Protecting SAP Customer Data Cloud with F5 Distributed Cloud Services

Business-to-consumer (B2C) sellers come in every size and shape online—from retail and e-commerce sites to a vast array of online providers across the financial services, travel and hospitality, and digital services industries, to name a few. One thing nearly all online B2C companies have in common is the desire to “know the customer.” Online businesses that offer consumer-based services or products often need to go beyond just selling value and benefits—they need to invoke an emotional connection with the consumer. Since every customer is different, creating an emotional connection begins with delivering a personalized experience.

For a B2C business, knowing the customer requires first identifying each individual visitor—and that requires a robust Identity and Access Management (IAM) solution. SAP is a well-known leader for its Customer IAM (CIAM) and general commerce products and services for B2C businesses. This use case explores how these businesses can introduce F5 Distributed Cloud Services into their defenses to optimize their investment in SAP and deliver a secure, frictionless customer experience.

SAP for B2C business

SAP Customer Data Cloud (CDC) is a multi-tenant SaaS solution that provides the ability to store and govern consumer profiles. For its approximately 700 customers (and growing) SAP hosts more than 1.4 billion consumer identities, stores 1.6 billion consent transactions per month (addressing requirements of regional data protection laws such as GDPR, CCPA, and LGPD), provides integration for 4 billion consumer devices, and processes around 18 billion API calls per month. For many online B2C businesses, their SAP CDC solution is part of an overall SAP Customer Experience Solutions that also includes SAP Commerce Cloud. Among other capabilities, SAP CDC delivers:

  • Customer Identity (CIAM): including registration-as-a-service, social login, and identity federation/SSO (single sign-on)
  • Customer Consent: consent management for all aspects of GDPR, such as the ability to control access to, export, and even deletion of consumer profile data
  • Customer Profile: including records of consent and other preferences; orchestration and governance; data analytics; and reports

Distributed Cloud Bot Defense for bot and fraud protection

It’s not unusual for 90 percent or more of a B2C web site’s daily log-in attempts to be from non-human visitors. Unfortunately, non-human in this case usually means bot-based attack traffic. These cheap, rudimentary bots simply cycle through the millions and millions of stolen and leaked credentials that are already in the wild, one after another, over and over, throwing username and password combinations at your commerce site hoping for even a tiny fraction to make it throughs.

 

It’s a process known as credential stuffing and it can be costly. All those automated login attempts are a constant, steady drain on bandwidth and server resources; and things can go from bad to worse if one of those bots is able to log-in with stolen credentials.

F5 Distributed Cloud Bot Defense identifies all manner of harmful, bot-driven network traffic and blocks it before it becomes a drain on your resources (or worse).

There are two stages to a Distributed Cloud Bot Defense deployment: observation mode and mitigation mode. In observation mode, Distributed Cloud Bot Defense analyzes the logs of all incoming requests to an application in order to identify threats and customize a defensive resolution.

Fig 1: Through monitoring, Distributed Cloud Bot Defense discovered that 90% of login traffic was from bot attacks.
Fig 1: Through monitoring, Distributed Cloud Bot Defense discovered that 90% of login traffic was from bot attacks.
Fig 2: Once deployed, Distributed Cloud Bot Defense reduced the amount of login traffic from bot attacks by 90%.
Fig 2: Once deployed, Distributed Cloud Bot Defense reduced the amount of login traffic from bot attacks by 90%.

While analyzing logs to distinguish between malicious and legitimate login traffic, Distributed Cloud Bot Defense also has the ability to categorize requests into attack campaigns for analysis. If an attack campaign tries to bypass F5 by somehow retooling (typically by updating software or leveraging new proxies), Distributed Cloud Bot Defense is still able to identify the campaign based on hundreds of other signals.

Once F5 and the customer are confident that no legitimate human traffic will be impacted, mitigation mode can be activated. From that point, when it is determined in real-time that an application request is from a fraudulent source, that source is immediately blocked—all without introducing any friction (such as the need for multi-factor authentication, CAPTCHA, etc.) to legitimate human users.

Summary

Online fraud is a real and growing threat from which B2C businesses need to protect their customers—but those protections must not inject friction into the user experience for risk of losing those same customers. While SAP helps convert your unknown users to known, loyal customers, F5 Distributed Cloud Bot Defense works behind the scenes to dramatically reduce your exposure to automated, fraudulent bot attack traffic, help ensure the security of your SAP services, and remove friction from the user experience.

For more information about F5 Distributed Cloud Bot Defense, visit f5.com/cloud/products/bot-defense.

Protection Against Bots and Other Automated Attacks

Distributed Cloud Bot Defense protects against the most sophisticated credential stuffing and account takeover attacks, carding, and the rest of the OWASP Automated Threats to Web Applications, including:

  • Account Takeover: Stops fraudsters from rapidly testing stolen credentials on your login applications, which means they can’t take over accounts in the first place.
  • Scraping: Control how scrapers and aggregators harvest data from your website, allowing you to protect sensitive data and manage infrastructure costs. 
  • Carding: Prevent criminals from using your checkout pages to validate stolen credit cards.
  • Gift Card Attacks: Ensure gift card value, loyalty points and other stored value remains in your customers hands.
  • Inventory Hoarding: Ensure your campaigns and most in demand items and are sold directly to your customers, not to scalpers.
  • Marketing Fraud: Ensure your business analytics and marketing spend are based on bot free data.

 

Challenges
  • Digital transformation exposes organizations to new threats and new types of attacks, including business abuse and e-commerce fraud
  • For cybercriminals, apps represent the single most lucrative class of targets—online fraud losses are projected to surpass $48 billion by 2023
  • When web attacks are blocked, attackers quickly move to other channels such as mobile applications; any security solution must address all platforms

Benefits
  • Slash fraud and abuse
  • Prevent reputational damage
  • Remove friction from the user experience
  • Improve application performance and uptime
  • Increase security