SAP White Paper
Enterprise Mobility

Protect Your Enterprise by Securing All Entry and Exit Points
How Enterprise Mobility Management Addresses Modern-Day Security Challenges
Table of Contents

Points of Vulnerability
Maintain Security amid Device Proliferation
Defend at the App Level for Better End-Point Security
Lock Down Content for Risk-Free Enterprise Mobility
Secure Communication with Networks and Services
Speed Mobile Initiatives with Secure Enterprise Mobility Management
Along with new opportunities for transformation, enterprise mobility presents businesses with new concerns about security. It's critical for a modern-day enterprise to understand the changing dynamics of mobile technology and what it can do to meet the needs of a mobile workforce while protecting its data. Find out how organizations can gain the freedom to be mobile and still meet their security requirements by getting insight into, and control of, potential points of vulnerability.
Points of Vulnerability

Enterprises understand how network security works: defend the perimeter, protect the end points, monitor the network, and keep viruses off the hard drive. But the next chapter in the book on securing the enterprise, mobile security, is still being written.

Even though it's young, mobile security has a history, and it's riddled with change. Initially, e-mail was the premier app, and business workers were addicted to their BlackBerry devices. Today, people have dozens of apps and all types of content they manage on Android, iOS, and Windows phones and tablets. And accompanying the bring-your-own-device (BYOD) surge are mobile devices that can be personally or corporately owned.

The mobile user is a different demographic too. While those in executive management and sales roles were at the mobile forefront, sophisticated, savvy mobile users can now be found in every business group and at all levels of responsibility. Everyone is eager to adopt new mobile apps and technologies in real time.

The changing dynamics of mobile technology make securing the enterprise especially challenging. Users, devices, apps, content, and networks are always in flux. But instead of limiting users to mobile access through corporate-sanctioned devices or apps, enterprises need to embrace a flexible, adaptable mobile strategy that offers users the freedom they want. A mobile strategy that addresses security in the enterprise from end to end provides the control that organizations need, balanced with the scalability and flexibility required to support a changing business landscape.

A holistic look at the modern enterprise reveals four entry and exit points that open every organization to risk: devices, apps, content, and communications. Each of these points needs to be locked down to ensure comprehensive, enterprise-wide security.

Security starts with mobile device management that enables IT to centrally set and enforce device security and compliance policies.
Maintain Security amid Device Proliferation

As pointed out in a summary from the Pew Internet & American Life Project, more than 91% of U.S. adults have a mobile phone, and most have more than one. [1] A 2012 report from iPass Inc. reveals that the average mobile worker, for example, carries 3.5 mobile devices. [2] These Android, Apple, and Windows smartphones and tablets move into and out of enterprises all day long.

Manage and Secure Devices with MDM

Securing mobile devices starts with mobile device management (MDM). With MDM, IT manages and secures mobile devices by preconfiguring a range of settings and enforcing security and compliance policies. Centralized device management gives IT access to rich analytics and reporting that can help the team better understand security threats and how to respond to them quickly and proactively.

Lost or stolen devices pose multiple types of security threats to the enterprise. There's no way to prevent tablets and smartphones from getting into the wrong person's hands, but you can safeguard the data stored on the device. For example, remote wipe functionalities allow administrators to instantaneously erase any business data stored on a mobile device. Password protection is another safeguard that prevents unauthorized users from accessing business data stored on mobile devices. A password locks down apps and keeps out intruders.

Additional security measures including over-the-air software distribution, Wi-Fi and virtual private network (VPN) settings, and certificate management are best managed at the device level. IT can safely distribute new mobile apps and update existing apps on each mobile device, stopping rogue apps and viruses from causing enterprise mayhem. Managing Wi-Fi settings, VPN settings, and certificates at the device level protects enterprises by ensuring that only authorized devices have access to corporate networks and specific apps.

Security Insights with MDM Reporting

Based on information from asset management, auditing, and compliance monitoring, MDM reports act as a source of unique insight that can help IT keep the enterprise safe from risk. Reports can help IT understand how hardware and software are distributed throughout the enterprise, so the team can respond quickly to known security threats or viruses. Visible, organized device, app, and user information also helps IT to keep track of devices during employee transitions and turnover, mergers, and acquisitions.

