×
Security

ERP User Activity Monitoring: Here are the (5) Most Important Details to Capture

By Michael Cunningham • May 12, 2020

Analytics have always been necessary for informing ERP data security policies. This has never been more relevant than today, in this everybody-works-from-home environment where function leaders are scrambling to attain oversight and accountability. With whole departments spending 8 hours a day in business applications like PeopleSoft and SAP, establishing strong ERP user activity monitoring strategies is mission-critical. We also touched on this topic a few weeks ago, but now that organizations are adopting visibility solutions, the question becomes – what are the most important details to capture?

Always Capture the Who, Where, When, What, and How 

Remember the good old days of February 2020 when articles touted the growing trend of working from home and that remote access to your ERP system and making transactions available on the internet will one day become the “new normal?” Ah, good times.  

Then COVID-19 happened, and remote work went from growing trend to hard-core reality in a matter of days. System administrators scrambled to collaborate with managers to create new or updated work-from-home polices that determine who, what, where, when, and how workers can access ERP data – and what transactions they’re allowed to perform. Good times, indeed. 

Let’s break down these different details… 

1. Who – Details of the User Accessing the Data 

Even if your user authentication strategies are strong (ex. leveraging multi-factor authentication), you’re still going to have security concerns – especially with high privileged user accounts. Narrowing your visibility efforts on high privilege user activity allows you to focus on the accounts that can cause the most damage (if corrupted or misused.) For example, your organization may be global (with ERP access coming from multiple countries) but your high privilege users may primarily reside near your domestic HQ. High privilege access coming from outside this IP range may be an early sign of unauthorized activity.

2. What – Details of the Data Being Accessed 

What are those Tier 1, highly sensitive data fields you want to closely watch? I’m talking about C-suite salary information, social security numbers, bank account information, etc. Application level logging falls short in showing exactly what a user accessed. However, these details are ultimately the most important. If you do not have visibility into exactly what a user accessed, then you are missing a significant part of the data security puzzle. In many instances, field level logging can show you how much “over access” users may have. After all, least privilege is a best practice – especially in remote environments.

3. Where – Location Where the User is Accessing the Data 

As mentioned above, location can be a leading indicator of unauthorized activity. This strategy can be expanded, especially if you’re operating in a vertical that typically doesn’t require global access (ex. higher education, healthcare, state & local government, etc.) Whether it is a sudden influx of authentication requests from China or one-off access from a European country, having location data is an essential component of ERP user activity monitoring.

4. When –Time of Day When User is Accessing Data 

Thanks to stay-at-home orders, normal 8 to 5 work hours don’t apply when users must (potentially) deal with kids or other distractions. Simply enacting policies that restrict certain transactions from being executed outside of business hours is a quick way organizations can enhance oversight – but how can you really enforce it at scale? Either way, monitoring after hours activity, while not an obvious indicator of a problem, is a solid baseline. Especially if most ERP processing activities are being executed by hourly employees.

5. How – Type of Device Accessing Data 

One of the difficult aspects of rapidly deploying remote ERP access is getting an inventory of all the devices they’ll use. Corporate-managed vs personal devices have a large impact on how you want sensitive business data accessed. Even if every employee has a company-issued device, you’re bound to see unauthorized devices (mobile phone, tablet, personal workstation or laptop, etc.) accessing your system. Knowing exactly what these devices are accessing (or possibly downloading) is extremely important for data loss prevention.

Real-Time User Activity Monitoring Leads to More Informed ERP Data Security Decisions 

Using the Appsian Analytics Console, you get a 360-degree view of what is happening around your ERP data. From there, you can map out a targeted incident response before damages become catastrophic and influence your ERP data security policies.

Some additional examples of ERP data security measures you can deploy include: 

  1. Enabling adaptive authentication policies that deploy additional authentication challenges based on the context of access 
  2. Restricting the availability of specific transactions (partial or full) when access is coming from unwanted geographic locations 
  3. Masking any data field (partial or full) 

Appsian enables organizations to enhance their level of control and visibility over business data. To ease the anxiety of allowing remote ERP access, Appsian can help you make the rapid changes (avg. go-live in 2 weeks) necessary to manage and mitigate risk.

Request a demonstration of the Appsian Analytics Console today.  

Stay Updated

Request a Demo