Securing Mobile Apps in a BYOD World

SAP Thought Leadership Paper
Mobile App Security

Securing Mobile Apps in a BYOD World
Protecting Apps Makes You More Responsive to Demands for Enterprise Mobility

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

Upload: sap-solution-extensions

Post on 20-Aug-2015




Table of Contents

The Mobile App Tsunami

The Power of Self-Defending Apps


We have recently witnessed a major disruption in corporate computing, driven by the adoption of new mobile operating systems and bring-your-own-device (BYOD) environments. As enterprise IT organizations struggle to support new mobile strategies, they must comply with government regulations and internal security policies. With over 80% of North American enterprises supporting e-mail, calendar, and contact information on mobile devices, it has become clear that the devices can boost productivity and competitive advantage.[1]

1. Mocana Corporation report.


The Mobile App Tsunami

The next wave of exploiting the power of mobile devices involves the apps that run on them. As with sales-force automation and other technologies of the past, today’s business units and front-office divisions are leading the effort to maximize customer relationships and business results. For them, the answer is mobile apps. Enterprises will see a rising tsunami in the development of in-house apps that promise to achieve these goals. Increasingly, enterprise IT organizations will be under pressure to build mobile apps or sanction off-the-shelf, third-party apps that meet the requirements of enterprise employees and business units.

According to Lopez Research, a leading enterprise-mobility research organization, firms will need security that can span multiple devices and heterogeneous IT systems. IT departments will need comprehensive mobile security solutions that provide protection for the devices and their data and for data transmitted via the corporate network and externally. As device usage continues to grow and apps proliferate, IT leaders will need enterprise-mobility management solutions that meet these requirements and evolve to address future demand.

“2012 was the year that many companies decided to support BYOD. In 2013 over 44% of the companies Lopez Research interviewed in Q1/2013 were building or planned to build mobile apps over the next 12 months,” says Maribel Lopez, Principal Analyst, Lopez Research LLC.

BREAKING THE BOTTLENECK OF MOBILE APP DEPLOYMENT

For most organizations, a scarcity of resources for mobile app development and the lack of mobile and general security expertise can prevent an adequate IT response to this challenge. Certifying that mobile apps meet baseline security requirements is both time-consuming and expensive. The problem is compounded for third-party mobile apps – for which source code can be impossible to acquire and the level of built-in security is difficult to discern.

Mobile security solutions must help break the bottleneck of mobile app deployment and help IT organizations scale to meet the mobile app challenges that their organizations’ business leaders will place on them. The solutions must be auditable and reliably repeatable in creating a security baseline for the many apps that they will need to deploy for employees, contractors, and customers.


A CASE FOR THE APP AS THE NEW END POINT

IT organizations typically have responsibility for mobile device management and the security related to those devices. Usually, this involves a device-centric approach that, while effective in controlling access to corporate resources from managed devices, often does not go deep enough to protect data for both managed and unmanaged devices. It also does not offer security both outside and inside the corporate firewall or protect devices that belong to nonemployees, such as partners or customers. IT governance and management of devices within the enterprise, while important, is not enough. IT departments must also be able to manage the apps and information that reside on the devices.

As fragmentation of mobile operating systems continues, mobile apps are becoming the new security end point. The next challenge in mobile security is making apps self-defending by adding the type of end-point security that was formerly reserved for personal computers. Why not empower the mobile app with the ability to prevent data leaks and enable data-at-rest encryption? Why not protect data in motion from the app, rather than the device? Given that all sensitive data reaches a mobile device via a mobile app, making the app the basis of a security architecture provides a compelling common denominator across mobile platforms – from which IT organizations can attack today’s mobile security issues.


The Power of Self-Defending Apps

Enterprise apps should be wrapped after development, so there is no code to write. IT administrators should be able to point and click to add new security features to any app and load the binary file of the app (.apk for Android and .ipa for Apple iOS) into a mobile-app protection server. There should be no need to access the original source code, no need for a software development kit (SDK), and no need for a separate agent on the device.