Flexibility in MDM Deployment

Organizations can opt for on-premise or cloud-based MDM. While both options provide robust security and give the IT team flexibility, MDM in the cloud offers a cost-effective alternative for IT departments with small staffs or limited resources. IT can secure the organization without committing internal resources to supporting and managing the growing mobile device and app population.

FOOTNOTES
1. Pew Internet & American Life Project, June 2013, http://pewinternet.org/commentary/2012/february/pew-internet-mobile.aspx.
2. iPass Inc., Understanding Mobility Trends and Mobile Usage Among Business Users, The iPass Global Mobile Workforce Report, March 2012, http://www.wballiance.com/wba/wp-content/uploads/downloads/2012/07/ipass_mobileworkforcereport_q1_2012.pdf.
Defend at the App Level for Better End-Point Security

The number of mobile apps available on corporate stores hosted by Apple, Google, SAP, and others is staggering and increasing daily. Most of today's apps are developed for the consumer, but the quantity and quality of both in-house and third-party enterprise apps is showing a fast and steady climb. These business apps enhance productivity, improve efficiencies, and deliver better business results.

Fast, Reliable Security Through App Wrapping

Because certifying, testing, encrypting, and sandboxing apps require significant time and resources, enterprises need a fast, reliable method for securing the mobile apps they develop internally or purchase from third parties. App wrapping has proved itself to be a ready, dependable method for securing the apps. App wrapping separates app security from the app development process and provides fine-grained usage and security policies in mobile apps.

Companies with strict security requirements and those in highly regulated industries such as financial services, healthcare, retail, and government are realizing the advantages of app wrapping. App wrapping secures mobile apps easily and simply, enabling a company to speed mobile initiatives while complying with industry standards. A security strategy that includes app wrapping also adds flexibility in BYOD environments, and it speeds the development process for companies building business-to-business and business-to-consumer apps.

How App Wrapping Works

App wrapping considers applications as end points. It empowers the apps to be self-defending with the type of end-point defenses that were formerly reserved for PC end points. The apps have granular, app-level security including data encryption, authentication, and VPN functionalities in a matter of seconds.

An app-specific VPN tunnel prevents rogue apps and malware from accessing enterprise networks, and both data at rest and data in motion are encrypted to keep confidential information private. Any app data accessed is protected, preventing intentional and unintentional data leakage. IT can add strict controls around where, how, and by whom data is accessed. Geofencing is a good example of controlling access to certain apps with an application-level policy. For example, access to medical records apps can be restricted to doctors working strictly within the confines of the hospital.

Secure Distribution for Wrapped Apps

Once apps are secured, enterprises can make them available through an internal app store or distribute them via MDM. Corporate app stores, while similar to the familiar Apple and Google stores, allow employees or the extended ecosystem of contractors, partners, or distributors to safely download business apps. This is possible because security policies are applied before the apps are downloaded to the devices. An app store also helps IT with central procurement, license reconciliation, application discovery, and updates that ensure consistency across the enterprise.
Lock Down Content for Risk-Free Enterprise Mobility

Every day, employees move business files onto their mobile devices so they can work at home, on the road, or at client sites. The mobile workforce is a reality. In fact, a 2012 study by SkyDox revealed that 80% of employees say they need to access work documents (Microsoft Word documents, spreadsheets, PDFs, videos, presentations, and more) from outside the office. [3]

But employees often use insecure, consumer-based file transfer tools, e-mail, or iTunes to access their files. These options are easy but unsafe. Confidential information is often exposed to the public on insecure servers. This includes business data, such as financial insider information or product road maps that can potentially be used to harm companies. Enterprises need a safe, reliable platform for moving and tracking content on mobile devices.

Security Through Mobile Content Management

An enterprise-ready mobile content management (MCM) platform provides security through authentication controls, password locks, remote wipe, certification, encryption, usage reports, and rights-controlled sharing. Employees can sync files easily between desktop, laptop, tablet, and smartphone, so they can work remotely or share files with customers, coworkers, and partners.

