At the SAPinsider 2020 virtual conference experience, one of our product demo attendees asked how Appsian works with SAP GRC Access Control. We get this question a lot as SAP security and system professionals explore adding attribute-based access controls (ABAC) to the native SAP role-based access controls (RBAC) to streamline and strengthen access policy management and enforcement. Sometimes there is confusion about whether ABAC is enhancing or replacing their RBAC. Let’s take a quick look at how Appsian’s ABAC works with and enhances SAP GRC Access Control.
What is SAP GRC Access Control
Organizations use SAP Governance, Risk, and Compliance (SAP GRC) to manage regulations and compliance and remove any risk in managing critical operations. One of the SAP GRC modules that helps organizations meet data security and authorization standards is SAP GRC Access Control. This module ensures that the right access is given to the right people with RBAC. It uses templates and workflow-driven access requests and approvals to streamline the process of managing and validating user access and provisioning. Without SAP GRC, for comparison, a person is creating all the roles from scratch and assigning privileges to them.
Appsian Enhances SAP GRC with Attribute-Based Access Controls
Appsian combines the SAP GRC role-based access controls with an attribute-based access control solution that delivers an ABAC + RBAC hybrid approach. This enhanced approach enables granular control and visibility that delivers a wide range of business benefits and lets you deploy data-centric security policies that leverage the context of access to reduce risk.
Appsian overcomes the limitations of traditional RBAC, allowing you to fully align SAP security policies with the objectives of your business and streamline audits and compliance.
As you can see in this illustration, ABAC begins the moment users start to access data and transactions. Where RBAC assigns access based specific roles, ABAC considers the context of access (who, what, where, when, and how) before allowing access to transactions or data. Customers can set up additional rules that allow conditional access, for example, masking specific data fields or limiting the number of transactions after a particular time of day) or entirely denying access based on factors such as an unknown IP address.
Real-Time Analytics for SAP Security & Risk Management
With Appsian360, our real-time analytics and reporting tool, Appsian can enhance the SAP GRC reporting capabilities with direct, real-time visibility into transaction usage, violations, and compliance risk. Additionally, customers can:
- Monitor transaction usage, master data changes, and SoD violations
- View actual SoD violations with user, data, and transaction correlation
- Segment reports by user/data attributes
- Drill down into end-user usage events
Appsian360 provides analytical reports to drill down into end-user usage events to capture business risks and anomalies, and usage events that tie back to compliance risks.
The ABAC + RBAC Hybrid Approach to SAP GRC Access Control
By combining data-centric security capabilities with attribute-based policies, Appsian extends and enhances the existing SAP GRC internal access controls and improves the reporting and auditing capabilities.
Contact us today and schedule a demo to see how Appsian can help you enforce access controls beyond the standard RBAC model of SAP.
We are in the midst of a perfect storm of ERP security calamity: the greatest work from home experiment colliding with historic levels of employee churn and unemployment. Hackers are exploiting the situation by launching phishing, spear-phishing, and other social engineering attacks at remote workers to gain access to privileged user accounts and email passwords.
The increased threat surface and hacker activity mandate that companies deploy a strong security posture at the identity perimeter, using tools such as virtual private networks (VPN) and adaptable multi-factor authentication (MFA). However, limiting security to user access and authentication can leave organizations at risk of malicious activity when, not if, a privileged user account is compromised.
Unfortunately, today’s legacy on-premise SAP and PeopleSoft systems simply do not provide organizations the granular visibility and context of user access and data usage they need in real-time to make proactive and strategic decisions. This lack of visibility and reliance on static controls to ensure your most critical data isn’t compromised means that many organizations are flying blind.
Monitoring Privileged User Activity Must Be Part of a Strong Security Posture
The issue with traditional ERP logging and analytics is that it focuses on troubleshooting errors and scanning for broad system vulnerabilities. They were not designed for understanding user behavior, data access, and usage. In addition to ensuring a strict authentication process, companies need to layer in the ability to monitor privileged user activity continuously.
Using a layered-defense approach, organizations can proactively mitigate many of the risks associated with the increased interest in corporate networks and user accounts. A strict authentication process on its own is no longer acceptable. Actively monitoring privileged account activity is a critical way of identifying that an external threat has entered the network, compromised an account, and is ultimately engaged in fraud or theft.
