CRM and CX Blogs by SAP
Stay up-to-date on the latest developments and product news about intelligent customer experience and CRM technologies through blog posts from SAP experts.
SivaS
Product and Topic Expert

"Security is the bedrock of trust in the digital world. Prioritizing it in your applications isn't just about safeguarding data; it's about nurturing the trust your customers place in your brand."



In this blog, I am going to explain how to secure your customers' data in the SAP Customer Data Cloud tool.

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. While it is primarily the customer's responsibility to ensure their data security and proper user management, SAP supports security by providing relevant features and functions. SAP is also responsible for managing the lifecycle of the application for security improvement.

The importance of data privacy and the need for security:


Data privacy measures and controls have three main goals: To protect the information’s confidentiality and integrity, to build trust with customers, and to comply with data privacy laws. Failure to implement these controls can lead to a breach which can have serious consequences for both individuals and organizations.

Impact on individuals


Individuals whose data is stolen may become victims of identity theft or fraud. The hackers may use the stolen data to impersonate the victim and open lines of credit, apply for loans, etc.

The loss of sensitive or private data may also cause the victim to face humiliation, discrimination, financial losses, or psychological damage. In serious cases, their health, life, or family may be threatened.

Impact on organizations


Data breaches hurt organizations as well, especially financially. According to IBM, the average cost of a breach has gone up to $4.35 million in 2022. Breach costs can include attackers’ ransom demands, plus “cleanup costs” related to breach remediation and forensic investigations. Regulatory fines and lawsuits may also add to the cost.

A breach can also damage the company’s reputation, customer perception, and stock prices. It may lose its customers’ trust and struggle to meet its contractual obligations, which could affect its business relationships and profits.

What does CDC offer to secure customer data?


Amid the rapid technological advancements, consumers employ diverse devices and applications, each with unique identity preferences. Mobile devices often supplant desktops, and many opt for streamlined social identity authentication. Regardless of the method chosen, consumers anticipate a seamless, uniform experience from brands they engage with. In this landscape, brands must establish trust-centric relationships with their customers through the SAP Customer Data Cloud (CDC) platform, delivering an integrated omni-channel experience while upholding stringent security protocols.

CDC provides a Security Dashboard and the security policies for Authentication, Identity Verification, and CAPTCHA.

Security Dashboard


The SAP Customer Data Cloud Console’s Security Dashboard allows you to see the current and accurate state of the security of your sites (per API key). You can use this dashboard to quickly determine if there are any issues that need to be addressed in real time.

The Security Dashboard contains the following information:

  • SSO Group Dashboard Blocked Login Attempts - This is only visible on the parent site of an SSO group.

  • Overall Security Rank

  • Total Login Attempts

  • Login Risk Score

  • Top 50 Blocked IPs

  • Total Blocked Device IDs

  • RBA Rules and RBA Enforcement

  • Blocked Login Attempts

  • World Map - Risk Management

  • Invalid Credentials / Total Logins

  • Top High-Risk IPs


More details can be found in CDC Security Dashboard.

The CDC Platform implements various out-of-the-box security measures when transacting with end-user data saved in CDC's Account.

1. Implement Strong Password Policies:


Using a strong password is essential because it helps protect your personal and sensitive information from unauthorized access. Hackers and cybercriminals use various methods to crack weak passwords, such as dictionary attacks, brute force attacks, and social engineering. Once they gain access to your account, they can steal your personal information and money or use your account to commit fraudulent activities.

Using a strong password makes it more difficult for hackers to crack your password and gain access to your account. A strong password is usually long, complex, and includes a combination of upper and lowercase letters, numbers, and special characters. Using a unique password for each of your accounts is also important, as using the same password for multiple accounts increases your risk of a security breach.

In addition to using a strong password, following other security best practices, such as enabling two-factor authentication, helps protect you against cyber threats and keeps your personal information safe.

To implement strong password policies in CDC, please check Password Policy Setup in CDC.

2. RBA (Risk-Based Authentication):


Risk-based authentication, often referred to as context-based authentication, is the procedure of validating a user's identity during the login process. It involves evaluating the user against a predefined set of criteria to determine the level of risk associated with the login attempt, based on which access to specific resources is authorized or denied.

In the contemporary digital landscape, the traditional approach of relying solely on a username and password for user authentication falls short. Today, authentication mechanisms extend beyond the fundamental username-password combination. Businesses must adopt a more comprehensive approach, factoring in various elements to ascertain a user's identity before granting access to sensitive data.


Risk Based Authentication


The following risk factors are considered in CDC.

Any of the following events can trigger a requirement for a higher level of authentication:

  • Failure to log in after a specified number of attempts, from a specific account or IP address.

  • Percentage of failed logins, triggered after a specified number of attempts.

  • New device used for login.

  • First login from a different country/region.

  • Login from an unknown location.


How RBA Works



How Risk Based Authentication Works


Failed logins, logins from an unknown device and other security events can trigger an additional security layer, lockout, or other RBA measures.

Risk-based authentication is used for adding an additional security layer to the account login scenario. The following logic applies to RBA:

  • Failed logins can trigger an account lockout or a CAPTCHA. A high number of failed logins could be the result of a brute force attack to uncover the account's password. These are calculated for a given account. In addition, you can use the IP ratio counter to lock an IP address based on the percentage of failed logins of the total attempts for that address.

  • Following a successful login, you can request a second-factor authentication if the user is logging in from a new device and/or new country/region.


For more details on how to set up RBA in SAP CDC, please check CDC Risk Based Authentication.

3. Account Takeover Protection (ATO Protection):


Account Takeover (ATO) is an attack whereby cybercriminals take ownership of online accounts using stolen passwords and usernames. Cybercriminals generally purchase a list of credentials via the dark web – typically gained from social engineering, data breaches and phishing attacks. They use these credentials to deploy bots that automatically access travel, retail, finance, eCommerce, and social media sites, to test password and username combinations and attempt to log in.

Account Takeover Protection (ATO) is CDC’s recommended Risk Engine based on AI/ML (artificial intelligence/machine learning) that you can add to your site or site group and will apply to all sites of that group*. ATO provides an additional risk score that can be used in RBA to trigger rules. When ATO Protection is enabled and there are multiple sources of risk score for the site/group, RBA returns the score of whichever source is the highest risk. For example, if RBA has a reCAPTCHA V3 score of 0.6, a client Context score of 0.5, and an ATO score of 0.7, the risk score used by RBA is 0.7 (received from ATO).

In CDC, ATO enables prosecuting malicious activity/bad actors while leaving a frictionless user experience for legitimate users, by using ATO with RBA's "high-risk" rule templates. ATO forces malicious users and bots to pass a CAPTCHA challenge while regular users log in unencumbered.

For more details, please check Account Take Over Protection.
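The RBA logic from section 2 and the highest-score rule described above, modelled together as an added example (not SAP's code and not a CDC API). The thresholds, field names and action labels are assumptions chosen for illustration; in CDC the admin configures the actual rules in the console.

```python
from dataclasses import dataclass, field

# Assumed thresholds for illustration only.
MAX_ACCOUNT_FAILURES = 5   # failed logins per account before lockout
IP_MIN_ATTEMPTS = 20       # IP ratio rule applies only after this many attempts
IP_FAILED_RATIO = 0.8      # share of failed logins that locks the IP
HIGH_RISK_SCORE = 0.7      # score at or above which a CAPTCHA is required
PAGE_SCORES = {"recaptcha_v3": 0.6, "client_context": 0.5, "ato": 0.7}  # from the text


@dataclass
class LoginContext:
    credentials_ok: bool
    account_failures: int   # failed logins counted for this account
    ip_attempts: int        # total login attempts seen from this IP
    ip_failures: int        # failed login attempts seen from this IP
    new_device: bool = False
    new_country: bool = False
    risk_scores: dict = field(default_factory=dict)


def effective_risk(scores):
    """Return (source, score) for the highest-risk source, or (None, 0.0)."""
    if not scores:
        return None, 0.0
    source = max(scores, key=scores.get)
    return source, scores[source]


def evaluate(ctx):
    """Return the RBA actions for one login attempt (hypothetical action labels)."""
    actions = []
    # IP ratio counter: percentage of failures, checked only after a minimum sample.
    if ctx.ip_attempts >= IP_MIN_ATTEMPTS and ctx.ip_failures / ctx.ip_attempts >= IP_FAILED_RATIO:
        actions.append("lock_ip")
    # Per-account counter: repeated failures suggest password guessing.
    if ctx.account_failures >= MAX_ACCOUNT_FAILURES:
        actions.append("lock_account")
    locked = bool(actions)
    # The highest score across all sources is the one the rules see.
    _, score = effective_risk(ctx.risk_scores)
    if score >= HIGH_RISK_SCORE:
        actions.append("captcha")
    # A second factor is requested only after a successful primary login.
    if ctx.credentials_ok and not locked and (ctx.new_device or ctx.new_country):
        actions.append("tfa")
    return actions or (["allow"] if ctx.credentials_ok else ["reject"])
```

The minimum-attempts guard on the IP ratio rule is what keeps a single mistyped password from a fresh address (1 failure out of 1 attempt) from locking that address.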

4. TFA (Two-Factor Authentication):



Two-Factor Authentication


Two-factor authentication (2FA), a subset of multi-factor authentication (MFA), enhances access security by demanding two distinct methods, known as authentication factors, for identity verification. These factors encompass knowledge-based elements, like a username and password, paired with possession-based elements, such as a smartphone app, which is employed to validate authentication requests.

In CDC, the Two-Factor Authentication method used for an authentication session depends on the Risk-Based Authentication (RBA) rules configured by the Admin in the SAP Customer Data Cloud console. For more information on RBA, see Risk-Based Authentication.

To enable TFA with RBA in CDC, please check User Enabled TFA.


Conclusion:


In a world where technology evolves at a rapid pace, the security landscape continuously adapts and expands. As such, SAP Customer Data Cloud (CDC) stands as an emblem of ongoing innovation in safeguarding customer data. With evolving needs and ever-enhancing security measures, SAP CDC is at the forefront of adapting to new challenges, ensuring a seamless and secure experience for both businesses and their customers. To explore the full scope of these advancements and learn more about the application, delve deeper by following the link below.

SAP_CUSTOMER_DATA_CLOUD


Thanks for reading it till the end.





  • Hope you find that helpful! Let me know your thoughts on this in the comments section.

  • Don’t forget to share this article with your friends or colleagues.

  • Feel free to connect with us on any of the platforms below!


sivaselagala

elam.bharathy.kuppusamy
