SAP Mobile App Protection by Mocana
SMP Enterprise Grade Mobility – Webinar Series
Allan van Lelyveld / Rapid Innovation Group (RIG)
September, 2013
SAP Mobile Platform
Secure Mobile with Mocana
Brought to you by the SAP Mobile Rapid Innovation Group (RIG)
© 2013 SAP AG. All rights reserved. 2 Public
SAP Mobile Platform: Enterprise Grade Mobility
SCN pages and webinars bring you technical details on the Enterprise Readiness aspects of the SAP Mobile Platform (SMP).
• Webinars are held every week on Thursday until November. The schedule is published on SCN: http://scn.sap.com/docs/DOC-43425
• On-Topic Pages present links to White Papers, How-To Guides, Blogs and other resources: http://scn.sap.com/docs/DOC-43424
Get More Mobile at SAP TechEd Events
• Attend Education Breakout Sessions to learn about the latest Mobile Solutions from our Experts
• Visit Product Experts at the Mobile Tables on the Technology Showcase Floor
• Participate in the InnoJam Challenge to get hands-on experience with SAP Mobile Solutions
• Sign up for the ASUG Pre-Conference Seminar for Mobile: Deep Dive into SAP Mobile Platform
Register Today! http://www.sapteched.com
SAP Mobile Platform - Secure Mobile with Mocana
SMP Enterprise Grade Mobility – Webinar Series
Agenda
1. Introduction to SAP Mobile Secure and Mocana
2. Application Wrapping
3. Application Federations
4. Mocana Secure Browser
5. Architecture and Deployment
6. Frequently Asked Questions
7. Demonstration
EMM exists to make mobile successful
[Slide diagram labels: Enterprise Mobile Management System; Data; Application; Development; Analytics; SAP Mobile Security]
EMM components shown:
• Mobile Device Management
• Secure Container
• Mobile Content Management
• Mobile Application Management
• Enterprise Application Store
• Telecom Expense Management
• Systems Management
SAP Mobile App Protection by Mocana
• Meet Strict Regulations: protect corporate data and meet compliance & audit requirements in regulated industries with additional encryption requirements
• Accelerate App Adoption: no coding or security expertise required; eliminate security bottlenecks for operational app deployments at scale
• Add Flexibility: ensure security when managing the device isn’t ideal (such as BYOD) and when building B2B and B2C apps
[Slide logos: HTTP, FIPS, HIPAA]
SAP Mobile App Protection by Mocana helps organizations accelerate mobile initiatives by automating app security. MAP’s app-wrapping technology enables enterprises to quickly secure apps without having to write any code.
Mobile app security is a game changer
Mobile Device Management (device-level):
• Coarse-grain management, control, and security policies
• Typically requires a device client
• Ideal for corporate-managed devices
• Difficult to separate corporate data from personal data
• Bottom line: focus is on the device
Mobile App Management (application-level):
• Fine-grain management, control, and security policies
• No device client
• Ideal for corporate-managed, unmanaged, and BYOD devices
• Completely separates corporate data from personal data
• Bottom line: focus is on the app and its data
Where does mobile app security fit in the mobile app lifecycle?
[Slide diagram: lifecycle stages Design, Build, Test, Deliver, Secure, Stage, Deploy, Manage, Remove, with Mobile Enterprise Application Platform (MEAP), SAP MAP by Mocana, Mobile Application Management (MAM) and Mobile Device Management (MDM) placed along the stages]
Now with MAP…
• MAP automates what today requires manual coding
• Efficiency advantages are realized for ISVs and their customers
• MAP enables true BYOD by abstracting enterprise data security and management from the device
• MAP allows for true app lifecycle management at scale and volume
SAP Mobile App Protection by Mocana: Zero to secure in seconds
[Slide diagram: Mocana MAP Web Console & Server, operated by IT Admin / LoB, delivering to managed or unmanaged user devices]
1. Upload Enterprise App
2. “Point & Click” Policies
3. Distribute Wrapped App
Key Benefits (for Enterprise IT, Mobile App ISVs and Lines of Business)
• Protects corporate data, meets compliance & audit requirements
• Accelerates app adoption: no coding or security expertise required
• Standardizes security: single approach for iOS & Android apps
• Business enablement: eliminates security bottlenecks for operational app deployments at scale
• Does not compromise the user experience
• Enables focus on core business innovation, not security
• Increases enterprise adoption: no need for security customizations
SAP Mobile App Protection by Mocana: Unsecured App vs. MAP-Secured App
Communication
• Unsecured: no encryption; data transport in the clear; open device-wide VPN risk
• MAP-secured: IPsec VPN tunnel; pre-configured profiles; FIPS 140-2 end-to-end encryption; eliminates open device-wide VPN
Access
• Unsecured: no authentication; offline use; no central policy
• MAP-secured: PIN/passphrase; block offline use; central policy management
Data Protection
• Unsecured: unprotected local data; unlimited copy/paste; no expiration
• MAP-secured: FIPS 140-2 encrypted data; secure copy/paste; jailbreak detection
Usage
• Unsecured: native experience; anywhere; anytime; any duration
• MAP-secured: preserves native experience; geo-fence; time-based; controlled duration
Application Wrapping
Overview of Mocana Features
Security policies (application-level)
Data Loss Prevention (DLP)
• Data-at-Rest Encryption: protect data stored by a specific app using AES-XTS (256-bit) encryption, without having to encrypt the entire device; prevent malware and rogue apps from accessing data
• Secure Copy/Paste: prevent sensitive enterprise data leaking by prohibiting unauthorized copying and pasting from specific apps
• Secure File Sharing: secured attachment or file transfer between only secured, wrapped apps (Android only)
Secure Communications
• Data-in-Motion Encryption: app-specific VPN tunnel to prevent rogue apps and malware from accessing or performing reconnaissance on enterprise networks; seamless certificate-based authentication with enterprise VPN gateways; automatically re-establish the VPN tunnel when Internet connectivity changes, such as WiFi to 3G or LTE
• Smart Firewall: avoid man-in-the-middle (MITM) attacks by blocking potentially insecure traffic to the app; block all non-SSL TCP traffic and non-DNS UDP traffic; trust only specific servers by “pinning” their certificates to the app
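As an added example (not Mocana’s or SAP’s code), the following Python models how the three Smart Firewall rules above would be applied to outbound connections from a wrapped app; the hostname, certificate bytes and connection attempts are constructed sample data.

```python
"""Model of the Smart Firewall rules above (added example, not Mocana's or SAP's
code): block non-SSL TCP, block non-DNS UDP, and trust only servers whose
certificate SHA-256 fingerprint is pinned. All sample data is constructed."""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a DER-encoded server certificate (not a real cert).
PINNED_CERT_DER = {"mobile.corp.example": b"constructed-der-for-mobile.corp.example"}

def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes, hex-encoded, used as the pin value."""
    return hashlib.sha256(der).hexdigest()

# Pins are stored as fingerprints so the policy never needs the full certificate.
PINS = {host: fingerprint(der) for host, der in PINNED_CERT_DER.items()}

@dataclass
class Connection:
    proto: str                 # "tcp" or "udp"
    host: str
    port: int
    tls: bool = False          # True when the TCP stream is TLS-wrapped
    server_cert: bytes = b""   # certificate presented by the peer, if any

def evaluate(conn: Connection, pins: dict = PINS) -> tuple:
    """Return (allowed, reason) for one outbound connection attempt."""
    if conn.proto == "udp":
        return (conn.port == 53, "udp: dns only")          # non-DNS UDP is blocked
    if conn.proto != "tcp":
        return (False, "unknown protocol")
    if not conn.tls:
        return (False, "tcp: plaintext blocked")            # non-SSL TCP is blocked
    if conn.host not in pins:
        return (False, "tls: host not pinned")              # only pinned servers are trusted
    if fingerprint(conn.server_cert) != pins[conn.host]:
        # A different certificate than the pinned one, e.g. an interposed proxy.
        return (False, "tls: certificate pin mismatch")
    return (True, "tls: pinned certificate verified")

if __name__ == "__main__":
    sample = [  # constructed connection attempts from a wrapped app
        Connection("tcp", "mobile.corp.example", 443, True, PINNED_CERT_DER["mobile.corp.example"]),
        Connection("tcp", "mobile.corp.example", 443, True, b"constructed-der-of-interposed-proxy"),
        Connection("tcp", "mobile.corp.example", 80),
        Connection("udp", "10.0.0.2", 53),
        Connection("udp", "10.0.0.2", 5353),
    ]
    for c in sample:
        print(c.proto, c.host, c.port, *evaluate(c))
```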
Security policies (app-level), continued
Contextual Usage
• Jail-Broken Device Detection: disable a specific app when the device is compromised by jailbreaking or rooting
• User Agreement: customizable user agreement screen presented to the user at admin-configurable periods
• Expiration Date: set an expiration date on an app to create a time-limited access window for employees or contractors
• Location Masking: enable advanced geo-location privacy and security by obfuscating GPS location data embedded in app data
• Geo-Fencing: restrict app usage and availability within a specific geographic perimeter; prevent data leakage and help meet compliance requirements, such as PCI and HIPAA
Access and Authentication
• User Authentication: authenticate the user prior to granting access to a specific app
• Passcode Recovery: secure app passcode recovery on app lockout due to failed authentication attempts
• Data Wipe: wipe the data of an app based on triggering conditions such as too many failed authentication attempts
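The contextual-usage and access policies above, as an added Python example that is not part of the original deck: a launch-time check that applies jailbreak detection, the expiration date, the geo-fence and the data-wipe trigger to a constructed device context. The policy values, the coordinates, the order in which the gates are checked and the haversine-distance perimeter check are all assumptions made for illustration.

```python
"""Launch-time evaluation of the contextual-usage and access policies listed
above (added example, not Mocana's or SAP's code). Policy values, device
context, geofence centre and the haversine perimeter check are assumptions."""
from dataclasses import dataclass
from datetime import date
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

@dataclass
class Policy:                       # values an admin would set in the console
    expires_on: date
    fence_lat: float
    fence_lon: float
    fence_radius_km: float
    max_failed_logins: int

@dataclass
class DeviceContext:                # what the wrapped app observes at launch
    today: date
    jailbroken: bool
    location_enabled: bool
    lat: float = 0.0
    lon: float = 0.0
    failed_logins: int = 0

def launch_decision(policy: Policy, ctx: DeviceContext) -> str:
    """Return "wipe", "deny:<reason>" or "allow" (gate order is an assumption)."""
    if ctx.failed_logins >= policy.max_failed_logins:
        return "wipe"                                   # Data Wipe trigger
    if ctx.jailbroken:
        return "deny:jailbroken"                        # Jail-Broken Device Detection
    if ctx.today > policy.expires_on:
        return "deny:expired"                           # Expiration Date
    if not ctx.location_enabled:
        return "deny:location-services-off"             # fence cannot be checked
    dist = haversine_km(ctx.lat, ctx.lon, policy.fence_lat, policy.fence_lon)
    if dist > policy.fence_radius_km:
        return "deny:outside-geofence"                  # Geo-Fencing
    return "allow"

# Constructed policy: a contractor app fenced 5 km around a fictitious site.
POLICY = Policy(date(2013, 12, 31), 49.2933, 8.6431, 5.0, 5)

if __name__ == "__main__":
    ctx = DeviceContext(date(2013, 10, 1), False, True, 49.30, 8.65)
    print(launch_decision(POLICY, ctx))
```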
Technology Comparison
[Slide table: each technology is rated against three criteria, No App Source Code Development, Does Not Modify User Experience, and No Device Management Dependence; the ratings are shown as icons]
• SAP MAP App Wrapping: security policies inserted into a post-production app
• Virtual Machines: installation of a secondary OS on the device; apps run within this VM
• Simple Containers: security-enforced apps custom built for the container (by the container vendor)
• Integrated SDKs: app modified with an API to add security at development time
MAP – User Acceptance of Usage Policy
• End User Agreement
• Periodic Prompt
• Fully Configurable
MAP – Self-Defending Apps
Application Federations
App Federations
• Multiple applications grouped together in an application federation
• Data can be exchanged between apps in an app federation
• Each app federation is marked with a specific overlay icon so a mobile user can easily identify which federation an app belongs to
• Applications in a federation share wrapping policies:
  • Shared Copy/Paste
  • Shared Login Credentials
  • Shared Timeout
  • Failed Login Attempt Count
• App-level VPN applies to the application federation (apps are wrapped with their own TCP/IP stack and IPsec module, and their own secure tunnels)
[Slide icons: Unprotected App; Protected App; Protected App with custom icon]
Mocana Secure Enterprise Browser
Secure Enterprise Browser Overview
• Secure Enterprise Browser (iOS and Android)
• Provides network Single Sign-On (SSO) for web apps
• Secure Enterprise Browser is wrapped with the Per App VPN (PAVE) policy
• Browser can also be configured for a variety of SSO methods, including:
  • HTTP Auth (Digest, Basic, and NTLM)
  • HTML Forms
• Browser functionality may also be configured:
  • Restricting printing
  • Restricting email
  • Removal of history
  • Removal of search bar
• Admins can apply the desired security policies, SSO, and configure the browser through the MAP Console
Architecture and Deployment
Deployment Options: Standalone deployment model
[Slide diagram: MAP Wrapping Service and Policy Console operated by an IT Admin; Enterprise App in, Wrapped Apps (Executive, Employee, Customer) out; App Catalog or 3rd-Party Corporate App Store; Active Directory; 3rd-Party MDM; target devices Executive A (Android Phone), Employee B (Android Tablet), Customer C (Apple iPhone)]
1. Upload the binary app file (.apk or .ipa) to the MAP server via the browser-based admin console.
2. Select the new security policies to add to the app.
3. MAP creates new secured versions of the app.
4. Manually import the new app into the MDM’s or MAM’s enterprise app store.
5. Assign different policy-packaged versions of the new app to the appropriate user group, according to corporate security policies.
6. Provision apps to users as usual using the MDM’s or MAM’s enterprise app store capabilities.
No matter where they land, MAP-secured apps stay protected.
Deployment Options: MDM integration model
[Slide diagram: MAP Wrapping Service and Policy Console operated by an IT Admin; Enterprise App in, Wrapped Apps (Executive, Employee, Customer) out; App Catalog or 3rd-Party Corporate App Store; Active Directory; 3rd-Party MDM; target device Employee B (Android Tablet)]
1. Upload the binary app file (.apk or .ipa) to the MDM’s app store and select the security policies to apply.
2. The MDM automatically transfers the app to MAP, along with the IT admin’s requests for specific policy wrappings.
3. MAP creates new instances of the app, each with its own security features.
4. MAP returns the secured apps to the MDM app store.
5. In the MDM, the IT admin assigns the newly secured app versions to various end users per their corporate directory service profiles and privilege levels.
6. MAP-secured apps are provisioned to users as usual.
7. No matter where they land, MAP-secured apps stay protected.
Enabling SSL reverse proxy on VPN gateway
[Slide diagram: Wrapped App, TLS Connection, VPN Gateway (Juniper SSL VPN) acting as SSL Reverse Proxy, App Servers on LAN 1]
• Smart Firewall, Certificate Pinning: ensures the app does not communicate with any other server; the app would be unable to send contact data to unknown servers
• DAR Encryption: protect locally stored data from other apps and hackers
• Jailbreak Detection: disable the usage of the app if the device is rooted
• Secure Copy/Paste: prevent leakage of data to insecure apps such as the device IM
Enabling per-app VPN on VPN gateway
[Slide diagram: Wrapped App, TLS Connection inside a Per App VPN Tunnel, VPN Gateway (Juniper SSL VPN), TLS Connection, App Servers on LAN 1]
• Smart Firewall, Certificate Pinning: ensures the app does not communicate with any other server; the app would be unable to send contact data to unknown servers
• DAR Encryption: protect locally stored data from other apps and hackers
• Secure Copy/Paste: prevent leakage of data to insecure apps such as the device IM
• Jailbreak Detection: disable the usage of the app if the device is rooted
• Per App VPN: establish an encrypted VPN tunnel between the app and the gateway
Mocana MAP Network Topology
[Slide diagram: network topology]
Installation Requirements
• MAP installation involves two main components: the MAP server and the iOS app-signing server
  • MAP server runs in a Linux-based virtual machine
  • iOS app-signing server runs on a Mac computer
MAP Server (Linux VM) Requirements
• Supported Virtualization Hypervisors:
  • VMware ESX or ESXi
  • VMware Player 4.0
  • VirtualBox 4.1.4 or later
iOS App-Signing Server Requirements
• Mac mini or similar Mac computer
• OS X Lion Server (10.7.3)
• Java 1.6.0_29
• Xcode 4.3.1 or higher
• iOS Enterprise Developer Program (developer.apple.com)
Frequently Asked Questions
Frequently Asked Questions
• Are there any limitations with MAP? What type of apps can MAP wrap?
  • In general, there are no limitations to the types of apps that MAP can wrap. MAP can wrap any native app, HTML5 apps, and hybrid apps as long as the app is in the form of a .ipa or .apk binary
  • The only known limitation is around Adobe AIR. Currently, MAP does not wrap apps that leverage Adobe AIR as their development platform
• Can I wrap or secure apps from Apple’s iTunes App Store or the B2B App Store?
  • Simply put, no. MAP is intended for use with enterprise mobile apps, not commercially available mobile apps
• What do I need to wrap iOS apps?
  • Unsigned .ipa (compiled app) & your own Apple Enterprise Developer Certificate and Signing Server
Frequently Asked Questions
• Do you support multiple users accessing the same wrapped app? Can you specify multiple sets of credentials?
  • No, only one set of credentials is supported
• What happens if the user disables the GPS or location-based services?
  • The wrapped app will recognise this and fail to launch
• Does MAP support dynamic or “on the fly” policy changes to deployed apps?
  • No, policy changes would require a re-wrap and redeploy of the app
• Does MAP support SSL VPNs?
  • No. MAP focuses on providing standards-based security with IPsec and SSL Reverse Proxy. SSL VPN implementations are typically custom to the VPN gateway vendor and are not currently supported by MAP
Thank you
© 2013 SAP AG. All rights
reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP AG.
The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software
vendors.
National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without
representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP Group products and services are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and
notices.