HANA Cloud Platform Security makes Amazon Echo enterprise ready
Hi all HCP enthusiasts and tech geeks, how are you doing? Hope you all are rocking the technology world!
We, as part of regional HCP team at Singapore, were experimenting with HANA Cloud Platform and we leveraged HCP’s world class interoperability to integrate with other technology vendors.
Our team has built a ‘technology demonstrator’ to integrate health API’s from leading fitness wearable vendors. After homogenization of the data, we have added gamification concepts and a HTML5 dashboards for users. This had been a key showcase where we can use HCP as data aggregator and presentation and analytics layer. This was also a perfect example of how personal devices can be integrated for an enterprise use. We call this internal program FitSAP and it has been adopted as a part of corporate wellness program. More on this later.
After the success of HCP based prototype as data consumer, we wanted to showcase the security and UX capabilities of SAP HCP. Meanwhile for an inspiration we found cool integration between SAP HANA and Amazon Echo – during teched2015 and in this blog Amazon Alexa and SAP HANA
Cool Apps should not make a breach in Enterprise Security
I have also seen several cool demo and PoC’s involving HCP and Amazon Echo. All of them are great as concepts, but they are not ‘enterprise ready’. Once you have linked your amazon account with HCP/SAP/any enterprise account, anybody can impersonate the user to extract enterprise information from Amazon echo. This security loophole is a major roadblock for Amazon Echo to be used as the next-generation UX centerpiece. This security vulnerability has been highlighted in other scenarios- follow this YouTube videos to make yourself aware. Compromising Connected Home Security with Amazon Echo and the Insteon ISY-994i – YouTube
To counter this limitation of Amazon Echo in enterprise context, a security framework has been developed by us. This framework manages the lifecycle of every interaction from Amazon to our SAP service providers. This security framework is called (for this blog) ‘SecureHCPListener4Alexa’ and it has been built using the toolsets given by HCP. SecureHCPListener4Alexa introduces 2 Factor authentication on top of usual OAuth based security model.
Account Linking: Basics of Amazon to HCP integration
Amazon Alexa skill (a set of voice intents, to be read out by Amazon Echo) was created in the amazon development site. On this Alexa skill we deployed utterances required for our use case.
Next step was to link Amazon account (US based). The process can be found at Linking an Alexa User with a User in Your System – Amazon Apps &amp; Services Developer Portal
To link Amazon and HCP account we needed to provide OAuth token from HCP to Amazon. This is a user specific action as it authorizes user’s Amazon account to access protected by user’s HCP account. Configured OAuth Provider in HCP and provided necessary endpoints of OAuth in the Amazon Skill settings. The OAuth endpoints and client configurations can be done in HCP Cockpit aat OAuth tab. As you know the UI and token endpoints are authenticated by Cloud Identity. Hence the Account linking procedure is also secured.
If you do not know where to get OAuth token in HCP, go to the OAuth tab in HCP cockpit. For your benefit I am addning the OAuth settings screenshots.
During account linking process, Alexa app will invoke the OAuth token UI which looks something similar to this. It is possible for the end-user to delete a token once it is generated.
After the OAuth token has been acquired by Amazon Alexa service every inbound request from Amazon Alexa to HCP endpoint will contain this OAuth token. OAuth tokens are user specific and authorizes Amazon Alexa to invoke HCP services on behalf of the user’s HCP account. As OAuth generation UI is itself authenticated by the Cloud Identity, the one-time OAuth token generation process is also very secure.
The User interaction of the Account linking process has been captured in back of our ‘enterprise’ napkin-
Introducing Cloud Identity based 2FA: Enterprise readiness of Amazon Echo
Once the account has been linked, Amazon Echo notifies the user about the success of the ‘account linking’. This is a critical step for any Amazon Echo <- -> HCP interaction. It has to be completed in any demo of Aamazon Echo with HCP.
OAuth token exchange between HCP and Amazon Alexa services is the authentication mechanism used by all HCP+Amazon demo. We believe this is not secure enough as Amazon cannot distinguish between the voice of a ‘true’ user and impersonator.
So to make voice base interaction through Amazon Echo ‘Enterprise Ready’ we implemented two factor authentication (2FA) in our ‘SecureHCPListener4Alexa’.
After the successful account linking, users can trigger HCP by uttering Ask HCP. But SecureHCPListener4Alexa monitors the lifecycle of user’s session. If the user is initiating a session for first time or after specified duration of idle time, the service prompts the user, through Amazon Echo, to provide an One Time Password (tOTP) . We have built a HTML5 app to deliver the OTP to user. As this app is also protected by SAP Cloud Identity, hence users need to be authenticated to access the user dependent t-OTP generator via mobile or desktop.
The interaction between Users, Amazon Echo, HCP and Mobile app is described in the following interaction diagram.
As you can see, we are security paranoid people. Hence we did not just stop here. Not only do we validate the t-OTP in SecureHCPListener4Alexa, we also check if the user has provided wrong OTP for few successive time. In case of successive wrong OTP, the service can block the user for certain time periods.
There are also provision for users to ‘logout’ from HCP services via Amazon Echo. In that case SecureHCPListener4Alexa invalidates existing session and prompts the user for OTP during next session.
We have made a good guy, bad guy doodle for you to understand that.
When the valid user returns he can restart a valid and authenticated session using the OTP app in mobile.
For an impersonator, without the secure mobile device logging in will be impossible.
Once users are authenticated, the SecureHCPListener4Alexa service allows users to consume enterprise data from multiple data providers. The data providers can on-premise or cloud based system. HCP supports both SAP and non-SAP data providers.
For your reference, you can use the following architecture to build similar services –
With this scalable and extendable application architecture we could ‘securely’ access various on-prem and cloud based business systems (e.g. CRM, HCP based FitSAP etc.)
Hope this helps you and you will keep this in mind when you build your voice based UX on enterprise systems.
Acknowledgements: Developers who put their hearts behind this demonstration are: Gunter Gliem Jonathan Kuch
Fantastic post, this was missing since last TechEd!