WHITEPAPER How To Protect Personal Data And Privacy In SAP . - Lookout


WHITEPAPER

How to protect personal data and privacy in SAP SuccessFactors

Dynamic SaaS and cloud environments create new security challenges

SAP SuccessFactors revolutionized the human capital management (HCM) market, providing everything from core human resources management to advanced workforce analytics for thousands of enterprises worldwide.

Its popularity soared when legions of enterprises migrated to the cloud to benefit from the software as a service (SaaS) delivery model. This raised security concerns about protecting the confidentiality of employee information and compliance with data privacy regulations.

The security challenges are daunting. Your apps have left the building. Employees work remotely using devices and networks you don’t control. There are no fixed perimeters in the cloud. Data must be available everywhere.

The challenges deepened with the emergence of international data residency and privacy laws. According to the law firm of Morrison and Foerster, 133 jurisdictions worldwide had enacted data privacy laws as of January 2021.

As a result, enterprises that invest in SuccessFactors must secure all data — from mobile endpoints to cloud-hosted SaaS — and reduce business risk by protecting personally identifiable information (PII), protected health information (PHI) and other confidential information in accordance with privacy regulations.

The Lookout CASB — a cornerstone of our integrated endpoint-to-cloud security platform — does exactly that. We give you detailed visibility into your entire security infrastructure, along with dynamic access controls, data protection, cyberthreat detection and compliance management.

Safeguard data privacy and maximize human capital management

With Lookout CASB, you can be confident that the privacy of employee data is protected across all fronts — spanning human resources, payroll, recruiting, workforce planning, and other strategic HCM business processes.

Lookout CASB supports all SAP SuccessFactors modules
- Employee Central
- Performance and Goals
- Succession and Development
- Learning
- Reports
- Compensation
- Analytics
- Open Data Protocol (OData) APIs
- Workflows
- Email

SuccessFactors data security checklist
- Extend visibility into SAP SuccessFactors cloud usage.
- Enable Zero Trust access from any device and location.
- Enforce advanced data protection policies to detect, classify and secure sensitive data.
- Apply Zero Trust encryption with 100% ownership of encryption keys.
- Secure downloaded data with enterprise digital rights management.
- Monitor user activity to identify anomalous behavior and threats.
- Support complex global compliance requirements to ensure data privacy.

Enable Zero Trust access from any device and location

“79 percent of organizations have experienced an identity-related breach in the last two years, and 99 percent believe their identity-related breaches were preventable.”
Identity Defined Security Alliance, May 2020

Before human resources processes connect to SuccessFactors, user identities must be verified before granting access. The widespread use of personal devices for work underscores the importance of identity- and context-aware access to apps.

Lookout CASB lets you define granular, context-aware policies for Zero Trust access to data hosted in SuccessFactors. Policies are enforced by using a combination of contextual factors and step-up authentication that prompts workers to provide additional credentials to ensure policy compliance.

Contextual factors employed by Lookout CASB include user identity, user group, location, IP address, devices, operating systems, baselines of user behaviors, device compliance and intellectual property risk.

Additional capabilities
- Integrates with mobile device management (MDM) and enterprise mobility management (EMM) — Lookout CASB enforces device access restrictions after retrieving and classifying endpoint devices as managed or unmanaged. This prevents users from downloading salary reports and other confidential data to unmanaged devices.
- Integrates with identity providers — In reverse-proxy mode, Lookout CASB integrates with Microsoft Azure AD, Okta, Ping and Thales to enforce Zero Trust from devices and locations to authorized cloud apps. Identity, coupled with single sign-on and multifactor authentication (MFA), gives you granular access controls for SaaS app log-in activities.
- Preventing unauthorized access — Lookout CASB detects and blocks suspicious login times and locations, such as identifying a user’s attempt to log in from overseas only two hours after the same user authenticated from North America.

Protect data by using detection and classification

To boost productivity across HCM processes, you must first protect the PII and other confidential data that is uploaded to SuccessFactors and shared with connected third-party apps. This ensures secure connections for employees, business partners and contractors who use managed and unmanaged devices from any location.

Cloud-delivered data loss prevention (DLP) from Lookout CASB gives you the strongest data protections and access controls available for SuccessFactors. We continuously ensure the integrity and fidelity of data in motion and data at rest across all SAP modules for SuccessFactors.