Granular Privileged User Activity to Monitor
Organizations can set fine-grained access controls all day long. For example, organizations may be able to apply time-based ABAC for standard users, since the general human resources employee likely works during daytime hours, and you have visibility into which user accessed an application. Unfortunately, if you do not have a granular-level view into precisely what a user accessed, then you are missing a significant part of the data security puzzle.
I’m sure you can think of a list of all Tier 1, highly sensitive data fields you want to watch closely. A shortlist includes C-suite salary information, social security numbers, bank account information, national ID number, passport number, visa permit number, driver’s license number, etc.
Continuously monitoring privileged user activity and behavior at the granular level provides valuable visibility into how users engage with data and what they do with their access. For example, application-level logging can’t track or show you if a hacker or malicious insider changes employee direct deposit information to route that week’s payroll run into an offshore account. Only field-level logging can show you how much “over access” users may have or if they are engaged in irregular activity.
With this information, organizations can review whether a certain activity was necessary and document the findings. By tracking the activity back to the user, the organization proves governance and proactively protects data.
Appsian360: Monitor ERP Activity for High Privilege Users
Using Appsian360 to monitor privileged user activity, you get a 360-degree view of what is happening around your ERP data as well as full visibility into exactly how your ERP data is being accessed – by whom, from where, on what, and why. From there, you can map out a targeted incident response before damages become catastrophic.
Your organization needs to be in a constant and vigilant state of security when it comes to monitoring privileged user account activity, especially in these times of excessive employee churn and remote access. Unfortunately, doing so in your ERP system is a manual process that needs to be addressed frequently.
Request a demo of Appsian360 to see for yourself how your organization can actively monitor privileged user activity and mitigate the risks associated with a compromised account or malicious insider.
You spend countless hours, not to mention considerable money, to secure your SAP and Oracle ERP data. One day, you discover that cybercriminals have exposed a vulnerability using an application misconfiguration. This has become increasingly common as criminals seek methods to covertly infiltrate applications to gain access to thousands of employee records.
This situation happened to Microsoft in December 2019 and didn’t generate the kind of headlines usually associated with data breaches. This was simply a human error. But these kinds of human errors and misconfigurations are one way that hackers can gain a foothold into your SAP or PeopleSoft ERP system. Now the question is, how are you going to protect your data after an attacker side-stepped your perimeter defenses?
Misconfiguration is the Fastest Growing Security Risk
According to the 2020 Verizon Data Breach Investigations Report, misconfiguration errors (failing to implement all security controls) are up 4.9% from last year’s report and are the fastest-growing risk to web applications. It’s easy to apply this kind of risk to legacy ERP systems because SAP and PeopleSoft environments often consist of millions of lines of custom code and custom-built components communicating with each other and to external systems through various APIs and interfaces bolted together over time.
On top of that, you’re dealing with an abundance of changes to roles, configurations, access controls, and compliance protocols to accommodate new business processes and evolving data privacy policies. If companies are not analyzing and monitoring the underlying security implications of all these changes and movement, they’re bound to face a similar situation as Microsoft with a backdoor left unlocked for any hacker to stroll through.
Finally, don’t forget that many organizations simply do not stay current with system updates and security patches. According to the Data Breach Investigations Report, only half of the vulnerabilities are patched within three months after discovery, leaving companies exposed to attacks against known exploits.
The Multi-Layered ERP Data Security Approach
The growing complexity of SAP and PeopleSoft environments make securing ERP data an enormous challenge. To prevent inadvertent exposures from misconfiguration, Greg Wendt, executive director of Appsian, suggests that companies “must adopt a multi-layered security approach with dynamic security tools that can monitor user access in real-time, providing transparency over what data is accessed and by whom.”
This multi-layered approach includes masking sensitive data, verifying identity via multi-factor authentication (MFA), and enhanced logging and analytics. Appsian adds layers of security WITHIN your ERP system to help ensure your data is still protected when a hacker strolls past your perimeter defenses, thanks to a misconfiguration.
