Unvired Digital Enterprise Platform is now fully integrated with the Vault Project from Hashicorp to enhance the security

Blog Security

The Unvired Digital Enterprise Platform (UDEP) encrypts all configuration and messages before persistence. Industry best practices are followed for the encryption. All data for a company is AES-256 encrypted (the same technology your bank uses to secure your transactions) and decrypted with a symmetric key. Each company has its own symmetric key so that data can never be accessed across companies under any circumstances. To further secure the keys, they are stored in key files in a landscape that is physically separate from the servers running the UDEP. For example, in an AWS environment they are stored in S3. The passwords to these key files are stored separately after being encrypted with a landscape key.

To further harden this, UDEP is now fully integrated with the Vault Project from HashiCorp. From the HashiCorp website: “Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.”

So how exactly does UDEP use Vault?

The passwords for the key files are now stored in Vault. Each company has its own password stored in Vault. The access tokens for Vault are passed to UDEP via environment variables. These access tokens have tightly configured policies to ensure that the tokens can only access the permitted paths and perform the permitted operations.

Additionally, the auth tokens can be response wrapped. In this case, the real token is placed in a “cubby hole” in Vault and a temporary one-time access token is configured for UDEP instead. UDEP unwraps the one-time token and then uses the “real access token” to access the keys. If the unwrap operation fails, this indicates that some other operator has intercepted the token; the system can then be shut down immediately and the vault sealed to prevent any further compromise. This also ensures that the configured environment variables are practically useless to a hacker, as they cannot be reused.

To prevent leakage of data in case a token is compromised, the tokens can also be configured as periodic tokens that must be renewed regularly. Issued tokens can be revoked, after which access to keys via these tokens is no longer permitted.

UDEP also supports rotating the keys used via Vault. The keys of all companies can be rotated, which ensures that your data is as secure as required.
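The startup sequence described above, written against Vault's HTTP API as an added example (this is not UDEP's own code). The environment variable `UDEP_VAULT_WRAPPED_TOKEN`, the KV v2 path `secret/data/udep/companies/<company_id>` and the field `keyfile_password` are hypothetical names chosen for illustration.

```python
import json
import re
import urllib.error
import urllib.request


class VaultError(RuntimeError):
    """Vault answered with an HTTP error status."""


class WrappedTokenRejected(VaultError):
    """Unwrap failed: the one-time token was already used, expired or is bogus."""


def vault_call(addr, path, token, method, opener=urllib.request.urlopen):
    """Send one request to Vault's HTTP API and return the decoded JSON body."""
    req = urllib.request.Request(
        f"{addr}/v1/{path}", method=method, headers={"X-Vault-Token": token}
    )
    try:
        with opener(req, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        raise VaultError(f"{method} {path} -> HTTP {exc.code}") from exc


def unwrap_access_token(addr, wrapping_token, opener=urllib.request.urlopen):
    """Trade the single-use wrapping token for the real access token."""
    try:
        body = vault_call(addr, "sys/wrapping/unwrap", wrapping_token, "POST", opener)
    except VaultError as exc:
        # Fail closed: a wrapping token can be unwrapped only once, so a
        # rejection means someone else may already hold the real token.
        raise WrappedTokenRejected(str(exc)) from exc
    return body["auth"]["client_token"]


def renew_access_token(addr, token, opener=urllib.request.urlopen):
    """Renew a periodic token; returns the new TTL in seconds."""
    body = vault_call(addr, "auth/token/renew-self", token, "POST", opener)
    return body["auth"]["lease_duration"]


def fetch_keyfile_password(env, company_id, opener=urllib.request.urlopen):
    """Unwrap the token from the environment, then read one company's password."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", company_id):
        raise ValueError("company_id must not contain path characters")
    addr = env["VAULT_ADDR"]
    # Hypothetical variable name; it holds only the one-time wrapping token.
    token = unwrap_access_token(addr, env["UDEP_VAULT_WRAPPED_TOKEN"], opener)
    # Hypothetical KV v2 layout: secret/data/udep/companies/<company_id>
    path = f"secret/data/udep/companies/{company_id}"
    secret = vault_call(addr, path, token, "GET", opener)
    return secret["data"]["data"]["keyfile_password"]


if __name__ == "__main__":
    import os
    import sys

    company = sys.argv[1] if len(sys.argv) > 1 else "acme"  # constructed sample id
    try:
        fetch_keyfile_password(os.environ, company)
    except WrappedTokenRejected as exc:
        sys.exit(f"ALERT: wrapped token rejected, refusing to start: {exc}")
    print("key-file password loaded")
```

A `WrappedTokenRejected` at startup is the signal the paragraph above describes: the service should not start, and the event should be raised to whoever can revoke the real token or seal Vault.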

To summarize:

  1. Keys are stored in a separate Vault.
  2. Access is provided via response wrapped one time tokens.
  3. Access tokens can be periodic to facilitate revocation in case of a compromise.
  4. Keys can be rotated according to your security policy.
  5. Vault provides a detailed audit log that records all access operations for monitoring and verification.

So with the UDEP and Vault integration, all your configuration information and business data that is flowing through the UDEP is protected to the maximum. Stay safe.

Is the IAAS cloud really low cost?

Blog Technology Viewpoint

Host on the cloud, get a dedicated server or build your own? This is a common question that most entrepreneurs who are launching a service ask themselves. Seeking answers via the web probably leaves more questions than answers.

The reasons are simple: there are a plethora of articles that sing the praises (for many right reasons) of Infrastructure As A Service (IAAS) such as AWS, Google and other similar services. The ease with which you can launch servers on these clouds makes it even more appealing. The fact that Netflix and other companies are using it gives added assurance. Now head over to the wonderful calculator that all these services provide and crunch some numbers. You may either buy into it so completely that you are ready to launch your service, or be taken aback by how much it can actually cost. Let's face it, it's not as cheap as it's made out to be.

To better understand this problem, let's crunch some numbers with an example server. Suppose the server we need is equivalent to 4 Cores (or more), 32 GB RAM and about 200 GB hard disk space (note that in most cases RAM is the overarching choice and CPU cores are not really configurable; a notable new exception is Google). For simplicity I'm also not considering prepayment, as no startup probably wants to commit for more than a few months.

Cloud Servers (Instances):

AWS – Consider the m4.2xlarge at 32GB RAM and 8 cores. Linux instance is at $0.504 per hour or ~375$ per month. Add charges for storage and data transfer and approximate it to 400$ per month.
Google – Consider the n1-standard-8 at 30GB RAM and 8 cores. Linux instance is at $0.280 per hour lowest price with 100% usage or ~208$. Add charges for storage and data transfer and approximate to 230$ per month.

As you can notice there is already a significant difference between the two services. If you check other providers the price range will be similar.

Dedicated Servers:

Typically dedicated servers have always set you back by a significant sum and hence may not have been a choice. But a host of new providers has meant that hybrid offerings are available, which has already reduced prices. Notably, managed dedicated servers are far more expensive than unmanaged servers. The significant difference is that with unmanaged servers only the hardware is supported by the provider; every other responsibility is yours (software, backup etc).

Rackspace – A 24GB prepackaged dedicated server with 6 cores will set you back by ~ 674$ per month. This is backed by Rackspace Fanatical Support of course.

Packet.net – Packet offers dedicated bare-metal hardware in a cloud-like fashion. Type 1 server with 4 Cores and 32GB RAM (with 2x120GB SSD drives) is at $0.4 per hour or 297.6$ per month. There are no other charges as everything is included in this.

OVH – A major European provider with a NA presence in Canada and data center. A 32GB / 4 Core dedicated server (unmanaged) costs 79$ a month (no setup fee)

Hetzner.de – German data center, 32GB 4 Cores is priced at 39 Euros or ~43$ per month with a 79 Euro / ~87$ setup fee (one time)

As can be seen, the range is again wide not considering a huge number of smaller providers. Depending on whether some of the administrative tasks can be managed in-house or not, choice of provider can be made. Point to note though is that dedicated servers can actually be cheaper than cloud.

So before deciding, it is important to decide based on these (There could be many more significant ones I’m missing, add to the comments)

1. Elastic Scaling – Are your users going to grow that dramatically that you need the elastic capability of that nature? Less than 1% of all web apps need this kind of scaling, rest are happy with more deterministic scaling. (Cloud v/s dedicated)
2. Redundancy – Sometimes cost of 2 dedicated servers is still cheaper than 1 cloud instance. So even HA is not an issue with dedicated, but multi-region availability etc can also determine the choice.
3. Time – The longer you are willing to commit the cheaper some of the cloud services will be.
4. Legal or Security related – If customers don’t prefer shared multi-tenant instances, then you may have to go dedicated.

Net-net: Cloud services such as AWS are not the only choice. Even dedicated servers can be bought month on month with significant cost and performance gain. You actually have more choice than what is sometimes made out to be!

UI Toolkit on the wall, who is the prettiest of them all?

Blog Technology Viewpoint

Today most enterprises want to build and deploy awesome mobile apps on multiple devices for their employees and customers. But when it comes to UI technology most are stumped. If I were to pick the most common question that we encounter in discussions with customers it would be, How do I build apps for all devices? (this is typically iOS and Android). Follow ups to that are: What UI should I choose? How can I build once and run anywhere? What skills should we ramp up on? The list is endless.

First up the UI choice needs to lend itself to your need and not the other way round. At Unvired our normal approach is to find out what that need is and then recommend the technology solution.

I want to deploy native apps with fantastic user experience, fast performance, hardware integration and so on.

If your need falls in this category you are typically looking to build native applications using the vendor’s prescribed technology. These are:

  • iOS – Objective C (more recently Swift) using the XCode IDE from Apple
  • Android – Java using the Eclipse IDE or the Android Studio
  • Windows – C#/.Net using the Visual Studio IDE

All platforms come with their own set of challenges based on the OS version to support. This is more under control with Apple, where you are usually covered if you support the latest version and the one lower (for example, iOS 8.x and 7.x). It's more complicated with Android given the disparate devices and OS distribution, and you should opt for the OS version with the largest installed base, for example KitKat or 4.4. You are also well served if you use the standard APIs and do not depend on any vendor/device dependent APIs from Samsung, Sony etc.

I want to build apps once and deploy them on multiple devices. 

This is the trickier question as there are a few choices. This usually needs further qualification on what skills the company has or alternatively what they would prefer in addition to the end application’s requirements.

Web technology, hybrid apps that do not require any major hardware integration etc.

The most obvious choice in this case is to build hybrid HTML5/JavaScript apps using the Apache Cordova/Phonegap (http://cordova.apache.org/) plugin. This allows you to build, host and deploy hybrid (native-like) apps that render the UI in a webview with a standard HTML5 look and feel. The advantage is that the technologies used are typical web technologies like HTML5, JavaScript and CSS, and web developers will be able to code them. Some understanding of the mobile paradigm is definitely necessary. The plethora of CSS/JavaScript frameworks can be utilized to build some real cool apps. However, performance can be an issue, with lag on some devices, transitions not being smooth, low touch sensitivity etc. This technology is evolving and will only improve further.

Native apps that can be deployed on any device

Xamarin (http://xamarin.com) is your best choice here (at least for now, more on that later). Mobile applications can be developed in C#/.Net and deployed on iOS, Android and Windows tablets. The code compiles into native applications and hence offers a native user experience. The user interface can be developed once for multiple devices using Xamarin Forms, or alternatively separate UIs for Android and iOS devices can be developed with common business logic.

A new kid on the block here is Telerik NativeScript (http://www.telerik.com/nativescript) with an imminent release in April/May 2015. Telerik is positioning NativeScript as a JavaScript framework that can be used to develop mobile applications that are finally packaged as native applications. So these applications will not render in a webview on the device but will render as native applications. This is new technology under development and needs validation / adoption.

So now that you know them all, what’s your choice?

Unvired Apps can now be built with Xamarin!

Blog Technology

Here is some real exciting news. Unvired has so far been supporting development of Native applications using the SDK and tool sets provided by the device/OS vendors and Hybrid/HTML5 applications using the Cordova mechanism. Many of our customers and prospects have expressed the need to build Native applications in a simple manner with the benefits of Build-Once-Run-Anywhere. To fulfil that need we decided to support developing Unvired Enterprise applications using the widely popular Xamarin Studio.

We are delighted to announce the availability of the Unvired Xamarin component that brings the power of connecting to enterprise systems such as SAP, Sharepoint, Oracle among others using the simplicity of the Unvired Mobile Platform to the Xamarin Studio.  The Unvired Xamarin component can be accessed on the Xamarin component store.

So how does this benefit you?

As an Enterprise – There is now a simple, proven way to connect apps to your enterprise systems such as SAP using the scalable Unvired Mobile Platform. Applications can be developed once and deployed on multiple devices!

As a Developer – Use the familiar C# / .Net technologies to harness the power of the Unvired Mobile Platform and build awesome user experiences with Xamarin.  Building those many micro-apps that your manager wanted is now real easy!

As a User – You can now get to use awesome apps from your company on all devices, never be left out again!

Want to get started right away?

Login to Xamarin Studio and download the Unvired Xamarin Component.  Follow the example and the included getting started guide.  To build more complex applications with SAP etc we are in the process of publishing some more samples to our GitHub repository, watch this space or follow us on Twitter @unvired to get updates.

Unvired Mobile Platform now on H2 database

Blog Technology

Exciting update for Unvired Mobile Platform (UMP) development.   UMP now supports the H2 embedded database.  (What is H2?)

First up, H2 is a pure Java embedded database with the performance and capabilities of larger server based database systems.  UMP has been supporting MySQL, MS SQL and Oracle so far and has now added full support for H2.  So what, you ask?

1. Easier and less cumbersome Trials and POCs

One of the hallmarks of UMP has been simple free trials and self experience via POCs before the enterprise makes the buy decision.  This just became easier with the H2 support.  Unzip the preconfigured trial UMP archive,  start the UMP service and you are up and running.  An on-premise trial should now take a maximum of 1 hour for you to self provision!

2. Easy evangelizing of UMP in your organization

As a mobile architect or developer, are you excited about UMP and want to try building some apps before evangelizing it within your organization? You can now simply extract the UMP archive, run it with one click on your laptops or Macs, and start development. No licenses from IT required!

3. Easy development and test/quality servers

One of the constraints an Enterprise has always faced is the time and resource constraints in setting up hardware or provisioning Virtual Machines in their data centres.  For a traditional DB server such as MS SQL or Oracle additional license/hardware/DBA resources were required and led to approvals and delays.  Now with support for H2, the UMP service just needs to be started and automatically an H2 database will be created/used without any additional licenses or hardware requirement.

4. Single cloud instance sufficient for UMP

If you are provisioning instances in AWS or similar cloud services, a single instance is sufficient to unleash the full power of UMP.

Interested in trying any of the above?  Drop us an email and we will be happy to oblige.  Contact us.

Shellshock security update

Blog Security Technology

From Wikipedia:

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

Details: http://en.wikipedia.org/wiki/Shellshock_(software_bug)

And: https://shellshocker.net/

And: http://blog.cloudflare.com/inside-shellshock/ for some understanding on how hackers are exploiting the bug

UMP and Shellshock:

Shellshock affects systems running the Bash shell. UMP is currently supported on Linux and Unix systems, which typically run the Bash shell. While UMP is not directly affected, the bug exposes the underlying system to attacks and it's critical that the system is patched. Please contact your OS provider to get the required patches and apply them immediately.


Heartbleed security update

Blog Security Technology

From Heartbleed.com:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Details: http://heartbleed.com/

And: http://en.wikipedia.org/wiki/Heartbleed

UMP and Heartbleed:

UMP is currently supported on SAP NetWeaver and on Red Hat JBoss. Neither SAP nor JBoss is affected by the Heartbleed bug. SAP customers can read more here: https://service.sap.com/~sapidb/011000358700000308332014E/ (SAP Login required) and JBoss customers can check this: https://access.redhat.com/solutions/785113 and http://anil-identity.blogspot.in/2014/04/jbosswildflyas-openssl-heartbleed.html?m=1

As such, UMP is not affected by Heartbleed. Additionally, the public UMP sites can be tested against Heartbleed online tests such as http://safeweb.norton.com/heartbleed. Nevertheless, to cover any rare scenarios, Unvired aligns with the general advice to change passwords used on affected websites.


On-Premise trial of Unvired Mobile Platform in 15 minutes flat

Blog Technology

Unvired Mobile Platform trials were primarily available via the Unvired Mobile Cloud. We are now also offering on-premise evaluations of the Unvired platform, starting immediately. Read on to get the details.

We have now simplified On-premise evaluation and you can have your own trial instance of UMP running within your landscape in 15 minutes flat. The process is extremely simple. Apply for an on-premise trial and receive a virtual image and trial provisioning guide along with the trial license.

The UMP virtual image can be run within Oracle VirtualBox (http://virtualbox.org). If you have a commercial license of VMware Player (http://www.vmware.com/products/player/), the virtual image can be used within that also. Once the virtual image is imported and started, the entire process of viewing the data on your mobile devices should not take more than 15 minutes.

Sounds too good to be true? Submit your request for a free on-premise trial here: http://unvired.com/mobile-platform/try-buy/cloud-trial-registration/ and test drive the best mobile platform for enterprises.

Top 5 Lessons from Mobilizing SAP on the cloud

Blog Technology Viewpoint

Working with SAP customers on the cloud has been a rich learning and myth busting experience in many ways. Contrary to popular belief, a number of SAP customers do have a strong affinity for deploying solutions via the cloud. So what are the insights from our first set of cloud customers on the Unvired Mobile Cloud?

1. Cloud is relevant and top of the mind for SAP customers
Many of them already use other solutions such as Salesforce, Workday, Successfactors, etc. and integrate these SAAS / cloud solutions to their SAP systems in a number of ways. A cloud based delivery of the Unvired Mobile platform struck a chord with many of the CIO/CTO and IT heads that we spoke to. It is also a known fact that on-premise or hosted data centers running the dedicated SAP instances need to co-exist with the cloud based platforms / solutions. A flexible approach to cloud deployment without disrupting existing landscapes is what customers want.

2. Security
Data security is of paramount importance to all customers, SAP or otherwise. Business data is being unlocked, and the safeguarding of that data while it is put to innovative uses needs to be the bedrock of any cloud platform. The heads of IT recognize that email on mobile is already putting sensitive data on the device, and that data from business systems like SAP is not new but only increases the amount of data on the device. MDM solutions also complement the security needs of the mobile platforms.

Security in the mobile context can be: Data on the cloud, data in transit and data on the device. The Unvired Mobile Cloud platform does not replicate the data from customer systems to the cloud. Data is held on the cloud in encrypted form only for as long as it is required to be delivered safely to the device. Data in transit is secured via standard HTTPS/SSL and data on the device is stored in encrypted databases.

3. Time to deploy, rapid change
Companies want to deploy mobile solutions rapidly and don’t want to wait. Reasons are many, but the primary one is that deployments on mobile are in response to (or to preempt) business demands (like approvals on the go, sales order creation etc) and are time sensitive. In many cases, deploying the solution a few months later means reduced business relevance. So solutions need to be rapidly deployed and be adaptable to rapid changes requested by business users.

4. ROI matters, no more POCs
Good old fashioned ROI still matters. Customers are hesitant to make huge investments into POCs with limited production relevance. Customers want quick and free trials with their own SAP systems and mobile devices eliminating the POCs. After the trial, customers are more interested in iterative roll out of mobile processes and investing in shorter bursts as and when required. Customers want to see bang for the buck quickly as unlike investments in SAP and other systems wherein the investment is depreciated over 10 to 15 years, mobile investments are for much shorter periods of 2 to 3 years. BYOD phenomenon, short device life and mobile manufacturer / telco driven periodic device refresh have driven the shorter shelf life in the mobile investments.

5. Pay as you go / scale as you go
This was by far a must have that many customers pointed out. Rarely do customers go for a big bang deployment of mobile users. Additional deployments requiring purchasing of (expensive) additional users are a dampener for larger mobile adoption. Also significant churn in employees’ headcount due to challenging business circumstances means customers want to not just buy additional users but also return users. This new trend / requirement of return of users can be satisfied in a fair manner only by a true cloud solution with transparent pricing.

Note: This blog also appeared as a guest blog on Enterprise Mobile Strategies.