of all source systems relevant to VS-NfD.

Xient then took measures to completely restrict access to confidential information. This required a new and customized authorization concept, which Xient implemented.

The goal was to adapt the authorization roles so that they could be used in the daily work of the support team, without people in this group being able to see the data related to VS-NfD.

Description of the data analytics search algorithm

Xient programmed all analysis tools as ABAP reports that can be run at any time on the target system. The Xient search algorithm can repeatedly find all data targets across which relevant data may be scattered. The tool even surprised the customer, because it unexpectedly revealed otherwise unknown and automatically authorized or blocked areas.

Regarding the source systems, two logical systems were connected to the reporting system. From these, transaction data containing information about the VS-NfD was extracted.

"The project was successful. Thanks to the collaboration, we made steady progress on this task," says Yavuz Yildiz, Managing Director of Xient. "We then applied the knowledge gained from this project directly to another project at Siemens AG."

Conclusion 

Xient was able to successfully protect the sensitive data of the SAP BW system involved. This allowed the customer's external service providers to continue their work without access to the encrypted information.

Following the project, a penetration test conducted by a specialized company confirmed the successful outcome. Any attempt to gain access to sensitive data and information by any means failed. As a result, Siemens could be sure that unauthorized access to the data was indeed impossible.

"Since we often increase outsourcing efforts and involve external service providers in order to reduce costs while maintaining data security, in cooperation with Xient we have developed a procedure that can be reapplied in similar situations and speed up the entire process of creating authorization concepts," explains the Siemens IT manager. "Overall, the cooperation with Xient was very good, collaborative and always very constructive."