Dynamic Data Masking provides contextual masking policies that adapt to the context of access. That means when a hacker attempts to access sensitive data fields but doesn’t match key attributes such as user ID, privilege, device, location, or IP address, they will encounter full, partial, click-to-view masking or complete redaction of the data field.
Adaptive MFA ensures that contextual attributes (ex. device, network, location) are the determining factor for deploying MFA challenges. For example, customers can require an MFA challenge when a user account is accessing the system from a remote IP address or after business hours.
Enhanced Logging and Analytics with Appsian360 allow you to monitor your networks for suspicious activity and provide detailed insights regarding how, when, and by whom transactions and data fields are being accessed. This visibility is particularly important for identifying users with high-privilege access who are accessing pages they shouldn’t be. The enhanced logging can trace all the pages a user accessed during a session, helping to identify a potential intrusion. This kind of real-time data access and usage visibility was previously unavailable to SAP and Oracle ERP customers.
Eyes and Ears on the Entire ERP Data Ecosystem at All Times
“The enterprise must learn to have eyes and ears on their entire data ecosystem at all times,” said Wendt. Microsoft’s recent data breach due to misconfiguration highlights the importance of a security strategy that continuously looks for misconfigurations and compliance violations. Next, they should establish a multi-layered security approach to prevent unauthorized data access, along with enabling organizations with the ability to identify access trends that may be indicative of incorrect access controls.
Misconfigurations are, unfortunately, a common error and should be treated with the same sense of urgency and level of effort by security professionals as their network perimeter. After all, not all attacks are external.
Contact us today to learn how the Appsian Security Platform and Appsian360 can help you establish a multi-layered security solution.
Organizations using traditional, on-premise ERP applications like SAP ECC and Oracle PeopleSoft are facing a rapidly changing reality around the collection, storage, and usage of data. Aside from the growing number of compliance regulations they need to follow, such as GDRP, CCPA, and others, they face critical visibility gaps related (explicitly) to understanding ERP data access & usage. Especially at a fine-grained level.
This lack of visibility is exacerbated by organizations enabling remote and mobile access to their users, exposing them to a myriad of data security and compliance threats like hacking (phishing), along with fraud and theft from internal users. All of which result in the loss of millions of dollars each year.
Fortunately, ERP applications that were once considered a “black box” can now be enhanced with the most sophisticated logging and analytics technology available on the market. Introducing Appsian360, the first and only data access and usage analytics platform for SAP and PeopleSoft.
Why Context of User Access and Data Usage Matters
Far too often, user behavior is a mystery, resulting in security, fraud, theft, and business policy violations. Specifically, a lack of detailed insights regarding how, when, and by whom transactions and data fields are being accessed.
As they exist today, legacy on-premise SAP and PeopleSoft systems simply do not provide organizations the granular visibility and context of user access and data usage they need in real-time to make proactive and strategic decisions.
“For years, organizations have been operating with limited visibility, and current threats to ERP data have made this status quo completely intolerable,” said Piyush Pandey, CEO of Appsian. “Appsian360 is about knowing who is doing what – at a very granular level.”
With Appsian360, security and compliance leaders can drill into specific data access and know exactly who is doing what, where, and why. With that level of in-depth, contextual information, any red flag incidents can undergo a rapid response plan.
“The beauty of Appsian360 is it’s a comprehensive solution that provides actionable insights,” added Pandey. “We know that forensic investigations and time to mitigation costs organizations countless amounts of money – and we’re pleased that Appsian360 can alleviate much of this burden.”
Appsian360 for SAP and PeopleSoft
Appsian360 installs into your ERP web server and does not require any additional customizations. There are zero noticeable effects on application performance. Here’s a high-level look at what Appsian360 can do for you.
Detect Security Threats in Real-Time: Appsian360 proactively alerts you to security threats like hacking, phishing, misuse of privileged accounts, and many more. You can quickly receive the information required to fully enable forensic investigations.
Uncover Hidden Business Risks: Appsian360 helps you detect and respond to fraud, theft, and errors by employees and third parties (vendors, consultants, etc.). Companies can maintain a complete view of sensitive business transactions, and what (specific) users are doing.
