Blog Post

Security, Compliance, and Identity Blog
5 MIN READ

Microsoft RMS is now limiting SAP data leakage with the help of Secude

Azure Information Protection Team's avatar
Sep 08, 2018
First published on CloudBlogs on Feb, 10 2014

Happy Monday everyone,

Today I thought I’d share with you another side of data protection. We often talk about how the Microsoft Office suite, Foxit PDF Reader, and RMS application offer file protection but there is another 800 lb (363.63 kg) gorilla we need to care about. It’s the data stored in ERP (Enterprise Resource Planning) applications such as SAP.

The good news is that not all perimeters are weakening at the same rate. You are losing control over your corporate perimeter far more quickly than you are the SAP perimeter. Said differently, data in SAP is generally quite fortified. The bad news is that this is only the case until such time a report – most often an Excel spreadsheet or a PDF file – is exported from the system. This point of egress is a high source of data leakage from the otherwise well controlled SAP security access. Alas, now we're back to square one, protecting files again. Not only are these files floating around freely within your organization, they are also being sent to employees’ mobile devices, the mailboxes of partners, or being stored in less acceptable places (e.g. consumer-grade cloud services). It’s really strange to me (us) that this very sensitive data is now free to flow to anyone; without any protection or control over it.

The Microsoft Rights Management team partners with other software vendors to create layered offers. Today I’m introducing SECUDE, an experienced SAP security company, who have just released a solution that directly integrates Microsoft’s RMS technology with SAP.

Here’s a little back and forth conversation with them:

Dan: Today, I have Michael from SECUDE. Tell us just a few words about the company and your role.

Michael: Thanks for having me Dan! Engineers from SAP and the Fraunhofer Institute in Germany founded SECUDE in 1996 as a partnership between the two companies. Since then we have developed innovative solutions that help companies protect their data. I’m responsible for SECUDE’s operations in the Americas region.

Dan: Tell us more about the product and what it does.

Michael: The concept is quite simple: think of Halocore (the product name) as an RMS enabler for SAP that extends the RMS technology into the SAP environment. Halocore classifies and protects information downloaded from SAP and leaves behind an audit trail. When we started working on Halocore, our goal was to make it simple for the end-user to protect information leaving SAP. So we spent a lot of time on developing a classification engine that could understand the user’s roles and authorizations within SAP, understand what type of data the user is downloading and combine all that information into a simple decision-making process that is as transparent to the end-user as our customers would like it to be.

Dan: What kind of companies can benefit from this solution?

Michael: Any company that runs SAP and stores sensitive information inside of SAP. Examples of sensitive information include HR and employee data, financial information, customer and partner records, supply chain information, product ingredients etc.

Dan: How can a company find out if sensitive information is even leaving SAP and if so what kind of information?

Michael: Excellent question! The easiest way to find out is to install our free Data Export Auditor for SAP. It’s basically Halocore without the protection feature, but it provides you with a complete audit trail of all the information leaving SAP. Let the tool run in the background for a few days or weeks and you’ll have a very good understanding of who downloaded what and from where.

Dan: Walk us through the setup.

Michael: One of the strengths of Halocore is its flexibility to adapt to existing business processes. Our recommendation is to start with a simple model that provides solid base protection before extending it over time to reflect more complex processes. Halocore is based on Active Directory Rights Management Services (ADRMS) [MA1] so setting that up would be the first step. We recommend using Azure Active Directory and RMS in the cloud because it significantly simplifies the setup process. The next step is to install our SAP NetWeaver ABAP add-in and our Windows Service. The last step is to point our SAP add-in to our Windows Service and you’re ready to go.

Dan: How does Halocore interact with a typical end-user?

Michael: The short answer is as little as possible. In fact Halocore can be configured to classify and protect certain information (i.e. financial data downloaded by a user with a financial role) completely automatically. When interaction is desired or required, Halocore presents the user with a simple dialog that lets the user choose from a short, pre-ranked list of protection templates or optionally allows the user to apply a custom protection scheme.

Dan: Where are you on your product roadmap? What more can we expect from you?

Michael: We’re just at the beginning. Halocore in its current release supports NetWeaver ABAP and we’re currently working on support for Web Dynpro, Business Intelligence/Business Objects as well as Hana among other cutting edge technologies.

Dan: How is this product purchased?

Michael: Ideally through one of our resellers. Our license model consists of a combination of (instance) server and user-based licenses to address a broad range of use-cases – from single SAP instance with 25 users to 70 SAP instances with 100,000 users.

Dan: Great. And lastly, if organizations have questions or want to see a demo, how do they reach you?

Michael: The easiest way is to go to http://www.secude.com/contact/contact-us/ or you can send us an email to info@secude.com .

Well, that’s it. As you can see, this is a pretty powerful combination of what RMS is focused on (data protection) and a company that has specialized in the craft of interacting with SAP. I’ll encourage you to give the free auditor tool a spin. Also, for those of you mired in often cited difficulty of getting something deployed across a slew of IT groups, this might well be the easiest possible way to get RMS into your organization: speak to the small team that does SAP and you’re mostly on your way! In fact, SECUDE did say admit to actively testing their service against Azure RMS making this even more trivial to get going.

Cheers,
Dan

@TheRMSGuy -- our twitter account for late breaking news
www.yammer.com/askIPteam -- a customer facing portal for all things RMS

Published Sep 08, 2018
Version 1.0
No CommentsBe the first to comment