In the digital age, securing enterprise applications requires a new approach, as the growing number of application interfaces increases the risk of data being compromised. SAP security-focused player SECUDE has sensed a huge opportunity in making enterprise applications more secure with its new technology called ‘HALOCORE’. This is a unique technology that protects intellectual property and other sensitive information extracted from SAP systems. By integrating directly with SAP, HALOCORE protects data with automated classification, blocks unauthorized reports, and helps generate fine-grained access policies. This approach allows enterprises to maintain a high level of control and security over sensitive documents extracted from SAP throughout their lifetime, even if these have been shared via email, downloaded to a recipient’s PC, or printed as PDF.
Dola Krishna, Director, SECUDE Solutions India Private Limited, speaks with Express Computer’s Rachna Jha about the huge opportunities that his firm is eyeing as more and more firms go digital.
Some edited excerpts:
What are some of the major risks for enterprises with respect to enterprise applications such as SAP?
SAP is the core of many organizations as it is used to run key business processes and store amounts of sensitive, business-critical data. As data resides within the boundaries of SAP, it is considered safe and protected as only authorized users have access to the data, activity is monitored within the system, and the internal control of Segregation of Duties (SoD) further and fraud. However, these protection mechanisms do not extend outside of SAP, to the digital world we live in, with cloud computing, sharing apps, and mobile devices that make it easy to take sensitive data on the go.
Data Loss Prevention (DLP) strategies have been widely deployed to help enterprises protect against the threat of users sending sensitive information beyond the organization’s internal networks. DLP is a rule-based security solution that examines file contents and confidential or critical information from leaving the corporate perimeter. When configured effectively, a DLP solution can monitor user activity, restrict confidentially classified information from being exported on a USB stick, etc. However, SAP contains sensitive information that should never leave its systems, e.g. password hashes or certain compliance-restricted data. Unfortunately, DLP policies are often not integrated with SAP processes.
However, DLPs have certain inherent issues. For example, traditional DLP takes an after-the-fact approach to classification by attempting to identify sensitive files after they have been created and stored, using very little contextual information regarding permissions, data owners, and usage authorizations, which makes it an unwieldy and inefficient method to security.
Also, DLP works remotely from where data is created, in different applications, causing it to lack the context of the information and the understanding of the user’s intention with the data in order to make a reliable, informed security decision, for example, whether or not a certain file should be quarantined or allowed. This lack of understanding usually results in a negative impact on productivity for the end users who are unable to access the information they need to perform their job duties.
HALOCORE is an example of a data-centric protection solution that tightly integrates with SAP while requiring very limited or no end-user interaction. Instead of monitoring generic channels, such as network interfaces, protocols, or storage locations, HALOCORE monitors the core functions of SAP that data has to travel through before leaving SAP. With data leaving the enterprise in enormous volumes and rates, Data Loss Prevention (DLP) for SAP is a key security issue.
HALOCORE’s DLP technology for SAP is a comprehensive solution to help prevent loss of your most sensitive data, while enabling secure collaboration and sharing. This deep integration gives HALOCORE full contextual awareness, including detailed information about the user (roles, authorization objects, etc.), the data itself (transaction, table, etc.) and the technical environment (front-end, SAP modules of application server, etc.).
This added intelligence allows HALOCORE to go beyond traditional DLP functionality and classify, protect or block sensitive data at the moment it leaves the application, while allowing only authorized users to have access to that data, thus removing a productivity impact traditional DLP solutions usually have on the workforce. This will prevent certain sensitive data downloads from happening before they even arrive at the user’s chosen medium.
What makes HALOCORE unique?
HALOCORE is the only solution of its kind in the market, and has essentially three key features. HALOCORE’s MONITOR module audits all exports and downloads of critical SAP data regardless of which egress point the data flows from. Using pseudonymizing, the HALOCORE audit log meets, by default, Works Council requirements. It is a key extension to the standard SAP Security Audit Log (SAL) and, furthermore, enriches the auditing data shown in SAP Enterprise Threat Detection (ETD) and SAP Digital Boardroom, especially as it audits all exports using an automated classification engine. Closing these GRC compliance gaps even during ‘Firefighter’ activities, HALOCORE’s MONITOR provides real-time experience showing which sensitive data is at risk of leaving the SAP system and sending e-mail notifications in case of data leakage.
