OpenSAP Mobile1 Week 06 Enterprise Security Concept Outlook
Week 6 Unit 1: Mobile Security
© 2013 SAP AG. All rights reserved. 2Public
Mobile Security: Mobile Introduces Additional Risks for Enterprise Data

Mobile (enterprise) applications
– Access enterprise data and functions
– Store sensitive data (login or business data)
– Run in an untrusted environment

Mobile devices
– Are carried around
– Lost or stolen
– Offer a unique combination of data processing and communication capabilities

Mobile users
– Merge personal and corporate data (BYOD)
– Tend to accept security popups
Mobile Security: Some Threats

– Malicious apps on device
– Man-in-the-middle attacks
– Eavesdropping
– Denial-of-service attacks

Conclusion: Need to take security seriously and establish protection mechanisms!
Mobile Security: Enterprise Security Means Protecting All Layers

On device
– Apply vendor-specific security mechanisms
– Leverage Mobile Device Management
– Protect enterprise applications

Network infrastructure
– Secure communication using HTTPS
– Multi-layered defense against threats like denial of service

Back end
– Authenticate users
– Check authorizations
– Validate incoming data
[Diagram: the Mobile App (Application Code) talks OData to SAP Mobile Platform / SAP NetWeaver Gateway, which front the Back-End Server (Application Code). The same diagram is repeated on the following slides, each highlighting one layer.]
Mobile Security: Protecting the Back End

Authenticate users
– Various options, such as basic authentication, X.509, OAuth 2.0, SAML 2.0

Check authorizations
– Use back-end authorization concept

Validate incoming data
– Validate OData request based on metadata
– Protection against injection attacks
– Virus check of binaries
– XSRF protection
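As an added illustration of "validate OData request based on metadata" (example code written for this transcript, not SAP's Gateway implementation): the SalesOrder entity type, its properties and the payloads are constructed. The point it makes is that the service's own $metadata is an allow-list for incoming data: undeclared properties, oversized strings, non-numeric decimals and missing required fields are rejected before any application code sees them, which is where most injection and mass-assignment problems would otherwise start.

```go
package main

import (
	"encoding/json"
	"encoding/xml"
	"fmt"
	"regexp"
	"sort"
	"strconv"
)

// sampleMetadata is a constructed OData V2 $metadata (EDMX) excerpt, not taken from any real Gateway service.
const sampleMetadata = `<?xml version="1.0" encoding="utf-8"?>
<edmx:Edmx xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx" Version="1.0">
  <edmx:DataServices>
    <Schema xmlns="http://schemas.microsoft.com/ado/2008/09/edm" Namespace="DEMO">
      <EntityType Name="SalesOrder">
        <Property Name="OrderID" Type="Edm.String" Nullable="false" MaxLength="10"/>
        <Property Name="Customer" Type="Edm.String" Nullable="false" MaxLength="40"/>
        <Property Name="Amount" Type="Edm.Decimal" Nullable="false"/>
        <Property Name="Note" Type="Edm.String" Nullable="true" MaxLength="20"/>
      </EntityType>
    </Schema>
  </edmx:DataServices>
</edmx:Edmx>`

// Struct tags match elements by local name, so the EDMX namespaces need no spelling out.
type Property struct {
	Name      string `xml:"Name,attr"`
	Type      string `xml:"Type,attr"`
	Nullable  string `xml:"Nullable,attr"`
	MaxLength string `xml:"MaxLength,attr"`
}
type EntityType struct {
	Name       string     `xml:"Name,attr"`
	Properties []Property `xml:"Property"`
}

// parseMetadata indexes the entity types of a $metadata document by name.
func parseMetadata(doc string) (map[string]EntityType, error) {
	var e struct {
		EntityTypes []EntityType `xml:"DataServices>Schema>EntityType"`
	}
	if err := xml.Unmarshal([]byte(doc), &e); err != nil {
		return nil, err
	}
	types := make(map[string]EntityType, len(e.EntityTypes))
	for _, et := range e.EntityTypes {
		types[et.Name] = et
	}
	return types, nil
}

// OData V2 JSON carries Edm.Decimal as a string; accept only a plain numeric literal.
var decimalLiteral = regexp.MustCompile(`^-?[0-9]+(\.[0-9]+)?$`)
// validateEntity checks an incoming JSON entity against its metadata and returns a
// sorted list of findings (empty means the payload conforms). Anything the metadata
// does not declare is rejected, so it never reaches application code.
func validateEntity(et EntityType, payload []byte) []string {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(payload, &doc); err != nil {
		return []string{"malformed JSON: " + err.Error()}
	}
	declared := make(map[string]bool, len(et.Properties))
	for _, p := range et.Properties {
		declared[p.Name] = true
	}
	var findings []string
	for name := range doc {
		if !declared[name] {
			findings = append(findings, "undeclared property "+name)
		}
	}
	for _, p := range et.Properties {
		raw, present := doc[p.Name]
		if !present || string(raw) == "null" {
			if p.Nullable == "false" {
				findings = append(findings, "missing required property "+p.Name)
			}
			continue
		}
		var s string // both Edm.String and Edm.Decimal arrive as JSON strings in V2
		if err := json.Unmarshal(raw, &s); err != nil {
			findings = append(findings, p.Name+": expected a JSON string for "+p.Type)
			continue
		}
		switch p.Type {
		case "Edm.String":
			if limit, err := strconv.Atoi(p.MaxLength); err == nil && len([]rune(s)) > limit {
				findings = append(findings, fmt.Sprintf("%s: length %d exceeds MaxLength %d", p.Name, len([]rune(s)), limit))
			}
		case "Edm.Decimal":
			if !decimalLiteral.MatchString(s) {
				findings = append(findings, p.Name+": not a decimal literal: "+strconv.Quote(s))
			}
		}
	}
	sort.Strings(findings)
	return findings
}
```

The check is deliberately strict: it does not try to sanitize or coerce values, it only decides whether the request matches the contract the metadata publishes, and every deviation is a finding the service can reject with a 400.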
Mobile Security: Protecting via Network Infrastructure

Secure communication
– Use HTTPS
– Rely on defaults and trusted libraries
– No certificate dialogs

Multi-layered defense
– No direct access to the back end
– Protect the back end against denial of service
– Reverse proxy or VPN access
– Authenticate/validate requests on network edge
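The "rely on defaults and trusted libraries, no certificate dialogs" advice, as an added example that is not code from the course or from SAP's client libraries: the server certificate is generated in memory and the host name gateway.example.internal is a constructed placeholder. The block runs the same trust check a TLS client performs during the handshake, shows that it fails closed when the trust root is not provisioned or the host name does not match, and audits a client configuration for the settings that amount to a certificate dialog hard-coded into the app.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newServerCert creates a self-signed certificate for host, standing in for the
// certificate an enterprise gateway would present. host is a constructed name.
func newServerCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServerCert performs the check a TLS client runs during the handshake:
// chain the certificate to a trusted root and confirm it is valid for host.
// A failure here must remain a failure; the fix is provisioning the right root,
// never asking the user whether to continue anyway.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// hardenedClientConfig trusts exactly the provisioned roots, verifies the host
// name and refuses anything below TLS 1.2; everything else stays at library defaults.
func hardenedClientConfig(roots *x509.CertPool, host string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
}

// auditClientConfig flags settings that amount to a certificate dialog hard-coded
// into the app: skipped verification, old protocol versions, hand-rolled verifiers.
func auditClientConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify is set: server certificates are not validated")
	}
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion allows TLS below 1.2")
	}
	if cfg.VerifyPeerCertificate != nil || cfg.VerifyConnection != nil {
		findings = append(findings, "custom verification callback present: review that it cannot accept untrusted certificates")
	}
	return findings
}
```

On a device the equivalent of provisioning the root is shipping the enterprise CA with the app or pushing it through device management; the client code itself keeps the library defaults and simply refuses to connect when verification fails.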
Mobile Security: Protecting On Device

Apply vendor-specific security mechanisms
– App sandbox
– Keychains

Leverage Mobile Device Management

Protect enterprise applications
– Encrypt sensitive data
– Protect access to the application
© 2013 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
Week 6 Unit 2: Protecting Enterprise Applications
Protecting Enterprise Applications: Enhancement 1: Securely Store Back-End Credentials

Most mobile applications need to store some sort of sensitive data.

We will extend the Android application to securely store back-end credentials.

In our example: username and password of SAP NetWeaver Gateway. Could also be an X.509 certificate or an access token.
Protecting Enterprise Applications: Enhancement 1: Implement a Secure Store with Data Vault

SAP Mobile Platform Data Vault
– Securely stores secrets on device
– Standalone library
– Delivered with SAP's mobile SDK
– AES 256-bit key encryption
– Can be locked/unlocked with a passcode
– Is deleted after a configurable number of failed login attempts
– Timeout mechanism
Protecting Enterprise Applications: Enhancement 2: Protect Access to the Application

Sensitive data and functions can be accessed when the application is resumed from background.

We will extend the Android application to protect access.
Protecting Enterprise Applications: Enhancement 2: Typical Life Cycle of a Native Mobile Application

Native mobile applications in "suspended" mode keep living in the background.
– Usually closed only if the device runs out of resources
– Means they might be open for weeks
– Potential source of sensitive data leakage
[Diagram: life-cycle states Installed, Started, Running, Suspended, Closed. Running moves to Suspended when the user launches another application and back to Running when the user navigates back to the application; low memory or low battery moves the application to Closed.]
Protecting Enterprise Applications: Enhancement 2: Protect Access with the Application Passcode

(Mobile) application passcode
– Use the data vault passcode as application passcode.
– Lock the data vault when app is suspended or closed.
– Prompt the user when starting/resuming the application.
– Unlock vault and application with application passcode.
– Delete vault in case of too many failed attempts.
[Diagram: the same life cycle annotated with data vault actions: "Unlock data vault" on the transitions into Running (from Started and when the user navigates back from Suspended), "Lock data vault" on the transition to Suspended.]
Protecting Enterprise Applications: Enhancement 1 + 2: User Interface (UI) Changes and Flow

UI for login
– Initial login: Enhanced login view to set the application passcode
– Data vault login: New view to enter application passcode

Flow
On initial application launch:
– Trigger initial login view.
– Create data vault and store credentials.
– Access application.
When application is started or resumed:
– Trigger "data vault login".
– Unlock data vault with application passcode.
– Access application.
When application is closed or suspended:
– Lock data vault.

[Screenshots: Initial Login view and Data Vault Login view.]
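The data vault properties listed under Enhancement 1 (AES 256-bit encryption, passcode lock/unlock, deletion after too many failed attempts, timeout) and the lifecycle flow under Enhancement 2, as one added example written for this transcript. It is not SAP's Data Vault library or its API: the passcode, credential, attempt limit, timeout and PBKDF2 iteration count are constructed values, and a passcode-derived AES-256-GCM key stands in for however the real library protects its store. What the model shows is the invariant the slides rely on: the plaintext credential exists only between Unlock and Lock, a wrong passcode is detected by the authentication tag rather than by comparing stored passcodes, and a wiped vault leaves nothing on the device to guess against.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

var ErrLocked = errors.New("vault is locked: prompt for the application passcode")
var ErrDeleted = errors.New("vault deleted after too many failed passcode attempts")
const kdfIterations = 100_000 // constructed value; tune to the slowest supported device

// pbkdf2Sha256 derives a 32-byte AES-256 key from the passcode. The key length
// equals one HMAC-SHA256 output, so PBKDF2 reduces to this single block.
func pbkdf2Sha256(passcode, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, passcode)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func gcmFor(passcode string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2Sha256([]byte(passcode), salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Vault: the credential persists only as ciphertext, the plaintext exists only
// while unlocked, too many failed unlocks wipe the vault, and idle time locks it.
type Vault struct {
	salt, blob   []byte // blob = nonce || AES-GCM ciphertext; nil once wiped
	plain        []byte // decrypted credential, non-nil only while unlocked
	failed, max  int
	timeout      time.Duration
	lastActivity time.Time
}

// NewVault seals credential under passcode; the vault starts locked.
func NewVault(passcode, credential string, maxAttempts int, timeout time.Duration) (*Vault, error) {
	buf := make([]byte, 16+12) // random salt || GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	salt, nonce := buf[:16], buf[16:]
	gcm, err := gcmFor(passcode, salt)
	if err != nil {
		return nil, err
	}
	return &Vault{salt: salt, blob: gcm.Seal(nonce, nonce, []byte(credential), nil), max: maxAttempts, timeout: timeout}, nil
}

// Unlock re-derives the key and lets the GCM tag decide whether the passcode is right.
func (v *Vault) Unlock(passcode string) error {
	if v.blob == nil {
		return ErrDeleted
	}
	gcm, err := gcmFor(passcode, v.salt)
	if err != nil {
		return err
	}
	n := gcm.NonceSize()
	plain, err := gcm.Open(nil, v.blob[:n], v.blob[n:], nil)
	if err != nil {
		if v.failed++; v.failed >= v.max {
			v.Lock()
			v.salt, v.blob = nil, nil // wipe: nothing is left on the device to guess against
			return ErrDeleted
		}
		return fmt.Errorf("wrong passcode (%d of %d attempts used)", v.failed, v.max)
	}
	v.plain, v.failed, v.lastActivity = plain, 0, time.Now()
	return nil
}

// Lock drops the plaintext; call it on suspend/close, and Unlock on start/resume.
func (v *Vault) Lock() { v.plain = nil }

// Credential returns the plaintext while unlocked and within the idle timeout.
func (v *Vault) Credential() (string, error) {
	switch {
	case v.blob == nil:
		return "", ErrDeleted
	case v.plain == nil, time.Since(v.lastActivity) > v.timeout:
		v.Lock()
		return "", ErrLocked
	}
	v.lastActivity = time.Now()
	return string(v.plain), nil
}
```

Mapped onto the flow above: the initial login creates the vault with NewVault, the start/resume hook prompts for the passcode and calls Unlock, the suspend/close hook calls Lock, and every ErrLocked from Credential is the signal to show the data vault login view again.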
Week 6 Unit 3: Introduction to MAF Logon Component
Introduction to MAF Logon Component: About SAP Mobile App Framework

SAP Mobile App Framework
– Extensibility framework + set of reusable components
– Part of SAP's SDK
– Builds on mobile operating system services and lower-level SAP Mobile Platform client libraries
– Available on iOS and Android

Build native mobile applications more efficiently
Introduction to MAF Logon Component: SAP Mobile App Framework: Functional Scope

Extensibility
– Extend screens (for example, add, remove, or rearrange fields) via configuration
– Change the flow or add actions
– No need to recompile

"Skinnable" UI components
– Enables enterprise branding (style, color, images)
– Primitive: button, label, list, and so on
– Compound: calendar, settings, log, logon
– No need to recompile

Helper components
– Locale-aware formatters (for addresses, phone numbers, currencies)
– Logon Component
Introduction to MAF Logon Component: Main Features of MAF Logon Component

– Secure data store (data vault)
– Application passcode handling
– Password policy handling via SAP Mobile Platform
– Timeout mechanism
– Registration process
– Integration with mobile device management (SAP Afaria)
– Various authentication and single sign-on mechanisms
– Auto-detection of server landscapes
Introduction to MAF Logon Component: Steps to Add MAF Logon Component to an Application

Add SAP Mobile App Framework libraries and resources

Implement LoginActivity
– onCreate(): Instantiate Logon Component and call the login view.
– Implement LogonListener interface to listen to login result.
– OnLogonFinished(): Check for success, set up communication, and trigger application's main activity.

Optional
– Adapt login views.
– Access data vault included in Logon Component to store further application secrets.
Week 6 Unit 4: Mobile Device Management with SAP Afaria
Mobile Device Management with SAP Afaria: Features Along the Device Life Cycle

Enrollment portal (EUSSP)
– Configure devices
– Assign to groups
– Deploy apps by role
– Configure and enroll in e-mail
– Configure wifi and VPN access

Device protection
– Remote lock
– Remote wipe
– Access violation lock
– Disable device, network, application and e-mail access

Management
– Track assets
– Maintain/modify configuration
– Monitor hardware, software, and packages
– App notifications and updates
– Telco expense management
– Location tracking
– Enforce security policies
– Monitor/track security violations
– Compliance activity logging
– Access control

Monitoring
– Monitor hardware, software, and packages
– Manage roaming and carrier
– Monitor compliance
– Location tracking
– Drilldown by data element
Week 6 Unit 5: Wrap-Up and Outlook
Wrap-Up and Outlook: The Journey So Far

– Build an integrated mobile application using enterprise tools
– Enterprise requirements are quite extensive
– Mobile platform tools help developers fulfill enterprise requirements
– Build services to suit the conceptual model of the mobile application
– There is more than 1 way to build a mobile solution
– Security is key for the enterprise

Introduction to Mobile Solution Development for the Enterprise
Wrap-Up and Outlook: Learn More About SAP Education

SAP Education
– Classroom training at authorized SAP training centers
– Virtual Live Classrooms
– E-Learning
– Certification

SAP Community Network (SCN)
– Engagement between SAP and our customers & partners
  – Blogs
  – Documents
  – Discussions/Questions

SAP Developer Center
– Resources for developing software based on SAP technology
Wrap-Up and Outlook: The Journey Continues

– On-premise version of SAP Mobile Platform
– App Builder, SAP's next gen UI development environment
– Kapsel, PhoneGap Plug-Ins for the Enterprise
– New OData SDKs supporting OData with offline and cached transactions