The global and independent platform for the SAP community.

How Microsoft protects its SAP data

Since business processes process data across application and platform boundaries, data should also be protected across the board. Using its own internal SAP landscape, Microsoft shows how effective Azure Information Protection is with the help of Secude.
Holger Hügel, Secude
December 14, 2018
How Microsoft protects its SAP data
This text has been automatically translated from German to English.

If you take a look at today's business processes from start to finish, you will see that most are no longer limited to a specific application or technology platform and in many cases are already based on different or hybrid operating models.

Seamlessly linking these applications and platforms is certainly a key challenge in the digital transformation, but data security must not be neglected if the new automated processes are not to fall victim to the cyber attacks that occur every day.

Globally active companies in particular offer a large attack surface for hackers with a wide variety of motivations to tap into data. In a networked IT world, however, it is practically impossible to ensure data security through firewalls and encrypted communication channels alone.

Hackers always find a weak point to penetrate security perimeters and if data is shared and processed unprotected behind them, they are easy prey.

Adapt safety concept

Microsoft has also recognized this and adapted its internal IT security strategy accordingly. As a manufacturer of enterprise software, cloud provider and operator of its own IT systems, Microsoft has a wide range of perspectives with regard to data security.

The protection of the company's own users and data plays just as important a role as the protection of customer data and the associated compliance with international regulations, such as the new EU-DSGVO.

For global business processes, Microsoft also uses SAP applications internally that are highly integrated with other non-SAP satellite systems.

In addition, data in the form of various Office documents is exported from SAP on a daily basis and processed in downstream process steps. Access control to this sensitive data is ensured within SAP with the authorization concept in place there.

However, the data transfer or file download removes it from the SAP protection system, and there is no longer sufficient technical control over who may access this data and to what extent.

The very simple distribution of Office documents, for example by e-mail, rapidly expands the circle of possible accesses, which makes it impossible to control disclosure, as the GDPR stipulates for personal data.

Together with Secude, Microsoft therefore adapted its security concept for SAP data. It was obvious to use Azure Information Protection (AIP) as a solution for information rights management and file encryption from the Microsoft product portfolio for SAP as well.

The Halocore security solution from SAP security specialist Secude ensures seamless and automated integration of Microsoft AIP in SAP systems.

How microsoft protects its sap data

Control SAP data exports

The challenges were, on the one hand, to bring the most diverse data export functions in the SAP standard under control so that no data could leave the SAP system without authorization.

On the other hand, users and processes were not to be impaired, requiring a high degree of automation, especially in the classification of data.

Only then can the appropriate AIP protection (label) be applied without intervention by the SAP user. Depending on the protection requirements, the export file must also be automatically encrypted.

The intervention in the SAP download functions is the first and decisive step here, because otherwise an SAP user can export all data that he is allowed to view in SAP, provided that he has the download authorization (S_GUI) that can only be assigned generally.

The normal SAP Audit Log (SAL) or similar monitoring solutions do not help here, as they only look into the past and cannot control the export file itself.

The Secude specialists are helped here by their years of experience in SAP security to build a technical solution that can be implemented without much effort and controls the SAP download process independently of SAP business applications or the customer's own developments.

The SAP context information helps to simultaneously determine the appropriate data classification automatically and to include it as meta information in the export file.

Protect critical data beyond SAP

This synchronous control process from Secude generates protected SAP downloads without the user noticing any difference in the download process. This is a key advantage over classic data loss prevention (DLP) solutions that asynchronously analyze the contents of export files or require user interaction to determine the appropriate classification.

"Halocore provides effective classification and protection of sensitive data by controlling SAP exports and encrypting extracted documents with Azure Information Protection"

Shalini Gupta, Principal Privacy Lead in Microsoft IT, explains.

In addition, Microsoft AIP ensures protection on any device and storage location, even beyond corporate boundaries, because no DLP agent is required for data security compliance.

The file encrypted with Microsoft AIP automatically determines the access permission of the user who wants to open the file via Azure Active Directory. This process works for all common file formats, not just native Office files.

Furthermore, Microsoft and Secude are working together to also support special formats, such as those found in the CAD area, in such a way that user-friendliness is maintained.

"Secude shares Microsoft's vision of protecting customers' sensitive data. Therefore, we see Halocore as a natural bridge between Microsoft Azure Information Protection and SAP application data security mechanisms."

emphasizes Gagan Gulati, director of product management for Azure Information Protection at Microsoft.

"Using Secude's Halocore solution at Microsoft helps us keep our business more secure and compliant"

adds Shalini Gupta.


Only if the new digital processes are also secure will the future viability of the company be safeguarded. However, this also means that IT security must be an integral part of every C-level agenda.

Ultimately, the CEO must also be aware that digital business processes always exact a price for minimizing IT security risks.

Global companies such as Microsoft, which use SAP as the central platform for their business processes, also process critical data outside SAP in most cases.

To protect intellectual property and ensure compliance with the GDPR in the case of personal data, data security must be set up across applications and platforms and implemented in step with digital transformation.

Due to the complexity of these business processes, IT security must always have a high degree of automation if it does not want to be seen as an obstacle to the company's success.

It is therefore only logical for Microsoft to use its own IT security solutions in internal SAP operations as well. Within SAP, the data is secure thanks to the authorization concept.

However, if data is also required outside the company and extracted from SAP via corresponding export functions, Azure Information Protection (AIP) from Microsoft ensures that the documents are protected and that only authorized persons have access to the data they contain.

For the seamless and automated integration of AIP into SAP, Microsoft uses the Halocore solution from SAP security specialist Secude. Every SAP download is automatically classified with Halocore, the export file receives the appropriate AIP label and opens in the usual way for the authorized user. Unwanted downloads are also prevented on a rule-based basis if required.

The protection of critical SAP data is thus guaranteed regardless of device and platform. The high degree of automation leads to great acceptance among users and ensures that the concept also works in large, globally distributed IT environments, such as that of Microsoft.

Holger Hügel, Secude

Holger Hügel is Vice President Products and Sercvices at Secude

Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork. All information about the event can be found here:

SAP Competence Center Summit 2024


Event Room, FourSide Hotel Salzburg,
At the exhibition center 2,
A-5020 Salzburg

Event date

June 5 and 6, 2024

Regular ticket:

€ 590 excl. VAT


Event Room, Hotel Hilton Heidelberg,
Kurfürstenanlage 1,
69115 Heidelberg

Event date

28 and 29 February 2024


Regular ticket
EUR 590 excl. VAT
The organizer is the E3 magazine of the publishing house AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes the attendance of all lectures of the Steampunk and BTP Summit 2024, the visit of the exhibition area, the participation in the evening event as well as the catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due time.