
Many SAP applications contain sensitive and confidential data. Examples include personal data, product related data with information concerning intellectual property, and many other data types.

Within SAP systems, the access to this information is protected by authorization checks. Only users who are assigned to appropriate roles can access applications in which such data is displayed.

However, usually there is no further protection once this information leaves the SAP system – for example after downloading it as a document in a Microsoft Office format, in PDF or other formats. Without further enforcement, such documents can be copied, forwarded, printed, modified, etc.

This article provides an overview on how such data can be protected by applying Digital Rights Management (DRM). The general procedure is to encrypt the document that is to be protected. The encryption is performed by a dedicated DRM server. The information about the users who may perform which action on this document (such as display, edit, forward, print, etc.) needs to be provided to the DRM server. The DRM server then encrypts the document. When the document recipient wants to access this document, he has to connect to the DRM server first to receive the decryption key.

In the following section, I will describe this scenario in detail. We are still in an evaluation phase, and have not yet implemented this scenario. A separate section describes the feasibility, options, and limitations of an integrated solution of DRM within SAP systems. Finally, I will provide information on how to get involved by participating in the SAP Customer Engagement Initiative.

Scenario

This section describes in more detail what an integration of a DRM solution into SAP systems could look like. The scenario shows the integration of an SAP NetWeaver Application Server ABAP system. However, the general idea is to enable the integration of other SAP technologies as well. For this reason, the DRM functionality will be a separate component with an open, technology-independent interface. A similar approach was chosen successfully, for example, for SAP’s virus scan interface.

This article talks about DRM functionality in general, without specifying a certain DRM solution. The most common product for business-related documents in this field is the Microsoft Rights Management Services (MS RMS), which mainly handles MS Office files. At SAP, we have realized first proofs of concept with MS RMS, for example for SAP Product Lifecycle Management. However, the general concept allows us to use any DRM solution, such as Adobe LiveCycle.


Figure 1: Components of a DRM scenario for documents originating from an SAP AS ABAP Server

Figure 1 shows the scenario. Documents with sensitive data are created in an SAP NetWeaver Application Server ABAP system by a human document creator or an automatic process in step 1. The configuration within the SAP AS ABAP system has determined that this document needs to be protected by DRM. Information on the document owner (this may be the document creator or another user), as well as the users and their permissions for this document, are sent to the SAP DRM functionality in step 2. Here, DRM maps the SAP user to the domain user. For this purpose, sufficient user information needs to be provided, for example the mail address or SNC name.

In step 3, the SAP DRM functionality provides all necessary information to the DRM server: the domain user information for the document owner and permitted users, the DRM rights to be assigned to these users, and the document itself. The DRM server encrypts the document and sends it back to the SAP DRM functionality in step 4. From here, the encrypted document is forwarded to the SAP NetWeaver Application Server ABAP system in step 5.

The application then makes the encrypted document available to the document recipient, for example by sending it as a mail attachment or making it available for download. The access to this document is shown as step 6.

When trying to access this encrypted document for the first time, the recipient needs a connection to the DRM server (step 7). This connection is needed to receive the decryption key. The DRM server identifies the user and what he wants to do with the document. Only if this matches the information available in the document, the decryption key is provided (step 8). Now the recipient can access the document. As appropriate decryption information is saved on the recipient’s device, the same document can be accessed again without further calls to the DRM server until this decryption information expires. Note: If the same user tries to access this document from another device, the access to the DRM server is required again.
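The exchange in steps 2 to 8, sketched as an added Python example (not SAP or DRM vendor code): it shows the user mapping failing closed, the rights check at license time, and the per-device license cache with expiry. All class and function names, the user data and the SHA-256 keystream standing in for the DRM product's encryption are assumptions made for illustration; the Device class plays the role of the rights-enforcing viewer on the recipient's device.

```python
import hashlib, secrets

def xor_stream(key, data):
    # Demo-only stand-in cipher (SHA-256 keystream), not what a DRM product uses.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def map_to_domain(sap_acl, directory):
    # Step 2: map SAP users to domain users (here by mail address); fail closed.
    missing = sorted(u for u in sap_acl if u not in directory)
    if missing:
        raise LookupError(f"no domain identity for SAP users {missing}")
    return {directory[u]: set(rights) for u, rights in sap_acl.items()}

class DrmServer:
    def __init__(self, license_ttl):
        self.license_ttl, self.docs = license_ttl, {}

    def protect(self, document, policy):  # steps 3 and 4
        doc_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.docs[doc_id] = (key, policy)
        return doc_id, xor_stream(key, document)

    def request_license(self, doc_id, user, right, now):  # steps 7 and 8
        key, policy = self.docs[doc_id]
        if right not in policy.get(user, set()):
            raise PermissionError(f"{user} may not {right} document {doc_id}")
        return {"key": key, "rights": policy[user], "expires": now + self.license_ttl}

class Device:
    def __init__(self, user, server):
        self.user, self.server, self.licenses, self.server_calls = user, server, {}, 0

    def open(self, doc_id, blob, right, now):
        lic = self.licenses.get(doc_id)
        if lic is None or now >= lic["expires"]:  # first access or expired cache
            self.server_calls += 1
            lic = self.licenses[doc_id] = self.server.request_license(
                doc_id, self.user, right, now)
        if right not in lic["rights"]:  # cached license still limits the action
            raise PermissionError(f"{self.user} may not {right} document {doc_id}")
        return xor_stream(lic["key"], blob)

# Constructed sample data: SAP user names, mail addresses and rights.
DIRECTORY = {"JDOE": "jdoe@example.com", "HRADMIN": "hr@example.com"}
SAP_ACL = {"JDOE": {"view"}, "HRADMIN": {"view", "print"}}
```

Each Device instance holds its own license cache, so a second device for the same user contacts the server again, as the note in the paragraph above describes.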

Limitations / Out of scope

The scenario described in the previous section allows the integration of DRM into business transactions that are processed in SAP systems. Some limitations have to be considered for the implementation of this scenario. These are described in this section.

The term Digital Rights Management covers a broad range of media. For this article, only business-related documents are considered, such as office documents in formats created by Microsoft Office products, or documents saved in the portable document format (PDF).

Any media formats such as those for films, music, etc. are not considered.

SAP does not plan to develop its own solution for DRM protection. Instead, we plan to support the integration of existing DRM solutions. The most commonly used products are Microsoft Rights Management and Adobe LiveCycle.

Depending on the DRM product, restrictions may apply to the operating system of the domain. You will also have to configure a mapping between the SAP user and the domain user, for example by using the e-mail address.

Another restriction applies to the first access to a document. When accessing a protected document from a device for the first time, the recipient needs to be able to connect to the DRM server.

SAP Needs Your Help! Plans for Proof of Concept and Request for Feedback

We are planning to implement a proof of concept and publish information on this soon here on SDN. This proof of concept will show how to send a document to a particular DRM solution (planned: Microsoft RMS) for encryption. The planned scenario will not contain solutions for mappings of SAP authorizations to DRM rights, nor for general mappings of SAP users to domain users.

We would like to extend this scenario to include your specific requirements!

Let us know which challenges your organization is faced with when managing the security and privacy of confidential information once it leaves your SAP systems. Get involved and actively influence our development planning by contacting the security development team directly by writing to kathrin.nos@sap.com


11 Comments


  1. Abhijit Tannu

    Very happy to see an article on EDRM (or IRM as they sometimes are called) applied to transaction system like SAP. This is a very nascent domain and not many organizations have exploited the full potential. Frameworks like what you mentioned here can definitely help in that process.

    One of the reasons for non-consumption is the integration un-friendliness of most EDRM systems. Most EDRM product vendors look at the EDRM as a solution for a point problem and not really as a platform for other enterprise systems like ERP, CRM, DMS to hook into for their EDRM requirements.

    Even MS RMS poses a challenge as explained by one of our customers. Although MS RMS has APIs to integrate, they only support office formats. There are other vendors who have built products on top of MSRMS to support formats like PDF. But they have their own API and own licensing mechanism. There is no common API interface that can be called to protect CSV, XLS as well as PDF files. This is a huge challenge in any kind of integration.

    At Seclore, we actually integrated with one of our customers which is a huge business conglomerate with more than 25000 employees. Their salary & appraisal information is generated through SAP and is automatically mailed to individual employees and other HR functions. They have successfully integrated with Seclore FileSecure EDRM system to automatically protect these files such that they can only be viewed by individuals themselves or the HR functions. The individuals are not allowed to modify these files. This was easily possible because Seclore’s EDRM solution – FileSecure – provides a single interface to work with more than 140 file formats. You can get more information at http://www.seclore.com/seclorefilesecure_overview.html

    (0) 
    1. Kathrin Nos Post author

      Thank you, Abhijit, for your reply. I am in contact by e-mail with your general manager for Enterprise Solutions who sent me an e-mail. I proposed to him to set up a call to exchange more information.

      (0) 
  2. Joerg Schneider-Simon

    Thank you for this article Kathrin, it provides a nice overview.

    Would it make sense to integrate this functionality with the already existing virus scan interface, aka turn the latter into a more generic “content security interface”, especially as NW-VSI delivers more than just virus scanning capabilities already today?

    cheers,

    Joerg

    (0) 
    1. Kathrin Nos Post author

      Hello Joerg,

      thank you for your comment on the article.

      As the article is describing overview information, no details on possible integrations were provided. When evaluating more in detail on how to integrate DRM solutions, the virus scan interface might be a candidate.

      As mentioned in the article, we are in a phase in which we generally collect information and feedback. It is not planned to develop an own DRM product. While the article mentions one specific DRM solution – the Microsoft RMS – this does not mean that only this product is taken into account when considering an integration.

      Thank you and best regards,
      Kathrin.

      (0) 
  3. Soujanya Madhurapantula

    Kathrin, thank you for addressing a very important issue that SAP customers are facing today in this highly collaborative and global business environment. From collaborative design and supply chain processes, to outsourcing business functions, such as Human Resources, companies find themselves with an ever increasing need to collaborate. At NextLabs, we have seen a growing number of customers looking for DRM solutions to protect sensitive data leaving their SAP landscape. A rights management (DRM) solution should allow such organizations to apply rights protection automatically using centrally defined policies. Protection should persist when data is downloaded or shared through various communication channels preventing data leakage outside of SAP.

    NextLabs’ Collaborative Rights Management (cRM) enables secure collaboration for sensitive documents flowing through internal and external business processes, by automating document access and usage controls across enterprise applications and endpoints. It supports a broad range of rights management technologies, including solutions from NextLabs, MS RMS and Adobe Livecycle. You can find more information about our Rights Management Solution at http://www.nextlabs.com/html/?q=server or our SAP Integrated Rights Management feature at http://www.nextlabs.com/html/?q=entitlement-manager-sap

    Thanks,

    Soujanya

    (0) 
    1. Kathrin Nos Post author

      Hello Soujanya,

      thank you for your comment and for providing information on NextLabs. In fact, I was contacted by NextLabs’ partner manager a few days ago and will have an alignment meeting early next week.

      Thank you and best regards,
      Kathrin.

      (0) 
  4. Aparna Jue

    Kathrin - Good article and this is something we definitely feel strongly about at Secude based on numerous conversations with customers and our own research into information protection outside the traditional SAP borders. In many companies, a complex system of roles and authorizations is put in place to secure the confidential data inside SAP and to manage user access to this sensitive info. However, these control mechanisms are rendered ineffective when users download that data outside the SAP perimeter. As you mentioned, a Rights Management Services solution can solve this problem by protecting data before it leaves secure network boundaries. Microsoft has just recently released a huge update of their RMS that now supports any file type and works with a variety of mobile devices and services such as iOS, Android, SkyDrive, Dropbox, etc. With this update, any MS RMS limitations that withheld the widespread use of the technology in the past are now resolved.

    We see the future in RMS technologies and wanted to address the issue of data leaving SAP with no protection at all. Our VOC resulted in the new software that is built on MS RMS technology and is directly integrated with SAP. When a user attempts to download a file from SAP via the SAP GUI, the SAP add-on intercepts the call, requests information from the user, sends the file to the Server, which encrypts and protects the file with MS RMS before giving it back to the end user for download. This is a topic we continue to keep at the forefront of our research. Thanks for raising the awareness.

    (0) 
    1. Kathrin Nos Post author

      Aparna, thank you for your comment and the information concerning your efforts at Secude and also about the new release of MS RMS. As SAP currently is not investing in the area of DRM integration, partner solutions such as yours are welcome and appreciated.

      (0) 
  5. Ron Wessels

     

    We know the problem. Enterprise level Digital Rights Management usually means that I can encrypt something, (usually MSFT Office or PDF), but then when I try to share it with someone who should be able to access it I waste a boat load of time trying to get them access and eventually I just send the data in clear text and tell them not to share it. Uh-oh

    EDRM sucks or even worse puts me in a position of being out of compliance with internal security policies or even worse . . . governmental regulations. Now to be clear, I have never done anything like this. I am simply giving it as an example of what I have heard from others . . . right? In today’s hyperconnected world I need to be able to share/collaborate securely with people in the extended enterprise, partners, etc. anytime, anywhere and on any device, 24/7. . . is that too much to ask? Oh and by the way, my life is more than just Microsoft Office and PDF documents, I need to share lots of different file types . . . you know the drill.

    Oh last but not least, I need the EDRM to be automatic, seamless, and deeply integrated with SAP, since that is where most of this work happens for me.

     

    EDRM for SAP

    (0) 
