In the years I’ve been architecting and assessing organizational information security approaches, the typical focus of any effort was on the perimeter protection offered by network infrastructure, primarily the firewalls that separate the organization’s internal network and applications from the wild, wild west that is the Internet. The goal was to ensure that those firewalls were hardened doors that only allowed very specific traffic through, and that traffic was typically limited to requests going out of the organization’s door to allow employee access to websites and other publicly available resources.
Aside from supporting those outgoing connections, very little, if any, traffic was allowed in through the door. Digital attacks on the organization were usually focused on breaking through that door by exploiting vulnerabilities or misconfigurations in the firewall. With a single, focused point of entry to defend, security people got really good at locking down firewalls.
Things have changed.
Mobile devices and applications. 5G cellular networks. User expectations.
“I want my games, my videos and my music available to me 24-7, wherever I am. And, oh yeah, I also want to be able to manage my life and job from my phone or tablet.”
How do companies support these expectations?
They start making plans to poke holes in that firewall door to allow access to applications that were previously not accessible from outside the network. Let’s focus on those applications that typically allow a user to manage their life and job.
Let’s focus on legacy ERP applications. These are the systems that companies have used for years to manage employees and the associated personal data required to support their employment and job responsibilities. ERP systems were designed to operate in an assumed secure environment where access was limited, and exposure to the wild, wild west (the Internet) was never envisioned.
The challenge becomes clear. How do organizations allow users to access a legacy ERP system from outside the network? Technically it’s relatively easy. Open a few network ports, create a mobile-friendly user interface, expose a few web services and voilà, your in-house application is now accessible from everywhere. Along with the data that it manages and maintains.
So, it’s not about technically enabling the access. It’s about securely controlling the access. Because that hardened network door is now evolving into a swinging screen door that has a great big “come on in” sign.
It’s not just about protecting the perimeter anymore. Because that wall, or door (or whatever you want to call it), is not the barrier it used to be. Actually, identity is the new perimeter. Because being able to get into those applications is no longer dependent on me being in the corporate network. That internal access, being behind that hardened door, was always a somewhat controlled environment. Compare that to today. Now I can get in from anywhere and it’s solely about who I am – or at least who I claim to be.
So, how do we secure these legacy ERP systems that were never designed to provide the access control security required to support exposure to the wild, wild west?
How do we limit the exposure of sensitive data to bad actors that might access those systems via stolen credentials obtained through phishing campaigns or Post-it notes left in a university’s shared computer lab? And in the evolving compliance environment, where GDPR and U.S. state-driven regulations now require organizations to be able to report who has seen a user’s sensitive data, how can we get that data from those legacy systems in a timely manner? And finally, with the current focus on data privacy, how do we limit the visibility of sensitive data, even for legitimate users, to only those users that need to see it to do their job?
The key is to establish good policies and practices around Segregation of Access (SoAx). Segregation of Access essentially involves protecting sensitive data: not only from malicious bad actors, but also by limiting access to that data to only the people that actually need to see it. Another key component is logging every access to sensitive data to ensure traceability in case of an incident or a compliance request.
How much sensitive data is exposed when a typical manager accesses an employee record in an ERP system? Pretty much everything related to that employee. Does the manager really need to see social security numbers, dates of birth, etc.? Probably not. So, why not reduce your risk exposure by masking that data?
How about highly privileged users? Should they have the same access capabilities if they are coming into the system from outside the network versus inside? Probably not. That is the definition of a risky transaction, because it could involve compromised credentials for a high-powered account.
Anyone accessing an application from the wild, wild west is, by definition, a high-risk user. And controls should be implemented to establish additional layers of identity validation (via multi-factor authentication, etc.) for those types of risky transactions.
SoAx needs to become a part of any organization’s security posture.
What constitutes an effective SoAx approach? It involves an effective use of dynamic data masking based on the conditions under which a user is entering the system (role, location, etc.) and the use of additional layers of identity validation for those specific areas of the system where sensitive data is exposed.
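As an added illustration (example code, not Appsian’s product or anything from the original post), here is a small Python policy check that combines the three SoAx controls described above: role-based masking of sensitive employee fields, step-up MFA for anyone arriving from outside the network, and an audit entry for every sensitive-field decision so that "who has seen this data" can be answered later. The field list, roles, internal address ranges and sample record are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Constructed policy: the roles that need each sensitive ERP field unmasked to do their job
SENSITIVE_FIELDS = {"ssn": {"payroll"}, "date_of_birth": {"payroll", "hr"},
                    "bank_account": {"payroll"}}
# Constructed sample: address ranges treated as "inside the network"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class AccessContext:
    user: str
    role: str
    source_ip: str
    mfa_verified: bool = False


def is_internal(source_ip: str) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in INTERNAL_NETS)


def step_up_required(ctx: AccessContext) -> bool:
    # Anyone arriving from outside the network is high-risk: sensitive fields stay
    # masked until a second factor has been verified, whatever the role.
    return not is_internal(ctx.source_ip) and not ctx.mfa_verified


def mask(value: str) -> str:
    # Hide every alphanumeric character except the last four (123-45-6789 -> ***-**-6789)
    head = "".join("*" if c.isalnum() else c for c in value[:-4])
    return head + value[-4:]


def view_record(ctx: AccessContext, record: dict, audit_log: list) -> dict:
    """Return the record as ctx may see it; append one audit entry per sensitive field."""
    shown = {}
    for field, value in record.items():
        allowed_roles = SENSITIVE_FIELDS.get(field)
        if allowed_roles is None:          # not sensitive: show as-is, nothing to log
            shown[field] = value
            continue
        if ctx.role not in allowed_roles:
            decision = "masked"            # this role does not need the field
        elif step_up_required(ctx):
            decision = "step_up_required"  # right role, but external without MFA
        else:
            decision = "clear"
        shown[field] = value if decision == "clear" else mask(value)
        audit_log.append({"time": datetime.now(timezone.utc).isoformat(), "user": ctx.user,
                          "role": ctx.role, "source_ip": ctx.source_ip, "field": field,
                          "employee_id": record.get("employee_id"), "decision": decision})
    return shown
```

The audit list is what a compliance request would be answered from; in practice it would be written to an append-only store rather than kept in memory.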
How do you start? We can help. Please contact us to see how Appsian can help control and report on ERP data access and help secure your sensitive data.
Want to learn more about SoAx? Join us for a webinar on Thursday, March 28th at 1 PM CST.