Security

An Unwired Platform deployment introduces a multilayer approach to corporate security designed for mobility.

This approach ensures that:

Internal and external device users can securely connect to enterprise information systems.
Every network link that transfers corporate information and every location that stores enterprise data guarantees confidentiality.

Unwired Platform security features cover:

Component Security – Unwired Platform consists of multiple components that are installed on internal networks, primarily on the corporate LAN and the demilitarized zone (DMZ). Each component requires specific administration tasks to secure it.
Communication Security – Secure Unwired Platform component communications to prevent packet sniffing or data tampering. Different combinations of components communicate with different protocols and different ports.
End-to-end data encryption support is based on Transport Layer Security (TLS) and Secure Sockets Layer (SSL), which secures client/server communication using digital certificates and public-key cryptography.
Authentication and Access Security – Authentication and access control is a core feature supported by all application types to control access to enterprise digital assets.

Security applies to components of the runtime landscape. See Security for additional detail for the following.

Server Security – The Unwired Server provides data services to device clients by interacting with the data tier on behalf of the client. The data tier is installed with the server tier components to the internal corporate LAN. Communications with device clients are routed through the an open port on the internal firewall to the Relay Server.
Each runtime service uses its own communication port (secured and unsecured). Security for this tier secures both the server components that provide these services and service communications.
Data Tier Security – The data tier consists of multiple databases that need protection. Each database contains sensitive enterprise data. This level of security involves securing the data infrastructure, then securing the databases by managing DBA passwords, granting DBA permissions, as well as encrypting data and logs.
DMZ Security – DMZ security involves controlling internet traffic to private networks. Key to this control is a proxy server, Relay Server or a third-party proxy server, which resides between inner and outer firewalls.
Device Security – Multiple mechanisms can be combined to fully secure devices. In addition to using the built-in security features of both the device or Unwired Platform, Sybase recommends that you also use Afaria so security features can be remotely initiated as required.
Key Unwired Platform security features for devices include the encryption of data, the implementation of login screens, and the use of DataVault to store sensitive data.

Application security is based mainly on the mapping of a mobile business object (MBO) package to a security configuration. A security configuration defines the authentication, authorization, attribution, and auditing security provider for an application package's access control and activities. For example, for an application, an administrator may create a security configuration that points to the LDAP server for authentication and authorization, and does not associate any provider for attribution and auditing.

Single sign-on (SSO) security providers provide an alternative to user name and password authentication. These security providers add support for token and certificate-based authentication, such as X.509 certificates. SSO enables mobile device application users to enter credentials only once to gain access to all resources, including servers, packages, and data sources related to that application.

Unwired Platform supports Afaria device management and security functionality. Client applications can generate certificate requests which in turn are passed through Afaria to the corporate PKI system for CA signature. If Afaria is not deployed, the process for generating and provisioning client certificates follows the standard corporate certificate request and renewal process. Afaria device management and security functionality includes features such as remote device locking, remote data cleanup, data fading (a feature that enables the IT administrator to lock, wipe, or reset a device that has not communicated with the corporate network or Afaria server after a predetermined number of days), and password expiration management. Even without Afaria, the Unwired Server administrator can lock or unlock devices from accessing applications deployed to the server.
EIS Security – Secure interactions with EIS data sources. If you are using DCN, those notifications can be communicated to Unwired Server securely.

See Security for additional information.

The Sybase Unwired Platform Common Security Infrastructure (CSI) provides an extensible model for integrating with existing security infrastructure. CSI login modules conform with Java JAAS enables Sybase Unwired Platform to integrate with LDAP, Microsoft AD, SiteMinder, etc. For additional information about developing a custom authentication or authorization provider, see Security API in Developer Guide: Unwired Server Runtime.