Change is a constant, but the rate of change is ever increasing. People are starting to work the way they live, and the millennial generation in particular has simply no other reference point. The lines between work and private life overlap more and more. The morning Starbucks visit or train commute includes submitting POs on smartphones, checking Twitter, approving some workflow request and looking at the latest BI dashboard, and you are not even in the office yet.
SAP Fiori has positioned itself in this new environment with a better (easier) user experience, powered by SAP HANA. Technically, SAP Fiori is designed to allow on-the-fly access to all kinds of SAP systems.
This is very powerful and, from a user perspective, very effective and convenient. But every silver lining has its cloud.
With these new technologies, connectivity and interoperability increase, and that imposes a few challenges you must be aware of (plus, of course, how you can deal with them):
- SAP Fiori is designed to bring "the app" to the user, on their device, so the challenge is device security. Think about VPNs, endpoint protection, virus scanning, etc.
- Devices are lost and stolen more often than traditional computing equipment. Encrypted data storage on devices is not a luxury.
- The app (through Fiori) coming in via public, unprotected Wi-Fi is a risk to network security. Man-in-the-middle attacks are getting more common.
- Apps (in general) tend to share more data than is actually needed, and they are permitted to because you clicked OK. These types of apps don't stop at logging their own app usage: clicks, visits, photos, files, etc.
This suddenly increased attack surface must be mitigated to prevent real financial, reputational and penal damage.
There are multiple types of attacks that cybercriminals can use to penetrate SAP’s defenses. One of the ways is MIME-type filter evasion.
SAP and MIME
When a user uses an SAP Fiori app to upload a file to a backend SAP system, the file extension is taken to reflect the content of the file. So a .pdf extension indicates a PDF document, and a .docx extension indicates a Microsoft Word document. So far, no problem.
But what if the file behind that <whatever> extension is actually an executable? Hidden and masked malicious files start entering the backend SAP systems through such renamed files (changed extensions), because a filter that only looks at the extension never sees the real content.
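One way a backend can refuse such renamed uploads is to compare the file's leading bytes (its magic signature) with the type its extension claims, and to reject known executable signatures whatever the name. The Python below is an added example, not SAP's own code; the signature table, the sample uploads and the function name are assumptions constructed for illustration, and it goes slightly beyond the PDF/DOCX cases in the text by also covering two image types.

```python
import os

# Content signatures (magic bytes) a file must start with, keyed by the
# extension it claims. Extensions not listed here are refused by default.
EXPECTED_MAGIC = {
    ".pdf": [b"%PDF-"],
    ".docx": [b"PK\x03\x04"],   # OOXML documents are ZIP containers
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
}

# Signatures of executable formats that are never accepted, whatever the name.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
}

def classify_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason) for an uploaded file.

    The extension alone is never trusted: the content must start with the
    signature the extension implies, and known executable signatures are
    rejected regardless of the extension the client supplied.
    """
    ext = os.path.splitext(filename)[1].lower()
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return False, f"content is a {label}, not a {ext or 'typeless'} file"
    allowed = EXPECTED_MAGIC.get(ext)
    if allowed is None:
        return False, f"extension {ext!r} is not on the allow-list"
    if not any(data.startswith(m) for m in allowed):
        return False, f"content does not match the signature expected for {ext}"
    # Any ZIP passes the .docx magic check; an OOXML file must also carry its
    # content-types part, which rules out an arbitrary archive renamed to .docx.
    if ext == ".docx" and b"[Content_Types].xml" not in data:
        return False, "ZIP container lacks the OOXML content-types part"
    return True, "extension and content agree"

# Constructed sample uploads (not real files): a minimal PDF header, a PE stub
# renamed to .pdf, and a plain ZIP renamed to .docx.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    "contract.docx": b"PK\x03\x04\x14\x00\x00\x00\x08\x00readme.txt hello",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, classify_upload(name, content))
```

The check is a first line of defence at the upload entry point; it does not replace scanning the stored file, since a genuine PDF or DOCX can still carry malicious content.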
Many (far too many) companies do not even THINK about such scenarios, or lack the skills and manpower to even start thinking about such critical yet real possibilities.
We do, and the simple reason is: so you don't have to.
You need to concentrate on enabling your business. Our job is to enable your business SAFELY.
Picture ©: GettyImages-861122838-metamorworks