To speed deployment, enterprises should consider implementing an MCM platform that integrates easily with existing content management systems, such as Microsoft SharePoint. Integration with lightweight directory access protocol (LDAP) and Microsoft Active Directory helps ensure that the MCM platform works well with other business-critical infrastructures and allows consistent security policies across users, groups, and the enterprise.

As enterprise collaboration becomes increasingly important, the MCM platform can make file sharing seamless and safe. Group management features support reliable file sharing, and policy enforcement prevents files from being shared with nonauthorized users. Users can limit access to confidential documents by preventing them from being printed or e-mailed. Users can also set an expiration date to prevent old, out-of-date data from staying in circulation.

An enterprise-ready mobile content management platform helps ensure the security of valuable content employees move daily across mobile devices.

FOOTNOTE
3. SkyDox, Workforce Mobilization: What Your IT Department Should Know, 2012, http://www.skydox.com/workforce-mobilization-what-your-it-department-should-know.
Secure Communication with Networks and Services

Mobile communications depend on the enterprise's wireless network and mobile carriers' networks. Any added controls an enterprise can put into place will make it more secure. By understanding mobile usage and adding usage policies that prevent international service fees, enterprises can also safeguard budgets and better manage costs.

Employees, partners, customers, and guests log in to the wireless network throughout the day. To maintain security, enterprises can prevent rogue devices from joining the network or accessing e-mail by controlling the wireless connections at the device level. They can also manage the certificates needed to connect to the network.

Enterprises need to lock down four vulnerable entry and exit points that open them to security risks: devices, apps, content, and communication.
Speed Mobile Initiatives with Secure Enterprise Mobility Management

Enterprises are relying on point solutions to address mobile security, but that's not enough to fully protect an organization. Point solutions merely patch a gap, leaving holes that leak business data or let in hackers, rogues, and viruses. Enterprises need a broad, end-to-end approach that secures the organization at four vulnerable mobile points: devices, apps, content, and communications.

Often, IT has little insight into the types of devices on the network, the apps loaded on those devices, the content accessed, or communication activity. It's a mystery that can quickly turn dangerous if left unsolved.

When IT controls the vulnerable points and has insight into the devices, apps, content, and communication activity, organizations gain the freedom to be mobile and still meet their security requirements. Enterprise mobility management casts such a wide, powerful net that enterprises may soon boast mobile security that outperforms their LAN and WAN security.

Best Practices for Enterprise Mobile Security

- Plan for end-to-end security rather than point solutions
- Defend the enterprise at all entry and exit points: devices, apps, content, and communications
- Provide IT with the control it needs and users with the mobile access they want
- Rely on flexible security solutions that support on-premise, cloud, and hybrid solutions
- Be prepared for mobile initiatives to expand by choosing scalable solutions that support additional apps, back-end systems, users, and mobile devices
Enterprise Mobility Management Security Features

Devices
- Remote wipe
- Password enforcement
- Over-the-air software distribution
- Wi-Fi settings and virtual private network (VPN) settings
- Certificate management
- Asset management
- Auditing and compliance monitoring

Apps
- Granular app-level security including per-app VPN
- Federal Information Processing Standard, or FIPS, publication 140-2 compliance
- Encryption of data at rest and data in motion
- Application discovery and private app store
- Secure software updates for applications

Content
- File access, file sharing, file sync, and time-sensitive file distribution
- Password lock, remote wipe, encryption, data loss prevention, and certifications
- Lightweight directory access protocol (LDAP) and Microsoft Active Directory integration, group management, and policy enforcement

Communications
- Billing cost management
- Wi-Fi connectivity management
- Mobile VPN security
- Systems management
- Network access management

Learn more

For information about enterprise mobility management and security, call your SAP sales representative or visit us on the Web at www.sap.com/mobile/emm.
Defend the enterprise at all entry and exit points: devices, apps, content, and communications.

CMP26927 (13/08)
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.