Learn how to defend SAP CRM applications on a smartphone or a handheld device (with BlackBerry Sales Client as a specific example), and see why multiple layers of defense are more effective than a single layer when you use the defense-in-depth model.
Key Concept
Defense in depth is a strategy for creating multiple layers of defense to better protect the SAP CRM infrastructure. Risk management, network boundaries, threat levels, and support infrastructure are all part of a defense-in-depth implementation.
Backing up and restoring SAP CRM data (manufacturing, non-financial service, and healthcare data alike) is not enough to safeguard it, and neither is a data-retention policy for archived SAP CRM data. To protect SAP CRM applications and business processes from attack, you need a defense-in-depth model. That model has to cover SAP CRM integration with BlackBerry devices carried by people who are rarely in the office, such as mobile developers, sales representatives, field service employees, and senior managers. On-the-go SAP CRM users with BlackBerry devices are one part of a larger population that reaches SAP systems in other ways, such as through handhelds, netbooks, and the Web.
Note
Although I specifically use the BlackBerry as an example in this article, you can apply most of the best practices I describe to other mobile devices.
Defense in depth is a strategy based on creating multiple layers of defense for one or more SAP CRM applications or systems. Defending an application with multiple layers avoids a single point of failure, including a single point of noncompliance with data-retention policies: if one layer proves inadequate, one or more other layers take over to protect the applications and data. Each layer prevents or limits the exploitation of vulnerabilities in the people, technology, and operations around the SAP CRM applications or systems. With defense in depth, an attacker has to defeat every layer, not just one, to compromise the network, the SAP CRM systems, and the BlackBerry devices. Before you begin reading this article, you may want to refer to the sidebar “Glossary of Terms” at the end of the article for definitions of the security terms I use.
SAP CRM and the BlackBerry
A short time ago, on-the-go people used SAP Mobile Sales and Service, which featured asynchronous connectivity. Access to SAP CRM from mobile devices has since evolved into other forms of smartphone and handheld connectivity, including the BlackBerry Sales Client for SAP CRM V1.1, which integrates SAP CRM, via XML-based databases, with the BlackBerry applications users already have: email, address book, calendar, tasks, and memo lists. It pushes leads to your BlackBerry device so you can act immediately on customer needs and complaints, and it even lets you monitor the status of projects.
The BlackBerry Enterprise Server administrator should download and install the BlackBerry Sales Client for SAP CRM V1.0 — BlackBerry device users should not download or install this. The administrator needs to configure the BlackBerry Enterprise Server to upload BlackBerry Runtime for SAP and the BlackBerry SAP CRM sales module to the BlackBerry device.
This client application uses the same level of security as other BlackBerry device software applications. Data sent between the BlackBerry Enterprise Server and the BlackBerry devices is encrypted with triple DES (Data Encryption Standard) or AES (Advanced Encryption Standard), so an attacker who captures the traffic in transit sees only ciphertext. Where both are offered, prefer AES: triple DES is the older and weaker of the two. You need a BlackBerry Bold 9000 (OS 4.6) or BlackBerry Curve 8900 (OS 4.6.1) to communicate with BlackBerry Enterprise Server v4.1.6 for Microsoft Exchange or IBM Lotus Domino. Ensure you are connected to SAP CRM 2007 SP04 or SAP CRM 7.0 SP03 or higher and are running on SAP NetWeaver 7.1 SP07 or higher with Mobile Gateway 1.0 SP01 or higher.
The Problem: A Single Layer of Defense
In this section, I’ll give you examples of why a single layer of defense is inadequate against the threats an attacker could launch. I start with firewalls as a single layer of defense. Then I give three examples involving remote use of BlackBerry devices that connect to a server behind those firewalls, and one example of handing a BlackBerry over to a new IT department.
Example 1: Corporate and Secondary Firewalls
Say a company has set up a corporate firewall to keep intruders out. It enforces access control on network traffic, selectively allowing external entities (e.g., BlackBerry device users) to reach the information the firewall protects. It also defends networks against external or internal denial of service attacks. But what happens if an attacker manages to get through this firewall? The attacker could take control of the server, obtain the encryption key and with it the data, and push tainted attachments to BlackBerry devices.
To avoid this, the company puts up a secondary firewall around the application to protect itself from hackers who could get inside the corporate firewall. Other types of firewalls to consider include packet filtering, proxy firewalls, and stateful (i.e., capable of maintaining the status of a process or transaction) firewalls.
Packet filtering firewalls apply an access control list at the network layer, accepting or dropping each packet on its own based on source and destination addresses and ports. A proxy firewall acts as an intermediary between the two parties and decides whether or not to allow the communication. A stateful firewall keeps a table (or database) of connection states to track the traffic it has seen in each direction, so it can identify unauthorized and forged packets, for example a “reply” to a connection that no inside host ever opened. A stateless firewall, in contrast, is not aware of traffic patterns or data flows; it can only restrict or block packets based on source and destination addresses and ports.
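To make the stateless-versus-stateful distinction concrete, here is an added example (my own toy code, not part of the original article or any BlackBerry or SAP product) that runs a constructed three-packet trace through a stateless filter and a stateful one. The addresses, ports, rule set and packets are all assumptions made for the demonstration: an inside host opens an HTTPS connection, receives a genuine reply, and then an outside host forges a “reply” to a high port that nobody opened. The stateless filter accepts the forgery because the tuple looks like a reply; the stateful filter rejects it because it has no matching entry in its state table.

```python
"""Added example: a toy stateless packet filter beside a toy stateful one.

All addresses, ports, rules and packets are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass

INSIDE_NET = "10.0.0."          # constructed: the BES / SAP CRM enclave
ALLOWED_INBOUND_PORTS = {443}   # hypothetical rule: only HTTPS may come in


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False           # connection-opening flag
    ack: bool = False


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_NET)


def stateless_filter(pkt: Packet) -> bool:
    """Judge each packet on its own: allow anything outbound, inbound to
    permitted service ports, and anything that *looks like* a reply
    (ACK set, no SYN, high destination port). The last rule is the hole."""
    if is_inside(pkt.src):
        return True
    if pkt.dport in ALLOWED_INBOUND_PORTS:
        return True
    if pkt.ack and not pkt.syn and pkt.dport >= 1024:
        return True     # "must be a reply" -- but nothing verified that
    return False


class StatefulFilter:
    """Remember connections initiated from inside; admit an inbound packet
    only if it answers one of them or targets an allowed service port."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def accept(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            if pkt.syn:
                # record (inside host, port, outside host, port)
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dport in ALLOWED_INBOUND_PORTS:
            return True
        # a legitimate reply is the exact reverse of a recorded tuple
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_trace(trace: list[Packet]) -> tuple[list[bool], list[bool]]:
    """Return (stateless verdicts, stateful verdicts) for a packet list."""
    sf = StatefulFilter()
    return ([stateless_filter(p) for p in trace],
            [sf.accept(p) for p in trace])


# Constructed trace: an inside host opens a connection out, gets a real
# reply, then an outside host forges a "reply" to a port nobody opened.
TRACE = [
    Packet("10.0.0.5", 51000, "203.0.113.9", 443, syn=True),   # outbound
    Packet("203.0.113.9", 443, "10.0.0.5", 51000, ack=True),   # real reply
    Packet("198.51.100.7", 443, "10.0.0.5", 51234, ack=True),  # forged
]

if __name__ == "__main__":
    stateless, stateful = run_trace(TRACE)
    for pkt, a, b in zip(TRACE, stateless, stateful):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"stateless={a} stateful={b}")
```

Running it shows the third packet accepted by the stateless filter and dropped by the stateful one; that is the whole difference the text describes, and it is also why the stateful filter alone is not enough: the forged packet is only caught because it had no prior connection, and an attacker who has already compromised an inside host can open one.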
However, even a set of firewalls (of any type) as a single layer of defense is inadequate, because an attacker can keep probing until a flaw is found to get through them. BlackBerry devices then receive tainted data, and SAP CRM servers could be compromised, resulting in noncompliance with data retention policies.
Example 2: Remote Identity Protection
Identity is better protected on BlackBerry devices that regularly receive security patches and fixes from BlackBerry administrators. Last year, a company’s BlackBerry administrator detected malicious PDF attachments on the server targeting BlackBerry device users.
If a user opened one of these attachments, an attacker could steal the user’s identity and use it to install malicious software on the server that runs your organization’s BlackBerry network. In this case, the administrator notified users to disable the PDF attachment option on their devices and then pushed patches that stopped the malicious PDF attachments from being opened.
Identity protection as a single layer of defense does not prevent an adversary from attacking the systems and applications in other ways. A skilled hacker can bypass this layer and gain malicious control of SAP CRM and BlackBerry servers. He could also access SAP CRM applications that developers are working on.
Example 3: Remote Wipeout
You must back up data on your BlackBerry device on a daily basis to a backup BlackBerry or PC. If you lose your device, you must wipe out the data and applications remotely. If you do not wipe them out after losing your device, a hacker might be able to guess your password and look at sensitive SAP CRM data and restricted developers’ applications in progress.
You can use a backup BlackBerry or PC to contact the BlackBerry administrator and request that the administrator wipe out the data and applications on the lost BlackBerry. The administrator, in turn, sends the Erase Data and Disable Handheld IT command to the lost BlackBerry from the BlackBerry Manager on the server.
The administrator then uses the Remote Wipe Reset to Factory Defaults IT policy rule. This makes the lost device return to factory default settings after it receives the Erase Data and Disable Handheld IT command wirelessly. The reset overwrites the BlackBerry device’s internal memory and, if content protection is turned on, performs a memory scrub. When you get your BlackBerry back, you can restore data and applications to your device. You should also change the device password and other guessable settings before you do, so that an attacker who handled the device cannot simply reuse what was there before.
The types of data that the BlackBerry device permanently deletes when it reverts to its factory default settings include user data, the corporate PIN-to-PIN encryption key, the master encryption key, smart card binding information, and password history. Also deleted are the stored BlackBerry MDS device policy, a record of the time elapsed since the BlackBerry was last turned on, the stored IT policy, and application data. You then need to reset the encryption key and passwords.
Remote wipeout as a single layer of defense is also inadequate, because it depends on the network being available to deliver the wipe command. In December 2009, BlackBerry customers throughout North America were without email and Internet services for more than eight hours after a widespread outage, whatever security policies were built into the devices. Consider what happens if a user loses his BlackBerry and an attacker finds it during such an outage: the wipe command cannot reach the device, and the attacker could use the device’s integration with any ISP that supports POP3 or IMAP to work his way toward the SAP CRM servers.
Example 4: Mobile Physical Security
You need to protect your device from permanent loss. You could consider a third-party application (e.g., Roblock) that does not require BlackBerry Enterprise Server for remote wipe. It allows you to send an email to your lost device that states how to return the device; the content of the email is displayed on the screen. You can remotely lock the device, sound an alarm, have it call you back, and recover contacts. If your device is GPS-enabled, it can email you a map indicating where your device may be located. You can also set up SMS or email notification for when the Subscriber Identity Module (SIM) card has been changed. Note that before you download a third-party application, you should ensure it is on the BlackBerry administrator’s approved third-party application list.
If you cannot contact the BlackBerry administrator or do not have the proper third-party application, you can go to your phone provider’s Web site and request that it temporarily suspend service for the lost BlackBerry. When you get your BlackBerry back, you can resume service and wipe out the data and applications if they are tainted or compromised. You then restore them from your backup BlackBerry or PC. Always ensure you have backed up your data and applications and set up a password that is difficult to guess.
Unfortunately, mobile physical security as a single layer of defense is inadequate. If the person who finds the BlackBerry decides not to return it to its owner or authorized user, he or she can use it to gain access to SAP CRM servers.
Example 5: Mobile Cleansing
There is another reason why you may want to wipe out your BlackBerry: perhaps you’ve switched jobs and need to submit your BlackBerry to your new IT department (particularly a new SAP server with connections to the BlackBerry Enterprise Server so they can set it up for its SAP CRM network). You don’t want your new company to have access to your previous employer’s sensitive data.
You can clean out your device in two ways: incorrect password entry and manual wipe. If you enter an incorrect password into your BlackBerry 10 consecutive times, the BlackBerry is programmed to wipe itself out as a security precaution. To manually wipe your entire BlackBerry, go to the main screen, click Options, and then click Security Options. When you get to General Settings, click the trackball on the Password field and then select Wipe Handheld.
Mobile cleansing as a single layer of defense is also inadequate: the server does not confirm that the previous employer’s data, or any hidden processes and programs, have actually been wiped out.
The Solution: Multiple Layers of Defense
A better solution for preventing attacks is to use the defense-in-depth model, which offers multiple layers of defense between an adversary and his target — whether it be an SAP CRM system or a BlackBerry device linked up to the SAP CRM system. Here are two examples of layered defenses:
- To protect the SAP CRM infrastructure from an active attack (e.g., denial of service), the first line of defense is to defend the enclave boundaries via firewall and VPN. The second line of defense is to defend the computing environment (e.g., servers and software).
- To protect SAP CRM data from an inside attack, the first line of defense is to employ physical and personnel security. The second line of defense is to set up authenticated access controls and audits.
Other types of defenses include intrusion detection, virus scanning, demilitarized zones, packet filters, routers, switches, proxy services, and biometrics. Combining the strategies I have described can create multiple lines of defense. For example, you could set up corporate and secondary firewalls as the first line of defense, and then set up remote identity protection, remote wipeout, and mobile physical security as the second line of defense. Remote identity protection applies when a firewall fails to protect identity against, for example, malicious PDF email attachments. Remote wipeout and mobile physical security are necessary if you lose your BlackBerry device. Mobile cleansing is another second line of defense that can wipe out your previous employer’s data when you’ve switched jobs.
Risk Management
The idea behind defense in depth is to manage risk with diverse defensive strategies, so that if one layer of defense turns out to be inadequate, another layer takes over partially or entirely. You can include additional layers of defense to better protect the SAP CRM infrastructure. This makes it harder for an attacker to compromise the security of the network, SAP CRM, and the BlackBerry devices. An administrator can set up logs and email notification on the status of, for example, the first two lines of defense. If there is a security breach in the first line of defense, the email should trigger an alarm that gets the administrator’s attention so he or she can repair or replace that line before the attacker reaches the next one.
Network Boundaries
In addition to multiple layers of defense, you should define network boundaries (enclaves) that protect end systems against attacks. BlackBerry devices connected to the BlackBerry Enterprise Server form one enclave if the server is part of the SAP CRM infrastructure. If BlackBerry devices are not connected to the BlackBerry Enterprise Server but to an external network that serves as a gateway to the SAP CRM infrastructure, they are not part of the infrastructure’s enclaves.
For example, a BlackBerry device user may pass transparently through five network enclaves, each with multiple layers of defense, before reaching the point in the fifth enclave where he must supply login information, after an internal firewall has admitted his VPN connection into that enclave. If the system accepts the login information, he either gains access to the SAP CRM server or his request for access appears on an administrator’s console or Web browser for approval.
Note
The number of network enclaves can be less than five depending on the sensitivity of the data that the users will supply.
Threat Levels
Defense in depth should reflect the threat level at a given point in time. When the threat level changes, BlackBerry and SAP CRM administrators can change the security posture of an enclave and isolate it from the rest of the SAP CRM infrastructure. A rising threat level indicates that the infrastructure is at higher risk. The administrators may then decide to isolate an enclave from the rest of the infrastructure while maintaining communication within the enclave and restricting SAP NetWeaver traffic to that enclave. This includes temporarily denying requests from BlackBerry users to access the SAP CRM systems until the BlackBerry administrators have uploaded patches to the devices.
The information that determines threat levels for the network infrastructure should come from the continuous collection and analysis of intrusions and other security events in each network enclave. These threat levels should be displayed on the administrator’s Web browser home page or SAP workstations and on the SAP client’s home page on BlackBerry devices. This way, you can alert users to changes in threat levels to reflect the changes in security posture of the networks, SAP CRM systems, and the BlackBerry Enterprise Server.
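The two preceding sections describe the loop without showing it: events collected per enclave feed a threat level, the level drives a posture change (isolate the enclave, hold BlackBerry access until patches are out), and a breach of the first line of defense raises an email alarm. The following is an added example of that loop, my own code rather than anything from the article or from an SAP or BlackBerry product. The log line format, event types and weights, thresholds, enclave names and posture rules are all assumptions for the demonstration; in practice they would come from the firewall and IDS products in use and from the security policy.

```python
"""Added example: turn constructed per-enclave security events into a
threat level, a security posture, and first-line-of-defense alarms.

Log format, weights, thresholds and posture rules are assumptions.
"""
from collections import defaultdict
import re

# Assumed line format:
#   <ISO time> enclave=<name> layer=<n> event=<type> [key=value ...]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) enclave=(?P<enclave>\S+) layer=(?P<layer>\d+) "
    r"event=(?P<event>\S+)(?: (?P<rest>.*))?$")

# Assumed weights: how much each event type raises an enclave's score.
WEIGHTS = {
    "fw_deny": 1,               # routine firewall drop
    "ids_alert": 5,             # IDS signature fired
    "malicious_attachment": 8,  # e.g. the PDF case in Example 2
    "fw_breach": 25,            # a line of defense actually failed
}

# Assumed thresholds (score >= threshold gives that level).
LEVELS = [(0, "low"), (10, "elevated"), (30, "high")]


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["layer"] = int(ev["layer"])
    return ev


def score_events(lines):
    """Sum event weights per enclave; also collect breach events."""
    scores = defaultdict(int)
    breaches = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue                        # malformed lines are skipped
        scores[ev["enclave"]] += WEIGHTS.get(ev["event"], 0)
        if ev["event"] == "fw_breach":
            breaches.append((ev["enclave"], ev["layer"], ev["ts"]))
    return dict(scores), breaches


def threat_level(score):
    level = LEVELS[0][1]
    for threshold, name in LEVELS:
        if score >= threshold:
            level = name
    return level


def posture(scores):
    """Per enclave: at 'high' isolate it from the rest of the
    infrastructure; at 'elevated' or above deny BlackBerry access
    until the administrators have pushed patches to the devices."""
    result = {}
    for enclave, score in scores.items():
        level = threat_level(score)
        result[enclave] = {
            "score": score,
            "level": level,
            "isolate": level == "high",
            "deny_mobile_access": level in ("elevated", "high"),
        }
    return result


def alarm_messages(breaches):
    """Text for the e-mail alarm raised when the first line (layer 1)
    of defense in an enclave is breached."""
    return [f"ALARM {ts}: layer {layer} breached in enclave {enc}; "
            f"repair or replace it before the next layer is reached"
            for enc, layer, ts in breaches if layer == 1]


SAMPLE_LOG = [  # constructed for the demo
    "2010-03-01T08:00:01Z enclave=dmz layer=1 event=fw_deny src=198.51.100.7",
    "2010-03-01T08:00:05Z enclave=dmz layer=1 event=fw_deny src=198.51.100.7",
    "2010-03-01T08:01:10Z enclave=bes layer=2 event=malicious_attachment type=pdf",
    "2010-03-01T08:01:12Z enclave=bes layer=1 event=ids_alert sig=pdf-distiller",
    "2010-03-01T08:02:00Z enclave=crm layer=1 event=fw_breach src=198.51.100.7",
    "2010-03-01T08:02:03Z enclave=crm layer=2 event=ids_alert sig=rfc-scan",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    scores, breaches = score_events(SAMPLE_LOG)
    for enclave, state in posture(scores).items():
        print(enclave, state)
    for msg in alarm_messages(breaches):
        print(msg)
```

With the sample log, the DMZ stays low, the BES enclave goes to elevated (mobile access held until patches are pushed) and the CRM enclave goes to high (isolated), and exactly one alarm is produced, for the layer-1 breach in the CRM enclave. The posture output is what the text proposes surfacing on the administrator’s browser home page and the SAP client on the devices.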
Support Infrastructure
You need to defend the support infrastructure that the networks, SAP CRM system, and security mechanisms depend on from hackers and other threats. This is done by implementing multiple layers of defenses I discussed earlier in this article. The support infrastructure includes the Public Key Infrastructure (PKI), directory services, automatic encryption, and user authentication services. If a hacker successfully attacks a portion of or the entire support infrastructure, he can more easily reach the SAP CRM systems and BlackBerry devices.
Glossary of Terms
Biometrics: Automated methods of recognizing an individual based on biological and behavioral characteristics
Demilitarized zone: A buffer zone (e.g., a special server or computer network) between two or more computer networks that do not directly access each other
Encryption: The transformation of plaintext into unreadable ciphertext
Intrusion detection system: Software employed to monitor and detect possible attacks and behaviors that vary from the normal and expected activity
Packet filter: A type of firewall. Packet filters can restrict network traffic and protect your network by rejecting packets from unauthorized hosts, using unauthorized ports, or trying to connect to unauthorized IP addresses
Proxy server: A system that caches items from other servers to speed up access. On the Web, a proxy first attempts to find data locally. If it’s not there, the proxy fetches it from the remote server where the data resides permanently.
Residual risk: The remaining risk after the security has been applied
Security policy: Documentation that describes senior management’s directives toward the role that security plays within the organization
Vulnerability: The absence or weakness of a safeguard that can in turn be exploited
Judith M. Myerson
Judith M. Myerson is a systems architect and engineer and an SAP consultant. She is the author of the Enterprise System Integration, Second Edition, handbook, RFID in the Supply Chain: A Guide to Selection and Implementation, and several articles on enterprise-wide systems, database technologies, application development, SAP, RFID technologies, project management, risk management, and GRC.
You may contact the author at jmyerson@verizon.net.