No cog too small: Data security in Materials Management

The case of securing critical information for a military R&D establishment

The world has become increasingly digital, and the value of data, today often likened to the ‘new oil’, has grown proportionally. Given this increasing importance, it is only natural that data breaches, theft and leakages are on the rise. These incidents happen across the spectrum, from the factory floor to corporate boardrooms, and especially in research and development and the manufacturing sector, where data such as component price details and technical specifications is of paramount importance. Adding a layer of security and providing additional capabilities goes a long way towards building a stronger information security landscape, which directly impacts business outcomes.

Typical scenarios and challenges

Take, for instance, logistics master data, which contains a range of confidential and sensitive information that may have a significantly negative impact on any company if it were to fall into the wrong hands. Information included in SAP Materials Management, such as pricing, inventory management and consumption-based planning, needs to be protected. Often, access to such complex and sensitive material data is unregulated, based on the quoting procedures, and exports of such information are frequent.

Seemingly innocuous lapses, such as unregulated access to complex and sensitive material data based on quoting procedures, or giving new hires access to manage vital processes and data such as inventory, purchase orders and consumption-based planning elements, could be the root of major security incidents in the future.

Comprehensive security best practices are necessary

Needless to say, comprehensive best practices are required to nip any potential security risk in the bud. CIOs and their CISOs need to monitor and control exported data in every department. In parallel, it is necessary to develop a method to teach employees to properly secure confidential materials information. All these efforts need to be reported to senior management and other stakeholders.

Protecting critical data – An actual issue resolved by SECUDE

Research Centre Imarat (RCI), a leading laboratory of the Defence Research & Development Organization (Ministry of Defence, India), is located in Hyderabad, Telangana. The center is responsible for research and development of missile systems, guided weapons and advanced avionics for the Indian Armed Forces and as such sources components and materials from Original Equipment Manufacturers (OEMs).

Initially, the research center’s multiple users, across functions, not only had access to the center’s Purchase Order transactions, but also had the capability to download and even print copies of POs, thus creating an opportunity for potential data leakages that would be detrimental to India’s national security.

The Director of IT at RCI implemented a system to monitor and block such activity: users are now denied the ability to download or print POs even if they have legitimate access to view and edit the transaction on their systems. Printing or downloading data is now possible only through exceptional authorization granted to specific users. The research center can now not only block unauthorized downloads but also record them in audit logs, giving visibility into any unauthorized attempts made. It also has visibility into all data that is extracted from the enterprise.

SECUDE helps secure vital materials information

SECUDE’s HALOCORE uses classification and policies to limit who has access to what types of data. Materials Management data downloaded from SAP can therefore be classified automatically for specific personnel’s eyes only, allowing quote requests to go only to the vendor responsible. Expiration timers can also control how long that information is accessible by the recipient. The solution’s user-friendly UI allows employees to reinforce the best classification and protection selection or choose their own. The choice is logged for managerial auditing.

HALOCORE also empowers security practitioners to develop dashboards using BO/BI Visuals Extension to study how many materials downloads were protected versus unprotected, which can be tracked over the course of time to prove the efficacy of applied security policies.
