


Is Your Web-Based Access Secure?

by Michel Koopman

August 11, 2009

Web access is inherently vulnerable to security threats, because so many different flanks are open to attack.

Web-based access to your SAP environment can result in increased convenience, cost savings, and flexibility, but deploying and maintaining a Web browser on the local desktop can open up a Pandora’s box of security, administration, compatibility, and performance issues. For example, in 2004 alone, Microsoft released 49 critical Internet Explorer (IE) security patches that had to be not only installed on every desktop, but also tested for compatibility with existing applications.

When users connect to your SAP system via local Web browser applications — whether from a third-party location, home PC, Internet kiosk, or remote/mobile device — you cannot realistically ensure that the client is secure. Leaving the management of browser software in the hands of the individual creates risk because many people do not have the skills or knowledge to configure settings, install upgrades and patches, or implement virus protection. With the profusion of worms, Trojan horses, viruses, and other malicious code on the Internet, it is only a matter of time until an unmanaged browser unleashes a threat to corporate resources.

For example, SAP recommends several browser security settings for SAP NetWeaver Portal (formerly called SAP Enterprise Portal) for scripting and cookies, but the browser allows users to change those settings and manipulate cookies, permissions, and other options. This leads to a patchwork of different scenarios across the organization. If users choose security settings that are too restrictive, a Web page may not display correctly, resulting in a loss of functionality, as well as additional support costs. If the browser security settings are not restrictive enough, you may suffer security vulnerabilities and losses in productivity. In addition, organizations run into other challenges as they deploy multiple Web applications, such as Lotus iNotes, Microsoft Outlook Web Access (OWA), Oracle, and Siebel, each requiring its own independent browser version and security configuration.

Secure and Manageable?

The 10 questions that follow can help you determine how secure and manageable your corporate Web access really is.

  1. How many users access your Web applications? The more users you have, the more points of potential failure you have in your organization. Each user’s actions (e.g., changing settings, downloading and installing programs, adding browser plug-ins), device type, location, and network connections can potentially complicate and negatively affect the SAP Web experience.

  2. What is the user experience like and where are the users located? Unreliable or substandard application performance is a source of frustration for users, and it’s typically due to insufficient bandwidth. For example, SAP NetWeaver Portal uses 60 to 120 kilobits per second (kbps) per connection, and bandwidth can exceed 240 kbps when using SAP Business Information Warehouse (SAP BW) and other complex modules. Therefore, users in satellite offices with low-bandwidth or high-latency connections, including extended global wide-area-network (WAN), dial-up, and wireless links, can experience slower application-response times and decreased productivity than those in the main office location.

    The administrator must focus on managing bandwidth-demand fluctuations while keeping costs and other variables under control. Typically, when the user experience is poor, businesses tend to either upgrade the bandwidth, increase the number of Web servers, or invest in browser-acceleration solutions such as secure-sockets-layer (SSL) accelerators or Web cache servers. To use a medical analogy, these solutions cure only the symptoms, not the disease. In addition, while they address the browser’s performance, they do not address browser management and security.

  3. How many different access devices and Web browsers are in use in your organization? Companies need to consider the CPU power, memory capacity, operating system type (and version), device form-factor, and much more when deploying any application. In a Web environment, these complications do not disappear. In addition, desktop browsers can generate a heavy administrative workload for IT departments. If users have an older version of a browser due to a failure to install upgrades, they may experience incompatibility or functional issues with SAP NetWeaver Portal or other SAP Web applications, thereby requiring IT support. Also, SAP NetWeaver Portal has compatibility issues with third-party browsers such as Apple Computer’s Safari browser and Opera Software’s Opera browser, versions of Internet Explorer older than 5.5 SP2, and Web access from non-Windows client environments.

  4. How current are all your desktops with regard to browser security patches, and are all browser option settings correctly configured on all devices? The browser is tightly integrated with the operating system, so organizations need to patch both the browser and the operating system. Patching only one of the two leaves back doors open for malicious attacks. Compare it to locking the doors to keep out burglars, but not locking the windows.

    Again, to ensure that the Web application is operationally functional for all users, each browser needs to be configured correctly. While browser settings are crucial for a good user experience and company security, the ultimate control is in the hands of potentially thousands of individual users. Variability from one user to the next can increase the frequency of technical problems and help desk costs.

  5. How vulnerable are your Web-accessible enterprise data and applications? Have the risks to your organization from viruses, worms, and other malicious threats been increasing? As your control over the user desktop becomes more and more limited, you may be compromising your protection against these external threats.

  6. How many security solutions are currently required for enterprise-application access via various access scenarios (e.g., client/server vs. the Web)? There are many ways to secure Web traffic such as IP security (IPSec) virtual private networks (VPNs), SSL VPNs, and reverse-proxy servers (RPS). These are tactical solutions that do not address the evolving nature of most IT infrastructures. RPS and SSL VPNs allow only limited access to client/server applications and files. IPSec allows access to all your applications and files, but may have difficulty with firewall traversal and “too much access.”

    Since users are connecting from within — and without — the firewall using different devices and access methods, it can be very challenging and costly to implement a single solution and provide each user with easy, secure access. In addition, in a distributed computing environment, data on laptops is inherently sensitive to theft.

  7. Are your users able to access all applications through their browsers? User satisfaction, training, and productivity improve when users can access all company applications through SAP NetWeaver Portal, including client/server applications, non-SAP applications, and productivity applications.

  8. How many calls does your tech support organization receive regarding Web access? Perhaps your company’s help desk is receiving lots of complaint calls involving application performance, device configuration, or compatibility issues, or perhaps they’re being challenged with new-employee access to applications. It may also be challenging for your support organization to collaborate with users and troubleshoot technical issues or provide functional support.

  9. What regulatory-compliance challenges does your company face in areas such as desktop certification and standardization, end-to-end application security, and application-usage auditing? How many versions and configurations of the Web application/browser do you need to test and certify? Can you see when, where, and by whom all the applications are being accessed? Can you ensure that the data is safe and the connection is secure? During an unplanned business disruption, can your users access their applications even if they’ve lost access to the main company computer?

    Another example: The most essential form of IT control for Sarbanes-Oxley compliance is access control. If organizations cannot easily access applications and databases, they have no way of providing reasonable assurance that the information they report has not been tampered with or corrupted. Ensuring access control is a challenge for many organizations for a number of reasons. For example, IT departments don’t always have an easy way to track, limit, or secure which user is accessing which application, when, for how long, and why.

  10. Where do you use single sign-on (SSO)? While SAP includes SSO with SAP NetWeaver Portal, what about all the other application, system, and Web site passwords? A strong password policy — requiring complex passwords and regular password changes — can be effective in preventing unauthorized access to critical applications. However, without a mechanism in place to enforce them, strong password policies often fail due to a lack of user cooperation. Frequently changing passwords and creating complex passwords cause users to write their passwords on post-it notes, for example, or forget their passwords and increase the help desk’s costs.
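Question 4 asks whether browser security settings and patches are actually in place on every desktop. The following PowerShell audit is an added example, not code from the article or from SAP or Citrix: it compares the Internet Explorer Internet-zone settings stored in the registry against a baseline and lists recently installed hotfixes, so an administrator can spot machines that have drifted from the standard. The registry value IDs (1200, 1201, 1400 under zone 3) are the documented IE zone policy identifiers; the baseline values and the 30-day patch window are assumptions chosen for illustration, not SAP’s recommended settings.

```powershell
# Added example (not from the article): audit one desktop's IE Internet-zone
# settings against a baseline and list hotfixes installed in the last 30 days.
# Zone 3 is the Internet zone; 0 = enable, 1 = prompt, 3 = disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Assumed baseline for illustration (not SAP's recommended settings)
$Baseline = @{
    '1200' = 3   # Run ActiveX controls and plug-ins: disable
    '1201' = 3   # Initialize and script ActiveX controls not marked safe: disable
    '1400' = 1   # Active scripting: prompt
}

function Test-IEZoneBaseline {
    param(
        [string]$Path = $ZonePath,
        [hashtable]$Expected = $Baseline
    )
    foreach ($name in $Expected.Keys) {
        # A missing value means the default applies; report it as non-compliant
        $actual = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = ($null -ne $actual -and $actual -eq $Expected[$name])
        }
    }
}

function Get-RecentHotFix {
    param([int]$Days = 30)   # assumed window
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

# Report: any row with Compliant = False is a setting a user (or malware) has changed
Test-IEZoneBaseline | Format-Table -AutoSize

# An empty list here means the machine has not received patches within the window
Get-RecentHotFix | Format-Table -AutoSize
```

Run it under the user’s own account, since the zone settings live under HKCU and vary per user; the same check can be run against HKLM if a domain policy locks the zone settings for all users, in which case a mismatch points at a policy deployment problem rather than a user change.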

Weigh the Risk

You can address any of these questions using one of the many products available or by developing your own. You could also adopt a centralized browser-deployment model, where the browser is moved from the client workstation to the data center. The local browser on the desktop is only used to authenticate and launch the browser hosted on the multi-user Windows or Unix operating system. This model can address all the Web-based application access challenges related to security, manageability, collaboration, performance, user experience, compatibility, and control. Whatever solution you choose, the one choice you can’t afford to make is to ignore the inherent risks of browser-based access to your enterprise data.

Michel Koopman, director, corporate development, has been with Citrix Systems, Inc., since May 1999. He has managed several of the company’s most important alliances and is currently responsible for the global partnership with SAP AG. Before Citrix, Michel held sales, marketing, and business development positions at Baan Company, International Distillers, and Morgan Stanley.