Monitor Employee Productivity: Appsian360 helps you maintain oversight as users process and execute business transactions. You can use these insights to ensure efficient staffing and identify potential bottlenecks in critical HR, payroll, and finance activities.
Understand Data Access & Usage with More Clarity Than Ever Before
Organizations can no longer rely on having a lot of data. They need to start triangulating and developing context around the data they’re getting and how it’s being used. Appsian360 provides real-time data access and usage visibility previously unavailable to SAP and Oracle ERP customers.
To see how data security and compliance threats that were once considered “the price of doing business” are no match for the watchful eye of Appsian360, join us for a virtual demonstration on Thursday, August 13. You can register here: https://www.appsian.com/visibilty-using-appsian360/.
Contact us today for a personalized demo and find out how Appsian360 can fill critical visibility gaps for your organization.
Thanks to TV commercials for identity protection services, you’re forgiven for thinking that that dark web is primarily a place where criminals and hackers buy and sell personal information such as credit cards, usernames and passwords, and social security numbers (and other PII). Lately, however, the dark web has seen a flurry of activity for offers to purchase corporate network access, according to a recent “Access for Sale” report from Positive Technologies.
Criminals Are Becoming More Interested in Corporate Network Access
Just a year ago, according to the report, cybercriminals were focused more on trading in access to the servers of private individuals for as little as $20. During the second half of 2019, Interest has since picked up in the sale of access to corporate networks. In Q1 2020, the number of postings advertising access to these networks increased by 69 percent from the previous quarter. Prices have also increased: the average cost of privileged access to a single local network is now in the $5,000 range. Additionally, hackers are offering a commission of up to 30 percent of the potential profit from a hack of a company’s infrastructure.
It’s bad enough that your threat surface has increased due to so many employees working from home, now you have a posse of hackers roaming the dark web looking for bounties to collect. We have a few suggestions to help you keep your ERP data safe even if hackers manage to gain access to your corporate network.
Adopt Attribute-Based Access Controls (ABAC) to Strengthen ERP Data Security
Companies using ERP systems are already leveraging role-based access controls. These controls, which align data access privileges and job function resources, provide a baseline for data governance. With the rapid expansion to a remote workforce earlier this year, organizations needed to create more detailed and more dynamic access controls—policies to determine who, what, where, when, and how workers can access ERP data and what transactions they’re allowed to perform.
With attribute-based access controls (ABAC), a company can incorporate additional context such as geolocation, time of day, and IP address to both ensure the appropriate user is accessing the resources and prevent users from having more access than they need. For example, if the organization knows that an employee should be working from Connecticut, ABAC can prevent access to resources, mask highly sensitive data, or prevent a transaction entirely if the user’s location is suddenly California – or a foreign country.
These granular, data-centric access privileges can help an organization ensure that users–internal or malicious–do not get too much access to important ERP data – limiting the potential negative effects of a network intrusion by hackers.
ABAC Should be Coupled with User Activity Monitoring
Let’s revisit how ABAC helps organizations establish roles and permissions to determine who, what, where, when, and how workers can access ERP data and what transactions they’re allowed to perform. It’s important that you don’t set these controls and “forget” them. You want to make sure what you’ve established is working and to watch for any anomalies that reveal unusual or unwelcome activity.
Most organizations are already performing some kind of monitoring of user access – but it has to extend beyond manual audits of instances of logging in and logging out of applications and what pages were displayed. Understanding data access, usage, and transactions performed is now a key requirement when maintaining visibility over business data and enforcing security policies.
Here are five details we recommend monitoring (more details here):
- Who – Details of the User Accessing the Data
- What – Details of the Data Being Accessed
- Where – Location Where the User is Accessing the Data
- When –Time of Day When User is Accessing Data
- How – Type of Device Accessing Data
Data is only as useful as the insights it provides. Using an analytics platform that includes granular access details, rapid aggregation, and visualization of user access data is a crucial requirement for data security.
You know that hackers are already looking for any and all security lapses on your perimeter to gain access to your corporate network. The “Access for Sale” report serves as an important reminder that hackers are willing to do anything to gain an advantage, and organizations must deploy a variety of ERP data security protocols in addition to the standard role-based access controls.
