Protecting IP and Ensuring Compliance in Global Product Collaboration
E.K. Koh, VP Solution Management, NextLabs, Inc

Agenda
- Trends driving Global Collaboration
- Challenges in Global Product Collaboration
- Information Risk Management Solution
- Existing Approach
- Recommended Approach
- Case Study
- Question and Answers
Slide 2

Key Business Trends
Trends: Industry Consolidation; Globalization; Anywhere.. Any device
- Continued M&A activity anticipated
- 76% of executives anticipate at least one acquisition in 2013*
- Joint Ventures and partnerships on the rise
- Competitive threats keep companies on edge for IP Protection
- Firms expanding footprint to international markets to drive revenue growth and reduce cost of operations
- Trade and information exchange is crossing company and country borders
- Firms looking for next frontier of operational efficiency gains
- Desire to minimize IT maintenance and support costs
- Firms look for enabling employees with required access to data from anywhere and through any device
* KPMG Survey on M&A Activity 2013
Slide 3

Global Collaboration
[Diagram labels: Supplier/Partner; Customers; Supplier Collaboration; My Company; Customer Collaboration; Offshore Subsidiary; Offshore Manufacturing; Research Collaboration; Joint Venture]
Slide 4

New Product Innovation and Introduction
[Diagram labels: Market Research; Delivery and Support; Prelim Concept; Production Line and Quality Testing; Full Concept; Testing and Approval]
Slide 5

Global Product Design and Innovation
[Diagram labels: Supplier/Partner; Customers; Market Research; Supplier Collaboration; Delivery and Support; Prelim Concept; Customer Collaboration; Offshore Subsidiary; Offshore Manufacturing; Production Line and Quality Testing; Testing and Approval; Full Concept; Research Collaboration; Joint Venture]
Slide 6

Challenges in Global Product Innovation
Supply Chain Security
- Exposure of company, partner and customer IP such as recipe information
- Control access to material Safety Data Sheets for REACH/ROHS reporting
- Compliance violations in the supply chain
Export Compliance
- Comply with CWC and export regulations for controlled chemicals
Data Security
- Privileged user control
- Data loss, contamination
Intellectual Property Control
- Breach of NDA, PIA, and Contracts
- Loss of valuable IP recipes, ingredients
[Diagram labels: Supplier/Partner; Customers; Market Research; Supplier Collaboration; Delivery and Support; Prelim Concept; Customer Collaboration; Offshore Subsidiary; Offshore Manufacturing; Production Line and Quality Testing; Testing and Approval; Full Concept; Research Collaboration; Joint Venture]
Slide 7

Export Compliance for Controlled Chemicals
[Diagram labels: SAP; US Person; Technical Data; Foreign Person]
Export:
- Email to foreign supplier
- Travel overseas with laptop
- Access from non-US location
- Storage in a non-US datacenter
Deemed Export:
- Access to technical data on controlled chemicals by Foreign Person in the US
- Email ingredient list of controlled chemicals to a non-US coworker
- Data copied to storage where non-US persons have access
Contamination and Dual Use:
- Re-use of commercial chemicals in defense applications
- Inadvertent inclusion of controlled chemicals in commercial products
Slide 8

Intellectual Property Protection in Global Collaboration
[Diagram labels: Engineering; Contract Manufacturing; Suppliers; JV Partners; Overseas Subsidiary]
- Protect recipes, ingredients, production processes, material safety datasheets across multilevel collaborations
- Protect recipes and ingredient list from foreign subsidiaries
- Control access to recipes and ingredients to comply with information sharing agreements
Slide 9

Security & Compliance Challenges in the Product Innovation Lifecycle
Lifecycle phases: imagine, design, plan, make, service
Critical Data: Market Research, Product Requirement, Marketing Plan, Drawings, Prototypes, Design Change Orders, eBOM, Vendor Analysis, Demand Forecasts, Production plans, Material Master, mBOM, Change Orders, Routings, Instructions, Quality Data, Processes, Knowledge Base, Service Instructions, Support Solutions
Management Systems: Doc Mgmt, File Servers, Email, Endpoints, PLM, Doc Mgmt, File Servers, SCM, ERP, Portals, ERP, PLM, Portals, CRM, SM
Security & Compliance Challenges
- How do I protect market research and product concepts?
- How do I protect my Product Designs?
- How do I ensure supply chain security?
- How do I ensure export compliance?
- How do I protect sensitive service manuals?
Slide 10

Information Risk is Never Far Away
- The US Department of State levied more than $100M in fines for ITAR violations in just the last 2 years. (source: US Dept of State)
- In a 2010 study by Ponemon Institute, the average cost of a data breach is $7.2 million per incident. (source: Ponemon Institute)
Slide 11

Intellectual Property Risks and Impacts
Source: Forrester Research
Slide 12

Alternatives - RBAC is not Sustainable
- Common mistake is to use Roles to manage Data Entitlements
- "We have more roles than employees"
- Global companies have multiple access variables, each with multiple values
  - Multiple Export Jurisdictions (e.g. ITAR, EAR, DOE)
  - Multiple Projects and Product groups (e.g. Program X, Project Athena)
  - Multiple Locations (e.g. US, UK, etc)
- Traditional role based access control (RBAC) explodes with rule complexity
[Chart axes: Required Access Rules; Number of Access Variables]
Slide 13

Alternatives - ABAP Customization is Costly
Think TCO: 67% of your software cost is maintenance! Ask the tough questions!
Criteria and Questions
- Core function: Is Authorization Mgmt a core function of your business?
- Functional Fit: Is your application extensible to provide the functionality you need?
- Roadmap Alignment: Can you keep up with future requirements?
- TCO: What is the total cost of development and ongoing maintenance?
- Scalability: Will your customization scale with more users and more requirements?
- Timing: Can you keep up with the agility of your business?
Slide 14

Alternatives - ABAP Customization is Costly
Manual Extensions to ERP to enable authorization checks:
[Diagram labels: ABAP Customization; Info Risk Management Foundation]
Slide 15

Information Risk Management
https://rapid.sap.com/se/
Slide 16

Information Risk Management
Information Risk Management automates information controls across key business processes to protect critical data and enable global business operations.
- Information Centric: focused on protecting information rather than infrastructure
- Across Business Processes: designed to integrate across key systems
- Global Business Enabler: empowers the business to collaborate and share data globally
Slide 17

Solution Architecture
[Architecture diagram labels]
- Product Information Domains: R&D; Manufacture & Manage; Collaborate
- Entitlement Mgr: Product Lifecycle Mgt; Custom R&D Apps
- Entitlement Mgr: SAP
- Entitlement Mgr: Fileservers; SharePoint; Communications (Email, IM, FTP, LiveMeeting, etc)
- Info Risk Mgmt / Existing
- Information Risk Management Foundation: Information Control Policy; Electronic Export Control; Intellectual Property Control; Etc.
- Resource Classification; User Classification; Compliance Audit
- SAP MM; IDM; SAP HCM; Trade Mgmt
Slide 18

Example Information Risk Management Suite
[Diagram labels: ERP; PLM; Server; Desktop; Entitlement Management; SCM; CRM; ECM; Rights Management; Client; Data Protection; Email; Collaboration; Custom Apps; On Demand; Communications; Control Center; Information Control Platform; Information Control Policy; Identity Controls Data; XACML]
Slide 19

End-to-End Information Controls
- Secure Data @ the Source (Entitlement Management): Allow Only US Engr from JV to access Chemical Y recipes
- Secure data use (Rights Management): Deny Copy/Paste of Chemical Y Recipes
- Prevent data loss, Secure external collaboration (Data Protection): Deny Sharing Chemical Y data outside Chemical Y Team
[Diagram labels: Project Y; Recipe; Control Center; Information Control Platform; Information Control Policy; Identity Controls Data; XACML]
Slide 20

Policy-based Authorization Management
Policy: Allow only JV Engineers in US Locations to access Chemical Y recipe
[Diagram labels: User Attributes; Location; Data Classification]
Slide 21

Data-Level Access Control
- ACCESS DENIED: Only members of JV US Engr can access Chemical Y recipes
- ACCESS DENIED: Access to ITAR data requires export authorization.
Slide 22

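The slide 21 policy and the slide 22 denial messages, evaluated over user and data attributes and set against the role count from slide 13. This is an added example, not NextLabs product code and not XACML syntax; the attribute names, the citizenship values and the default-deny rule are assumptions.

```python
from dataclasses import dataclass
from math import prod

# Access variables from slide 13 (values constructed from its examples).
ACCESS_VARIABLES = {
    "jurisdiction": ["ITAR", "EAR", "DOE"],
    "project": ["Program X", "Project Athena"],
    "location": ["US", "UK"],
}

def roles_needed(variables: dict) -> int:
    """RBAC needs one role per combination of access-variable values."""
    return prod(len(values) for values in variables.values())

@dataclass(frozen=True)
class User:                      # hypothetical attribute names
    company: str
    job: str
    location: str
    export_authorized: bool = False

@dataclass(frozen=True)
class Resource:                  # hypothetical attribute names
    project: str
    kind: str
    jurisdiction: str = ""       # empty string: not export controlled

def decide(user: User, res: Resource) -> tuple:
    """Attribute-based decision: deny rules first, then default deny."""
    if res.jurisdiction == "ITAR" and not user.export_authorized:
        return (False, "ACCESS DENIED: Access to ITAR data requires "
                       "export authorization.")
    if res.project == "Chemical Y" and res.kind == "recipe":
        if (user.company, user.job, user.location) != ("JV", "Engineer", "US"):
            return (False, "ACCESS DENIED: Only members of JV US Engr "
                           "can access Chemical Y recipes")
        return (True, "ALLOW")
    # Assumption: anything no policy covers is denied.
    return (False, "ACCESS DENIED: no applicable policy")

if __name__ == "__main__":
    print("RBAC roles:", roles_needed(ACCESS_VARIABLES))
    with_citizenship = {**ACCESS_VARIABLES, "citizenship": ["US", "non-US"]}
    print("RBAC roles after adding one variable:", roles_needed(with_citizenship))
    recipe = Resource("Chemical Y", "recipe")
    print(decide(User("JV", "Engineer", "US"), recipe))
    print(decide(User("JV", "Engineer", "UK"), recipe))
```

Adding one more access variable multiplies the RBAC role count, while the attribute-based check gains a single condition.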
Intellectual Property Protection Solution Approach
Manage IP Authorizations
- Manage authorizations for internal IP Access
- Manage IP sharing agreements such as PIEA, NDAs
Identity and Security Classification
- Automatically classify sensitive data based on business associations to materials, processes, customers etc
- Classify users by project, roles, company etc
Control Access to IP Data
- Prevent unintended disclosures of recipes, ingredients, process specs, etc
- Control where IP etc can be stored
- Apply remediation workflow
Audit
- Track all data access approvals and violations
- Centralized visibility into data activity
Slide 23

IP Protection
Global leader in Energy. 100,000 employees, 140 countries
Objective: Provide global SAP PLM platform for secure collaboration and export compliance
Challenge: Protect intellectual property as engineers collaborate worldwide on product design. Comply with export and DOE regulations
Challenge
- Provide global instance of SAP to enable global product design collaborations with offices, subsidiaries and partners worldwide
- Protect corporate IP and competitive information during the design phase of the product lifecycle. Ensure only authorized personnel have access to sensitive product data
- Enhance compliance with US ITAR, EAR and DOE and other foreign regulations by actively controlling access to technical data
- Manage global IT to ensure adequate privilege while limiting data access to comply with IP and regulatory mandates
Solution
- Centrally define and manage access policies for IP and electronic export compliance
- Automatically classify data by project and sensitivity as documents or materials are created, updated or uploaded.
- Control access to parts, eBOMs, based on user citizenship, object export security classification, export license number, role and project membership to ensure access is based on need to know
- Audit and track all access approvals and denials to demonstrate regulatory compliance and compliance with IP protection mandates
- Centrally track access for compliance reporting
Slide 24

Sample Customers
Industries: A&D; Chemicals; High Tech; IMC; Oil & Gas
Benefits
- Enable Secure Product Collaboration with external parties
- Improve Governance and Compliance programs
- Enhance Data and IP Security
- Accelerate value and adoption of Global Consolidation
Slide 25

Thank You!
For More Information, contact:
- SAP: Ray Adams (ray.adams@sap.com)
- NextLabs: Rob Robbins (rob.robbins@nextlabs.com), E.K. Koh (ek.koh@nextlabs.com)
Slide 26