The biggest security threat when mobilizing SAP applications is the risk of an employee losing the device and exposing the organization to possible customer data breaches, according to interviews with analysts.
The good news is that, currently, mobile applications present fewer SAP security concerns than PCs do. Because there are so many different operating systems out there, targeting a huge base of users with a virus is difficult. Most devices are enabled with remote wipe capabilities. And many of the CRM-related functions that organizations are looking to mobilize are cloud-based, meaning that the customer data doesn’t reside on the device itself.
But organizations still need to followbest practices in ensuring secure mobile applications. Nearly every state in the U.S. has data privacy laws, and the burden for compliance is significant. To protect themselves, organizations need to have strong device management capabilities in place – including tough data encryption.
“Even if the mobile device isn’t where customer data is stored, it is definitely a gateway into your enterprise environment,” said Chris Hazelton, analyst with 451 Group.
Legal and regulatory compliance is foremost in people’s minds and helps them manage and design how to protect themselves, Hazelton said.
Ensuring compliance with local data privacy laws a top concern
Most states require breach notification, where companies must report any data breaches, including how many records were affected, and make provision for notifying customers. In general, it takes a general counsel or a compliance officer to stay on top of the compliance requirements.
And most companies need and want to be compliant, according to MacDonnell Ulsch, CEO of ZeroPoint Risk Research LLC, a Boston-based risk management research and advisory firm. But there are problems. At some of the largest financial institutions in the U.S., board members and CEOs don’t want data encrypted because it is an inconvenience. Many acquire smartphones and communicate outside the organizational technology infrastructure.
In turn, organizations need to factor in the risk from lost IP and trade secrets. For instance, take a U.S.-based software company that engages third-party companies around the world to develop software. Its engineers are communicating on handhelds, or even having conversations via the devices about restricted proprietary information that could be stolen, Ulsch said.
Best practices in mobilizing SAP applications
The first security challenge -- the shift from a "protected" internal application to an external "untrusted" connection -- isn’t specific to SAP, according to Mariano Nuñez Di Croce, director of research and development at Onapsis, an Argentina-based security vendor that specializes in SAP.
“SAP systems have been usually seen as merely internal systems, but this has been changing rapidly over the last years,” Nuñez Di Croce said in an email response. “Nowadays, it is really common for employees, partners or customers to access SAP applications from outside the company's boundaries.”
Taking a "layered" approach to ensuring security makes sense. First, reduce as much as possible the spectrum of people or systems that can connect with the systems. In this aspect, the use of VPNs, client-certificates and proper network security filters (like firewalls) are of absolute importance.
Next, secure the SAP system itself. It's important to make sure that only required services are enabled, no default credentials are installed and the authorization system is tightly configured, Nuñez Di Croce said.
Then, ensure that the mobile application developed on top of the SAP system has been developed following security guidelines so that the number of vulnerabilities is reduced as much as possible.
Carefully consider what information is going to be placed on the mobile device, Ulsch said. When the data goes onto the mobile device, organizations need to ask: Does it meet the regulation standard of being encrypted? What is the strength of the encryption and is it sufficient to protect the information?
“Companies need to think about [which] employees have access to the information and make sure that data is always encrypted,” Ulsch said. “If we look at the distribution of data, mobility creates a great deal of complexity.”
Tough new data privacy laws like those in Massachusetts are actually pushing people toward mobile SaaS applications, so that the data doesn’t reside on the device, Hazelton said.
Users definitely need a password on the device, he said. IT can set the device to lock after a minute or so of not being used. Generally, the shorter the length of time, the more secure the device is.
In turn, if the customer data is on a microSD card, encrypt the data on the card, because then if it’s pulled and put into another device, it can’t be read, Hazelton said.
For the most part, remote wipe capability is free if the company has Exchange. Pretty much every device except BlackBerry supports Microsoft ActiveSync, he said. BlackBerry does require its own Enterprise Server, but RIM is now making that available free of charge because the other devices don't require it.
Above all, after every layer has been secured, it is important to make sure that the whole solution is secure enough by ensuring that when the components are combined together, no new threats are created, Nuñez Di Croce said.
“The security of the solution must be considered holistically,” he said, “[because] a vulnerability in any of the components that build up the mobile application can compromise the entire solution and thus the company's business information.”