Panelist: Juan Perez-Etchegoyen, Onapsis
Date: Thursday, October 12
Hello, and welcome to today’s live Q&A on security considerations for SAP mobile applications. I’m Kendall Hatch, Conference Producer for SAPinsider, and I’m excited to introduce today’s panelist, Juan Perez-Etchegoyen, CTO at Onapsis. Juan is also a speaker at the upcoming SAPinsider Cybersecurity for SAP Customers conference in Las Vegas this November. We’d like to thank you all for logging on, and we’re looking forward to today’s discussion.
Thanks for joining us today, Juan!
Juan Perez-Etchegoyen (JP): Hi there! Thanks for having me here! This is a great introduction for the SAPInsider CyberSecurity for SAP Customers conference and presentations! I’m happy to be here and help. I will start addressing the questions now.
Comment From Phil: What are current security threats targeting SAP Work Manager?
JP: For SAP Work Manager, there are multiple components, including the mobile apps, the SAP Mobile Platform, and the back ends. The biggest threats revolve around keeping the user applications updated as new security fixes come along, properly protecting the SAP Mobile platform itself, restricting network access, segregating the demilitarized zone (DMZ) and networks zones, configuring Secure Sockets Layer (SSL), and keeping SSL updated. Then, of course, we have the back-end systems, but that is a whole separate chapter, which basically means securing SAP ABAP systems. Remember that SAP Work Manager is designed to be exposed to the Internet, so pretty much every security threat affecting the deployment could be materialized with a high probability.
Comment From Phil: Should a business allow SAP Fiori apps or SAP Work Manager to be installed and used from a personal smart phone or tablet versus one owned and administered by the business? Are there security threats associated with allowing SAP Fiori apps or SAP Work Manager to be installed and used on a device not owned and administered by the business?
JP: This is the good old discussion of bring your own device (BYOD). Users love to use the latest version of the iPhone and the latest devices, and they will use these devices for work as well. It is possible to allow users to leverage their own mobile devices, and the key is whether you want to enforce security policies in those devices and be able to manage them or not. There are mobile device management (MDM) or enterprise mobility management (EPM) products that provide those capabilities. You can check this one from SAP: https://www.sap.com/products/secure-mobile-device-management-cloud.html
Comment From Charles Ahn Baer Group
To what extent would SAP Mobility use the security solutions from Gigya, the company that SAP acquired in September?
JP: As you mentioned, SAP acquired recently the solutions from Gigya for customer identity and access management. We expect to see integration of these applications in the future with SAP Mobility, but it is up to SAP product managers to decide the future of these applications. We have not heard anything in the latest SAP announcements, but it is very early to tell.
Comment From Gary: What are the most important security patches to address mobile security issues?
JP: What a great question. We can start diving into the details of the security patches for SAP mobile products (SAP Security Notes), but I would recommend that you apply all of them. If you cannot do that, then at least prioritize by HotNews and Critical Notes first, and, of course, everything that is Internet facing should be a priority (SAP Mobile Platform, SAP NetWeaver Gateway, etc.).
Comment From Lauren: Our organization is implementing SAP applications, and mobile access to an ERP system will be a new feature for our employees. As we allow employees to access the ERP system via their mobile devices, what are the best practices or things to consider from a security standpoint?
JP: Based on your question, I understand you are implementing SAP applications and you will enable mobile access to those applications. It really depends on the mobile technology you will implement. I will take two examples: Implementing SAP Fiori applications with an SAP NetWeaver Gateway is one thing, as it is all SAPUI5, ABAP, and Open Data Protocol (OData) based, whereas if you implement SAP Mobile Platform, there are other components involved. I would say these are the most important things to keep in mind:
- Secure authentication: Implement a secure authentication mechanism for all your mobile users. You can leverage Single Sign-On (SSO) and enforce two factors whenever possible.
- Strong encryption: Make sure you implement SSL or Transport Layer Security (TLS) encryption for in-transit data and properly manage the certificates.
- Continuous security updates: Implement all patches affecting every single component of the mobile-enabled systems, such as ABAP systems, SAP Mobile Platform, mobile applications, OS, and databases.
- User and security monitoring: Visibility is key, especially for systems that are Internet facing.
- Security configurations: Securely configure and maintain all components, especially the SAP systems (ERP in your case), as these are very complex systems with many different components and potential configurations.
