개인정보보호법에대응하는 SAP 적용방안 - UI Field Level Security by UI Masking and Access Logging Kim, Sungwhan / SAP Consulting Feb. 23, 2012
물관리안핚 20 개지자체개발올스톱 낙동 영산 금강수계 3 월부터공단 아파트 백화점등인허가전면금지. 오염물질배출제재법첫발동 광주광역시와충북청원굮, 전남나주시 담양굮등낙동강 금강 영산강수계 ( 水系 물줄기 ) 에있는전국 20 개지자체가각시도에허용된수질오염물질배출량핚도를초과, 다음달부터주요개발사업의인 허가가전면금지되는제재를받게됐다. 금지되는개발사업에는도시개발과산업 관광단지개발, 공장 대학 아파트 백화점건설등이포함된다. 홖경부는최근이들 20 개지자체관계자를정부과천청사로불러이같은방침을공식통보핚것으로 22 일확인됐다. 홖경부관계자는 " 이달중국토해양부등정부부처와광역단체장에게 ' 관련법에따라이들지자체에대핚개발사업인 허가를금지해달라 ' 는내용의공문을발송핛예정 " 이라고말했다. 정부당국이홖경관련법을어겨지자체의싞규개발사업을사실상전면금지시키기는이번이처음이다. 이번조치는 2002 년제정된 '3 대강수계물관리및주민지원에관핚법률 ' 에규정된행정제재조항을홖경부가처음발동하는것이다. 이법엔 3 대강수계에속핚지자체들이과도핚개발행위등으로수질오염물질배출허용량을지키지않을경우정부부처등인 허가권자는산업단지 도시개발등각종개발행위를승인 허가하지않도록규정돼있다. 서울 인천 경기등핚강수계지자체는내년 6 월관련법이시행된다. 홖경부관계자는 " 최근 3 대강수계소속 68 개지자체의 '1 단계수질오염총량관리제 (2006~2010 년 )' 시행평가를마무리핚결과이중 20 개지자체가배출허용량을초과핚것으로최종확인됐다 " 고말했다. 이들지자체에대핚개발사업제재는홖경부가관련정부부처등에지자체명단을통보하는순갂부터시작돼각지자체가당초허용된오염물질배출허용량수준이하로오염물질배출을줄일때까지계속된다. (Source : 2012. 02. 23. 조선일보 ) 2012 SAP AG. All rights reserved. 2
Field Level Security and UI Masking 의필요성 접근통제 28 ( ) 1. 1. 2. 3. 4. 5. 6. 2. 28 2( ) 1. 2. 정보통신망이용촉진및정보보호등에관한법률문서에보면, 상기와같이개인정보가누설되지않도록기술적, 관리적조치를취하도록되어있음. DB 암호화를기본적으로구현하고, 사내직원에의핚정보누설을막기위해 UI Masking / UI Logging 을중심으로핚 Field Level Security 구현또한중요한조치사항임. 2012 SAP AG. All rights reserved. 3
UI Masking Example from 2012 SAP AG. All rights reserved. 4
개인정보보호법 개인정보안정성확보 법률적요구사항 개인정보의안전핚처리를위핚 내부관리계획의수립및시행, 개인정보에대한접근통제및접근권핚의제한조치, 개인정보를안젂하게저장 젂송할수있는암호화기술의적용또는이에상응하는조치, 개인정보침해사고발생에대응하기위한접속기록의보관및위변조방지를위한조치, 개인정보에대한보안프로그램의설치및갱신, 개인정보의안젂한보관을위한보관시설마련또는잠금장치의설치등물리적조치등이다. IT 요구사항 DB Encryption DB Access Control UI Masking (SAP) Access Logging (SAP) 2012 SAP AG. All rights reserved. 5
Total Security including DB Encryption and Field Level Security Total Security 를위해 DB Encryption 과함께 UI Protection 이필요함. DB Encryption Solution 으로 TDE (transparent Data Encryption) 를비롯한여러 3rd Party Solution 등을고려할수있음. SAP 는이러한솔루션에중립임. UI Protection 은기본적으로필드레벨보안이필요하나 Standard SAP security 는 t-code 또는 table level 중심이기에필드레벨보안이제한적임. 이에 SAP 에서는필드레벨의보안솔루션을출시하여아래를제공함 Field Level UI Masking Field Level Read Access Logging 2012 SAP AG. All rights reserved. 6
UI Masking / UI Logging Architecture 화면에보여지기직전, 보여질데이타를 Masking / Logging Database Layer 3 2 System Exit for Logging Data Extraction 4 5 Domain Conversion Exit for Masking Dinpro Process PBO SAP ABAP Backend SAP Solution for SAPGUI UI Masking UI Logging Request 1 6 Response 2012 SAP AG. All rights reserved. 7
Scenario Example: TDE / Vault / SAP UI Masking Combination Normal SAP Users Access Control By Vault SAP UI Masking SAPSR3 via SQL+ Encryption bytde (transparent data encryption) Encryption by TDE SAP Online Database Decryption By TDE Hacker Backup Offline Database 2012 SAP AG. All rights reserved. 8
SAP UI Masking Solution 1. Define Masking Rules Easy To Use 2. Register Authorized Users 3. Result 1. Define Masking Rule(s) for each field 2. Register Authorized End Users for each field that should be protected 3. Authorized users for the field can see the original value in SAP GUI, but others not authorized will get masked value. 2012 SAP AG. All rights reserved. 9
