Securing your Business Critical Applications

The Line between Mobility, Productivity and Data Privacy: SAP MDM (Afaria), Making Sense of It All

As mobility (smartphones and tablets) continues to gain recognition as the de facto productivity tool for the new-generation workforce, and with adoption of mobile devices and mobile apps projected to keep growing exponentially (around 80%, at a cost of "free" to the user), it is only natural to expect mobile devices to become the Achilles' heel of our cyber security program.

Whilst mobile devices have made doing business far easier from a productivity perspective, they have also significantly increased the likelihood of a security or data-confidentiality breach, owing to vulnerabilities in the build and/or design of the apps running on them. "Free" apps pose the largest threat so far: most of them are funded by ad networks, and their ad components are constantly communicating with your device. But think it through: nothing is really free. The sooner we accept that a "free" app means the user of the app has been the product all along, the better it is for us all.


"The biggest risk to you and your company's privacy is your smartphone."


One might expect paid mobile solutions and mobile platforms to be free of vulnerabilities, but alas, this is far from correct. SAP's mobility solution (MDM/Afaria) ranks as a leader in the Gartner Magic Quadrant, and with SAP's "mobile first" strategy and over 130 million SAP mobile users globally, there is no doubt that SAP Mobility is here to stay as a validated Mobile Application Development Platform (MADP), especially in SAP-run environments. Whilst it does not belong to the "free" category, like any other solution it is clearly not free of vulnerabilities. This means that users of SAP MDM may be exposed to one or two, if not numerous, exploits, and to stay safe the necessary precautions must be taken: for example, making sure that the platform does not leave room for unnecessary external interactions with the user's device.

To step briefly away from enterprise mobile platforms, while staying on the cyber-security risks connected to mobile, the video below gives deep insight into what could go wrong, or go right, within your organization.

Between 2014 and 2015 alone, over 36 zero-day vulnerabilities in SAP mobility products were found by security researchers and reported to SAP. For organizations that have not applied the corresponding patches, the attack surface keeps growing on a steep disadvantage curve. Whilst I do not want to come across as a conspiracy theorist (especially to the blissfully unaware who may read this article), we must realize that there is in fact ongoing independent research into building productivity apps whose real intent is to serve as a social-engineering pipe for hacking into business-critical applications such as SAP and Oracle.

It is very important to picture the connection here. As in the case of "free" apps, insofar as the downloaded app can access private or corporate data such as photos or emails, that same data is also accessible to the ad network that supports the app. By extension, when attackers succeed in penetrating the ad network's security defenses (now a regular occurrence in our new world), they also gain access to the data on your device, and can go further and take control of your entire network through the trust relationships the MDM grants to the mobile device. Now imagine the attack being targeted at a senior executive's mobile device, as happens in an advanced persistent threat!

This month, at the Hacker Halted conference on September 17, researchers in SAP mobility security will discuss and demonstrate a major hack titled "One SMS to hack a company" (Cut the Crap, Show me the Hack: SAP Afaria). The underlying vulnerability in SAP's mobility platform, Afaria, was recently patched by SAP, yet statistics reveal that many organizations remain exposed nonetheless.

In conclusion: beyond securing communication channels and putting BYOD policies in place, organizations need to go a step further, think like the hackers, and begin to deploy tools that can help them detect cyber-security gaps in their SAP or Oracle landscape. Whilst we may not always be able to read all the terms and conditions of every app, we can at least reduce our attack surface by implementing validated vulnerability assessment tools to help us find flaws in the configuration or build of the SAP Mobile and Oracle platforms in our enterprise.

Kindly note that whilst this article contains references to products of SAP SE in Germany and in several other countries around the world, SAP SE may not be held responsible for the proper use or misuse of its contents.

To learn more about detecting and mitigating cyber risks on SAP mobile platforms or Oracle landscapes in Africa, please write to info@deltagricconsulting.com for pointers.


Video credits: Business Insider

© 2015 - 2017 DeltaGRiC Consulting | Your Enterprise Application Security Assurance!