Appsian has helped hundreds of organizations that leverage legacy ERP applications like PeopleSoft and SAP ECC strengthen their data security posture with ABAC and user-activity monitoring.
Request a demonstration of the Appsian Security Platform today. Learn how Appsian can help you manage the risks of the dark web in little as 30 days!
Remote workforces are nothing new to most organizations. According to Buffer’s 2019 State of Remote Work report, 44% of respondents noted that at least part of their team was “full-time remote,” and 31% said that everyone on the team works remotely. Further, at the time of the report, 30% of respondents said that their entire company worked remotely. However, the COVID-19 pandemic accelerated the work-from-home model. By March 31, 2020, the percent of users working remotely had increased 15 percentage points since the start of the COVID-19 outbreak. With that in mind, organizations are assessing how they can maintain granular levels of control and visibility when ERP data is being accessed remotely.
Adopting Contextual Controls to Protect ERP Data
Most organizations already leverage role-based access controls. These controls, which align data access privileges and job function resources, provide a baseline for data governance. However, they often lead to excessive levels of data access and, in turn, produce additional risks. Contextual controls enable an organization to dynamically control access to data during varying contexts of access, often aligning to least privilege best practices. Migrations to cloud applications are largely due to contextual controls being a business requirement, simply because the interconnected applications required a more dynamic approach.
With the move to a remote workforce, organizations need to create more detailed and more dynamic access controls. With attribute-based access controls (ABAC), a company can incorporate additional context such as geolocation, time of day, and IP address to both ensure the appropriate user is accessing the resources and prevent users from having more access than they need. For example, if the organization knows that an employee should be working from Connecticut, ABAC can prevent access to resources if the user’s location is suddenly California – or a foreign country.
Contextual controls provide both the prevention of access policy violations, along with alignment between business requirements and security protocols. Because the organization can limit access according to the principle of least privilege, it reduces the risk of data leakage and financial fraud. Meanwhile, by creating more granular, data-centric access privileges, an organization can ensure that users do not get too much or not enough access – limiting the potential negative effects of restricting access excessively.
User Activity Monitoring for ERP Data Security and Managing Productivity
Monitoring user access to resources and tracking how users interact with data provides an additional benefit for many organizations as their workforces move towards a remote model. Most organizations recognize the benefit of monitoring user access – but not just instances of logging in and logging out of applications. Understanding data access and usage is now a key requirement when maintaining visibility over business data. Organizations are turning to analytics platforms that both include granular access details, along with a visualization element (for example, SIEM). Data is only as useful as the insights it provides, and rapid aggregation and visualization of user access data is a crucial requirement for data security.
Using “Virtual” Work Hours
Looking at a common security use case, many organizations leverage “virtual” work hours to detect anomalies. For example, an employee usually works between the hours of 8 AM and 6 PM but monitoring and alerting to activity around sensitive data at 3 AM, for instance, can be indicative of unauthorized behavior. This uncharacteristic behavior may be an anomaly, but the organization needs to monitor the user activity more closely. If the user denies accessing the information at 3 AM, then the organization needs to focus its monitoring and have the employee change their password. If the organization detects additional unusual activity, then it may need to review the employee’s activities or investigate a potential data breach.
Monitoring User Productivity
From a workforce management perspective, organizations can leverage these insights to review employee productivity. Two use cases present themselves. First, many organizations have contracts that stipulate late payments incur a late fee. If the organization knows that employees should be processing payments ten days prior to the payment date, then they can leverage these reports to ensure that employees meet their timelines, even from a remote location. Additionally, by tracking resource usage data, organizations can monitor whether workforce members are appropriately prioritizing their workdays. If the employees are only accessing a business application at the end of the month, then they are likely waiting until the last minute to input payment information. Preventing these potential revenue losses or rush projects in other areas by speaking with the employee enables the organization to stay on top of its financials.
Enabling Visibility for Business Applications Has Never Been More Critical
Creating trust within and across distributed workforces ensures productivity. However, continued status update meetings across multiple time zones decrease workforce member efficiency. Organizations already monitor user access to their systems, networks, and applications. As part of a robust security posture, organizations should apply protections at the new perimeter – user identity. Rather than micromanaging employees via emails or chats, managers can gain valuable insight into how users are accessing resources and prioritizing work schedules by reviewing data and resource usage.
