Welcome to our webinar today. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole, and today I'm joined by Markus Nüsseler-Polke, who's Head of Consulting and Projects from Secude.
Welcome, Markus. Welcome, John. Nice to see you. Good to see you. Today our topic is Zero Trust Unveiled, Securing Critical Data in SAP, CAD, and PLM Systems.
So, a little bit of logistics information before we get started. Everyone's muted centrally, so there's no need to mute or unmute yourself. We're going to do a couple of poll questions during my presentation, and then we'll look at the results at the end. We'll also take questions, and you can enter questions at any time in the CBINT control panel. And then lastly, we're recording this, so both our slides and the recording should be ready in a few days.
So, with that, I'll start off by talking about ERP, PLM, and the data ecosystem, our information protection lifecycle, and access controls that fit there. So, first up, what are the challenges of data protection, especially with regard to sensitive data in CAD, ERP, and PLM systems? Because they can be very complex applications that contain lots of very important confidential information.
So, as you know, if you operate these systems, CAD, ERP, and PLM systems can have pretty decent role-based and attribute-based access controls built into the application. And that's how they are protected when they're being used inside those applications. On the other hand, if you're part of a bigger supply chain, you may be, let's say, creating drawings and sharing those with suppliers to build those. Oftentimes, you have to export that into some sort of file format that can be easily moved between instances or systems.
And that's when it can be a little bit more difficult to provide good access control. So, here's a look at some of the different kinds of file formats that can be used for interchanging data between organizations. I won't read through all of them, but you can see that there are some that are common to the IT world, too. Things like PDFs, spreadsheets, comma-delimited files, HTML, XML, but there are also other kinds of formats that are pretty specific to these kinds of systems.
So, let's say you have IT security solutions that may be well-adapted to working with some of these kinds of files, but not all of them without some customization. So, once the data has been exported from a, let's say, a CAD or a PLM system, again, you know, you've got good, mostly have good security controls inside the PLM system or the ERP system, but once it's exported, then you have to figure out how do you protect it, where it lies.
So, you know, SAP solutions on the ERP side, for example, have, actually, there's a whole ecosystem of security tools that pertain to SAP environments, but if you've got, let's say, PDFs, drawings exported as PDFs or something of that nature, then you have to protect it, you know, in the file system.
So, you may think, well, we can encrypt it, and that's really good because that can help with two out of the three pillars, you know, the confidentiality, integrity, and availability, but encryption itself can be difficult to manage, difficult to scale, especially, again, if you're in a, let's say, primary contractor and multiple secondary contractor relationships where you need to spread files out amongst, you know, lots of other different companies in order to collaborate with them.
So, this would be a good place to stop and just ask, does your organization today use CAD or PLM systems or SAP, and do you need to address the security risks associated with sharing that? And we've got multiple choice answers here.
First is, yes, we have SAP or ERP. The next one is, yes, we have CAD or PLM. The next one is, yes, more or less all of it, SAP and CAD, PLM. Option D is no, and option E is I'm not sure.
So, I'd appreciate it if you could respond to the poll, and we'll take a look at the results at the end. So, yes, feel free to go ahead and enter at any time. And I'll go ahead and talk about our information protection lifecycle. This is something that we came up with a few years ago. We wanted to look at the whole picture, you know, from the time a document or, you know, any kind of information object is created. What are the different phases, and what are the different kinds of actions that can be taken to protect an information object?
So, we start here on the top left. You know, from creation to disposition, we say.
So, you may come into possession of an information object through the supply chain, or your people, your employees or contractors may create that themselves. And this is the right time to do a first assessment and inventory of those data objects, what kinds of information they contain, and what could be, how they should be classified. And I'll kind of dive into that in a bit more detail in a minute. The other actions, most of which fall into this category of what we call active use life, something we sort of borrowed from archaeology.
There's control access, securing, and here's where encryption or tokenization can come in. Monitor and detect. It's important to know if nefarious things are happening to your information objects. If there is an event, let's say ransomware, because we're all concerned about ransomware these days, and rightfully so, how do you contain the damage, limit the damage, and then recover from it?
Deceive, this is about using distributed deception platforms to create realistic-looking environments and even realistic-looking data objects to attract would-be attackers away from the real assets and learn about what they're doing. And then lastly, once the data is not really actively needed anymore, dispose of it, whether that be through archive and delete. And I'll drill down into a little bit more detail on each one of these here. So acquire and assess. This is a great time to do a first inventory, first assessment.
I should say up front it's always good to do periodic reassessments to see if classifications change. But when they're first created, it's a great time to figure out what the content is and whether or not specific organizational-level classifications should come into play. There are two major ways of applying classifications. The first of which is metadata tagging. This is applicable to unstructured data objects, office files, for example, or any other kinds of files that live on a file system.
Many of them have the ability to accept, let's say, an XML or JSON-type representation of metadata, and that can live with the file. It's also important that that should be signed so that it can't be tampered with. For structured data, it's also possible to identify particular cells in a database about their sensitivity. Rows and columns can be added for tracking sensitivity information, and that in itself can be used for providing some access control policies.
But again, it's good to do this, first of all, when the data comes into being, whether it's created by your organization or received through a collaboration agreement or something like that. Access controls. The OASIS organization is a standards body that creates many XML-based standards and others. XACML is the authorization standard. Even though XACML language might not be commonly used today, the reference architecture still certainly is very valid, and I think we find it instantiated in many products today.
And four of the key concepts here are policy enforcement point, which is what sort of mediates access between the user of the application and the information object they're requesting access to, the policy decision point, which is an externalized function from the policy enforcement point, which can then evaluate all the conditions of resource and user and environmental context at runtime.
It evaluates those policies that have been preconfigured at policy administration points by either business owners or IT admins, and if additional attributes are needed, it can call out to a policy information point. And again, this is designed to work at runtime and provide centralized, if not logically centralized, if not physically centralized access controls. So monitoring and detection.
Again, it's important to keep an eye on your information objects and make sure that they're being used appropriately. Here in this diagram, we're trying to show that your infrastructure, which can contain your CAD, CAM, PLM, ERP systems, can be creating a lot of telemetry about information object usage, and then also the various network and endpoint controls like NDR, EPDR, even firewalls, cloud instances, infrastructure and software as a service.
They can be collecting information, sharing that with the SIEM, the security information and event management system, which can then interoperate with a SOAR, security orchestration automation and response system, which looks at current threat information, the CTI, cyber threat intelligence. And this is a bidirectional communication such that when threat information is detected, SOAR, XDR, your other security systems then should be able to help contain and or recover, which is the next phase. So containment, you know, let's say there is an event like ransomware.
It's important to limit the extent of damage that can happen from that. That's why network segmentation is important. Firewalls can help with that. Zero trust. Zero trust is a concept that we've been talking about for a while that is very applicable, especially to these CAD, CAM, PLM, and ERP kinds of systems where we want to authenticate and authorize every user device and application and access request. This is an embodiment of the principle of least privilege.
And by doing strong enforcement, you really can help limit potential damage when any type of malware event or data loss event may happen. It can also provide automated responses if you're using things like getting one of these tools here below, endpoint protection detection and response, network detection and response, XDR, extended detection and response, SOAR. And that can enable your security admins to detect manual actions based on playbooks or even in some cases launch automated actions like node isolation or blocking communications to prevent data exfiltration.
And again, this is particularly relevant for organizations that have very sensitive data in their PLM or ERP types of systems. For recovery, normally we recommend to everyone, you know, have onsite and offsite backups, be able to test them periodically, test your restore operations, make sure that they work, and then incident response communication, both internal and external. So that's the recovery piece. A little bit more about deception. This is a way to, you know, it's not a honeypot.
You may have heard of honeypots in the olden days where security vendors might take, you know, a server, put it on the internet and try to entrap hackers to see what they were doing. Distributed deception platforms are sort of the modern version of that. And they're designed to look like your infrastructure, look like your networks, your servers, even your data and credentials. And that's to draw in the would-be attackers and, you know, see what kind of tactics, techniques and procedures they use and keep them away from your real assets.
So this is another component of the information protection lifecycle. And again, it's quite relevant for the types of data that we're talking about here today, especially since many of the, let's say, the drawings and PLM or CAD systems are very sensitive proprietary information. You would not want them to fall into the wrong hands. So having an extra layer of protection like a deception platform can be very useful for that. Our last phase here is disposition.
You know, when you no longer need data, it's great to get rid of it, but you have to bear in mind what is important, you know, based on whatever jurisdiction you're in, the data retention laws. Your company probably also has data retention policies which meet or exceed those regulatory requirements. When data is no longer actively needed, you can archive it, move it offline, but retain it for however long you need it. And then in general, we like the principle of data minimization.
You know, if you don't need it, get rid of it. It sort of reduces your liability for a number of reasons. It could be, you know, personal information and might be subject to privacy regulations.
But, you know, in general, it's good to minimize data that you have in active use. Next up, our last section here, let's talk about third-party access controls. So I've been talking about attributes as metadata. So I thought maybe we should dive into exactly what we mean here.
So DLP, data leakage prevention, data access governance solutions, can use metadata about particular files. Here I'm using an example of just a drawing rendered as a PDF. And you can see there are lots of different bits of metadata. And this is not an exhaustive list, but these are things that, you know, you might, if you're looking at it on a file system, you can see most of these as properties.
Now, if you have a good DLP system or a security solution that does access control at the file level, it should be able to read these metadata attributes. And you can even build policies, access control policies based on these. Things that are important here might be author, owner, security classification.
You know, and this doesn't have to mean like, you know, national level security classification, top secret. This is, you know, many companies have different kinds of security classifications that they use. They use confidential is kind of a good catch all term. There may be some that are, you know, for the finance organization only or things like that. So security classifications can be used by all kinds of organizations. You may store a bit of access permission information as metadata, digital signature, encryption status, some new geolocation of creation, which can be interesting.
And let me say these are, you know, just the most common attributes that you might find on any given unstructured data file, not specific to any particular application. If we think about CAD or PLM attributes, then you can see that this list gets much longer.
And again, I sort of down selected from, you know, some of the most common to the most common types, but there are many, many more possible attributes that could be listed as metadata. And there are many in common with what you would find with, you know, let's say office docs on file systems, you know, file name, file type, author security classification. But then we also have things like file origin information, associated parts, reference drawings, bill of materials.
That's, you know, can be very important in ERP and PLM. Change revision history, simulation or analysis data, collaborator reviewer comments, ECCNs. I'll say more about that in a minute. But you can see that there's, you know, many, many more attributes that these types of files can have, particularly when exported that are very useful for making access control policies. Kind of going back to the XACML discussion a few years back on the XACML committee, we created two profiles for how to standardize metadata for access control policies for a couple of use cases.
The first one here is intellectual property. XACML, you know, looks at subject attributes. It also looks at resource attributes. So you'd need to be able to match these two up. So what would you want to know about a subject?
Well, the subject ID, maybe what organization the person works for. What's the business context? Is it a partner? Is it a customer or supplier? What's the subject to organization relationship? Is it an employee or a contractor? And is there an agreement ID that allows sharing of information between different organizations? On the resource side here on the right, you know, you've got the different forms of IP. You might want to tag it as copyright, patent, proprietary, trademark. You need to know who the IP owner is. If it's been licensed to another organization, who the licensee is.
Again, what type of agreement, what the agreement ID is. Is it related to a specific work effort? Does it have an authorized end use? And then these agreements generally have effective and expiration dates. So these are examples of ways you can build access control policies for sharing intellectual property, and they can be instantiated as metadata. The next one was U.S. Export Control. We saw that in one of the previous slides, the ECCNs. Here's another example where you need to know a bit about the subject and a bit about the resource.
You know, in this case about the subject, you need to know nationality, current nationality, where they are in the world, what organization they belong to, what's their U.S. person status. And then on the resource, you know, you need to mark it for what jurisdiction is it. If it has an ECCN or USML, these are codes that are kind of generated about individual technology types, which again is very key to writing access control policies for this kind of data. You also have fields like authority to export, and again, effective and expiration dates for the classifications and the sharing.
And you may have a particular work effort that it's tied to. So a quick look at a couple of the major tool types I've been mentioning DLP. And to bring this back again to like XACML for access control reference architecture, a DLP agent installed on an end user's machine acts as a policy enforcement point. The DLP policy server acts as the policy decision point. And it can be used to write policies to say, look, don't put that drawing, don't put that very important ERP data on a thumb drive or upload it to, you know, some cloud hosting or some cloud-based email solution.
So this really can protect at the level where the users are working. CASB, cloud access security brokers, kind of the same concept as DLP, but for the cloud. If you're using cloud services, if you're moving these key files to, you know, various cloud collaboration solutions or document management systems, CASB in conjunction with DLP can be good for really applying that zero trust access control methodology.
And kind of wrapping up here talking about keys, again, if you're a prime contractor and you're exporting and encrypting files and you need to share those with other members of your supply chain to have them build parts or, you know, perform a service, then this is where it becomes difficult. And this is where key management, enterprise key management, is really helpful in being able to distribute and provide appropriate access for encrypted and shared tools. So kind of finishing up here looking at, you know, the different data types.
I tried to call out here in green the ones that, you know, lend themselves to working with IT standard DLP and data access governance kinds of solutions. And, again, these are mostly the kinds of files that we use within the IT world anyway. In a slightly different shade of green, I put CAD and PLM, proprietary formats. Some of the DLP and DAG solutions cover some of the proprietary formats, always worth checking into. But for the others, you know, it could require customization if you want to work with DLP or DAG solutions out there. So let's take our last poll question.
Does your organization use any of these DLP, DAG kinds of tools like Microsoft Purview for security? So just three choices here, yes, no, or don't know. We appreciate your participation in the polls. It's always very interesting, and we'll look at the results here at the end. And with that, go ahead and take the poll.
But also, if you've come up with any questions in the meantime or before we end, please feel free to submit them in the control panel. And with that, I will turn this over to Markus.
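The XACML reference architecture from the presentation (PEP, PDP, PAP, PIP) and the two OASIS attribute profiles just described (intellectual property and U.S. export control), worked through as an added example. This is not code from the webinar, from KuppingerCole or from Secude; the signing key, directory entries, agreement id, ECCN value, dates and the drawing's metadata sidecar are all constructed. It goes one step beyond the slides by HMAC-signing the metadata sidecar, so that the decision point refuses resource attributes that have been tampered with, which is the point made earlier about signed metadata tags.

```python
"""XACML-style attribute-based access control for an exported engineering file.

Added example, not code from the webinar, KuppingerCole or Secude. Models the
four XACML roles (PEP, PDP, PAP, PIP) and the two OASIS attribute profiles
(intellectual property, U.S. export control). Resource attributes live in a
signed metadata sidecar. All keys, names, ids and dates are constructed.
"""
import hashlib
import hmac
import json

# Constructed key; in practice it comes from enterprise key management.
METADATA_KEY = b"constructed-demo-key-not-for-production"


def sign_metadata(metadata):
    """Detached HMAC-SHA256 over a canonical JSON encoding of the sidecar."""
    canonical = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(METADATA_KEY, canonical, hashlib.sha256).hexdigest()


def verify_metadata(metadata, tag):
    return hmac.compare_digest(sign_metadata(metadata), tag)


# PIP: constructed directory supplying subject attributes missing from the request.
SUBJECT_DIRECTORY = {
    "alice": {"organization": "PrimeCo", "nationality": "US", "us_person": True},
    "bob": {"organization": "SupplierLtd", "nationality": "DE", "us_person": False},
    "carol": {"organization": "OtherCorp", "nationality": "FR", "us_person": False},
}


def pip_lookup(subject_id):
    return dict(SUBJECT_DIRECTORY.get(subject_id, {}))


def in_effect(record, today):
    """ISO-8601 date strings compare correctly as plain strings."""
    return record["effective"] <= today <= record["expires"]


# PAP-configured policies; each returns (decision, reason).
def ip_policy(subject, resource, today):
    """IP profile: the owner is always permitted; the licensee needs the matching,
    currently valid sharing agreement; everyone else is denied."""
    if "ip_type" not in resource:
        return "NotApplicable", "no IP attributes on resource"
    org = subject.get("organization")
    if org == resource["ip_owner"]:
        return "Permit", "subject organization owns the IP"
    if org != resource.get("licensee"):
        return "Deny", "organization is neither IP owner nor licensee"
    if subject.get("agreement_id") != resource["agreement_id"]:
        return "Deny", "no matching sharing agreement"
    if not in_effect(resource, today):
        return "Deny", "sharing agreement not in effect"
    return "Permit", "licensee under a valid agreement"


def export_control_policy(subject, resource, today):
    """Export-control profile: a U.S.-jurisdiction item carrying an ECCN/USML code
    goes only to a U.S. person or under a valid authority to export that covers
    the subject's nationality."""
    if resource.get("jurisdiction") != "US" or not (resource.get("eccn") or resource.get("usml")):
        return "NotApplicable", "resource is not export controlled"
    if subject.get("us_person"):
        return "Permit", "subject is a U.S. person"
    auth = resource.get("authority_to_export")
    if auth and subject.get("nationality") in auth["nationalities"] and in_effect(auth, today):
        return "Permit", "covered by authority to export"
    return "Deny", "export-controlled item, no authority covers this nationality"


POLICIES = [ip_policy, export_control_policy]


def pdp_evaluate(subject, resource, today):
    """Deny-overrides combining with a default decision of Deny."""
    results = [policy(subject, resource, today) for policy in POLICIES]
    for decision, reason in results:
        if decision == "Deny":
            return decision, reason
    for decision, reason in results:
        if decision == "Permit":
            return decision, reason
    return "Deny", "no applicable policy (default deny)"


def pep_request(subject_id, request_attrs, metadata, tag, today="2024-06-01"):
    """PEP: refuse tampered metadata, enrich the subject via the PIP, enforce the PDP."""
    if not verify_metadata(metadata, tag):
        return "Deny", "metadata signature invalid"
    subject = {"subject_id": subject_id, **pip_lookup(subject_id), **request_attrs}
    return pdp_evaluate(subject, metadata, today)


# Constructed sidecar for a drawing exported as PDF, tagged with both profiles.
DRAWING_METADATA = {
    "file_name": "bracket-A17.pdf", "file_type": "PDF", "author": "alice",
    "security_classification": "Confidential",
    "ip_type": "proprietary", "ip_owner": "PrimeCo", "licensee": "SupplierLtd",
    "agreement_id": "AGR-0042", "effective": "2024-01-01", "expires": "2024-12-31",
    "jurisdiction": "US", "eccn": "CONSTRUCTED-ECCN",
    "authority_to_export": {"nationalities": ["DE"], "effective": "2024-01-01", "expires": "2024-12-31"},
}
DRAWING_TAG = sign_metadata(DRAWING_METADATA)

if __name__ == "__main__":
    for who, attrs in [("alice", {}), ("bob", {"agreement_id": "AGR-0042"}), ("bob", {}), ("carol", {})]:
        print(who, pep_request(who, attrs, DRAWING_METADATA, DRAWING_TAG))
```

The agreement id arrives with the request (it is something the requesting application knows), while nationality and U.S.-person status come from the directory through the PIP, which is how the slides split request context from attribute lookups. Deny-overrides is used because, for export-controlled data, a single failing profile must block release even when the IP agreement is in order.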
Okay, thank you, John. Thank you for your great presentation about the challenges of data protection and access control. And I hope that all of you can see my screen and that I'm audible. I'm Markus Nüßler, Markus Nüßler-Polke, and I'm Head of Consulting and Projects in Secude. And today I'm here, after this presentation from John, to give you a live demo about our solutions, HaloCore and HaloCAD, and how we extend Microsoft Purview information protection. But before I can start with my live demo, I have to give you some insights about this Purview information protection.
This is the enterprise rights management solution coming with Microsoft. It's included in Microsoft Office 365, and this solution is part of the compliance and security center of Microsoft. If a customer will go into the journey with Purview information protection, the first step is here. He has to think about his classification, what classification he needs, and based on the classification of the data classification, he has to start with the label configuration. This label configuration is a very necessary first step for customers who will go into this information protection topics.
For my purpose here, I'm working with three labels. Microsoft sometimes assumes that customers should have five labels, but it should not be increased because then it's not manageable. My first label, what I configured here is the label public. Public means to my employees, when I apply this label to a document, this document can be shared with externals. The document is unprotected, and I will not have access control to this document. My second label is a general label. I give the label the name internal. When I apply this label to a document, then the document is encrypted.
And now I have access control because if I will access this document, if an employee will access this document, he has to enter his user credentials, his Microsoft account. And after entering the Microsoft account, the Microsoft information security screen checks the access control rights of this user, and if he is allowed to open the document, then he gets the encryption key to open the document. And I'm speaking here about encryption decryption.
Yes, in information protection, the documents are secured, they are protected, and this means they are encrypted. But the complete key management, John, in the end, presented a slide with this enterprise key management. All this is managed by Microsoft. Our customers need not care about this. You have a label, apply the label, and the internal or external, if he is allowed to open the document, he can do this, and there is no need for this key management. And then here I configured for my purposes.
The third label is confidential, and confidential, I can have more restrictions into my document. I can prevent that the document can be changed, that the document can be printed out. Screen sharing with this document is not possible. All this I configure as access control when this label will be applied to document. And in the, let's say, last five to six years, Microsoft integrated this label technology into their complete product suite. In example, into the Defender. In the Defender, there is an automatic way to label files.
With Defender, you can scan your e-mails, you can scan folders of files, you can scan the content of the files, and you can configure which label should be automatically applied to a file. Or I have customers I care for. If on the customer side, someone is sending out an e-mail, at first there will be a pop-up message, oh, you have to label, this means to classify this e-mail. Is this e-mail public or internal or even confidential? The user has to apply a label. And then the Exchange Server controls, is this allowed to send the e-mail to the external or not?
And the attachments will be protected. Same with Teams. And on the other hand, Microsoft did a great integration to the Office Suite. If you have Office 365, the Microsoft Purview Information Protection is integrated into these apps. But customers not only have Microsoft solutions in place, they have other solutions. John spoke about this. They have CAD PLM solutions. And CAD means they use their drawings. And for a lot of my customers, their drawings are their intellectual property. The money is into their drawings. Or they have SAP solutions. And in SAP, they have sensitive data.
They have their personal data. They have their finance data into these SAP systems. And later on, I will explain to you why we need to extend here the technology of information protection. And Microsoft itself does not have a solution for CAD PLM and for these third-party systems.
But here, they offer an SDK. It's called Microsoft Information Protection Toolkit. And with this toolkit, third vendors like Secude are able to enhance, to extend Microsoft Purview Information Protection to the non-Microsoft applications. And this is what Secude makes unique. We are working close together with Microsoft. We are partners in MISA, the Microsoft Intelligent Security Association. And our product management is closely connected with the MIP product management. And with this, we are able to get the frameworks from Microsoft, put it into our solutions called HaloCore and HaloCAD.
And then we can enable this technology into SAP, into CAD, and into PLM applications. We have two product suites. One is called HaloCore. And HaloCore is a plug-in into the SAP server. And it's into the backend. And with HaloCore, when users are working with SAP, often they export the data. Into the SAP systems, the data are very secure. You have all concepts. You have the authorization concept. You have a closed user group. You know exactly who is allowed to access what data into the SAP application.
But users, like finance administrators, like to export the data. Then it is an Office file, Excel file. And this Excel file, in the SAP standard, the data leaves the boundaries of SAP. And this document does not have protection in place. It's an unprotected Excel file. Everyone who has access to the file can look into it. With HaloCore, plugged into this SAP server, we control each functionality into the system where data can leave the system. Even if it's printed, or sent as email attachment, or download to a local file. And our first step is that we monitor all these data exports.
Because our customers, when they begin the journey with us, do not know what data is leaving the SAP system. They do not have a monitoring what data is leaving my system. They have no control about this. With HaloCore, we monitor all the data export. The next step is, HaloCore classifies the data. We heard a lot about metadata. This is exactly what HaloCore does. We collect all the metadata. Who is the user? What is the file name? What is the application context? Is it financial data or HR data? We collect this metadata. In HaloCore, we have a classification engine.
Based on the metadata, we derive the classification of this document. And then a label will be applied.
And then, when the document is at the front end, into the hands of the users, it's like a company policy. The document is classified, labeled, encrypted. And when the user will open the document, he has to do this with his Microsoft account. He needs to be authenticated before access to this data. And this label goes together with the document. No matter whether he will share it in Google Drive or Dropbox or on a USB stick or via email, the label is connected together with the document and flows with this document.
When I would share this protected file as an external, and he is not part of my label definition, he has an encrypted document. He cannot open this.
OK, now I will come to my demo. What I have with me, I have, of course, an SAP server. I have a user from the finance department. And I will show you at first that this user, how it works without HaloCore, downloading the Excel, sharing this Excel.
Then, in the second part of my demo, I have the same SAP server. The same user logs in, but HaloCore will be enabled. This means we monitor this data export, we classify the data export, and we label the data export. So I'm working here with different screens. I have to go to another screen. Here I have Microsoft Remote Desktop because our demo is not running locally on my PC. It's in our demo center in Lucerne. Secude is a Swiss-based company, and our data center is running in Lucerne. When I click here, my PC opens a remote connection to our data center.
And now I'm on a workstation of my finance user. This here is my finance user. It's visible here. And this user starts a GUI. It's a live demo. I hope it works. He logs into his demo system. This is the SAP logon screen. I have single sign-on enabled, but I have two users which I can log in. And at first, I use the user without HaloCore. And this SAP system is a German system. This user is "Ohne HaloCore", which means without HaloCore. The user is logged in, and now he's started into SAP application to view his balance sheet. He has pre-configured the selection criteria, what data he will have.
And then he clicks Execute, and now he's selected the commercial balance sheet of Germany for this period. It's a few years old, and this means the data after 10 years are not confidential.
No, I'm kidding. It's an SAP test system with test data from SAP.
OK, our finance guy can work with this data into SAP, but he decided, oh, I will have it in Excel. Goes to this menu, List, Export, Spreadsheet, and now I have to give a name. And I call it without HaloCore. That is clear for us. It's unprotected. Without HaloCore means it's a security vulnerability to export this data.
OK, speaking and typing at the same time. And this export of the data is part of this business process. It's not that the user exports the data and it's a security incident. He will maybe be asked to create a pivot table or to make a dashboard for his management, and this cannot be done into SAP. He has to export the data. They are out of SAP, and now they are implanted. This is standard Excel, how it comes from Microsoft. And after the download, Excel opens this document automatically. I configured this.
OK, let me close this. The user logs off, and now he will share this document. He put it on a shared folder. It's into this folder. This is the timestamp from the document. He copied this file to a shared folder. Now it's here. And other colleagues from the same company now have access to this file. And I will change the workstation. This is the second workstation. Same name here in my RDP list. But you see now I'm logged in. This is another account.
Here, this is my administrator. And this is the shared folder. This is my document.
And yeah, it's nothing new. He can open this document, and he has full access to it.
OK, this is my demo without HaloCore in place. And now I have to disconnect. Go back to my finance user. The finance user here logs into SAP system again with the other user account here, userfi. And for the user into SAP, it's transparent that there's HaloCore in place. There's no need that he's informed about this. Nothing changed. And if you introduce this to a huge company with thousands of employees, it's always good that the software is transparent and the users need not change how they are working. He selects the application.
He has to enter his pre-selection here, clicking Execute, and then the same data on the screen. And the user, again, decided he will export the data to an Excel sheet.
List, Export, Spreadsheet. This is the old one from before. This is without. And I think I saved time. But it's balance sheet with HaloCore. Save the data. And now the data will be transmitted to the front end, and Excel opens automatically. And it seems that nothing has changed. Same document is open. But now we have to look to this document, to the Excel, a little bit more in detail. Because here you can see there are some buttons grayed out. And if you read this, the document permissions are restricted. This command is currently disabled.
Now this document is labeled, and the label controls the functionality of my application. I cannot copy, for example, out of this document. Now when I go here in the Print, Print and Share is grayed out. And the label, which is applied from HaloCore to this document, controls the access. And this is standard Excel without any changes. We are integrated into the SAP, into the backend side. On the front end, it's Microsoft. And here you see the label name, Evo-Heidi Confidential. This is our security administrator configured. This is in the Azure portal and together with this message here.
This can be customized from the Microsoft customers. And here's a small button. Here the user can look up his permissions he has. He can view the file. He can edit the file. He is not allowed to copy to print. He is allowed, in example, to save the file. When he tries here to copy something, it's grayed out. It's not possible for him. But what he can do in my demo environment, he exports the file as a PDF. And I store the PDF in the same folder. Press and publish. And now we have to wait some seconds because now Excel creates the PDF, exports the PDF to the file.
And then the Adobe Reader starts automatically. Here's my Adobe Reader icon. It opens this PDF. And maybe this is new for you. Here's a local symbol. And this is a standard Acrobat Reader, the free version. And here the document is protected by Microsoft Personal Information Protection, Evo-Heidi Confidential. I can look into my permission details. I'm not allowed to print the PDF because my label does not give me the access permissions to this document to print it out. And when this document is exported out of Excel to a PDF, then Excel applies the same label to this PDF file. Yeah. OK.
It closes. It closes Excel. And I have to log out from my SAP server. We want to log off. Yes. I go here to my SAP GUI. I have two new files with HaloCore. Copy it to my shared folder. Now I have all these three files in my shared folder. This is my finance user account. I log out from this account. Go to the other user and connect to the desktop of the other user. This is my administrator user here. And now the new files are shared. And he tries to open the balance sheet with HaloCore. And I can tell you he is allowed to do this because he has permissions to do this.
And now I will enable the tabs. But you see the amount of the buttons here are grayed out. The user cannot change the label. The user cannot modify the document. If he clicks here and will type in something, it's not possible because I configured the label that the administrator is able to view the document, but he's not allowed to change it. And if he will export it as a PDF, it's not allowed to him. Same company, two users. The second user has more restrictions on this document. I can show you, of course, a use case where he cannot open this document.
But here I will show you that we have detailed permissions, what you can give to users. Not yes and no. Is he allowed to print? Is he allowed to copy? Can he view the documents? Let us click here. And you see he has few enough edit permissions. And for that, the complete edit functionality is spread out. But he will share this content with externals, and he will use the snipping tool to make a screenshot. And in the moment, he will cut the screenshot. The operating system makes the black screen. The operating system recognizes Excel is open.
There is a document where export and copy is not allowed. And with this, it's not allowed to make a screenshot of this. This is controlled by the operating system. Now I will not change my changes. Now let's go to the PDF. PDF has the same label. I start Google Reader. And I am saying here the logger. The logger is here since four or five years. Microsoft has a strong partnership with Adobe to bring the information protection technology into PDFs and into Adobe Suite. Five years ago, there were two different standards, Microsoft and Adobe, and they do not fit together.
But, yeah, they have an agreement as well with this. And now you see the user has restricted permissions to this document. And last but not least, when he tries to make a screenshot, then the operating system, oh, it's a protected document. You are not allowed to make a screenshot out of this. Okay. This is my admin user. And he's also the Helicoad administrator. And here I press refresh. Now my user is logged in with my account to this SMP system. It's the same SMP system which the finance user is using. And here this is our monitoring. Now these are the details of the monitoring.
And each and every data export of this SMP system is logged here. You can send it to ZM system. You can send it to Microsoft Sentinel. You can send it to Splunk or to Curator. To every ZM system you want to analyze this data, then you have in-time analysis of all the exports with data which is leaving the SMP system. And here you can see, but these are not all the data we have. This is part of them. And policy name, I put the label in here. I will analyze the data. I can see which data are labeled with which label, for example. What is the file name? What is the size of the file?
All of this is into our monitoring trend. And this dialogue here is part of the helical installation of this SMP system. Now I will disconnect from this system. Go back to my slides here. This was a demo. And a live demo is over now. And we have the same solution which you have seen in the SAP world. We have it to the PLM. PLM is an abbreviation for Product Life Cycle Management. These are applications like ZMath Team Center or windshield from PTC. And our customers have their drawings. They manage their drawings into the system. And they do not know about these systems.
There is no MIP integration. This is our HeloCAD. We have plug-ins to these PLM systems. And whenever an employee exports data out of this Product Life Cycle Management system, HeloCAD is in place to classify, to protect the data. And then we have integrations to the CAD applications. When you open, for example, an AutoCAD protected file, you have the same look and feel like you have in your office suite. We show the label. And if the user has fewer permissions, we prevent that the user, for example, is able to edit the data or to print the data.
For SAP, we have a server-side solution. For the CAD world, we have integration into PLM and into the CAD client on the client's workstation. So now I come to my end of my presentations. I stressed you five minutes more, but it's a necessary topic which you have to understand.
Okay, now I give the word back to the discussion, to your questions. Yeah, let us move into looking at the results from the polls.
Yeah, let's see what we have here. Okay, so first question. Does your organization use CAD/PLM systems or SAP and need to address the security risks associated with sharing or storing the data? Good distribution here. So the number one answer is yes, we have it all, SAP and CAD/PLM. Yeah. That's not surprising.
I mean, if you're the kind of business that's going to have one, you're probably going to have all of it, especially if it's, you know, PLM and CAD types of things. But SAP comes up by itself here at 25%. And then almost 44% are not sure or no. Does this look like what you would have expected, Markus?
Yes, yes, yes. We have to put A and C together, and then we have more than 50% of our audience using SAP systems. And then we have people who do not know.
But yeah, SAP is a common application. Yeah.
Okay, let's look at the next question. Does your organization use DLP or DAG tools like Microsoft Purview Information Protection for security?
Yes, at 43%. More than half, though, don't know. "Don't know" means, in my experience, they do not have it. Because when this technology, information protection, is introduced, normally the employees are taught how to use the labels, how to classify documents. There was a data classification project to separate the data. "Don't know" normally means they don't have it.
Well, yeah, even as we saw in your demo, there are some not-so-subtle ways of knowing that documents have been labeled and that other controls have been placed upon them. So, yeah, if you're not sure, you probably do not have that. Definitely something that you would want to consider, especially if you're running these kinds of systems.
Well, let us now move into the Q&A. There are various government regulations coming into force that require strong security like Zero Trust to avoid extremely expensive fines. I'm thinking here of NIS2 in Europe, but also CMMC 2.0, which affects everyone doing business with the U.S. defense sector. Kind of got cut off.
You know, that's a good point. It's kind of a good way to pull it all back together. These two particular regulations: in the case of NIS2, you know, it's about critical infrastructure and other infrastructure, including manufacturing, many of which are going to be using SAP and PLM and CAD types of systems. And that's exactly where Zero Trust can be of use. If you look at CMMC, that's about protecting controlled and classified information in the U.S. And there are three levels of certification.
The last one actually requires an independent audit. And if you read through their materials, you see that it's requiring many of the things that we talked about here today, like strong access controls, incident response, having a SIEM for monitoring and detection, anti-malware, multifactor authentication, DLP. So these regulations are in many cases for these specific industries, the kinds of industries that are going to be running these kinds of systems. They have to have these kinds of access controls in place. And Zero Trust is a great way to help get there.
What would you add to that, Markus? No, nothing. OK. What I can add here is that, for example, Microsoft is working together with the governments of some countries. We have U.S.
customers, UGS customers, and they are in the GCC High cloud. This means, if we speak about Microsoft cloud services, most of my customers are in the commercial cloud. But for special areas, for government, for defense, Microsoft offers high-security clouds with highly secure solutions. And I know from Microsoft Germany that they are working closely together to have the same offering here in Europe. Let's see. Next question. We use Autodesk Inventor. What is the difference between the Secude product and me just saving files to a directory and encrypting all the files in that location?
Yeah, we are integrated. Secude HaloCAD is integrated into AutoCAD and Inventor. And what makes Secude unique here is that customers do not have to care about key management, because all the key management is handled by Microsoft. And often when customers have the Autodesk suite, they have Autodesk Vault, the PLM system from Autodesk. The files are stored there. And here we have an automatic approach. The user need not care about the encryption, need not care about applying a label.
With HaloCAD plugged into the Autodesk Vault server, documents are labeled automatically and protected automatically. It is not a manual job. And this is a company policy for access to these files, because the rules for how to classify the exports and how to label the exports are defined in the HaloCAD server. It's like a company policy: all the files have to be labeled and protected. Here's another one. Is there a link between the granular access rights in SAP and the not-so-granular labels in MPIP? This question goes to me.
Yes. The classification can be in the data management of SAP; there are attributes which define the classification of this data. This is metadata. We get this as metadata, and we can then assign the label to it. The customer has to define: when this security class is configured in SAP, then please put this label on the file. And with HaloCore, it's possible to configure this link from the classification in SAP to the label. At Secude, we have the bridge between SAP and the Microsoft world. We have the link between them.
Well, here's another kind of product-specific one. How is the protection Secude offers for downloaded SAP data any different from what I get from SAP already? Or, put another way, why do I need Secude when I have SAP protection?
Ah, the SAP protection ends at the boundaries of the SAP system. SAP, as far as I know, does not offer a solution to protect data exported out of SAP. The data is secured inside SAP, but not when the users export the Excel files. Another one: how do you protect metadata?
Well, generically, I would say have digital signatures to at least know if there's been any attempt to tamper with it. That would be one way to protect metadata.
Yeah, I have nothing to add here. The metadata is in the CAD file, the envelope, the complete drawing. And then the metadata of this drawing is also encrypted together with the content of the drawing.
Well, we have reached the top of the hour. Thank you, everyone, for participating and taking the poll questions and submitting questions. And thank you, Markus, for your excellent presentation and demo. I appreciate that. And please join us at our next event. And thank you. Any parting words? Thank you from my side, John. Thank you for the chance to present here our solutions. Great.
Well, thanks, everyone. Have a good rest of your day.