We’ve talked extensively about Segregation of Access (SoAx) and how data security threats have evolved to include a range of application authentication attacks. These include sophisticated phishing campaigns, automated brute force password attacks and the targeting of legacy applications that were not designed or implemented with these modern threats in mind. In addition, the increasing demand from users to extend application access, from both inside and outside the network, is opening up a variety of potential entry points for bad actors to exploit.
And it is frequently these legacy applications, such as ERP systems, that maintain an organization’s most sensitive data including user personal and financial information, corporate proprietary data and financial accounting records.
How is an organization that maintains these legacy applications supposed to combat these modern security threats?
It all comes down to data protection. And not only keeping bad actors away, but also limiting access to sensitive data for legitimate users that don’t need to access it – until they do.
Let’s talk about some capabilities that can help bolster the data security of your applications. Let’s talk about how Appsian’s ERP Security Platform can provide many of those capabilities.
And let’s talk about it in the form of a hypothetical business justification in which Acme Industrial Dynamite (yes, I’m a big Road Runner fan) recognizes the vulnerabilities in their legacy ERP applications and is evaluating solutions.
Acme Industrial has been struggling with bringing their legacy ERP platform into alignment with both the current access threat landscape and the evolving compliance environment, where regulations like GDPR and the CCPA are expanding the need to support data privacy well beyond the historical breach notification responsibilities.
Acme has identified some key areas where supplementing built-in ERP security capabilities will be required to meet these evolving challenges. These key areas fall into the following capability sets and all should be evaluated:
Multi-Factor Authentication (MFA)
The traditional application security mechanism of requiring a user name and password to authenticate is dated and increasingly insecure. Why?
1. Phishing schemes have become very sophisticated. Most recent studies show that between 4%-10% of phishing targets will click on that fraudulent link and give up their credentials for the targeted application. Result: there is a better than decent chance that any given user login that relies on user name and password is coming from a bad actor. Data such as bank account numbers and PI for that user are now exposed. And if it is a high privileged user, data for multiple users is exposed and the integrity of business operations could be compromised.
2. Typical users are expected to maintain access to multiple applications in a corporate environment. Remembering user names and passwords for all of them can be onerous. So, post-it notes under the keyboard, or worse, simple-but-easy-to-remember passwords lead to insecure authentication controls.
3. With the increase in computing power capabilities and the sophistication of current hacking tools, brute force attacking user names and passwords has become an effective mechanism for bad actors to gain access to sensitive applications.
How does MFA mitigate these risks?
By requiring an additional layer of identity validation before allowing access to sensitive data and processes. With an effective MFA implementation at the application level, stolen credentials would limit what a bad actor could see or do.
Appsian’s MFA capabilities allow for a variety of use cases to match an organization’s definition of risky behavior. Whether it’s to protect sensitive data, such as bank account numbers or PII, at the field or navigation level, or to restrict access to privileged functionality, such as Query Manager, MFA can provide that additional level of identity validation.
Application Activity Logging
Legacy ERP logging typically focuses on system operations and can be very performance intensive. Because the application was designed in a time when internet access and exposure and data privacy were not a major concern, access management and logging capabilities were not built into the core functionality.
In the current threat and compliance environments, being able to track who has accessed sensitive data and processes is critical. And it is not just about breaches anymore. It’s also about being able to respond to audit requests that require you to show reports on who has accessed any given user’s sensitive data.
Appsian’s logging capabilities supplement PeopleSoft’s system logging by providing a wide range of additional transactional tokens that can be captured and provide a very granular and contextual capability to track and report on what users are doing in the system.
As described above, it is critical to implement a multi layered security approach to the accessing of sensitive data and processes. It is not just about keeping that data from bad actors, but also limiting access to legitimate users to only those individuals who need to see it, and only when they need to see it.
Data masking allows for the ability to redact sensitive data.
Appsian’s approach to data masking allows for that redaction to be very dynamic and customizable based on use case. It also expands static masking to include the ability provide selective hyper-link enabled masking to limit access to sensitive data or processes to only those individuals who make a conscious (and logged) decision to access it.
And like MFA, Appsian’s masking can be applied in a variety of use cases:
The keys to maintaining an effective data protection strategy are:
Contact us to see how Appsian can help inventory and address your sensitive data exposure in ERP applications.