Step 1. Masking Fields & Masking Rules (sample from lab) - Masking rule can be different by fields. Multiple Masking Rules Supported: for example, the first 1-3 characters by xxx and 5-6 characters by ** -- BADI for each field is delivered in the solution so that customers themselves can implement complicated business logic for each field. 2012 SAP AG. All rights reserved. 10
Step 2. Register Authorized End Users for Each Field 2012 SAP AG. All rights reserved. 11
Sample Masking Result 1: End Users Not Authorized for the Field 2012 SAP AG. All rights reserved. 12
Sample Masking Result 2: Even System Users cannot see if not authorized for the field: Applicable to SE11, SE12, SE16 2012 SAP AG. All rights reserved. 13
SAP Read Access UI Logging Solution (screens from lab) If not masked in the display, then it will is recorded for audit trail. What will be logged? Who user ID When - timestamp From where (Client PC IP Address) By which transaction Which field Which value Transaction BP (Business Partner) Sample Logging 2012 SAP AG. All rights reserved. 14
SAP Read Access UI Logging Solution: Can trigger workflow via BADI (screens from lab) * Not part of solution 2012 SAP AG. All rights reserved. 15
Summary: SAP UI Masking / Logging Features SAP UI Masking / Logging brings, Preventive protection SAP UI Masking / Access Logging Solution by SAP standard solution Certification Supported, maintained by SAP API or Configuration Modification or Configuration Custom Logic Performance 예방적효과 Preventive Effect SAP Configuration based solution -Easy to use -Easy to maintain Only Configuration Needed -Easy to upgrade, Easy to reset, Easy to reconfigure -Easy implementation -SAP responsible for any upgrade issue Can be integrated with other SAP tools -BADI is provided by default for each field -Custom logic can be added by BADI No performance concern at all No search concern at all Powerful UI Logging UI Logging brings Preventive security effect. 2012 SAP AG. All rights reserved. 16
Summary: SAP UI Masking / Logging Features 내부직원에의핚개인정보누출차단 필드레벨에서의차별적시큐러티솔루션 End-User 뿐만아니라, Admin-User 에대해서도 Protection 원하는필드에대한 Flexible 한설정 UI 마스킹은 SAP Standard UI 와 CBO UI 에함께적용 마스크할필드를등록하면그필드를쓰는모든 UI (standard plus CBO) 에마스킹함께적용. 프로그램 (Standard, CBO) 변경없이 Configuration 으로적용가능 유연하고, 확장가능핚솔루션지원, can work with any DB Encryption Solution UI Masking 과함께필드레벨에서의 UI logging 제공 Irrelevant to the database encryption in place / Not Affected by Database Encryption Solution 검증된품질관리 / 성능이슈없음 SAP 솔루션은성능에영향주지않음. 사용및관리용이. No Special User Training Needed. 약 1.5 개월정도의짧은적용기갂. Security Best Practice & Health Check Service is also available Total Security Review, Governance Review, Evaluation, Assessment Service 2012 SAP AG. All rights reserved. 17
Thank You! 상세핚내용은담당영업대표께문의바랍니다. 김성홖 Client Partner / Director SAP Consulting / SAP Korea Sung.whan.kim@SAP.com 010 3227 9416