Can SAS user-written formats be encrypted or otherwise hidden securely?

Reply
New Contributor
Posts: 2

Can SAS user-written formats be encrypted or otherwise hidden securely?

[ Edited ]

Hi,

we are working on distributing a SAS application. With SAS application we mean a bunch of SAS programs containing Base SAS Procedures / Datasteps / Macros) and some SAS tables. We want to make sure that nobody can steal our intellectual property. So far we have come up with the usual solution of using compiled macros to hide source code, and with encrypting and password protecting SAS datasets/tables.

 

Now we realize that we are using formats generously in the application, and they contain some of our key intellectual property.

We have googled around a bit: there seems to be neither encryption nor password protection for SAS catalogs (i.e. for format entries in formats.sas7bcat)

 

We think that a MALICIOUS_USER could copy the SAS formats while the program is running and – with some work – figure out some of our - er – secrets.

 

So far we are thinking along two lines:

 

1) We could do some aggressive setting up and deleting of formats within the SAS code

 

2) Is there a way to load the SAS formats into memory (RAM) for the duration of a SAS session (or even only for the duration of a Data step or Proc step and deleting the SAS macro catalog?

 

Any ideas and suggestions would be appreciated.

 

Yours truly,

SASMeister

(currently not feeling like a SASMeister)
 

Note: We have

SAS (r) Proprietary Software 9.4 (TS1M3)

This session is executing on the X64_SRV12 platform (Windows Server 2012 R2 Standard / 64-bit Windows)

 

Late addition:

Re: my thinking line #2: I thought of a way to test if a format can be used in absence of its FORMATS catalog.

The answer is NO. Run the attached code to see for yourself...

Attachment
Super User
Posts: 7,433

Re: Can SAS user-written formats be encrypted or otherwise hidden securely?

In times like this, I'd supply the application as a webapp (stored processes) where users only have access to the web interface.

SAS itself is, typical for older mainframe applications (and any interpreting system) an open source and collaborative environment, where code is quite freely shared. Just look at this forum.

---------------------------------------------------------------------------------------------
Maxims of Maximally Efficient SAS Programmers
New Contributor
Posts: 2

Re: Can SAS user-written formats be encrypted or otherwise hidden securely?

Hi Kurt,

thanks for your reply - with which I agree in principle. I am posting this on behalf of one of our departments, and they have special needs.

 

 

Super User
Posts: 3,235

Re: Can SAS user-written formats be encrypted or otherwise hidden securely?

If you have a department with special security needs then a full SAS security audit may be required, if you aren't in the process of doing one already. This would look at:

 

  • SAS data in-flight - securing and encrypting SAS network traffic and in memory
  • SAS data at rest - securing and encrypting SAS files and data on disk
  • Securing the SAS environment - firewalls, VPN, SAS user access etc. 

 

I'd recommed getting expert security advice from SAS or a recognised partner.

Super User
Posts: 3,235

Re: Can SAS user-written formats be encrypted or otherwise hidden securely?

One option to explore would be to dictate that ALL user-written SAS formats must be created in the SAS WORK library only from SAS source code for every job. This means the FORMAT catalogs only exist for that SAS session and only the user or an administrator would have access to that WORK directory.

Ask a Question
Discussion stats
  • 4 replies
  • 135 views
  • 3 likes
  • 3 in conversation