
MOB103

SAP Runs SAP – How SAP securely runs its mobile apps infrastructure
Tobias Weber – HANA Enterprise Cloud / IT Security & Risk Office
SAP TechEd 2013
Disclaimer

This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 2


Abstract

SAP runs about 40,000 iOS, 16,000 BlackBerry and 5,000 Android devices with more than 50
business apps, of which 30 apps are enabled via SAP Mobile Platform.

This session will share experiences from the Global IT Security and operations team including e.g.
connectivity from the internet, used infrastructure, software upgrades and IT processes and device
management using Afaria. Additionally, the session will demonstrate how SAP’s own internal security
departments enabled “Bring your own device (BYOD)” for corporate usage, balancing security vs.
business requirements.



Agenda

• Mobile status of SAP
• Mobile application platform setup and operations
• Mobile device security at SAP
• Bring your own device (BYOD)



Mobile status of SAP
Mobility status of SAP IT

• 15,300+ Phones
• 24,000+ iPhones, 22,000+ iPads, 130+ iPods
• Samsung Galaxy SII + III + Note, Samsung Galaxy Tab 10.1 (4800+ devices)
• Nokia Lumia, Samsung Ativ and Microsoft Surface in evaluation
• BYOD: 5,000 private (bring your own) devices
Different application types at SAP

Productivity: Your everyday business helpers. Connect, check, approve – on the go!
Collaborative: Team up like never before. Go social, cross borders and distances.
Analytics: Always in sync, always able to decide: Facts you need. Where you need.
Foundation: Got a new device? These are must-haves to fully enjoy SAP Mobility.
Line of Business: Serve your customers best with the best internal business solutions.



History

• Mobile apps only worked in the SAP corporate network, via VPN using Web Services or using BlackBerry Enterprise Server.
• SAP IT globally deployed the first productive mobile application using Sybase Mobile Platform (SUP) and SAP NetWeaver Gateway for Supplier Relationship Management.
• First native mobile app to do daily business activities via mobile devices over the Internet.



Risk based approach for mobile devices and scenarios

• Security involves everyone & everything
• Security has four dimensions: People / Processes / Technology / Organization
• Design/Strategy
• Business decisions are about taking risks
• Goal: Find the right balance
• Roll-out mobile devices and scenarios on a large base at SAP and cover security gaps via risk acceptance
Mobile application platform
setup and operations
Statistics on our scenarios and platform

• Current platform setup is live since end of 2011
• More than 50 mobile apps are currently productively at SAP
• More than 30 apps built on top of Sybase Unwired Platform and NetWeaver Gateway
• More than 10 SAP business systems are connected
• Currently mostly native apps are used
• Implementation of HTML5 applications (UI5) is growing



Architecture for mobile application scenarios

ON DEVICE: Mobile device, managed with Afaria
    | Internet/3G/LTE, HTTPS
DMZ: Sybase Relay Server
    | HTTPS
DMZ: Sybase Unwired Platform 2.2
    | HTTPS
Separated Network Segment: SAP NetWeaver Gateway 2.0
    | RFC (encrypted)
Secure Zone: SAP Business Systems (Back-End Systems) powered by SAP NetWeaver

Everything below the device tier is ON PREMISE.



Mobile application scenarios – mandatory requirements

• End-to-end encryption of communication from Mobile Device to Back-End
• User authentication on every system
• Tailored user authorizations
• URL Filter on every system

Diagram: Mobile Device -HTTPS-> Sybase Relay Server -HTTPS-> Sybase Unwired Platform 2.2 -HTTPS-> SAP NetWeaver Gateway 2.0 -RFC (encrypted)-> SAP Business Systems powered by SAP NetWeaver
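As an added illustration (not code from the deck or from SAP), the following check shows what "URL filter on every system" and "user authentication on every system" mean in practice: each hop (Relay Server, Unwired Platform, Gateway, back-end) decides for itself, after normalizing the path it would actually forward. The host and the service name ZSRM_APPROVAL_SRV are constructed.

```python
from urllib.parse import urlsplit, unquote
import posixpath

# Constructed allowlist: the only OData service roots this hop forwards.
# ZSRM_APPROVAL_SRV is a hypothetical service name, not one from the deck.
ALLOWED_PREFIXES = ("/sap/opu/odata/sap/ZSRM_APPROVAL_SRV/",)


def normalize_path(raw_path: str) -> str:
    """Fully percent-decode, then collapse '.', '..' and duplicate slashes,
    so the filter judges the path the downstream system would actually see."""
    decoded = raw_path
    for _ in range(3):                    # bounded: stop once decoding is stable
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    normalized = posixpath.normpath(decoded)
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def check_request(url: str, authenticated: bool) -> tuple:
    """Return (allowed, reason) for one hop. Each hop runs its own check and
    never assumes the previous hop already authenticated or filtered."""
    if not authenticated:
        return False, "no credentials presented at this hop"
    path = normalize_path(urlsplit(url).path)
    if "\x00" in path or not path.startswith("/"):
        return False, "malformed path"
    if any(path.startswith(prefix) for prefix in ALLOWED_PREFIXES):
        return True, "path within allowlisted service root"
    return False, "path outside allowlisted service roots"
```

Without the decode-then-normalize step, a dot-segment or double-encoded path that textually starts with the allowed prefix would pass the filter here and be resolved to a different target one hop later.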



Operational model at SAP IT

• Development of new apps and enhancements
• Infrastructure team in charge of installations, upgrades and technical configuration
• Certain new developments, development governance
• Operations and maintenance of existing apps
• Overall technical coordinator



Used infrastructure, upgrades and platform versions compatibility

• 5-tier landscape is used
• NetWeaver Gateway System is separated
• Regular patching cycles in place
• Application components of all involved systems need to be in sync
• The general lifecycle of connected business systems has to be considered
• Dependencies before upgrades need to be clearly analyzed

Diagram: Mobile Device -HTTPS-> Sybase Relay Server -HTTPS-> Sybase Unwired Platform 2.2 -HTTPS-> SAP NetWeaver Gateway 2.0 -RFC (encrypted)-> SAP Business Systems powered by SAP NetWeaver



End to end support for mobile apps

We use “feedback shake” for some apps, capturing:
• Screenshot
• Environment
• Logs of various layers

End user training options:
• Links to accessible web pages
• Put simple step by step procedures in pictures included in app package
• Contact options in case of problems

Incidents can have many root causes:
• Platform outages: software, hardware and network
• Device problems and network issues
• Application specific issues related to the back-end



Mobile device security at SAP
Overview of security measures

• Device OS Security
• Mobile Scenario Security
• Awareness
• Mobile Device Management



Minimum security requirements for mobile devices 1/2

Data encryption of all SAP data on the device
• Device hardware based encryption is used for storage of the data
• Transmission of data needs to be done encrypted

Enforcement of mandatory device policies, e.g.
• Remote wipe has to be supported
• Passcode requirement enforcement
• Passcode length, complexity and timeout (10 minutes)
• Passcode failed attempt enforcement (wipe)

Support for Mobile Device Management by SAP Sybase Afaria
• Reporting, tracking, deployment and management
• Must be fully supported by SAP Sybase Afaria



Minimum security requirements for mobile devices 2/2

OS level support for secure access to SAP Infrastructure and secure OS
• ActiveSync or BES Support including policy enforcement for all required policies
• Custom Certificate support for Wi-Fi and portal access and other services
• VPN access including 2-factor authentication

Device OS Manageability
• Timely security updates
• Secure back up
• Secure restore

App Store/Marketplace compliance (based on platform)

Compliance with all required regulatory and data protection requirements



Mobile device management with Afaria at SAP IT

As consumer focused mobile platforms like Apple iOS don’t offer integrated management, an enterprise mobile device management solution is required to fill the gap.
SAP uses Afaria to:

• SETUP: one-stop enrollment automatically installs emails and VPN configurations, security policies, default root certificates, and internal links.
• MANAGE: update settings and certificates without user impact, and optimize support with troubleshooting and hardware inventory.
• SECURE: enforce company security policies (e.g. password encryption…), remote actions (e.g. lock, wipe, remove password…), jailbreak detection, identify outdated OS versions.
• DELIVER Apps: offer company internal apps and links to official Apps in App Store.



Security measures for mobile application scenarios

• Mandatory security concept is required for every new mobile technology
• Security assessments for critical scenarios
• Code Scans for own developed apps
• Apps in SAP’s Internal App Gallery have to follow an aligned governance process
• Work closely together with SAP / Sybase product development teams during implementation
• Work with Mobile device and Mobile Operating system vendors to ensure that security requirements are addressed and to plan future security enhancements
Mobile security trainings offered to employees

Not everything in regards to device security can be controlled via IT tools.
Employee Security Awareness needs to be strengthened.
SAP is therefore offering Mobile Security Trainings to all employees where the following aspects are covered:

• Why mobile and endpoint security is important to protect SAP?
• The assets which have to be protected
• Why we need mobile security?
• Attack Scenarios and other bad things that can happen
• How to protect SAP?
• Security status of different mobile devices



Bring your own device (BYOD) at SAP
SAP runs SAP – BYOD global perspective

Over 5,000 devices deployed worldwide: Germany, Korea, Canada, Japan, USA, Hong Kong, China, India, Taiwan, Venezuela, Philippines, African Region, Thailand, Indonesia, Brazil, Malaysia, Australia, Singapore, Argentina, New Zealand



Overview of security measures

• Device OS Security
• Mobile Scenario Security
• Awareness
• Mobile Device Management
• BYOD Security



Security requirements for BYOD at SAP

• To ensure security and protection of SAP intellectual property, employees are required to enroll their device with Afaria and to install the Afaria Client on their mobile device.
• All devices supported by SAP for corporate use are eligible for connection as long as they have the recommended minimum OS version installed.
• Devices that are seen as a security risk due to lack of updates or other reasons will be denied access to the corporate network.
• The use of personally-owned devices is restricted to specific countries, with country-specific regulations for certain countries.
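An added example (not SAP's or Afaria's code) that turns the minimum device requirements listed earlier and the BYOD access rule above into one compliance check: any unmet requirement leads to denial. The DeviceRecord shape, the minimum OS versions and the passcode length are constructed; only the 10-minute passcode timeout comes from the slides.

```python
from dataclasses import dataclass
# Constructed policy values; only the 10-minute passcode timeout is from the deck.
MIN_OS_VERSION = {"ios": (7, 0), "android": (4, 3)}
MAX_PASSCODE_TIMEOUT_MIN = 10
MIN_PASSCODE_LENGTH = 6

@dataclass
class DeviceRecord:
    platform: str
    os_version: str
    mdm_enrolled: bool
    hw_encryption: bool
    remote_wipe_supported: bool
    jailbroken: bool
    passcode_enforced: bool
    passcode_length: int
    passcode_complex: bool
    passcode_timeout_min: int
    wipe_on_failed_attempts: bool

def evaluate(dev: DeviceRecord) -> list:
    """Return every unmet requirement; an empty list means compliant."""
    failures = []
    if not dev.mdm_enrolled:
        failures.append("not enrolled in MDM (Afaria client missing)")
    if dev.jailbroken:
        failures.append("jailbreak detected")
    min_v = MIN_OS_VERSION.get(dev.platform)
    if min_v is None:
        failures.append(f"platform '{dev.platform}' not supported for corporate use")
    # '7.0.4' -> (7, 0, 4); tuple comparison copes with differing lengths
    elif tuple(int(p) for p in dev.os_version.split(".") if p.isdigit()) < min_v:
        failures.append(f"OS {dev.os_version} below recommended minimum")
    if not dev.hw_encryption:
        failures.append("hardware-based storage encryption not active")
    if not dev.remote_wipe_supported:
        failures.append("remote wipe not supported")
    if not dev.passcode_enforced:
        failures.append("passcode not enforced")
    else:
        if dev.passcode_length < MIN_PASSCODE_LENGTH or not dev.passcode_complex:
            failures.append("passcode length/complexity below policy")
        if dev.passcode_timeout_min > MAX_PASSCODE_TIMEOUT_MIN:
            failures.append("passcode timeout longer than 10 minutes")
        if not dev.wipe_on_failed_attempts:
            failures.append("no wipe after failed passcode attempts")
    return failures

def access_decision(dev: DeviceRecord) -> str:
    return "deny" if evaluate(dev) else "allow"   # deny on any unmet requirement
```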



Feedback
Please complete your session evaluation for MOB103.

Tobias Weber, SAP HANA Enterprise Cloud – IT Security & Risk Office
tobias.weber@sap.com

Thanks for attending this SAP TechEd session.


Further Information

SAP Public Web

SCN Security Community
http://scn.sap.com/community/security

SCN Security Forum
http://scn.sap.com/community/security/content

SCN Mobile Community
http://scn.sap.com/community/mobile

Watch SAP TechEd Online
www.sapteched.com/online



SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online
Continue your SAP TechEd education after the event!

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com/

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions, and more!
• View content only available online
http://sapteched.com/online



© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and
SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth
in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and
other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
