In most new SAP implementations, mobile devices are very common user interfaces.
In addition to SAP GUI, SAP Portal and corporate non-SAP portals, business users are demanding access to applications from their mobile devices.
Project implementations with mobile features need extra care for security. Mobile testing can be done with simulators, but security cannot be fully tested via simulators.
End-to-end authorization testing for mobile devices is critical, as most processing will be done with a few touches on mobile screens, iGadgets or smart gadgets running the new mobile operating systems (iOS on iPhone/iPad, BlackBerry, Android and Windows Phone). These devices are also not easily traceable in case of loss, theft or unauthorized use of the device, or fraudulent data exchange from the mobile client to the server.
When we consider an SAP audit for BlackBerry, iPhone or other smartphones, auditors pay more attention to internal controls, as the business is becoming addicted to the comfort and convenience of these advanced gadgets.
Preventive measures via internal controls include: periodic physical inventory checks of BlackBerries or cell phones; keeping multiple wireless carriers; data protection by e-mail encryption; badge access logs (successful and unsuccessful entries); prompt return of devices from separated employees; separation of duties between purchasing authority and administration authority; a process for deactivating the mobile device on the same day an employee separates from the company; and mobile asset management (order processing and stock processing with mobile devices). The MI administrator can lock the user as per the scheduled release of the employee, or at any time as the urgency requires.
SAP Sybase Unwired Platform uses SOA web-based services to secure access to mobile devices and the back-end data. It enforces enterprise-class security and mobility management via the Afaria administrative console.
Preventive controls at the application level include single sign-on, delegation of authorization, two-factor authentication and web service security (SOA-based authentication). Mobile devices used for HCM clock-in/clock-out entries, leave requests/travel requests and infotype 1959 shall be covered by SAP mobile defense and security, together with regular synchronization of user data between the SAP MI server and the SAP back-end system (deleted users should lose access immediately), locking of the user in the MI server by the administrator, etc.
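The user synchronization point above (a user deleted or locked in the back-end must lose mobile access immediately) is a reconciliation between two identity stores. The following is an added example, not code from the original article and not an SAP API: the MI server and back-end user lists are constructed in memory, the status values and field names are assumptions, and in a real landscape the two lists would come from the respective user administration interfaces.

```python
"""Reconcile mobile-server user accounts against the back-end user store.

Added example (not from the original article and not SAP's own API): the
SAP MI server and the back-end are represented by in-memory lists so the
logic runs offline. The field names and status values are assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BackendUser:
    user_id: str
    status: str          # "active", "locked" or "deleted" (assumed values)
    valid_to: date       # last valid day of the account in the back-end


@dataclass(frozen=True)
class MobileUser:
    user_id: str
    locked: bool         # already locked on the MI server


# Constructed sample data: what the back-end and the MI server report today.
BACKEND_USERS = [
    BackendUser("JSMITH", "active", date(2099, 12, 31)),
    BackendUser("MJONES", "locked", date(2099, 12, 31)),
    BackendUser("PLEE", "active", date(2012, 3, 15)),    # validity expired
]
MOBILE_USERS = [
    MobileUser("JSMITH", locked=False),
    MobileUser("MJONES", locked=False),
    MobileUser("PLEE", locked=False),
    MobileUser("TMILLER", locked=False),   # deleted in back-end, still on MI
    MobileUser("AKUMAR", locked=True),     # already locked, no change needed
]
AUDIT_DATE = date(2012, 6, 1)   # constructed "today" for the sample run


def reconcile(backend, mobile, today):
    """Return the set of MI user ids that must be locked on the mobile server.

    A mobile account is locked when its back-end counterpart is missing
    (deleted), not active, or past its validity date. Accounts already
    locked on the MI server are not reported again.
    """
    backend_by_id = {u.user_id: u for u in backend}
    to_lock = set()
    for m in mobile:
        if m.locked:
            continue
        b = backend_by_id.get(m.user_id)
        if b is None or b.status != "active" or b.valid_to < today:
            to_lock.add(m.user_id)
    return to_lock


def orphaned_accounts(backend, mobile):
    """MI accounts with no back-end record at all: lock them and review how they got there."""
    known = {u.user_id for u in backend}
    return {m.user_id for m in mobile if m.user_id not in known}


if __name__ == "__main__":
    print("lock on MI server:", sorted(reconcile(BACKEND_USERS, MOBILE_USERS, AUDIT_DATE)))
    print("orphaned on MI server:", sorted(orphaned_accounts(BACKEND_USERS, MOBILE_USERS)))
```

Run on a schedule (the article's "regular synchronization"), the lock set is what the MI administrator applies each cycle; the orphan set is the audit finding, since an account that exists only on the mobile server bypassed the back-end joiner/leaver process.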
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. In the case of retail applications, the RFC technical users shall be configured with the minimum required authorizations.
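Whether SNC and SSL are actually enforced is visible in the instance profile. The following is an added example, not from the original article: a small checker that parses a profile and reports weak settings. The parameter names (snc/enable, snc/accept_insecure_gui, snc/accept_insecure_rfc, snc/data_protection/min, icm/server_port_N) are real SAP profile parameters; the two profile texts are constructed samples, and the expected values encode the article's point (SNC for DIAG/RFC, SSL for HTTP) as an assumed baseline, not an official SAP recommendation.

```python
"""Audit SAP profile parameters that govern SNC (DIAG/RFC) and SSL (HTTP).

Added example, not part of the original article. The parameter names are
real SAP instance profile parameters; the two profile texts are constructed
samples and the thresholds are an assumed baseline for this illustration.
"""
import re

# Constructed weak profile: SNC off, insecure GUI/RFC still accepted, plain HTTP only.
WEAK_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = PRD
snc/enable = 0
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/data_protection/min = 1
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

# Constructed hardened profile: SNC enforced with privacy, HTTPS port configured.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
snc/enable = 1
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/data_protection/min = 3
icm/server_port_0 = PROT=HTTPS,PORT=44300
"""


def parse_profile(text):
    """Parse 'key = value' lines into a dict; '#' comment lines and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def icm_ports(params):
    """Yield (port, protocol) for every icm/server_port_N entry in the profile."""
    for key, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", key):
            fields = dict(f.split("=", 1) for f in value.split(",") if "=" in f)
            yield fields.get("PORT", "?"), fields.get("PROT", "?").upper()


def audit_profile(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_profile(text)
    findings = []
    if p.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is off, DIAG and RFC traffic is unprotected")
    for key in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc"):
        if p.get(key, "0") != "0":
            findings.append(f"{key} = {p[key]}: connections without SNC are still accepted")
    # snc/data_protection/min: 1 = authentication only, 2 = integrity, 3 = privacy (encryption)
    if p.get("snc/data_protection/min") != "3":
        findings.append("snc/data_protection/min is below 3: SNC encryption is not mandatory")
    ports = list(icm_ports(p))
    for port, prot in ports:
        if prot == "HTTP":
            findings.append(f"icm port {port} serves plain HTTP without SSL")
    if not any(prot == "HTTPS" for _, prot in ports):
        findings.append("no icm/server_port_N entry with PROT=HTTPS: HTTP access is not SSL-protected")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(text) or ["all checks passed"])
```

The same checker can be pointed at a real profile exported from the system; the useful part for a mobile project is the snc/accept_insecure_* pair, because SNC being enabled says nothing about whether unprotected DIAG and RFC connections are still accepted alongside it.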
In the coming months, mobile applications will be used for critical business processes, and separate security vulnerability testing shall be included in the project quality assurance/control process.