Business-critical applications such as ERP, SCM, CRM, PLM, and others support essential business functions and processes for the world’s largest commercial and government organizations. This includes supply chain, manufacturing, finance, sales and services, and defense.
Many businesses in the Defense Industrial Base (DIB) run SAP at the core of their ERP landscape. When operations rely on SAP, the SAP applications themselves need advanced security controls, and in practice that is usually not the case. Let's take a deeper look at how CUI that leaves SAP is secured.
Shortfalls in SAP Security
The SAP security landscape is changing rapidly as systems move from on-premises to hybrid and cloud landscapes, and that shift brings new security challenges. Most organizations rely on multiple security layers so that if a vulnerability exists in one layer, countermeasures in the other layers compensate.
The multi-layer security market is expected to reach USD 11.7 billion over 2020-27. This layered approach concentrates on the perimeter, the endpoints and the network, but it still does not adequately secure the flow of data. Most companies apply the standard SAP security controls, which are robust for user authentication and for restricting access to business modules. Those controls are transaction-focused and only indirectly data-centric, and they do not consider data that flows out of the system.
Cyberattacks and the impact of unsecured SAP systems
Attackers can exploit SAP flaws to disrupt business, steal or alter data, and erase logs. Since mid-2020, Onapsis researchers have recorded thousands of exploitation attempts and some 300 successful exploits against unprotected SAP instances. Some attacks were automated and some were hands-on-keyboard, but most targeted known vulnerabilities and misconfigurations.
The US Department of Homeland Security's CISA and Germany's Federal Office for Information Security (BSI) have released alerts on defending SAP applications from active threats, but those alerts do not cover protection of data exported from SAP.
Does SAP security meet the CUI demands?
For a DIB company, many SAP transactions may process and retain Controlled Unclassified Information (CUI). CUI held in SAP may include information related to DoD contracts, which is often marked as CUI and may include financials, material BOMs, design and production documents, and so on. It must be protected as CUI for the life of the contract.
Furthermore, the CUI must also be protected by subcontractors who may not use SAP but still need the data. One may argue that SAP itself is very secure and protects CUI. That holds for a closed system or an enclave, but data that is completely locked in is useless, so in practice the CUI has to leave the system and ends up being widely accessible.
How HALOCORE applies sensitivity labels to SAP application data exports
In SAP, a user with access to specific transactions can view CUI on screen. This is often necessary to do the job, and in some cases the user wants a local copy of the information; exporting data from SAP is frequently a business necessity. For convenience, the SAP GUI can download information to spreadsheets (such as MS Excel), to MS Word, or to other formats such as PDF.
This convenience creates a control gap, however. Trusting an employee to view CUI is not the same as authorizing them to copy and disseminate it, yet once data leaves SAP, control over it is usually lost. Employees need not have malicious intent: mistakes happen and files spread. In some cases foreign nationals or attackers might obtain the downloaded CUI.
To address this, SECUDE has teamed with SAP and Microsoft to provide a Zero Trust approach to data removed from SAP. SECUDE's HALOCORE® is an enhancement for Microsoft Purview Information Protection (MPIP, formerly known as MIP or AIP), a leading platform for Enterprise Digital Rights Management (EDRM). HALOCORE is an add-on package for SAP that uses Microsoft's Purview Information Protection SDK to apply labels and protection to data as it is exported.
HALOCORE® automatically applies sensitivity labels and encryption consistent with Microsoft's data protection design. A file containing CUI is encapsulated in a protection shell that travels with the file: even when it is sent externally it keeps its Purview protection, so only authorized identities can open it, and the label's usage rights govern whether it can be edited, printed, copied or forwarded. The file's bytes can still be copied, but without the key the contents are unreadable and any tampering is detected. This protection of exported CUI supports the CUI handling requirements assessed under CMMC, which draws on NIST SP 800-171, though no single product by itself makes an organization CMMC compliant.
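To make the labeling step concrete, here is an added example in Python (it is not SECUDE's, SAP's or Microsoft's code). It models the decision a labeling add-on makes at export time (label by SAP transaction code, with a content-based fallback), stamps the result into an Office file as the MSIP_Label_<GUID>_* custom document properties that Purview writes into labeled Office documents, and then audits a set of exported files for a missing CUI label. The label GUID, the transaction-code policy, the CUI-marker regex and the sample export rows are all constructed for this example. One caveat the audit handles: a file that Purview has also encrypted is no longer a plain OOXML zip package, so the checker reports it as opaque rather than unlabeled; inspecting those requires the Purview SDK itself.

```python
"""Added example (not SECUDE/SAP/Microsoft code): label an SAP export with
MSIP-style custom properties and audit exported Office files for a CUI label.
All IDs, policy entries, patterns and sample data below are hypothetical."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

CUI_LABEL_ID = "a1b2c3d4-0000-4000-8000-000000000001"  # hypothetical tenant label GUID
CUI_LABEL_NAME = "CUI"

# Hypothetical policy: which SAP transactions emit CUI exports. Anything else
# falls back to content inspection of the exported rows.
TCODE_POLICY = {"CS03": CUI_LABEL_NAME, "ME23N": CUI_LABEL_NAME, "VA03": "General"}
# Hypothetical markers: a CUI banner (e.g. CUI//SP-CTI) or a contract number shape.
CUI_MARKER = re.compile(r"\bCUI(?://[A-Z-]+)?\b|\bFA\d{4}-\d{2}-[A-Z]-\d{4}\b")

# Real OOXML namespaces/format id used by docProps/custom.xml.
CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"


def classify_export(tcode, rows):
    """Label for an export from transaction `tcode`; policy wins, content is the fallback."""
    label = TCODE_POLICY.get(tcode)
    if label:
        return label
    return CUI_LABEL_NAME if any(CUI_MARKER.search(r) for r in rows) else "General"


def msip_properties(label_name, label_id=CUI_LABEL_ID):
    """The MSIP_Label_<guid>_* properties Purview stamps on a labeled Office file
    (a real deployment also writes SiteId, SetDate, ActionId and ContentBits)."""
    prefix = f"MSIP_Label_{label_id}_"
    return {
        prefix + "Enabled": "true",
        prefix + "Name": label_name,
        prefix + "Method": "Privileged",  # applied by policy, not chosen by the user
    }


def build_custom_xml(props):
    """Serialize properties as an OOXML docProps/custom.xml part."""
    ET.register_namespace("", CUSTOM_NS)
    ET.register_namespace("vt", VT_NS)
    root = ET.Element(f"{{{CUSTOM_NS}}}Properties")
    for pid, (name, value) in enumerate(props.items(), start=2):  # pids start at 2
        prop = ET.SubElement(root, f"{{{CUSTOM_NS}}}property",
                             fmtid=FMTID, pid=str(pid), name=name)
        ET.SubElement(prop, f"{{{VT_NS}}}lpwstr").text = value
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def make_xlsx_like(sheet_rows, props=None):
    """Constructed minimal OOXML package: just enough of an .xlsx for the audit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/worksheets/sheet1.xml", "\n".join(sheet_rows))
        if props:
            z.writestr("docProps/custom.xml", build_custom_xml(props))
    return buf.getvalue()


def audit_export(blob):
    """'labeled:<name>' if an enabled MSIP label is present, 'unlabeled' if the
    package has none, 'opaque' if this is not a plain OOXML zip (RMS-encrypted
    output or a non-Office file), which needs the Purview SDK to inspect."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return "opaque"
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return "unlabeled"
        root = ET.fromstring(z.read("docProps/custom.xml"))
    props = {p.get("name"): "".join(p.itertext()) for p in root.iter(f"{{{CUSTOM_NS}}}property")}
    for name, value in props.items():
        if name.startswith("MSIP_Label_") and name.endswith("_Enabled") and value.lower() == "true":
            return "labeled:" + props.get(name[: -len("_Enabled")] + "_Name", "?")
    return "unlabeled"


def demo():
    """Constructed BOM export from CS03: labeled copy, unlabeled copy, and a non-Office blob."""
    bom_rows = ["Material,Qty,Contract", "P-100,2,FA8650-21-C-1234", "P-200,1,FA8650-21-C-1234"]
    label = classify_export("CS03", bom_rows)
    labeled = make_xlsx_like(bom_rows, msip_properties(label))
    unlabeled = make_xlsx_like(bom_rows)
    return audit_export(labeled), audit_export(unlabeled), audit_export(b"%PDF-1.4 constructed")


if __name__ == "__main__":
    print(demo())
```

Run over an export share, the audit gives a quick list of SAP downloads that reached disk without any label; an unlabeled result on a file that should have come from a CUI transaction is the gap the page describes. The property check is deliberately independent of the GUID so it also catches files labeled under a different tenant's label.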
You need to protect your CUI to win and keep DoD contracts. SAP is a widely used ERP solution that helps you manage your business and supply chain; however, unprotected SAP file exports can expose your CUI to risk.
The best way to safeguard CUI exported from SAP is to use SECUDE's add-on software for SAP. To learn more, email your inquiry to firstname.lastname@example.org