In addition, Monitor has a unique feature (one of its kind) called Data Stream Intelligence (DSI). DSI provides monitoring and classification of data flow (RFC, IDOC, Webservice) between SAP systems and the connected satellite systems. It extends HALOCORE MONITOR’s capabilities to scan ‘machine-to-machine’ background communication through various SAP APIs for integrating with other business applications. Enterprises gain insights into ‘invisible’ SAP application activities and, thus, significantly reduce their IT security risk.
The second module, Block, effectively prevents business-critical data and documents from leaving the protected SAP application and, thus, protects against accidental or intentional data leaks. Directly integrated into SAP, it works based on the HALOCORE audit log at the source of all recorded data flows. Users without a corresponding SAP-authorized profile cannot download any file. Furthermore, a granular, bespoke policy can be implemented using automated data classification, which tailors the control over SAP exports to the specific needs of your organization.
The third module is called Protect. It extends SAP access control shield for intellectual property and other sensitive information beyond SAP boundaries. HALOCORE intercepts data being downloaded and applies fully customizable classification labels to the document metadata.
Using Microsoft Azure Information Protection (AIP) and / or Rights Management System (RMS) each document exported from SAP is efficiently encrypted on the server level before it arrives on any device. Using the automated HALOCORE’s classification engine, granular authorizations and user rights are assigned to sensitive data, allowing easy and secure exchange of documents between employees, partners or suppliers.
HALOCORE is the only solution in the world that bridges both worlds – SAP and Microsoft. Microsoft AIP and HALOCORE complement each other when extracting confidential data from an organization’s SAP enterprise landscape. Deploying HALOCORE helps end users adopt Microsoft AIP without a hitch. Microsoft AIP’s strong document encryption feature runs in the background without impairing ongoing business processes, thus doing away with intrusive manual encryption processes. HALOCORE in combination with Microsoft AIP is the only truly comprehensive solution that secures priceless SAP data exiting at end points. The solution is device and platform agnostic, i.e. it works on desktop, laptop, and mobile end points as well as on SAP and non-SAP platforms. HALOCORE automates classification and protection of SAP data applying Microsoft AIP policy assignment for SAP downloads without any user intervention. The solution supports all common file types (with labeling), securing exchange of all document types with colleagues, partners and customers. Naturally, Microsoft AIP protected data eliminates the need for DLP.
Your firm recently signed RCI? How will a solution such as HALOCORE help the firm?
Research Center, Imarat (RCI) is HALOCORE’s first official client. RCI is a leading laboratory of the Indian Ministry of Defence. The immense importance this institute has for India’s security is witnessed in its invaluable contribution towards the development of several state-of-the-art strategic and tactical missiles.
To streamline and to improve internal operations, RCI leverages information technology to a great degree. To break operational silos and to integrate vital processes for a seamless throughput, they use SAP as their central solution for ERP. This is where all the sensitive and strictly confidential data of the organization is stored and processed. Before HALOCORE was installed, multiple users across functions not only had access to the center’s Purchase Order (PO) transactions, but also had the capability to download or even print copies of the confidential documents. That increased the risk of data loss and misuse, which can not only affect operations of the research center, but also the national security of India.
To make sure that the highly confidential data do not leave the organization and to close the security gap between the SAP system and its users, best-of-breed solutions were in demand.
The key challenge in getting into RCI was in getting the attention of the key people involved in data security. After a string of discussions, demonstrations and a pilot project to gauge the solution’s performance within the operational environment, RCI decided to implement HALOCORE – currently the only ideal solution for such demand in the market.
What are your firm’s goals in the coming years?
SECUDE’s main focus is to continue to provide the necessary solutions on the Data Security and Data Governance space around SAP platform. From the market perspective, SECUDE’s goals currently are to expand its client base across geographies – Europe, USA, Middle East and Asia.
From the product perspective, SECUDE’s goals are to build new capabilities on Data Security into the product which would keep pace with the changing technologies. We are looking at elements of machine learning to analyze the logs that are generated by HALOCORE and to extract actionable insights. We are also looking at IoT as the next technology frontier and its impact on data security.
What would be the key technologies that government and enterprises need to focus on?
“Digital is the new Economy” and “Data is the new oil”. We come across these statements these days in the media. We are witnessing a huge digital transformation wave happening in our society not only on the enterprise side but also on the G2C initiatives (Government to Citizens). We also are realizing that at the centre of all this is the data which powers all the activities, initiatives, schemes, plans, etc. Therefore, it is imperative for governments as well as enterprises to give due care and concern to the safe keeping of such a valuable resource – data. So, apart from existing focus areas, there needs to be a plan around safeguarding the sensitive, confidential and critical data that resides with the Government or with the Enterprises.