Comment From MD: How do you mitigate the risks of allowing employees to have access to sensitive data via mobile apps on personal devices or phones (i.e., lost or stolen phones)?
JP: This question was partially covered before, but we can do a deep dive on the topic. Your users will access business data, depending on their authorizations and levels of access. The new key risk relies on the fact that users can access this potentially sensitive and strictly regulated data from mobile devices that have a higher risk of physical security issues (lost or stolen as you mentioned). The way you mitigate this risk is by having remote capabilities to manage and potentially erase devices. These features are provided by MDM or EPM products. You can check this one from SAP: https://www.sap.com/products/secure-mobile-device-management-cloud.html
Comment From John: What are current or successful methods to secure these applications?
JP: That will depend on the actual mobile technology you are using. The most recent trend – one that is getting a lot of traction – is using the mobile apps based on SAP Fiori. SAP is really pushing this technology, and in terms of security, it will depend on whether it is a standard application or a custom one. For custom applications you basically need to make sure the development lifecycle incorporates a peer or code review from a security standpoint. If you are talking about the standard applications developed by SAP, then you need to make sure you are using the latest version released.
Now regardless of the SAP Fiori application, you need to secure the whole landscape, so make sure encryption is enabled, make sure the configuration and versions of the SAP NetWeaver gateway are secure, and ensure that the interface between the SAP NetWeaver Gateway and the back-end systems is also secure.
Comment From Andrea: How much do you typically need to sacrifice in terms of productivity to put in place really effective mobile security measures?
JP: It is definitely a balance. Security sometimes comes up with a cost of usability, which ends up affecting productivity in the end, but I would say that there are products that really provide governance and security of mobile-enabled devices and applications, so in the end, this is an investment in security that you need to do to enable a productive, effective, and secure mobile environment.
Comment From Jesse: Our company is a way out from implementing SAP mobile apps, but out of curiosity, do mobile apps allow for customization? If so, what best practices should be put in place to produce secure, in-house customizations?
JP: Yes, mobile apps from SAP allow for customization, as does just about every business application from SAP, because not all business processes are the same from company to company.
To ensure your custom apps are secure, besides securing the landscape, you basically need to make sure the development lifecycle incorporates a peer or code review from a security standpoint, reviewing for potential vulnerabilities, such as SQL injection, code injection, and cross-site scripting.
Comment From Suneel: Do you recommend implementing an application programming interface (API) gateway over the SAP Multichannel Foundation for Utilities and Public Sector layer while exposing it to the Internet?
JP: Both are very different products. One incorporates cloud-based components, and the other is mainly on-premise. In the end it is a decision that you have to make with all the facts. Does your organization adopt cloud-based technologies? Do I have a standard for doing so? Do I have secure configuration guidelines for the components that this solution entails? I would say that if you properly manage and configure any of them, you should be OK, but you should really evaluate what it means, as you might need to maintain totally different products and components. I hope this is helpful.
Comment From Phil
SAP Mobile Secure has functionality to detect compromised devices. How do you detect a compromised device?
JP: I went back to my research team and experts, and they helped me to complement this answer: SAP Mobile Secure incorporates a rebranded mobile application that is based on the SAP Afaria product from SAP (https://play.google.com/store/apps/details?id=com.Android.Afaria is the Android example). Compromised device detection basically relies on the mobile application’s ability to detect if the device has been “jailbroken” or “rooted.” You can find more information about that capability in SAP Afaria here: Android Remediation, and similar use cases in other MDM products (non-SAP) here: “Detecting Compromised Devices” (PDF) and “What is a Compromised Android Device or iOS Device?” I hope this answer helps you.
Comment From Phil: In a BYOD situation, would employees actually give their employers the authority to remotely lock and wipe their personal devices?
JP: Yes, employees would give their employers the ability to wipe the device, as long as it is managed by the employer and it is reported as lost.
That about wraps up our time for today’s live Q&A, but I’d like to thank everyone who participated, and thanks especially to Juan Perez-Etchegoyen for taking some time to join us today and answering our questions. For more on this topic, join us at SAPinsider Cybersecurity for SAP Customers, Nov. 29–Dec. 1 in Las Vegas. We hope to see you there!
JP: Thank you all! Looking forward to see you in the SAPinsider CyberSecurity for SAP Customers conference. Have a good day!