The self-defending app could then be made available through any app catalog or private app store that the enterprise chooses. The solution should be totally transparent to end users, with no need for separate client-side software or agents. Some alternative technologies restrict end users to a tiny selection of unfamiliar apps or confine their apps in “walled” environments or virtual machines. But the ideal solution would protect corporate data without compromising the user experience. Newly secured apps would work as users expect.

The ideal mobile-security solution would offer a general-purpose platform that helps enterprises create self-defending apps in a unified way across iOS and Android devices. It would wrap security and usage policies around individual mobile apps and allow the enterprise to add multiple layers of protection to any app that needs more security. Such a solution would address the highest levels of security – including encryption certified under the Federal Information Processing Standard (FIPS) 140-2 and the Suite B algorithms of the National Security Agency – to protect both app data at rest and app data in motion.

BEST-IN-CLASS SECURITY FOR MOBILE APPS

The ideal solution would also help enterprises implement other security policies. For example, an enterprise could prevent copying and pasting information from any app, which is essential for preventing the loss of enterprise data. It could establish an app-specific, virtual-private-network (VPN) connection with its own security settings to create a private, encrypted, and authenticated tunnel back to a specific enterprise resource – either in the cloud or at the data center.


The solution’s policy-wrapping engine should also support a flexible assortment of policies for individual apps and provide for the addition of future policies. An IT administrator should be able to select which policies make the most sense for a specific app and user and have the solution automatically wrap those policies into the app. An enterprise could thus have multiple versions of the same app wrapped with different policies for each type of user.

THE SAP® MOBILE APP PROTECTION SOLUTION BY MOCANA

The SAP® Mobile App Protection solution by Mocana provides such support – along with many security and usage policy features that protect sensitive data from malware and other malicious apps.

Features for App-Level Data Loss Prevention

With SAP Mobile App Protection, you can:

• Encrypt data at rest stored by a specific app, without encrypting the entire device

• Prevent malware and rogue apps from accessing data

• Prevent sensitive enterprise data leakage by prohibiting unauthorized copying and pasting from specific apps

• Help ensure transfer of attachments, or file transfer, between secured, wrapped apps (Android only)

App-Level VPN for Data-in-Motion Encryption

You can also use SAP Mobile App Protection to:

• Prevent rogue apps and malware from accessing or performing reconnaissance on enterprise networks

• Gain insight into the performance and usage of an app and detect suspicious usage patterns

• Leverage telemetric logging of usage metrics, login attempts, and data usage

• Use certificate-based authentication with enterprise VPN gateways for straightforward sign-on abilities

• Enable tight security and usage policies

App-Level Access Control

In addition, SAP Mobile App Protection makes it possible to:

• Authenticate users before granting access to specific apps

• Recover app passwords on app lockout due to failed authentication attempts

• Discard and disallow retrieval of data in response to failed authentication attempts


App-Level Usage Control

Other features help you:

• Disable a specific app when the device is compromised by jailbreaking or rooting

• Customize the user agreement screen to set the frequency with which user agreements have to be signed or re-signed

• Set an expiration date on an app to create time-limited access for employees or contractors

Secure Mobile Browser

A secure, built-in Web browser, specifically developed for use within the extended enterprise, enables organizations to:

• Securely send sensitive intranet data, Web apps, and portals to virtually any iOS or Android mobile device

• Eliminate the need to build custom, secure mobile apps to tie in to various back-end systems and databases

SUMMARY

With SAP Mobile App Protection, you can implement robust security features in your existing apps without hiring security experts or writing new code. Unlike other app-security approaches that force enterprises to make suboptimal compromises, SAP Mobile App Protection solves your security requirements in the most flexible and least intrusive way. Use it to help your organization:

• Eliminate barriers to massive and rapidly scaling mobile app deployments

• Apply enterprise-grade app security in a timely manner to meet specific business objectives

• Preserve the end-user experience on both iOS and Android mobile devices

• Create self-defending apps in a matter of seconds, without source code or SDK integration

• Eliminate enrollment and management of personal devices in BYOD environments

• Integrate with existing mobile device management or enterprise app stores

LEARN MORE

For additional information about SAP Mobile App Protection, contact your SAP representative or visit us online at www.sap.com/mobile-app-protection.

CMP26003 (13/08) © 2013 SAP AG or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.