The purpose of this document is to describe the architecture of NextLabs application. 

Out of Scope:

• NextLabs policy design and details will covered in a separate deliverable. 

• Information related to product documentation and can be found online will not be documented here. 

Key Decisions and Requirement

Application Architecture

Overview

The following products from NextLabs will be deployed for SyWay.

• NextLabs Data Access Enforcer (DAE) provides fine-grained, attribute-based access control (ABAC) for data, ensuring that only authorized users or applications can access sensitive data based on real-time policies and contextual information. For SyWay, it enforces authorization decisions to grant access and decrypt sensitive data.
• NextLabs Dynamic Authorization Management (DAM) extends native role-based authorization and enforces finer-grained, attribute-based controls to critical SAP applications. Its purpose is to ensure fine-grained access decisions that adapt in real-time to user, resource, and environmental contexts.

The following diagram describes the different NexLabs components.

Application Components

• Policy Controller: Key component of NextLabs that evaluate data access request against the policies and makes the decisions to deny or allow (decrypt data) access to sensitive data.
• ICENET Servers: Distributes policy definitions from Management Server to Policy Controller and also clears the logs from the policy controllers by moving them to NextLabs's DB (MS SQL).
• Management Server: Administrative component that is used to manage NextLabs instances and policies. It is also used configure policies and when FPE is used, it retrieves the encryption keys 
• Bulk Obfuscation Tool (BOT): Allows users to select which data to encrypt. In addition to encrypting data, it also creates encryption keys, stores them in NextLabs DB and writes the key ID in into a /NXL/ table in HANA DB.
• MS SQL: Database for NextLabs. It stores configuration, policies, logs and encryption keys used for FPE. For NextLabs Azure SQL DB (DaaS) will be leveraged. 
• DAE for SAP: NextLabs binaries that run on SAP application. At run-time, DAE for SAP will intercept data request for sensitive request and send it to Policy controller to evaluate if access should be granted.
• NextLabs add-on: Installs NextLabs programs and tables in S/4HANA application. 
• Azure Files: Network files systems are required between DAE for SAP & Policy Controller and ICENET servers & Management Servers.

NextLabs Data and Security Flow

NextLabs Installation

Encryption

1. User selects which data to encrypt in BOT Web UI.
2. BOT creates an encryption key for the selected data, encrypts the data and writes the key ID in into a /NXL/ table in HANA DB.
3. BOT stores the encryption key and key ID in MS SQL DB.

Sensitive Data Access

System Landscape

NextLabs landscape will consist of a common DEV instance deployed to EU region and QAS, PAR, PRD instances deployed to EU and US regions.

*QAS instance will be integrated to INT and UAT landscapes.  

Hosting Details

NextLabs system will be hosted in both EU and US region. Since NextLabs requires low latency network connection to S/4HANA, NextLabs will be hosted in the same Azure region and physical zone as SAP RISE.

In EU and US, NextLabs will be deployed to 3 Azure Subscriptions and in both regions, NextLabs subscriptions will be attached to region's Syensqo's Hub. 

• Non-PRD: DEV and QAS NextLabs instances.
• Pre-PRD: Parallel Run NextLabs instances.
• PRD:  Production NextLabs instances.

For more details on NextLabs infrastructure please refer to Network and Infrastructure Architecture.

Development 

Development NextLabs instance will follow combined deployment where multiple components are deployed together.

QAS

QAS NextLabs instance will follow a distributed deployment with no high-availability (HA).

Production and Parallel Run

Parallel run instance will follow a high-availability architecture. 

• Multiple instances of Policy controller and ICENET servers will be deployed in an active-active configuration. 
• Management server will be deployed in an active-passive configuration using RHEL Pacemaker.
• Azure built-in high-availability will be leveraged for SQL DB and Azure Files. 
• Since BOT is runtime critical, it will be deployed without HA. 

Application Security

User Access

BlackLine is a SaaS application and can be accessed by users over the internet via HTTPS using their web browser. No Syensqo infrastructure or application is required to access BlackLine.

User must have their IDs created and assigned with the correct role before they can login to BlackLine.

Authentication

BlackLine is configured to perform SAML SSO with Syensqo Entra ID. The use of SSO is mandatorily enforced via configuration, and users cannot bypass SSO to log in with a password. 

Communication Security

Data in transit is encrypted using secure TLS protocols (v.1.2 or greater) with 2048-bit keys. 

Data Security

The following controls are implemented to ensure data security:

• Client files and databases at rest are protected using 256-bit AES encryption. 
• To ensure system and client data availability, production data is replicated to the DR site every hour.
• Backups are encrypted and have ransomware protection enabled with audit logging.

Other Controls

Blackline is covered by standard availability SLA for SAP Cloud Services - 99.7%

Operation Architecture

Change and Configuration Management

Blackline does not have a transport tool. Users will need to replicate configurations manual from non-PRD to PRD.

Monitoring

Blackline performs the following monitoring:

• Information Security monitoring: Network intrusion detection and unauthorized access.
• Cloud and Data Center Operations: Monitoring of critical hardware, software and performance. 
• Backup: Monitoring of backup processes.

Blackline system availability can be monitored via Trust Blackline.

Sizing & Capacity Management

Blackline tenants allocates 2GB of storage per users and monitors the usage for the whole instance. 

High Availability & Disaster Recovery

Blackline has implemented high availability throughout its environment to prevent single points of failure. 

It has the following DR targets:

• RPO - 2h
• RTO - 24h

BlackLine conducts disaster recovery tests on an annual basis.

Backup/Restore

BlackLine does backups of Production and non-Production instances daily from 9pm to 1am Pacific Standard Time. Backups are retained for 30 days and this can be increase to a maximum of 90 days by opening a support ticket. 

Users can request for their Blackline instance to be restored using the daily backups for the last 30 days 

Maintenance Plan

Blackline maintenance schedule can be found in Trust Blackline. Syensqo BlackLine tenants are deployed to the following regions:

• Non-PRD: sbeu3
• PRD: eu3

See also

• LeanIX Factsheet - BlackLine Account Substantiation and Automation

Change log