Data Security: What Steps Can You Take?

By June 20, 2019 Security,

We’ve talked extensively about Segregation of Access (SoAx) and how data security threats have evolved to include a range of application authentication attacks. These include sophisticated phishing campaigns, automated brute force password attacks and the targeting of legacy applications that were not designed or implemented with these modern threats in mind.  In addition, the increasing demand from users to extend application access, from both inside and outside the network, is opening up a variety of potential entry points for bad actors to exploit.

And it is frequently these legacy applications, such as ERP systems, that maintain an organization’s most sensitive data including user personal and financial information, corporate proprietary data and financial accounting records.

How is an organization that maintains these legacy applications supposed to combat these modern security threats?

It all comes down to data protection. And not only keeping bad actors away, but also limiting access to sensitive data for legitimate users that don’t need to access it – until they do.

Let’s talk about some capabilities that can help bolster the data security of your applications. Let’s talk about how Appsian’s ERP Security Platform can provide many of those capabilities.

And let’s talk about it in the form of a hypothetical business justification in which Acme Industrial Dynamite (yes, I’m a big Road Runner fan) recognizes the vulnerabilities in their legacy ERP applications and is evaluating solutions.

Challenge

Acme Industrial has been struggling with bringing their legacy ERP platform into alignment with both the current access threat landscape and the evolving compliance environment, where regulations like GDPR and the CCPA are expanding the need to support data privacy well beyond the historical breach notification responsibilities.

Acme has identified some key areas where supplementing built-in ERP security capabilities will be required to meet these evolving challenges. These key areas fall into the following capability sets and all should be evaluated:

Multi-Factor Authentication (MFA)

The traditional application security mechanism of requiring a user name and password to authenticate is dated and increasingly insecure. Why?

1. Phishing schemes have become very sophisticated. Most recent studies show that between 4%-10% of phishing targets will click on that fraudulent link and give up their credentials for the targeted application. Result: there is a better than decent chance that any given user login that relies on user name and password is coming from a bad actor. Data such as bank account numbers and PI for that user are now exposed. And if it is a high privileged user, data for multiple users is exposed and the integrity of business operations could be compromised.

2. Typical users are expected to maintain access to multiple applications in a corporate environment. Remembering user names and passwords for all of them can be onerous. So, post-it notes under the keyboard, or worse, simple-but-easy-to-remember passwords lead to insecure authentication controls.

3. With the increase in computing power capabilities and the sophistication of current hacking tools, brute force attacking user names and passwords has become an effective mechanism for bad actors to gain access to sensitive applications.

How does MFA mitigate these risks?

By requiring an additional layer of identity validation before allowing access to sensitive data and processes. With an effective MFA implementation at the application level, stolen credentials would limit what a bad actor could see or do.

Appsian’s MFA capabilities allow for a variety of use cases to match an organization’s definition of risky behavior. Whether it’s to protect sensitive data, such as bank account numbers or PII, at the field or navigation level, or to restrict access to privileged functionality, such as Query Manager, MFA can provide that additional level of identity validation.

Application Activity Logging

Legacy ERP logging typically focuses on system operations and can be very performance intensive. Because the application was designed in a time when internet access and exposure and data privacy were not a major concern, access management and logging capabilities were not built into the core functionality.

In the current threat and compliance environments, being able to track who has accessed sensitive data and processes is critical. And it is not just about breaches anymore. It’s also about being able to respond to audit requests that require you to show reports on who has accessed any given user’s sensitive data.

Appsian’s logging capabilities supplement PeopleSoft’s system logging by providing a wide range of additional transactional tokens that can be captured and provide a very granular and contextual capability to track and report on what users are doing in the system.

Data Masking

As described above, it is critical to implement a multi layered security approach to the accessing of sensitive data and processes. It is not just about keeping that data from bad actors, but also limiting access to legitimate users to only those individuals who need to see it, and only when they need to see it.

Data masking allows for the ability to redact sensitive data.

Appsian’s approach to data masking allows for that redaction to be very dynamic and customizable based on use case. It also expands static masking to include the ability provide selective hyper-link enabled masking to limit access to sensitive data or processes to only those individuals who make a conscious (and logged) decision to access it.

And like MFA, Appsian’s masking can be applied in a variety of use cases:

  • What can a user access or see if they, regardless of role, are coming in from outside the network versus inside?
  • Should a high privileged user be allowed to high privileged data or process access if they are coming in at midnight from an IP registered in China?
  • Should lower test and development environments, which depend on real data to be effective, be allowed access to the sensitive data fields in those environments?

The keys to maintaining an effective data protection strategy are:

  • Catalog and classify your sensitive data and process across all applications
  • Apply controls around that data and those processes to limit access to only those who need to see it.  And only when they need to see it.
  • Implement an effective logging strategy that provides granular access activity reporting and alerting.

Contact us to see how Appsian can help inventory and address your sensitive data exposure in ERP applications.

Want to see what Appsian can do for your ERP systems?

Request a Demo
Appsian

© 2019 Appsian. All rights reserved. | Privacy Policy