In an unprecedented time, companies need to find ways to enable their levels of control and visibility over business data. Whether a business application is on-premise or in the cloud, enhancing these solutions should be a mission-critical objective.
Risks against an organization are prevalent in a remote environment, whether those risks are security-related or employee-related by fraud, theft, and error. The keys to maintaining ERP data security ultimately lie in your ability to provide oversight for your data, and the time to act is now.
This article was originally published on Global Trade.
On April 19, 2020, Oracle announced on its PeopleSoft Support blog that the company is extending support for the ERP application through 2031. As stated on the blog, Oracle remains “committed to a rolling ten years of support for PeopleSoft. We will review and plan to extend support again next year, and the year after that, so that you have a decade of committed support and can plan your enterprise software investments accordingly.”
This news should give PeopleSoft customers a sense of certainty that investing in the long-term success of their PeopleSoft applications is mission-critical. Thanks to COVID-19, organizations may be concerned about their short-term financial stability. Add in the newfound uncertainly of continuing large-scale IT projects in this climate (like a cloud ERP migration) – organizations have now found themselves looking for ways to reap maximum benefits with the lowest degree of overhead and project completion time.
Three “Home Improvement” PeopleSoft Data Security Projects
With large-scale projects on hold, it’s a good time to invest in smaller-scale projects that focus on what is truly mission-critical today (and for the near future) – PeopleSoft data security. You’re already working hard to secure data while users are accessing remotely and while bandaids may be in place right now, organizations must consider strategies that scale long-term.
Here are three smaller “home improvement” projects that strengthen your PeopleSoft data security posture:
Integrate your SAML Identity Provider (IdP) for Single Sign-On (SSO)
When you count the hours spent managing passwords (80% of help desk calls) or tackling SSO projects using customizations and home-grown solutions, you find that removing the complexity of PeopleSoft password management is an ROI positive project. Add in the lost productivity of users not being able to access business transactions (because they’re waiting for their password to be reset), then the ROI increases. The bottom line, a SAML-configured Single Sign-On for PeopleSoft will make everybody happy. A SAML SSO provides the combination of security and productivity that organizations are striving for. And, given the alarming uptick in phishing attacks – user credentials have become an obvious liability.
Strengthen IAM with Adaptive Multi-Factor Authentication (MFA)
When you’re buying new appliances for a remodeling project, you buy a washer and dryer in pairs. Yes, you can wash and dry your clothes using one or the other, but using both is a better option. Same with applying an adaptive multi-factor authentication (MFA) with your SSO as an effective method for verifying identity. Adaptive MFA ensures that contextual attributes (ex. device, network, location) are the determining factor for deploying MFA challenges. The context of access varies in mobile and work-from-home environments, and your level of control should do the same. This is essential if your users are accessing remotely, as managing authentication (especially for high privilege users) can be challenging.
It is also recommended to expand the use of MFA and apply step-up challenges on transactions that may be considered ‘highly sensitive.’
Real-Time Visibility for User Activity Monitoring and Transaction Logging
Just like a rug can tie a room together, real-time visibility via user activity monitoring and transaction logging can be the perfect complement to your PeopleSoft data security fixer upper. There are a lot of sensitive transactions being executed outside of the office these days, and monitoring user activity gives you a better sense of how your data is being accessed and used.
Invest in Today and Plan for Tomorrow
Now is a good time to take Oracle’s lead in their extension of PeopleSoft support – and alleviate a lot of the complexity around PeopleSoft data security, identity, and access management. Securing remote access with SSO and adaptive MFA today provides significant PeopleSoft ROI – along with applying a strong data security framework that can scale with a myriad of workforce and landscape changes.
Best yet, you can complete these projects in only two to four weeks, and we guarantee you won’t be cleaning up any sawdust when you’re done.
Request a demonstration of the Appsian Security Platform today.
