ERP Data Security Assessments: Then and Now

By April 12, 2019 Security,

This is a long one and gets techie in areas, but bear with me.  There’s a moral to the story.

As regular readers of this blog know, I frequently talk about my experiences performing security assessments.   These assessments typically cover an organization’s network infrastructure and application portfolio, and are driven by both regulatory requirements (SOX, PCI, HIPAA, etc) and internal requirements arising from governance, risk and compliance policies.

The scope and approach to these assessments has changed over the years, especially for legacy ERP systems.

In the olden days, when cellular devices were “dumb” and flip phones were cool, organizational networks were fairly insular and protected by a battery of network firewalls.  Key business applications were installed and accessible from inside those walls.  And only from inside.

Access to many of these applications was only permitted via what used to be called “thick clients”.  These were dedicated client applications installed on a user’s desktop whose sole purpose was to facilitate point-to-point interactions with a given server-based application platform.

These thick clients, which allowed managed access to the ERP keys to the kingdom, were typically only installed on the select few users needed to use and administer the platform.  HR applications, for example, were only accessible to data entry clerks and select approvers of HR related transactions.  Financial platforms were even more limited as to who was permitted to install and use the thick client required for access.

In this environment, security assessments (aside from policy reviews, etc) focused on a few key tactical areas:

  • Penetration testing against the network walls that were protecting the applications. Penetration testing is the attempted hacking of a network or an application by trying to maliciously connect to any ports that are “open” (or listening) to enable connectivity to that network or application.  Kind of a technical intro to how digital platforms communicate. For those interested in learning more, there are a ton of resources that can be googled to learn more about penetration testing and network communication protocols.
  • Penetration testing against the application port(s) that would be open to support the connectivity of the dedicated thick client.
  • Segregation of Duty driven audits of the organization’s databases that typically supported the ERP and other applications. We’ve talked extensively about the Segregation of Duty concept in previous blog posts. It’s basically an assessment of users, roles and permissions for any given application.
  • And if the organization wanted to be comprehensive, they would supply us with a copy of the thick client to enable a manual exercise around brute force user account testing against the ERP application to try and find easily guessed account ids and passwords.  This was rarely a focus point of the assessment because most companies operated under the belief that their ERP systems, accessible only from inside the network and only via a thick client that few people had installed, were pretty secure black boxes.

The primary takeaways from most of those assessments were 1) companies got really good at securing those single-point-of-entry firewalls that protected the network, and 2) those ERP thick client access applications were deployed to only those employees who needed them. 

What has changed since these “olden” days?

Well, we now have “smart” cellular and wireless devices.  And flip phones are nostalgic, but definitely not as fun as they used to be. 

These smart devices have led to the new connected world we live in.  We play games on our devices.  We watch movies on our devices.  And we can do it from pretty much anywhere.

So, why wouldn’t we also want to manage our work life on our devices?

Remember those thick clients people used to access ERP platforms?  Well, with an expanding user base wanting to access those platforms via the various mobile devices they may be carrying, thick clients just don’t make much sense anymore.  Imagine an ERP company trying to develop and maintain dedicated client applications that replicate desktop functionality for all the different device types (iOS, Android, Windows, etc.).

Adding to the challenge, imagine trying to control and support who would be able to download and use those ERP client applications.

So, how to support that expanded and mobile user base?  You make use of what is already available – a web browser.

By adapting ERP platforms to utilize a web browser to deliver functionality, those systems were now accessible to anyone running Chrome, Safari, IE or any of the multitude of browsers available.  Usability challenges aside, it did open the door for ERP systems to be available to that evolving mobile workforce.

But it also opened the door for anyone with a web browser to try and get access to those ERP systems.  And as web browsers are frequently used to access various back end applications, there is an entire black market for scripting tools that can automate login attempts. 

Makes it real easy for bad actors to hammer a system trying to guess legitimate account-password combinations.

So, those once insular, black box ERP applications are now accessible by the masses, good actors and bad.  And as they frequently manage a wealth of sensitive data about a company, its employees and its customers, they are a prime target for compromise.

Security assessments now have to pay attention to these systems. 

And with the evolving compliance regulations that provide users with the right to demand to know who has viewed their private data, internal auditors will also be getting involved to assess the organization’s ability to meet those demands.

The moral to the story I promised?

Protect your sensitive data.  And limit access to that data to only those who need to see it when they need to see it

And log those access activities, because, as these new regulations evolve, those auditors will be knocking on the door soon.

Appsian can help with protecting sensitive data and provide controls that can limit access to data to the select users that need to see it. We also provide robust logging capabilities to make it easier to respond to compliance requests and investigate incidents.

Shoot us an email at info@appsian.com to learn more.

Want to see what Appsian can do for your ERP systems?

Request a Demo
Appsian

© 2019 Appsian. All rights reserved. | Privacy Policy