Lookout data protection for SuccessFactors

Centralized DLP policy engine — Lookout CASB advanced DLP extends data protection and access controls to SuccessFactors in the cloud. You can create granular policies that scan sensitive data in real-time for assigned classification, rules enforcement, encryption, masking, watermarking, quarantining or deletion.

Policy creation options — Options include allow or deny uploads, logging, notification, denial, protect bulk data imports, step-up authentication, apply data classification labels, encrypt files to protect data during downloads, user compliance coaching, document highlighting, redaction, watermarking, permanent deletion and user remediation.

Field and file-level data protection — Lookout CASB protects SuccessFactors field-level data (structured) and unknown files or notes (unstructured). Protected fields include personal employee records and extend further to names, addresses, phone numbers, email addresses and social security numbers. Custom fields can also be protected to encrypt sensitive industry-specific data, such as Military IDs.

Data classification — Lookout CASB classifies data while providing visibility into and protection across SuccessFactors modules and apps, users and devices. This protects employee records and sensitive data from unintended exposure. We also integrate with Microsoft Information Protection (MIP) and Titus to extend data classification and governance to any document in any cloud.

Apply Zero Trust encryption with exclusive key control

“Over 64% of financial services companies have 1,000 sensitive files open to every employee.”
Varonis, 2021 Financial Services Data Risk Report

Although some SaaS providers protect at-rest data, such as in storage, most do not secure in-use data and in-transit data. This can leave sensitive and confidential clear-text information in SaaS apps vulnerable to devastating data breaches.

[Chart: Biggest security concerns. 63% Data loss/leakage; 63% Data privacy/confidentiality. Source: AWS Cloud Security Report 2020 for Management: Managing the Rapid Shift to Cloud]

Additionally, many cloud app key management policies and processes might not comply with GDPR, HIPAA and CCPA data protection laws because SaaS providers – not their customers – control encryption keys.

Lookout CASB Zero Trust encryption for SuccessFactors offers the most compelling approach to data protection. It provides tighter controls over SuccessFactors HCM modules within apps.

We use 256-bit AES encryption to protect PII in SuccessFactors while preventing unencrypted data from leaving your network. You exclusively retain valid encryption keys to prohibit unauthorized users, cloud provider system administrators and outsiders from accessing data without permission.

Unique benefits of Lookout CASB encryption

Hold your own keys — Lookout CASB key management gives you sole ownership of keys to encrypt data. SuccessFactors does not possess keys, decrypt data or share it with any third-party app, which stops unauthorized data disclosures.

Format preservation — Strong encryption from Lookout CASB preserves field-level policy formats in SuccessFactors. We also deliver partial field encryption when searching, sorting, reporting and charting data. This empowers you with best-in-class data protection without interfering with critical HCM processes.

Secure downloaded data with enterprise digital rights management

“There are undeniable risks in permitting employees’ access to corporate resources from personal devices.”
Forbes

The growing number of employees who are using personal mobile devices for work creates new challenges to protect confidential data as it travels outside the cloud environment, extending the need for secure offline data access.

Enterprise Digital Rights Management (E-DRM) in Lookout CASB applies strong protection controls to confidential data in SuccessFactors. We automatically encrypt personal information about employees, salary reports and related workflows during downloads to user devices for last-mile data protection.

You can define EDRM policies to permit file access and downloads on managed devices only and restrict access to authorized users who are granted permission to decrypt downloaded files using the Lookout CASB lightweight EDRM client.

Additional EDRM protections

Full visibility and data ownership — Lookout CASB gives you complete visibility into any data accessed and downloaded by internal and external users, including customers, vendors, and partners. We empower you to control downloaded files, regardless of where they are being shared.

Decryption key management — Lookout CASB lets you revoke decryption keys and stop user access in real-time to protect confidential data on lost or stolen devices. This also protects data from misuse, such as preventing former employees from taking customer data to new companies.

Identify anomalous user behaviors and cyberthreats

Any SaaS platform – SuccessFactors included – can fall victim to malware that will initiate a cyberattack that spreads laterally throughout your cloud infrastructure, propagates to other clouds and bypasses conventional antivirus systems.

These cybercriminals typically use command-and-control tactics to compromise devices and apps and hijack personal and administrative login credentials. Access privileges continue to escalate until they find confidential data and valuable intellectual property, which results in a catastrophic data breach.

