ERP security had traditionally focused on vulnerability testing for ERP applications, whether hosted on-premise or in the cloud. Given the sensitive nature of ERP transactions, frequently checking applications, databases, and servers for vulnerabilities through routine assessments had long been considered best practice. It makes sense that application vulnerabilities are considered a top threat vector because ERP applications were long touted for their highly customizable nature. Customizable because every organization’s business requirements are different – which means security settings and access controls need to be highly customizable.
All of this customization was in-service to governing user access to the application – a real “outside looking in” approach. But if you’re constantly looking “out” for threats, how do you protect against the ones that are already “in?”
While you might be checking for conflicts in your configuration settings, ensuring you’re up-to-date on vendor patches, and executing manual audits every once in a while, you should ask yourself, “am I actually protecting my ERP data?” Sure, preventing intrusions is passively protecting ERP data. But at the end of the day, if you spend your time hardening the walls of your fortress, you’re really only protecting the perimeter of your fortress – not what’s inside. Cybercriminals have identified this disconnect and now spend their time exploiting user credentials to infiltrate systems to steal and manipulate data. Cybercriminals have adjusted. Now it’s time organizations do the same with their ERP applications, and ultimately – their ERP data.
Information security professionals have long been adept at protecting enterprise data and not just network and application perimeters. The abundance of cloud applications has allowed access controls and visibility to go to the next level. Concepts like zero trust and least privilege all require information security policies that are not reliant on arbitrary roles and privileges but on inspecting who a user is, where they are coming from, on what device, and any other attribute. Just because they are allowed access to a network or application does not grant them privileges to data.
If this is where the information security conversation is going, why is ERP security still focused on the perimeter? Shouldn’t the focus be on ERP data security?
Many would say that ERP security remains a perimeter conversation because such a large part of the ERP market uses on-premise applications. This dates back to the inception of ERP when the appeal was mostly around customizing your business transactions to your processes. This would be accurate – but as business became more complex, organizations became more entwined with their legacy applications. However, that doesn’t mean that on-premise applications (and ERP applications only hosted in the cloud) must remain isolated from a unified “ERP Data Security” conversation.
Here Are a Few Recommendations for Beginning an ERP Data Security Conversation:
To help organizations manage, and more importantly, mitigate the risk of remote access to financial applications like SAP ECC, S/4HANA, & E-Business Suite, Appsian has developed Attribute-Based Access Controls that organizations can use to grant, modify, or restrict access to data. Governance policies can be dynamically enforced based on the context of user access – or attributes of user access.
To gain visibility and insight into how data is being accessed and used, Appsian developed Appsian360. Appsian360 represents a powerful combination of comprehensive user activity logging and analytics – all designed to detect and alert to anomalous behavior. Whether it’s access from a foreign country, the same user frequently downloading certain reports, or specific PO or account numbers receiving frequent access, Appsian360 is designed to give ERP customers the data level visibility needed to automate critical security, compliance, and audit functions.
Just because your organization is using a legacy ERP application does not mean that you cannot employ the same granular levels of control and visibility as a cloud application. Appsian has been enhancing on-premise ERP environments for over 10 years, and we’d love the opportunity to learn more about your ERP data security objectives. Contact us today!
"Learn how you can reduce risk with rapid threat protection, audit response and access control. All from a single, comprehensive platform"
Trusted by hundreds of leading brands