With remote workplaces being put to the test, organizations are looking to quickly scale their security practices. Unfortunately, many are learning the hard way. They find themselves at the intersection of using conventional security technology like a virtual private network (VPN) to secure data residing in traditional, on-premise ERP applications like PeopleSoft and SAP ECC. This can be a toxic combination that may leave you feeling secure, but it should be noted that your data remains at risk.
A VPN is Not Data Security
Plain and simple – a VPN is a connection point. While it may shrink your threat surface, there are still many risk factors to consider. For instance: where is a user coming from? What data are they trying to access? What device are they using? Is that device actually being used by the right person? What PeopleSoft data are they trying to extract onto their personal device? And so on, and so one…
Once a VPN authenticates a user, a myriad of risk factors remain. This is where a VPN ends and data security should begin. However, most organizations are simply not prepared to mitigate the risks that come once a user has passed a VPN. Here are a few examples:
Federating High Privilege Users
High privilege users should face the most scrutiny. Ideally, a high privilege user should authenticate through Active Directory or whatever identity provider an organization is using. They should then receive federated privileges to PeopleSoft based on the contextual attributes of their access (ex. are they accessing from a foreign country?) Federating high privilege access is a fundamental way to ensure a user is provided with the appropriate level of privilege. However, a VPN cannot do this. In fact, authenticating to PeopleSoft using a SAML identity provider (like Active Directory) can be challenging unto itself (see this blog for more info.)
If the point of a VPN is securing remote access, then why not consider the contextual attributes that come with said access? After all, the remoteness is what is considered the risk. In this scenario, a VPN is merely acting as a thin authentication layer, on top of PeopleSoft’s typical username and password model. What if a user opts to make their VPN password the same as their PeopleSoft password? This is what hackers anticipate and sadly, they are usually correct.
Malicious Insiders Tend to be High Privilege Users
This is a touchy subject but should be acknowledged. While no one wants to assume the worst in their employees, the fact remains that the more access you have, the more damage you can do. Given the right motivation – bad things can happen. This is the most compelling case for data security because the highest stakes surround high privilege users. A/P, A/R, Finance, Supply Chain, Payroll – all these functions deal with money. Having the ability to lock down and limit access to data and transactions will have a tremendous impact on an organization’s ability to mitigate financial losses from fraud, theft, and espionage. And because of COVID-19, all of these functions are now being executed remotely. The potential for damage is exponentially greater than before.
Ask yourself – should payroll queries be run and exported onto a personal device? Should wires be sent outside of normal business hours? Should a vendor be created when access is coming from a foreign country? I believe the answer you’re looking for is… NOOOOOOO!!!
Integrating dynamic, risk aware controls on sensitive financial transactions (and data fields) mitigates much of this risk. In addition, transaction logging and analytics prove to be extremely beneficial, as many organizations would prefer not to hamstring their employees with restrictions. However, they would prefer to gain better visibility in case an anomaly is detected.
A VPN Can Be Costly, Unscalable, and Leave You in The Lurch
Like any addition to your architecture, downtime can occur. VPN vendors can experience enterprise-wide outages – causing major disruption. In addition, with organizations moving toward a 100% remote access, VPNs can be prone to kicking people off after a period of time. Adjusting to remote work environments is frustrating enough, but if access is limited or hindered, and you don’t have the benefit of a readily available help desk – your users will become agitated. With so many senior leaders focused on business continuity, having additional hoops for your employees to jump through is counter to productivity.
And then there is the cost factor – which will certainly balloon with the increased number of users. We understand that costs will vary, but the ROI of 100% of your employees requiring a VPN to log into PeopleSoft is not positive. And as we established above, if the point of a VPN is increasing data security/maintaining integrity of financial transactions – then the ROI is even further from positive.
How Appsian Provides ERP Data Security for PeopleSoft and SAP Applications
Appsian believes user authentication is important, but it’s only one part of an ERP data security posture. This is why we developed the Appsian Security Platform for PeopleSoft. Enhancing an organizations ability to authenticate users is most effective when its: integrated with your existing identity management strategy and risk aware. This is where Appsian provides far greater value than a VPN. We enable seamless, secure access to PeopleSoft (specifically) via Single Sign-On (integrated with a SAML IdP), along with adaptive Multi-Factor Authentication. These solutions combine to provide a much better user experience and a vastly superior value if protecting PeopleSoft from bad actors is the primary intention of your VPN.