Lookout CASB addresses this manner of cybersecurity threat by aggregating and correlating related data from across enterprise networks, clouds, SaaS and mobile environments.

We give you full visibility into the earliest signs of threat behaviors so you can quickly mitigate attacks and stop data breaches.

“The average cost to recover from a cyberattack for organizations with more than 1 billion in revenue is 4.6 million.”
TechBeacon

Detect suspicious behaviors and cyberthreats

User and entity behavior analytics — User and entity behavior analytics (UEBA) in Lookout CASB leverages sophisticated machine learning algorithms to monitor activity in SuccessFactors, including unusual region or time of day, attempted bulk file downloads, and other anomalous behaviors.

UEBA provides real-time alerts about anomalous behaviors that might originate from a cyberattacker or malicious worker. In this case, Lookout CASB will block actions based on variations in normal behavioral patterns.

Examples of these anomalies include an abnormally large number of downloads from an individual user, an unusually high volume of login attempts from the same user or persistent login attempts by an unauthorized account.

Zero-day threat protection — Integrated antivirus/antimalware (AV/AM) in Lookout CASB scans all inbound and outbound cloud content to defend against viruses, malware and ransomware with industry-leading detection rates. Infected content is quarantined on the fly without noticeable latency.

Additionally, URL link protection and on-premises sandbox integration enable you to quickly detect and remediate today’s most advanced cyberthreats.

SIEM support — Lookout CASB extends user activity logs collected on-premises to the cloud by integrating with Microfocus ArcSight, IBM QRadar, Intel Security, LogRhythm, and Splunk SIEMs. This enables you to combine incident management automation with centralized analysis and reporting of endpoint-to-cloud security events.

Ensure regulatory compliance to protect data privacy and residency

“By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today.”
Gartner Report: The State of Privacy and Personal Data Protection, 2020-2022

Data protection laws like GDPR require you to prevent personal data from being retained in or traveling through countries that do not have data protection standards that are equivalent to the resident country.

This creates a complex global challenge for organizations that rely on SuccessFactors and other SaaS app platforms. Cloud services often involve multiple data centers that are geographically dispersed among several regions to ensure high availability and minimize latency.

Lookout CASB uses cloud encryption gateways to provide secure, centralized compliance and governance. This includes absolute data residency, protection from government forced disclosure, and safe harbor from breach notifications.

Centralized compliance and governance

Absolute data residency — Lookout CASB encryption and key management allow one global instance of a SaaS app and selectively encrypt and tokenize data for each required country to meet local residency requirements. This absolute capability for data-residency control ensures that PII and confidential data from SuccessFactors are not revealed outside of the country or area of sovereignty.

Protection from government forced disclosure — Lookout CASB delivers unique and powerful key management capabilities that always remain under your control and jurisdiction. This prevents access through forced government disclosures and empowers you with 100 percent control over data access.

Safe harbor from breach notification — Data most often cannot be breached if it is encrypted and if related data encryption keys reside solely with you. Under most compliance regulations, you are not required to notify your customers or employees if a cyberattacker or malicious insider gets hold of encrypted data, which limits reputational risk and eliminates the cost associated with a publicly disclosed breach.

About Lookout

Lookout is an integrated endpoint-to-cloud security company. Our mission is to secure and empower our digital future in a privacy-focused world where mobility and cloud are essential to all we do for work and play. We enable consumers and employees to protect their data, and to securely stay connected without violating their privacy and trust. Lookout is trusted by millions of consumers, the largest enterprises and government agencies, and partners such as AT&T, Verizon, Vodafone, Microsoft, Google, and Apple. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

To learn more, visit www.lookout.com and follow Lookout on its blog, LinkedIn, and Twitter.

lookout.com 2021 Lookout, Inc. LOOKOUT, the Lookout Shield Design, LOOKOUT with Shield Design, SCREAM, and SIGNAL FLARE are registered trademarks of Lookout, Inc. in the United States and other countries. EVERYTHING IS OK, LOOKOUT MOBILE SECURITY, POWERED BY LOOKOUT, and PROTECTED BY LOOKOUT are registered trademarks of Lookout, Inc. in the United States; and POST PERIMETER SECURITY ALLIANCE is a trademark of Lookout, Inc. All other brand and product names are trademarks or registered trademarks of their respective holders. SAPsuccessFactors wp 20210618-Lookout-USv1.0
