Security Considerations For SAP Technology Using Cloud And Mobile Applications

SAP Security

Both in terms of personal and business use, there is a growing expectation that information is permanently available and delivered across multiple platforms. Technology plays a key role in delivering the correct information to the correct individual through a myriad of different applications and platforms, with cloud computing enabling the data to be stored on and accessed from a central source.

Cloud computing allows organisations to rationalise the costs of both infrastructure and physical space. But with enterprise applications such as SAP, security is a key consideration. Although the actual application authorisation strategy should be largely unaffected by the hosting strategy, adding the complexity of a cloud server to the application topography introduces a number of security considerations.

Integrated security strategy

The cloud environment requires that security is considered in a more holistic manner. Whilst individual elements may operate independently, these should be deployed coherently, so that they overlap when appropriate but do not conflict or cause potential gaps in the secure environment. It may be tempting to have different teams managing cloud environments, allowing for pockets of expertise, but this can result in a confused and incoherent security framework when viewed as a whole.

Trusting a third party service provider

The most significant security concern when using public cloud servers is trusting third party suppliers with data. Assurances should be sought that the data is protected and not readily available to all other users of the cloud server, and that the administrators of the cloud server cannot access the data or compromise it through their bona fide administrator activities.

Most of these topics will be covered by a well-written contract as part of the cloud services agreement, but it is important that this agreement includes security considerations. There are standards and audit-driven checks for this type of service, such as SAS70, SSAE16 or ISO27001, whereby a supplier can be audited on their own internal controls, which can then be relied upon by their clients.

Network security

It is vital that organisations deploy their own cloud servers within the correct network zone to connect with the other appropriate applications. This is especially true in SAP landscapes as these interfaces are a key element of any SAP system and it is critical that they continue to work. Therefore, firewall settings and network address configuration of the cloud servers must be analysed to ensure that the applications can still communicate with each other unhindered.

However, because an externally hosted cloud server opens up the corporate network and allows a route for external connections to access internal estate, it must be tightly controlled by stringent firewall settings. It is also important to know exactly which ports are used to communicate with the cloud-hosted applications. Open too few and the application will not work correctly; open too many and weaknesses in the network can be exploited by people external to the organisation.

Encryption also plays a strong role in this area, with the level depending on individual requirements. For example, companies requiring particular compliance status such as PCI-DSS need to demonstrate strong encryption mechanisms to guard against interception and tampering with data. Using cloud servers does not change the requirement but, especially in externally hosted environments, it does add complexity, as additional providers are involved in the encryption landscape.

These are the basic requirements for any organisation using the cloud. The second of these two articles will look at maintaining security in the face of the ubiquitous use of mobile devices.

Users now expect data to be readily available through tablets and smartphones without needing to be tied to a single location or network. However, as more apps are released, the use of mobile devices to access corporate information increases risk.

Organisations need to take key decisions from the outset about the type of information and functionality, if any, granted to business users via mobile devices. Should they be able to access any company information from mobile devices and if so, does that include personal ones?

Data protection is a key issue. Loss of payment card details or personal data makes the headlines, but commercially sensitive information is equally significant, as it can cause financial or reputational damage if it finds its way to the public domain. The risk of this occurring is increased through allowing employees to access this type of information from mobile devices.

Mobile devices for SAP

SAP has been accessed via portals and web browsers for a number of years. Self-service portals are available for trusted suppliers and customers to place orders directly. Often in the public internet domain, they can also be accessed from web browsers on mobile devices. Specific mobile apps can also perform SAP transactional activities in addition to receiving management information reports, adding to the functionality available away from traditional desktop computers.

Network security

As with the cloud server access described in Part 1, positive (i.e. desirable) network traffic must be allowed whilst unwanted attacks from untrusted sources are prevented. This should be considered carefully, especially with personal devices and known third parties, as these services are accessed from the public domain. Demilitarised zones (DMZ) and multiple firewalls ensure that the required services are internet-facing whilst providing a ‘buffer’ that protects the sensitive application access through additional defences. However, it does allow people through the first line of an organisation’s defence.

Personal devices

Organisations may not have direct control over personal devices, so these represent a substantial threat to sensitive data. Using encryption throughout is ideal to ensure that an enterprise’s data is secure from the server to the end point. Even a user’s own phone or tablet should allow for a secure zone to be available, with virtual private network (VPN) software (available through app stores) allowing for that security to be provided.

There is still the risk that a user can unwittingly allow a virus to enter the network through the use of an infected device, so up-to-date anti-virus software is a must, along with additional preventative checks such as sniffers and blocking agents.

User authentication

When using apps such as SAP approval, user authentication is a key area of concern. The authentication setup must register a single user’s ID rather than a generic user configured to communicate to the device, so that it is possible to trace who made the approval decision.

As a minimum, the app should store the specific user credentials and transmit them back to the enterprise application for audit tracking purposes. For certain applications, it can make sense to have a centrally administered admin console which identifies users authorised to use the mobile applications, so administrators can quickly identify and remove users if required.

User authorisation

Users require different levels of system authority and access depending on their role. The application security within SAP allows for tight control, which must remain enforced when the user interacts via a mobile device, rather than all users inheriting unrestricted access via a background user. Therefore, the app must mirror the existing application authorisation design and not work against it.
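The authentication and authorisation requirements above can be checked after the fact. The following is an added example, not part of the original article: it audits constructed mobile approval records for approvals executed under a generic background user, approvals with no individual identity, and approvals by a user who lacks the role. The account names, roles and record fields are assumptions for illustration, not an SAP log format.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: account names, roles and fields are assumptions.
GENERIC_ACCOUNTS = {"MOBILE_SVC", "BATCH_USER"}   # shared background users
USER_ROLES = {"JSMITH": {"PO_APPROVER"}, "AKHAN": {"LEAVE_APPROVER"}}
REQUIRED_ROLE = {"purchase_order": "PO_APPROVER",
                 "leave_request": "LEAVE_APPROVER"}

@dataclass
class Approval:
    doc_id: str
    doc_type: str
    backend_user: str            # account the backend ran the approval as
    device_user: Optional[str]   # identity authenticated on the device

def audit(rec: Approval) -> list:
    """Return the findings for one approval record (empty list = clean)."""
    findings = []
    if rec.backend_user in GENERIC_ACCOUNTS:
        # The decision cannot be traced to a person from the backend log.
        findings.append("generic-backend-user")
    if not rec.device_user:
        findings.append("no-individual-identity")
    else:
        if rec.device_user != rec.backend_user:
            # App authenticated the user but acted as someone else.
            findings.append("identity-not-propagated")
        needed = REQUIRED_ROLE.get(rec.doc_type)
        # Unknown document types fail closed: 'needed' is None, never held.
        if needed not in USER_ROLES.get(rec.device_user, set()):
            findings.append("user-lacks-role")
    return findings

def report(records) -> dict:
    """Map doc_id -> findings for every record with at least one finding."""
    return {r.doc_id: f for r in records if (f := audit(r))}

SAMPLE = [  # constructed records
    Approval("PO-1001", "purchase_order", "JSMITH", "JSMITH"),
    Approval("PO-1002", "purchase_order", "MOBILE_SVC", "AKHAN"),
    Approval("LV-2001", "leave_request", "MOBILE_SVC", None),
    Approval("LV-2002", "leave_request", "AKHAN", "AKHAN"),
]

if __name__ == "__main__":
    for doc_id, findings in report(SAMPLE).items():
        print(doc_id, ", ".join(findings))
```

PO-1002 is the case the text describes: the user is authenticated on the device, but the approval succeeds only because the background user carries the access that the individual does not hold.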

Controlling access remotely

Mobile devices introduce a fundamental frailty that can let down the most rigid of secure environments. No matter how stringent the network and application security settings, there is always the risk of users not following the policies set by an organisation to increase security. For example, a device can be left unlocked, or lost altogether.

A good option is the facility to divorce the device from the data through allowing central management. For example, apps delivered via the Afaria platform have an administrative function whereby the app or the data can be remotely deleted or access removed if there is a chance that the device has been compromised.

End user policies

End user policies governing the use of mobile devices must be put in place and enforced. It is a good idea to remind users, who will always try to find applications or ways of working which will make their jobs easier, that they have a responsibility to use the technology appropriately and that their misuse may result in penalties levied directly to them.

Integrated security for integrated technology

Despite the perceived threats from new technology, as long as security is considered part of the implementation, these risks can be mitigated. With cloud servers effectively becoming just another data centre and mobile apps just another end user interface, the onus is on security professionals to apply the same processes of risk and threat analysis to identify and control those risks. This can be achieved through a combination of technical preventative solutions and non-technical user policies. One thing is certain: as technology becomes more integrated into everyday life, so too should security.

Simon Persin

Simon Persin is a senior manager at Turnkey Consulting. He has worked as an SAP Security and GRC consultant designing, reviewing and implementing SAP Security and compliance solutions for major blue chip clients. Prior to joining Turnkey, he gained operational experience at Centrica and developed consulting skills having worked with a number of blue chip clients during his time at Deloitte. Simon also has strong audit experience having reviewed SAP security and authorisations and controls for a number of clients.