Lastly, visibility is key. With sensitive transactions being executed outside of the office having a better sense of how your data is being accessed and used is critically important. Using transaction logging and real-time analytics, Appsian provides PeopleSoft customers with unparalleled levels of visibility. Thus, allowing you to keep a watchful eye on your data at all times.
When approaching how you can enable secure, remote access – its best to identify what are the key objectives and invest in the technology that best suits those needs. Are you concerned that the data inside your ERP applications could be breached or exfiltrated? Are you concerned that financial transactions could be corrupted? If the answer is yes, then data security – and not solely a VPN are the answer.
At the end of the day, COVID-19 has forced organizations into unprecedented challenges. With an unstable market and unpredictable year(s) ahead, it’s important to focus security efforts on internal data and processes – as these being corrupted will result in losses that can make recovery significantly harder.
I was recently speaking with a customer who expressed a common concern. Because of COVID-19, their entire finance team was forced to work remotely and they were concerned about the risks of executing critical financial transactions. Purchasing, payroll, expenses, everything… all being done from unknown locations and on devices they couldn’t regulate.
From Convenient to Mandatory
It got me thinking, prior to COVID-19 the objectives for enabling remote access to PeopleSoft had mostly been out of a desire for productivity and convenience. For years, Appsian has been working with forward-thinking organizations who identified remote access had significant value. Post COVID-19, organizations are in ‘survival mode’ and have no choice but to open access to their most sensitive financial transactions – and hope for the best. The potential for ‘adding insult to injury’ (ie financial losses) in a remote environment is enormous, and like any rapid pivot, requires a strong strategy to be successful.
You Don’t Know What You Don’t Know
During our conversation, it became clear that their situation posed far more questions than answers. For instance, ‘confidentiality around salary has never been more important’ (I assume they’ve required some employees to take salary reductions) ‘how can I know who viewed salary information, or perhaps downloaded queries?’ ‘how can I be sure unauthorized vendors are not being created?’ ‘how can I be sure payroll is being issued correctly?’ ‘how can I be sure sensitive information isn’t downloaded to someone’s home computer?’ It became clear they were flying blind – and starting to panic.
Traditional ERP Visibility Come Up Short
None of the questions above were able to be answered in this customer’s current environment. It’s common knowledge that traditional ERP logging and analytics focus on troubleshooting errors and scanning for broad system vulnerabilities. They were not designed for understanding user behavior, data access, and usage. If the task is to ensure that data is not being accessed maliciously, exfiltrated, or business processes are not being exploited – ERP visibility comes up short.
This customer initially partnered with Appsian for Single Sign-On and Multi-Factor Authentication – both of which, they were happy to have! However, their attention had turned from intrusion prevention to incident response and risk management. While they had the capability to ensure user authentication was strong, they lacked the ability to understand what activity was taking place. And more importantly, if trends in user behavior were indicative of malicious activity.
How ERP Analytics Prevent ‘Adding Insult to Injury’
This is where ERP Analytics becomes essential. When ERP access is both remote and ubiquitous, the ability to detect and respond to malicious activity is greatly reduced.
Using the Appsian Analytics platform, customers are fully enabled to understand exactly how their ERP data is being accessed – by whom, from where, on what and why. With this information in hand, organizations are fully enabled to detect unauthorized activity and formulate a rapid response before damages become catastrophic.
Analytics Provide Peace-of-Mind
Needless to say, it feels good to provide true value to a customer. It’s not everyday that a customer comes to you, concerned that their business is in trouble (from a market perspective) and they are also concerned additional financial losses will follow (from a business process perspective.) This is where having available data and granular oversight will provide peace-of-mind. During unpredictable times, having as much information at your disposal is critical. This is especially true when sensitive financial processes are taking place outside of your office – essentially your direct control and watchful eye.
The Next Step…
If a lack of visibility is a concern, we’d love to talk. In a brief 30 minute session, we can outline how deep our Analytics can go, common use cases that are pre-configured in the platform, and how they can align to your unique business processes.