SAP Mobile App Protection by Mocana


Transcript of SAP Mobile App Protection by Mocana

Page 1: SAP Mobile App Protection by Mocana

SMP Enterprise Grade Mobility – Webinar Series

Allan van Lelyveld / Rapid Innovation Group (RIG)

September, 2013

SAP Mobile Platform

Secure Mobile with Mocana

Brought to you by the SAP Mobile Rapid Innovation Group (RIG)

Page 2: SAP Mobile App Protection by Mocana

© 2013 SAP AG. All rights reserved. 2 Public

SAP Mobile Platform: Enterprise Grade Mobility

SCN pages and webinars bring to you technical details on Enterprise Readiness aspects of the SAP Mobile Platform (SMP).

• Webinars are held every Thursday until November. The schedule is published on SCN: http://scn.sap.com/docs/DOC-43425

• OnTopicPages present links to White Papers, How-To Guides, Blogs and other resources: http://scn.sap.com/docs/DOC-43424

Page 3: SAP Mobile App Protection by Mocana


Get More Mobile at SAP TechEd Events

• Attend Education Breakout Sessions to learn about the latest Mobile Solutions from our Experts

• Visit Product Experts at the Mobile Tables on the Technology Showcase Floor

• Participate in the InnoJam Challenge to get Hands-On Experience with SAP Mobile Solutions

• Sign Up for the ASUG Pre-Conference Seminar for Mobile: Deep Dive into SAP Mobile Platform

Register Today! http://www.sapteched.com

Page 4: SAP Mobile App Protection by Mocana

SAP Mobile Platform – Secure Mobile with Mocana

SMP Enterprise Grade Mobility – Webinar Series

Page 5: SAP Mobile App Protection by Mocana


Agenda

1. Introduction to SAP Mobile Secure and Mocana

2. Application Wrapping

3. Application Federations

4. Mocana Secure Browser

5. Architecture and Deployment

6. Frequently Asked Questions

7. Demonstration

Page 6: SAP Mobile App Protection by Mocana


EMM exists to make mobile successful

[Diagram: Enterprise Mobile Management System] Components: Mobile Device Management, Secure Email Container, Mobile Content Management, Mobile Application Management, Enterprise Application Store, Telecom Expense Management, Systems Management. Other labels on the diagram: Data, Application Development, Analytics, SAP Mobile Security.

Page 7: SAP Mobile App Protection by Mocana


Meet Strict Regulations: Protect corporate data, meet compliance & audit requirements in regulated industries with additional encryption requirements

Accelerate App Adoption: No coding or security expertise required. Eliminate security bottlenecks for operational app deployments at scale

Add Flexibility: Ensure security when managing the device isn’t ideal (such as BYOD) and when building B2B and B2C apps

SAP Mobile App Protection by Mocana (icon labels: HTTP, FIPS, HIPAA)

SAP Mobile App Protection by Mocana helps organizations accelerate mobile initiatives by automating app security. MAP’s app-wrapping technology enables enterprises to quickly secure apps without having to write any code.

Page 8: SAP Mobile App Protection by Mocana


Mobile app security is a game changer

Mobile Device Management (Device-level)

• Coarse-grain management, control, and security policies

• Typically requires a device client

• Ideal for corporate-managed devices

• Difficult to separate corporate data from personal data

• Bottom line: Focus is on the device

Mobile App Management (Application-level)

• Fine-grain management, control, and security policies

• No device client

• Ideal for corporate-managed, unmanaged, and BYOD devices

• Completely separates corporate data from personal data

• Bottom line: Focus is on the app and its data

Page 9: SAP Mobile App Protection by Mocana


Where does mobile app security fit in the mobile app lifecycle?

[Diagram] Lifecycle stages: Design, Build, Test, Deliver, Secure, Stage, Deploy, Manage, Remove. Tooling shown across the stages: Mobile Enterprise Application Platform (MEAP), SAP MAP by Mocana, Mobile Application Management (MAM), Mobile Device Management (MDM).

Now with MAP…

• MAP automates what today requires manual coding

• Efficiency advantages are realized for ISVs and their customers

• MAP enables true BYOD by abstracting enterprise data security and management from the device

• MAP allows for true app lifecycle management at scale and volume

Page 10: SAP Mobile App Protection by Mocana


SAP Mobile App Protection by Mocana: Zero to secure in seconds

[Diagram] Mocana MAP Web Console & Server, operated by IT Admin / LoB:

1. Upload Enterprise App

2. “Point & Click” Policies

3. Distribute Wrapped App to Managed or Unmanaged User Devices

Page 11: SAP Mobile App Protection by Mocana


Key Benefits

Audiences numbered on the slide: 1 Enterprise IT, 2 Mobile App ISV, 3 Lines of Business

• Protects corporate data, meets compliance & audit requirements

• Accelerates app adoption: No coding or security expertise required

• Standardizes security: Single approach for iOS & Android apps

• Business enablement: Eliminates security bottlenecks for operational app deployments at scale

• Does not compromise the user experience

• Enables focus on core business innovation, not security

• Increases enterprise adoption: No need for security customizations

Page 12: SAP Mobile App Protection by Mocana


Unsecured App vs. MAP-Secured App (SAP Mobile App Protection by Mocana)

Communication

  Unsecured App: No encryption; data transport in the clear; open device-wide VPN risk

  MAP-Secured App: IPsec VPN tunnel; pre-configured profiles; FIPS 140-2 end-to-end encryption; eliminates open device-wide VPN

Access

  Unsecured App: No authentication; offline use; no central policy

  MAP-Secured App: PIN/passphrase; block offline use; central policy management

Data Protection

  Unsecured App: Unprotected local data; unlimited copy/paste; no expiration

  MAP-Secured App: FIPS 140-2 encrypted data; secure copy/paste; jailbreak detection

Usage

  Unsecured App: Native experience; anywhere; anytime; any duration

  MAP-Secured App: Preserves native experience; geo-fence; time-based; controlled duration

Page 13: SAP Mobile App Protection by Mocana

Application Wrapping

Page 14: SAP Mobile App Protection by Mocana


Overview of Mocana Features

Page 15: SAP Mobile App Protection by Mocana


Security policies (Application-Level)

Security and Usage Policies – Description and Benefits

Data Loss Prevention (DLP)

• Data-at-Rest Encryption: Protect data stored by a specific app using AES-XTS (256-bit) encryption, without having to encrypt the entire device. Prevent malware and rogue apps from accessing data.

• Secure Copy/Paste: Prevent sensitive enterprise data leaking by prohibiting unauthorized copying and pasting from specific apps.

• Secure File Sharing: Secured attachment or file transfer between only secured, wrapped apps (Android only).

Secure Communications

• Data-in-Motion Encryption: App-specific VPN tunnel to prevent rogue apps and malware from accessing or performing reconnaissance on enterprise networks. Seamless certificate-based authentication with enterprise VPN gateways. Automatically re-establish the VPN tunnel when Internet connectivity changes, such as WiFi to 3G or LTE.

• Smart Firewall: Avoid man-in-the-middle (MITM) attacks by blocking potentially insecure traffic to the app. Block all non-SSL TCP traffic and non-DNS UDP traffic. Trust only specific servers by “pinning” their certificates to the app.
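The Smart Firewall rules above are easy to state but worth seeing as decision logic. The following is an added example written for this page, not Mocana's or SAP's code: a plain-Python model of the three rules (block non-TLS TCP, block non-DNS UDP, trust only pinned certificates) that a wrapper would apply to each outbound connection. The host names, the pretend certificate bytes and the pin table are constructed sample data.

```python
"""Added example (not Mocana's or SAP's code): a plain-Python model of the
Smart Firewall and certificate-pinning rules listed on this slide, so the
decision logic can be read and exercised offline.

Rules modelled, as stated on the slide:
  * block all non-SSL/TLS TCP traffic
  * block all non-DNS UDP traffic
  * trust only servers whose certificate is "pinned" to the app
Certificate bytes, host names and the pin table below are constructed
sample data, not values from the product.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Connection:
    """One outbound connection attempt as seen by the wrapper."""
    proto: str                             # "tcp" or "udp"
    host: str
    port: int
    is_tls: bool = False                   # TCP only: did a TLS handshake complete?
    peer_cert_der: Optional[bytes] = None  # leaf certificate the server presented


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (a common pin format)."""
    return hashlib.sha256(der).hexdigest()


def evaluate(conn: Connection, pins: Dict[str, Set[str]]) -> str:
    """Return 'allow' or 'block: <reason>' for a single connection attempt.

    `pins` maps a host name to the set of certificate fingerprints the app
    trusts for it. Any host without an entry is untrusted by default.
    """
    if conn.proto == "udp":
        # Only DNS (UDP/53) is permitted; every other UDP flow is dropped.
        return "allow" if conn.port == 53 else "block: non-DNS UDP"
    if conn.proto == "tcp":
        if not conn.is_tls:
            return "block: non-TLS TCP"
        allowed = pins.get(conn.host)
        if allowed is None:
            return "block: host has no pinned certificate"
        if conn.peer_cert_der is None:
            return "block: no server certificate presented"
        if cert_fingerprint(conn.peer_cert_der) not in allowed:
            return "block: server certificate does not match pin"
        return "allow"
    return "block: unsupported protocol"


# Constructed sample data: pretend DER bytes for the enterprise server and for
# a server presenting a different certificate under the same name (what a
# pin is meant to catch, even if that certificate is CA-signed).
ENTERPRISE_CERT = b"constructed DER bytes: CN=app.example.internal"
OTHER_CERT = b"constructed DER bytes: CN=app.example.internal (other key)"

PINS: Dict[str, Set[str]] = {
    "app.example.internal": {cert_fingerprint(ENTERPRISE_CERT)},
}

SAMPLE_CONNECTIONS: List[Connection] = [
    Connection("udp", "10.0.0.53", 53),                                      # DNS lookup
    Connection("udp", "10.0.0.9", 5353),                                     # mDNS, not DNS
    Connection("tcp", "app.example.internal", 80),                           # plain HTTP
    Connection("tcp", "app.example.internal", 443, True, ENTERPRISE_CERT),   # pinned TLS
    Connection("tcp", "app.example.internal", 443, True, OTHER_CERT),        # wrong certificate
    Connection("tcp", "analytics.example.com", 443, True, ENTERPRISE_CERT),  # unpinned host
]


def run_samples() -> List[str]:
    """Evaluate every sample connection, in order."""
    return [evaluate(c, PINS) for c in SAMPLE_CONNECTIONS]


if __name__ == "__main__":
    for conn, verdict in zip(SAMPLE_CONNECTIONS, run_samples()):
        print(f"{conn.proto} {conn.host}:{conn.port:<5} {verdict}")
```

Note the default-deny shape: a TLS connection to a host that simply has no pin entry is blocked, which is what the slide's "trust only specific servers" implies and is the behaviour that stops an app from reaching unexpected servers even over properly encrypted connections.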

Page 16: SAP Mobile App Protection by Mocana


Security policies (App-Level)

Security and Usage Policies – Description and Benefits

Contextual Usage

• Jail-Broken Device Detection: Disable a specific app when the device is compromised by jailbreaking or rooting.

• User Agreement: Customizable user agreement screen presentable to the user at admin-configurable periods.

• Expiration Date: Set an expiration date on an app to create a time-limited access window for employees or contractors.

• Location Masking: Enable advanced geo-location privacy and security by obfuscating GPS location data embedded in app data.

• Geo-Fencing: Restrict app usage and availability within a specific geographic perimeter. Prevent data leakage and help meet compliance requirements, such as PCI and HIPAA.

Access and Authentication

• User Authentication: Authenticate the user prior to granting access to a specific app.

• Passcode Recovery: Secure app passcode recovery on app lockout due to failed authentication attempts.

• Data Wipe: Wipe the data of an app based on triggering conditions such as too many failed authentication attempts.
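To make the contextual-usage and access policies concrete, here is an added example (not Mocana's or SAP's code) that evaluates a launch attempt against an expiration date, a geo-fence, jailbreak detection and a failed-authentication wipe threshold. It also handles the case the FAQ later in this deck describes, a device with location services disabled, by refusing to launch. The policy field names, the coordinates, the dates and the device states are all constructed for the example; the order in which the checks run is a design choice of the example, not something the slide specifies.

```python
"""Added example (not Mocana's or SAP's code): a plain-Python evaluator for
the contextual-usage and access policies in the table above, plus the
behaviour the deck's FAQ gives for disabled location services (the wrapped
app fails to launch). Policy values, coordinates and device states are
constructed; the field names are assumptions of this example.
"""
import math
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple

LatLon = Tuple[float, float]  # (latitude, longitude) in degrees


@dataclass(frozen=True)
class AppPolicy:
    """Policies an admin would select for one app (assumed field names)."""
    expires_on: Optional[date] = None          # Expiration Date policy
    geofence_center: Optional[LatLon] = None   # Geo-Fencing policy
    geofence_radius_m: float = 0.0
    block_if_jailbroken: bool = True           # Jail-Broken Device Detection
    max_failed_auth: int = 5                   # Data Wipe trigger threshold


@dataclass(frozen=True)
class DeviceContext:
    """What the wrapper can observe at launch time."""
    today: date
    jailbroken: bool
    location: Optional[LatLon]                 # None when location services are off
    failed_auth_attempts: int


def haversine_m(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in metres between two (lat, lon) points."""
    r = 6_371_000.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def launch_decision(policy: AppPolicy, ctx: DeviceContext) -> str:
    """Decide what the wrapper does at launch: 'allow', 'deny: ...' or 'wipe: ...'.

    The wipe trigger is checked first because it protects data regardless of
    any other condition; then the device-integrity, time and location gates.
    """
    if ctx.failed_auth_attempts >= policy.max_failed_auth:
        return "wipe: too many failed authentication attempts"
    if policy.block_if_jailbroken and ctx.jailbroken:
        return "deny: device is jailbroken or rooted"
    if policy.expires_on is not None and ctx.today > policy.expires_on:
        return "deny: app access window has expired"
    if policy.geofence_center is not None:
        if ctx.location is None:
            # FAQ behaviour: no location data means the app does not launch.
            return "deny: location services disabled"
        if haversine_m(ctx.location, policy.geofence_center) > policy.geofence_radius_m:
            return "deny: outside geo-fence"
    return "allow"


# Constructed sample: a contractor app valid until the end of September 2013,
# usable only within 500 m of a made-up office location.
FENCE_CENTER: LatLon = (37.7749, -122.4194)
CONTRACTOR_POLICY = AppPolicy(
    expires_on=date(2013, 9, 30),
    geofence_center=FENCE_CENTER,
    geofence_radius_m=500.0,
    max_failed_auth=5,
)

OFFICE: LatLon = (37.7760, -122.4194)          # about 120 m north of the centre
ACROSS_THE_BAY: LatLon = (37.8044, -122.2712)  # roughly 13 km away


def sample_decisions() -> Dict[str, str]:
    """Run the policy over a few constructed device states."""
    cases = {
        "in office": DeviceContext(date(2013, 9, 15), False, OFFICE, 0),
        "outside fence": DeviceContext(date(2013, 9, 15), False, ACROSS_THE_BAY, 0),
        "gps off": DeviceContext(date(2013, 9, 15), False, None, 0),
        "after expiry": DeviceContext(date(2013, 10, 1), False, OFFICE, 0),
        "rooted": DeviceContext(date(2013, 9, 15), True, OFFICE, 0),
        "lockout": DeviceContext(date(2013, 9, 15), False, OFFICE, 5),
    }
    return {name: launch_decision(CONTRACTOR_POLICY, ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, verdict in sample_decisions().items():
        print(f"{name:14} {verdict}")
```

The only non-obvious piece is the geo-fence distance: a plain Euclidean difference of degrees is wrong because a degree of longitude shrinks with latitude, so the example uses the haversine formula, which is accurate enough for fence radii of hundreds of metres to tens of kilometres.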

Page 17: SAP Mobile App Protection by Mocana


Technology Comparison

Criteria compared on the slide: No App Source Code Development; Does Not Modify User Experience; No Device Management Dependence

Technology – Description

• SAP MAP App Wrapping: Security policies inserted into post-production app

• Virtual Machines: Installation of secondary OS on device – apps run within this VM

• Simple Containers: Security-enforced apps custom built for container (by container vendor)

• Integrated SDKs: App modified with API to add security at development time

Page 18: SAP Mobile App Protection by Mocana


MAP – User Acceptance of Usage Policy

• End User Agreement

• Periodic Prompt

• Fully Configurable

Page 19: SAP Mobile App Protection by Mocana


MAP – Self-Defending Apps

Page 20: SAP Mobile App Protection by Mocana

Application Federations

Page 21: SAP Mobile App Protection by Mocana


App Federations

• Multiple applications grouped together in an application federation

• Data can be exchanged between apps in an app federation

• Each app federation is marked with a specific overlay icon so a mobile user can easily identify which federation an app belongs to

• Applications in a federation share wrapping policies:

  • Shared Copy/Paste

  • Shared Login Credentials

  • Shared Timeout

  • Failed Login Attempt Count

• Application federation app-level VPN applies (wrapped with their own TCP/IP stack and IPsec module, own secure tunnels)

[Diagram] Unprotected App – Protected App – Protected App with custom icon
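A federation is effectively a trust boundary on the device: data moves freely inside it and not across it, and the login state, inactivity timeout and failed-login counter are shared by all members. The following added example (not Mocana's or SAP's code) models those four shared policies in plain Python. The app names, the timeout and the attempt limit are constructed, and the rule that clipboard content from an unwrapped app may be pasted anywhere is an assumption of the example, since the slide only says what wrapped apps may share.

```python
"""Added example (not Mocana's or SAP's code): a small model of the
application-federation rules listed above. Data may move between apps only
inside one federation, and the login state, inactivity timeout and
failed-login counter are shared by every member. App names, the timeout and
the attempt limit are constructed values.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass
class Federation:
    name: str
    members: Set[str]
    timeout_s: float = 600.0           # shared inactivity timeout
    max_failed_logins: int = 5         # shared failed-login attempt count
    # Shared runtime state for the whole federation:
    last_activity: Optional[float] = None   # None means locked
    failed_logins: int = 0


class WrappedDevice:
    """Tracks which wrapped app belongs to which federation on one device."""

    def __init__(self, federations: Iterable[Federation]):
        self._by_app: Dict[str, Federation] = {}
        for fed in federations:
            for app in fed.members:
                if app in self._by_app:
                    raise ValueError(f"{app} cannot belong to two federations")
                self._by_app[app] = fed

    def federation_of(self, app: str) -> Optional[Federation]:
        return self._by_app.get(app)

    def can_paste(self, src: str, dst: str) -> bool:
        """Shared copy/paste: content copied inside a wrapped app may only be
        pasted into a member of the same federation. Content copied from an
        unwrapped app carries no enterprise data and is unrestricted
        (an assumption of this example)."""
        src_fed = self.federation_of(src)
        if src_fed is None:
            return True
        return self.federation_of(dst) is src_fed

    def login(self, app: str, password_ok: bool, now: float) -> str:
        """Shared credentials: one successful login unlocks every member, and
        failed attempts in any member count against the shared limit."""
        fed = self._require(app)
        if fed.failed_logins >= fed.max_failed_logins:
            return "locked out"
        if password_ok:
            fed.failed_logins = 0
            fed.last_activity = now
            return "unlocked"
        fed.failed_logins += 1
        return "locked out" if fed.failed_logins >= fed.max_failed_logins else "denied"

    def is_unlocked(self, app: str, now: float) -> bool:
        """Shared timeout: activity in any member keeps the whole federation open."""
        fed = self._require(app)
        if fed.last_activity is None or now - fed.last_activity > fed.timeout_s:
            fed.last_activity = None
            return False
        fed.last_activity = now   # touching any member refreshes the timer
        return True

    def _require(self, app: str) -> Federation:
        fed = self.federation_of(app)
        if fed is None:
            raise KeyError(f"{app} is not a wrapped app")
        return fed


def build_sample_device() -> WrappedDevice:
    """Constructed setup: two federations; anything else is an unwrapped app."""
    finance = Federation("finance", {"Expenses", "Invoices"}, timeout_s=300.0, max_failed_logins=3)
    field_ops = Federation("field-ops", {"WorkOrders"})
    return WrappedDevice([finance, field_ops])


def walkthrough() -> Dict[str, object]:
    """Exercise the rules in sequence and return the observations."""
    dev = build_sample_device()
    t0 = 1_000.0   # seconds on a monotonic clock, constructed
    out: Dict[str, object] = {}
    out["paste Expenses->Invoices"] = dev.can_paste("Expenses", "Invoices")      # same federation
    out["paste Expenses->WorkOrders"] = dev.can_paste("Expenses", "WorkOrders")  # other federation
    out["paste Expenses->PersonalIM"] = dev.can_paste("Expenses", "PersonalIM")  # unwrapped app
    out["paste PersonalIM->Expenses"] = dev.can_paste("PersonalIM", "Expenses")
    out["two wrong passwords"] = [dev.login("Expenses", False, t0), dev.login("Invoices", False, t0 + 1)]
    out["right password"] = dev.login("Expenses", True, t0 + 2)
    out["Invoices open right after"] = dev.is_unlocked("Invoices", t0 + 3)
    out["Invoices open after 299 s"] = dev.is_unlocked("Invoices", t0 + 3 + 299)
    out["Expenses after 301 s idle"] = dev.is_unlocked("Expenses", t0 + 3 + 299 + 301)
    out["three wrong passwords"] = [dev.login("Invoices", False, t0 + 700) for _ in range(3)]
    return out


if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name:28} {result}")
```

The walkthrough shows why sharing the failed-login counter matters: the two wrong passwords entered in Expenses and the third in Invoices add up to one lockout, so an attacker cannot reset the count by switching to a sibling app.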

Page 22: SAP Mobile App Protection by Mocana

Mocana Secure Enterprise Browser

Page 23: SAP Mobile App Protection by Mocana


Secure Enterprise Browser Overview

• Secure Enterprise Browser (iOS and Android)

• Provides network Single Sign-On (SSO) for web apps

• Secure Enterprise Browser is wrapped with the Per App VPN (PAVE) policy

• Browser can also be configured for a variety of SSO methods, including:

  • HTTP Auth (Digest, Basic, and NTLM)

  • HTML Forms

• Browser functionality may also be configured:

  • Restricting printing

  • Restricting email

  • Removal of history

  • Removal of search bar

• Admins can apply the desired security policies, SSO, and configure the browser through the MAP Console

Page 24: SAP Mobile App Protection by Mocana

Architecture and Deployment

Page 25: SAP Mobile App Protection by Mocana


Deployment Options: Standalone deployment model

[Diagram] The MAP Wrapping Service and Policy Console (IT Admin) takes the Enterprise App and produces Wrapped Apps (Executive, Employee, Customer); these are distributed through the App Catalog or 3rd-Party Corporate App Store and a 3rd-Party MDM, backed by Active Directory, to Executive A (Android Phone), Employee B (Android Tablet) and Customer C (Apple iPhone).

1. Upload the binary app file (.apk or .ipa) to the MAP server via the browser-based admin console.

2. Select the new security policies to add to the app.

3. MAP creates new secured versions of the app.

4. Manually import the new app into the MDM’s or MAM’s enterprise app store.

5. Assign different policy-packaged versions of the new app to the appropriate user group, according to corporate security policies.

6. Provision apps to users as usual using the MDM’s or MAM’s enterprise app store capabilities.

No matter where they land, MAP-secured apps stay protected.

Page 26: SAP Mobile App Protection by Mocana


Deployment Options: MDM integration model

[Diagram] MAP Wrapping Service and Policy Console (IT Admin), Enterprise App, Wrapped Apps (Executive, Employee, Customer), App Catalog or 3rd-Party Corporate App Store, 3rd-Party MDM, Active Directory, Employee B (Android Tablet).

1. Upload the binary app file (.apk or .ipa) to the MDM’s app store and select the security policies to apply.

2. The MDM automatically transfers the app to MAP, along with the IT admin’s requests for specific policy wrappings.

3. MAP creates new instances of the app, each with its own security features.

4. MAP returns the secured apps to the MDM app store.

5. In the MDM, the IT admin assigns the newly secured app versions to various end users per their corporate directory service profiles and privilege levels.

6. MAP-secured apps are provisioned to users as usual.

7. No matter where they land, MAP-secured apps stay protected.

Page 27: SAP Mobile App Protection by Mocana


Enabling SSL reverse proxy on VPN gateway

[Diagram] Wrapped App –(TLS Connection)→ VPN Gateway (Juniper SSL VPN) acting as SSL Reverse Proxy → App Servers on LAN 1

Policies applied to the wrapped app:

• Smart Firewall: Certificate Pinning – Ensures the app does not communicate with any other server. The app would be unable to send contact data to unknown servers.

• DAR Encryption – Protect locally stored data from other apps and hackers.

• Jailbreak Detection – Disable the usage of the app if the device is rooted.

• Secure Copy/Paste – Prevent leakage of data to insecure apps such as the device IM.

Page 28: SAP Mobile App Protection by Mocana


Enabling per-app VPN on VPN gateway

[Diagram] Wrapped App –(TLS Connection inside a Per App VPN Tunnel)→ VPN Gateway (Juniper SSL VPN) –(TLS Connection)→ App Servers on LAN 1

Policies applied to the wrapped app:

• Smart Firewall: Certificate Pinning – Ensures the app does not communicate with any other server. The app would be unable to send contact data to unknown servers.

• DAR Encryption – Protect locally stored data from other apps and hackers.

• Secure Copy/Paste – Prevent leakage of data to insecure apps such as the device IM.

• Jailbreak Detection – Disable the usage of the app if the device is rooted.

• Per App VPN – Establish an encrypted VPN tunnel between the app and the gateway.

Page 29: SAP Mobile App Protection by Mocana


Mocana MAP Network Topology

[Diagram: network topology]

Page 30: SAP Mobile App Protection by Mocana


Installation Requirements

• MAP installation involves two main components: the MAP server and the iOS app-signing server

  • MAP server runs in a Linux-based virtual machine

  • iOS app-signing server runs on a Mac computer

MAP Server (Linux VM) Requirements

• Supported Virtualization Hypervisors:

  • VMware ESX or ESXi

  • VMware Player 4.0

  • VirtualBox 4.1.4 or later

iOS App-Signing Server Requirements

• Mac mini or similar Mac computer

• OS X Lion Server (10.7.3)

• Java 1.6.0_29

• Xcode 4.3.1 or higher

• iOS Enterprise Developer Program (developer.apple.com)

Page 31: SAP Mobile App Protection by Mocana

Frequently Asked Questions

Page 32: SAP Mobile App Protection by Mocana


Frequently Asked Questions

• Are there any limitations with MAP? What type of apps can MAP wrap?

  • In general, there are no limitations to the types of apps that MAP can wrap. MAP can wrap any native app, HTML5 app, or hybrid app as long as the app is in the form of an .ipa or .apk binary.

  • The only known limitation is around Adobe AIR. Currently, MAP does not wrap apps that leveraged Adobe AIR as their development platform.

• Can I wrap or secure apps from Apple’s iTunes App Store or the B2B App Store?

  • Simply put, no. MAP is intended for use with Enterprise mobile apps, not commercially available mobile apps.

• What do I need to wrap iOS apps?

  • An unsigned .ipa (compiled app) & your own Apple Enterprise Developer Certificate and Signing Server.

Page 33: SAP Mobile App Protection by Mocana


Frequently Asked Questions

• Do you support multiple users accessing the same wrapped app? Can you specify multiple sets of credentials?

  • No, only one set of credentials is supported.

• What happens if the user disables the GPS or location-based services?

  • The wrapped app will recognise this and fail to launch.

• Does MAP support dynamic or “on the fly” policy changes to deployed apps?

  • No, the policy changes would require a re-wrap and redeploy of the app.

• Does MAP support SSL VPNs?

  • No. MAP focuses on providing standards-based security with IPsec and SSL Reverse Proxy. SSL VPN implementations are typically custom to the VPN gateway vendor and are not currently supported by MAP.

Page 34: SAP Mobile App Protection by Mocana

Thank you

Page 35: SAP Mobile App Protection by Mocana


© 2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 36: SAP Mobile App Protection by Mocana


© 2013 SAP AG. All rights reserved.

Distribution and reproduction of this publication or parts thereof, for whatever purpose and in whatever form, are not permitted without the express written consent of SAP AG. Information contained in this publication may be changed without prior notice.

Some of the software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Products may have country-specific differences.

The present materials are provided by SAP AG and its group companies („SAP-Konzern“) and serve informational purposes only. SAP Group assumes no liability or warranty whatsoever for errors or omissions in this publication. SAP Group is liable for products and services only to the extent expressly set out in the agreement governing the respective products and services. None of the information contained herein is to be interpreted as an additional warranty.

SAP and other SAP products and services mentioned in this document as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and various other countries worldwide. Further notices and information on trademark law can be found at http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark.