SAP Combines MDM with NAC to Solve its Own Mobile Security Challenges

SAP explains its multi-pronged BYOD security strategy

MDM systems can help IT security managers secure the sensitive corporate data that is frequently stored on those devices, but MDM systems by themselves fall short of a full security approach. That’s because they’re blind to unmanaged devices on the network, often only register settings on the mobile endpoint itself, and are often operated as a separate IT management silo – usually concerned with smartphones and tablets, not the broader set of network devices. So, SAP set out to do something about that for its own internal operations, with a security integration with the ForeScout CounterACT network security platform. It worked so well, the IT giant went on to test NAC and MDM interoperability to expand visibility and control.

For more effective endpoint and mobile security, it’s clear that IT security managers need a unified approach for consistent policy management, access control, compliance monitoring and reporting across all network tiers and endpoint devices. In the combined solution, ForeScout network access control (NAC) provides network visibility and control for IT managers, and SAP provides a way to implement and enforce mobile device policies. In total, the combination provides unified visibility and reporting for all mobile endpoint devices, including PCs, smartphones, tablets and laptops, to better manage appropriate access to corporate resources, data and applications.

The genesis of the solution was SAP’s own unwieldy device landscape, which was crying out for this kind of solution, particularly since the company has fully embraced mobility from the beginning of the connected device era – its initial purchase of tens of thousands of iPads was one of Apple’s first big enterprise purchase orders.

“The goal was that we sell mobile solutions, so every employee should be mobile themselves,” said SAP Afaria product manager Don Coop, in an interview with Infosecurity. “But then we got into the BYOD era, and the realization that there’s a lot more to it than just determining whether to let a device on the network.”

SAP's IT group had “a clear use case for putting these things together and had done that integration for themselves first,” he added. “We’re a big global IT company with about 50,000 to 60,000 employees and all of them have mobile devices. So our own IT wanted a centralized place where they could make sure that every device is accounted for on the network. That means mobile phones, but also Linux and Windows machines, Macs, IP phones, printers, the projectors in the conference rooms and our switches. All of that needs to be accounted for, which is challenging at the best of times. Also, we’re a multivendor company that has grown through acquisitions so there’s added complexity there, plus, there are different rules for governance and risk per geography. CounterACT brought all of these pieces together.”

Another key benefit for SAP given such a large user base was that the solution is clientless, reducing overhead for IT. “Putting software on all of these devices was a non-starter,” Coop said.

SAP also has very strict compliance requirements because it does business with regulated industries, so anything it uses must be shown to be secure and within regulatory parameters. “To prevent unknown access and make sure we’re security-compliant in handling our customers’ information, we have to make sure that for every device that connects to the network, we have a process for quarantine and a remediation process – this does that,” Coop explained.

While it has its own unique mobile challenges, SAP realized that the core of the product integration (NAC and MDM) would be widely applicable to others – and it decided to make it an official part of its MDM ecosystem strategy, working alongside ForeScout and others, noted Chris Hazelton, research director for mobile and wireless at 451 Research, in an interview. Hazelton said that there is certainly pent-up demand. 451 Research shows that only 59% of IT decision-makers have any kind of mobile policy strategy, while another 25% are in the process of establishing one. That leaves 14% that don’t have a policy at all.

And of those with a policy or developing one, when asked if there’s anyone specifically responsible for mobile strategy, only 53% said yes. The rest have no one that guides and grows the mobile arena. “We’ve been seeing an era of austerity in IT going back to 2007, and more often than not when they actually are investing, they’re not investing in mobile,” he added. “This combination lowers some of the barriers.”

So far, response has been positive for the solution. “What I’m hearing from customers is that managing network access works with a mobile device management system to add a lot of value, and it’s very straightforward and simple,” Coop said. “Our industries are converging to make CIOs sleep a little better, basically. Security is top of mind for Fortune 2000 companies and it keeps coming up and gets extended to more and more methods of access and more and more devices. This is a straightforward solution that solves worries about how employees are, say, accessing email, which is the app for every company.”

The integration can be used to solve several common mobile security challenges. For instance, IT departments can use CounterACT to see and detect all unmanaged, corporate and personal mobile devices, such as iPads, iPhones and Androids and other devices attempting to connect to the corporate network via Wi-Fi or over-the-air – thus providing better control over BYOD environments and security policies. It can also trigger SAP Afaria to profile-check managed devices in order to detect jailbroken, rooted and non-compliant handhelds and to restrict access until the device adheres to policy.

Corporate IT can also use the combined product approach to readily apply security policy based on user, role and device in order to automatically limit access, manage as guest or enroll in SAP Afaria MDM; and can fortify a range of user, device, application and data policies through network-enforced controls, such as password strength, configuration, application use, encryption and data protection. And, compliance rules engines at the device and network level support on-demand and automated responses such as reconfigure, remote wipe and network reassignment.

“Organizations are looking for an integrated approach to manage and secure the invasion of employee-liable devices connecting to corporate networks, particularly at a time when BYOD is so prevalent,” said Hazelton. “We see strong synergy between network access control (NAC) and MDM in their capabilities to provide visibility into devices regardless of ownership – corporate or personal. The pairing of NAC with MDM technologies offers organizations the means to easily identify who and what type of device is connecting to the enterprise, to automatically enroll and monitor roles-based controls for any device and user, and to secure the growing movement of corporate data across smartphones and tablets.”
