Implementing enterprise resource planning (ERP) systems has always been both mission-critical and notoriously difficult. They must align with business processes, but the organization distributes those processes across multiple departments. Legacy ERP systems, often considered a large one-time investment, lack the flexibility necessary to scale with your business. As your organization began its digital transformation journey, cloud-based ERP seemed to be a solution to many of these problems. However, every benefit comes with a cost. Modernizing legacy ERP systems for security and compliance creates new challenges, particularly with distributed workforces.
Why is Modernizing ERP a Mission-Critical Business Goal?
Whether you wanted to modernize your ERP or not, you likely found yourself rapidly adapting to remote access requirements in 2020. In response to COVID-driven stay-at-home orders, companies needed to accelerate their digital transformation strategies. This move included ERP systems.
However, as you look toward a post-pandemic business model, you might be considering maintaining a hybrid workforce. Thus, modernizing your ERP is a mission-critical business goal for several reasons, including:
- Ability to access from anywhere
- Built-in Customer Relationship Management (CRM)
- Lower capital expenditures with subscription models
- Reduced total cost of ownership
According to HubSpot’s 2020 ERP Report, 34% of respondents said they were moving away from legacy systems, and 86% selected SaaS deployment models. However, that same report noted that 27% of respondents remaining on-premises cited security breach risk as their reason.
ERP Security and Privacy Controls are Notoriously Difficult to Implement
When undergoing digital transformation, organizations often struggle trying to secure their ERP systems. Most companies need to take a hybrid approach that connects their legacy on-premise deployment to their new SaaS applications.
Organizations struggle trying to prioritize and mitigate risks for several reasons. However, three fundamental challenges exist:
- Data storage arrangements: Inability to control infrastructure increases data leakage and corporate espionage risks
- Authentication: Continued brute force attacks and credential theft increase data security and privacy risks
- Access controls: Complex identity and access relationships reduce the ability to control who accesses resources
Traditional on-premise ERP deployments used role-based access controls (RBAC) with static permissions lists. However, the inherently static nature means that these alone fail to protect data, particularly in remote or hybrid work environments.
For example, PeopleSoft’s security model assigns roles to user profiles. The user profile defines the data that the person can use. The permissions list is the set of pages the user can access and actions the user can take.
These controls protect data across on-premises deployments where the applications and users sit inside the organization’s network. Since remote access to on-premise ERP is dynamic, these legacy controls increase security and privacy risks when implemented for modernized ERP projects.
5 Strategies for Setting Security and Privacy Controls for a Hybrid ERP Deployment
Companies adopt digital transformation to leverage speed and agility, enabling them to scale operations. At the same time, they still need to maintain their on-premise systems. To protect information, organizations need dynamic and scalable access controls that align with their systems and business goals.
1. Identify Assets and Assess Risk
For effective access controls, the first step is to identify all data that you store, process, and transmit. Second, you need to assess the data’s criticality and risk level. Finally, you need to identify the users who access that information and assess the risk they pose to the organization.
As part of this, you should consider:
- Standard users
- Privileged users
- Users’ payment processing authority level
- Financial information
- Personally identifiable information
- Sensitive corporate information
Once you assess user and data risk, you can create a plan that helps you migrate the information securely. When setting controls, you should limit access according to the principle of least privilege and create fine-grained access privileges.
2. Normalize Data Access Across Integrated Applications
With SaaS applications, organizations no longer need to commit to a single platform. They can pick and choose the applications that best meet their needs, which can mean integrating multiple vendors.
As you build out your application stack, you need to maintain appropriate access controls. This can be difficult when vendors define access rights differently. Many organizations worry that normalizing access data requires an expensive, labor-intensive overhaul of their Identity and Access Management programs.
However, if you focus on visibility instead of connectivity, you can leverage automated tools that help you see into user access. Tracking user access in a single location, despite disparate access definitions, enables you to protect data security and privacy even across different application vendors like SAP and PeopleSoft.
3. Use Context
A primary benefit of hybrid on-premise and cloud ERP systems is the ability for people to work wherever they want. However, that same flexibility drives many of the security and privacy risks companies face.
Adding context to your access permissions is another way to secure data. After setting your role-based controls, you should consider adding context such as time of day, geographic location, and IP address. With these attribute-based access controls (ABAC), you can more granularly define how users interact with data, making it easier to detect anomalies.
4. Enable Step-Up Multi-factor Authentication
ABAC also enables you to use step-up multi-factor authentication (MFA). Step-up authentication is a process where users need to re-authenticate into an ERP application when they attempt a privileged function or transaction. ABAC enables you to trigger step-up MFA when your system detects an abnormal attribute, often one associated with credential theft.
For example, one of your users always logs in from California, USA. If the user tries to access the ERP’s payment module from Ontario, Canada, the system will notice that this is an outlier, an abnormal attribute for this user. The system can require re-authentication, additional proof that the person is who they say they are. If this is a cybercriminal leveraging stolen credentials, then the step-up authentication acts as an additional security and privacy control, preventing unauthorized access.
5. Continuously Monitor Behavior Around Data Access and Usage
Modernizing your ERP security and privacy controls also includes continuously monitoring for anomalous and suspicious activity. Gaining a granular view into data access and use is a way to proactively mitigate risks that can arise in a remote workforce accessing ERP solutions.
Continuously monitoring access can help you gain insight into employee productivity, cybersecurity risks, and insider fraud. Tracking when and how employees use data gives you a way to set baselines for “normal” activity—any deviations from this warrant further investigation.
For example, a user consistently accesses your ERP between 8 am and 5 pm from a location in the United States. If the user suddenly accesses the system at 2 am, the anomalous activity could indicate fraud. Even if you’re using step-up MFA to prevent that activity, you still need to investigate the event. While it may be someone with insomnia, it can also be an employee trying to steal information or money.
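The two scenarios above (the California user reaching the payment module from Ontario, and the 8 am to 5 pm user logging in at 2 am) can be expressed as one policy engine: a static RBAC check followed by an ABAC layer that escalates to step-up MFA and keeps the anomaly on record for investigation even when the challenge succeeds. This is an added illustration, not Appsian's or PeopleSoft's code; the roles, modules, baseline and request values are constructed.

```python
"""Context-aware ERP access decisions: static RBAC gate first, then ABAC
attributes (location, time of day, transaction sensitivity) decide whether the
request is allowed outright, needs step-up MFA, or is denied. All names and
sample data are constructed for this example."""
from dataclasses import dataclass, field

# Static RBAC: role -> set of (module, action) pairs the role may perform (constructed).
ROLE_PERMISSIONS = {
    "payroll_clerk": {("payments", "view"), ("payments", "approve"), ("hr", "view")},
    "hr_analyst": {("hr", "view"), ("hr", "edit")},
}

# Privileged transactions that always require step-up MFA, regardless of context.
PRIVILEGED_TRANSACTIONS = {("payments", "approve"), ("hr", "edit")}


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from past access."""
    countries: set                # countries this user normally logs in from
    work_hours: tuple = (8, 17)   # 8 am to 5 pm local time, half-open interval


@dataclass
class Request:
    user: str
    roles: list
    module: str
    action: str
    country: str
    hour: int                     # hour of day, 0-23
    mfa_verified: bool = False    # True once the user completed step-up MFA


@dataclass
class Decision:
    outcome: str                  # "allow", "step_up" or "deny"
    anomalies: list = field(default_factory=list)  # kept even on "allow" for review


def rbac_allows(roles, module, action):
    """Static check: does any of the user's roles grant this module/action?"""
    return any((module, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def context_anomalies(req, baseline):
    """ABAC layer: compare the request's attributes with the user's baseline."""
    anomalies = []
    if req.country not in baseline.countries:
        anomalies.append(f"location {req.country} outside baseline {sorted(baseline.countries)}")
    start, end = baseline.work_hours
    if not start <= req.hour < end:
        anomalies.append(f"access at {req.hour:02d}:00 outside {start:02d}:00-{end:02d}:00")
    return anomalies


def evaluate(req, baseline):
    """RBAC denies outright; ABAC escalates to step-up MFA on privileged
    transactions or on any anomalous attribute. Anomalies are reported even when
    the request is allowed, because a passed MFA challenge still warrants review."""
    if not rbac_allows(req.roles, req.module, req.action):
        return Decision("deny", [f"no role grants {req.module}/{req.action}"])
    anomalies = context_anomalies(req, baseline)
    privileged = (req.module, req.action) in PRIVILEGED_TRANSACTIONS
    if (privileged or anomalies) and not req.mfa_verified:
        return Decision("step_up", anomalies)
    return Decision("allow", anomalies)


def audit_record(req, decision):
    """Flat log entry a monitoring pipeline can baseline and alert on."""
    return {
        "user": req.user, "module": req.module, "action": req.action,
        "country": req.country, "hour": req.hour,
        "outcome": decision.outcome, "needs_review": bool(decision.anomalies),
    }


if __name__ == "__main__":
    baseline = Baseline(countries={"United States"})
    req = Request("jdoe", ["payroll_clerk"], "payments", "view", "Canada", 10)
    print(evaluate(req, baseline))   # step_up, with a location anomaly recorded
```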
Appsian Enables ERP Security and Compliance for Your Digital Transformation
Modernizing your legacy ERP application doesn’t mean you have to “sacrifice” the same granular levels of control and visibility as a cloud application to enforce data security, privacy, or compliance policies. Taking a proactive approach to ERP security and data privacy during your company’s digital transformation can mitigate risks before they turn into realities.
Appsian has been enhancing on-premise ERP environments for more than ten years, and we’d love the opportunity to learn more about your digital transformation project so we can help you manage your ERP data security and compliance needs. Contact us today.
With 2020 nearly three months behind us and the rollout of COVID-19 vaccines picking up speed, organizations are looking hopefully to 2021 and beyond. Optimism aside, a hard truth about 2021 is that remote work and ERP access are here to stay. Organizations must put a mission-critical emphasis on ERP data privacy, security, and access governance policies. Here are some key strategies to consider as you strive to improve your ERP data privacy and compliance in 2021 and beyond.
ERP Data Privacy Starts with Knowing Your Data
The obvious first step to any kind of ERP data privacy is knowing exactly what data you have. Think of it this way: you can’t protect what you don’t know. This data inventory, if you will, should align with the basic data privacy guidelines set out by regulations like GDPR, CCPA, SOX, and a growing number of others. Companies should have an understanding of what sort of personal data is collected, how that data is accessed, where and how it is stored, what it is used for, whether it is shared with another organization or group, and how long it is kept before being disposed of.
Apply Dynamic Access Governance Policies for ERP Data Access
Now that you’ve identified and categorized your data, it’s time to establish who has access to it, when they can access it, from where, on what device, and how often. The problem is that legacy ERP applications like SAP (ECC and S/4HANA), Oracle PeopleSoft, and Oracle EBS use static role-based access controls (RBAC) to govern access. These roles have reached their limitations in a dynamic workplace because static roles do not leverage contextual attributes.
To create a more dynamic and robust cybersecurity and data privacy program, you can enable dynamic access controls (often called ABAC) to support your RBAC controls by incorporating additional contexts, such as geolocation, time of day, and transaction type. Combining ABAC and RBAC, you can establish rules that grant access to ERP applications and transactions only if the person meets certain contextual criteria. When defining risk through the lens of the context of a user’s access, dynamically enforcing governance is a crucial data privacy objective and investment.
Leverage Dynamic Controls to Enforce Policies
Once dynamic governance policies are in place, organizations can enforce those policies by leveraging dynamic technology. Specifically, here’s how Appsian can help you gain control and visibility of data access and usage without sacrificing productivity.
Avoid Unnecessary Data Exposure with Dynamic Data Masking
An essential requirement of data privacy is ensuring that users accessing ERP applications, either in an authorized or unauthorized manner, do not have needless access to valuable data through various pages, reports, or queries. Appsian can reduce the exposure of sensitive data with dynamic data masking for sensitive fields. You can also leverage click-to-view functionality to protect against unnecessary exposure while logging intentional access to sensitive information.
Add Stepped-Up Multi-Factor Authentication at the Transaction Level
Adding multi-factor authentication at the transaction level, as well as at the perimeter, ensures that users are not only authorized to access and view the data but also able to perform the actual transaction based on their current context of access. This should be applied to highly sensitive transactions like editing a direct deposit account number, accessing compensation data, or running a report containing employee PII.
Strengthen Data Loss Prevention
Data exfiltration, whether malicious or accidental, typically originates from employees’ legitimate access to ERP applications and can be hard to prevent or detect with existing security capabilities. Using context-aware data loss prevention policies, Appsian can prevent users from executing transactions that download ERP data in high-risk scenarios, such as after business hours or from untrusted locations, networks, or devices.
Enhance Visibility into ERP Data Access and Usage
Compliance mandates such as GDPR, CCPA, SOX, and others require organizations to maintain data access and usage details. Unfortunately, user behavior can be a mystery when relying on native ERP logging features to understand the “what, who, where, why, and how” around data access and usage. It’s a manual, time-consuming task. But not anymore.
Appsian360 provides granular, real-time visibility into user activity logging and analytics, delivering actionable insights to automate compliance audits. It allows organizations to continuously monitor data access and usage and proactively alerts security teams to anomalous activity, allowing them to quickly respond with full forensic information.
See for Yourself How Appsian Can Help Improve Your ERP Data Privacy & Compliance
Appsian can help companies ensure that their ERP data privacy, security, and access governance policies are aligned with today’s regulations and scalable to comply with future mandates. Contact us for a demonstration today.
While nearly everyone was focusing on the results of the 2020 Presidential race, California voters passed Proposition 24, the California Privacy Rights Act (CPRA). You might be wondering if this is a new privacy law that will replace the 2018 California Consumer Privacy Act (CCPA), which went into effect earlier this year. The CPRA provides additional context to the CCPA and attempts to close some of the loopholes and ambiguity found in the original. The CPRA gives additional rights to consumers and places additional obligations on businesses.
While some of the CPRA changes will take effect immediately, most will not become enforceable until July 1, 2023, and apply only to personal information collected after January 1, 2022. Like the run-up to the launch of CCPA, companies will have time to prepare for the new requirements.
A Quick Summary of the California Privacy Rights Act
In scope, the CPRA retains the same basic structure as the CCPA. It includes establishing a dedicated enforcement agency for consumers, tripling fines against companies that violate kids’ data privacy, and making it harder to weaken privacy laws in the future.
A couple of the more notable additions in the CPRA are that the law expands the right to opt-out of sharing of information and establishes new rights to limit how businesses use “sensitive personal information,” a new term defined broadly to include, among other things: information about health conditions, genetic data, race and ethnicity, sexual orientation, precise geolocation, and more.
ERP applications already store an abundance of personally identifiable information, such as Social Security numbers, driver’s licenses, or passport numbers. This new data classification adds to the effort of identifying and classifying information necessary to remain in compliance.
The CPRA Signals Organizations Must Get Serious About Enhancing Data Access and Usage Visibility – Especially for Legacy ERP Applications
The CCPA and CPRA require organizations to implement appropriate security measures around personal data privacy and satisfy consumer requests to opt-out of “sharing” and “selling” of their information. That means businesses must know what personal data they collect and how that data is accessed and used. However, companies using PeopleSoft, SAP ECC, S/4HANA, and Oracle E-Business Suite are likely facing significant compliance challenges due to inherent limitations that plague legacy ERP systems. Traditional ERP application logs do not produce the required level of granularity into how data is accessed.
How Appsian360 Enables CCPA/CPRA Compliance
Successful organizations will invest in technologies that monitor user behavior around data access and usage. This is where Appsian360 becomes an essential tool for compliance, as it expands native ERP logging capabilities to capture contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information that is paramount for compliance reporting.
More Data Privacy Acts Likely on the Horizon
With the CPRA, Californians will likely have the most robust online privacy rights in the world. And it probably won’t be the last. The original passage of the CCPA incentivized other states to draft their own privacy bills. There’s been activity at the federal level as well. So, while the pandemic rightfully slowed down state and federal activity, there’s a good chance we’ll see additional privacy bills in 2021.
There’s no better time than the present to press forward with your compliance efforts, whether it’s for CCPA, GDPR, or now CPRA. Contact us to learn how Appsian can fast track your CCPA and CPRA compliance efforts by enhancing your visibility into data access and usage.
Every organization using SAP ERP applications faces the unique challenge of maintaining a strong security posture while enabling productive business processes. Throw in the uncertainty of today’s rapidly changing environment, and you can bet that IT professionals and business stakeholders are facing misalignment between IT controls and business rules and objectives.
To discover how organizations are evolving their security and risk management practices, Appsian commissioned a survey of nearly 200 senior stakeholders using SAP applications through an independent market research firm. We compiled the results of our survey into the SAP Security Report: Executive Perspective on SAP Business Risk Management.
We found that this rapid state of change in today’s environment has brought about a new normal for acceptable risk in SAP – but not by choice. While some organizations are adopting new processes and technology to address risk, legacy strategies are holding back many in their path towards efficiently managing ERP data risks.
We also uncovered four key takeaways from the respondents:
1. Business Process Risks Are Slipping Through the Cracks
Executive confidence is wavering in an organization’s ability to detect business risks from fraud, theft, and human error. While concern is generally high, a lack of consistent visibility into these business processes highlights a gap that many have yet to address.
2. IT Leaders Are Concerned About Excessive User Privileges
Excessive user privileges continue to be a top concern of leadership – and for good reason. Users have the keys to your kingdom, and with this, pose a heightened risk if their accounts are compromised or if they engage in malicious activity.
3. Misalignment is Hurting Confidence in SAP Security
Tight alignment between SAP security controls and business goals and objectives is paramount to secure, compliant, and efficient business processes. However, many respondents signal that the two are not aligned effectively.
4. Limited Visibility & Complex Controls Are Hindering Progress
Organizations are facing the limitations of their existing technology and processes. Solving this will require a new approach to overcome complexities in controls and limited visibility into their business-critical applications.
Want to gain a better understanding of how organizations are evolving their ERP security and risk management practices? Curious about the kinds of risks organizations are most concerned about, and how they view and prioritize user and system visibility, access control, oversight, and accountability?
Download your free copy of the SAP Security Report today and take a deeper dive into these findings.
Time is almost up for companies scrambling to get their data privacy strategies in compliance with the California Consumer Privacy Act (CCPA). Beginning as early as July 1, 2020, the California Attorney General’s office can start enforcing the CCPA and handing out penalties of up to $2,500 per violation or up to $7,500 per intentional violation.
So when, exactly, will the CCPA become enforceable? On June 1, 2020, the California AG took the final step before the regulations become enforceable by submitting the final text of the CCPA Regulations to the California Office of Administrative Law (the “OAL”). The OAL has 30 working days, plus an additional 60 calendar days related to the COVID-19 pandemic, to review the submission and approve it to become an enforceable law. Doing the math, the California AG can begin enforcing violations as early as July 1 or as late as September 1, 2020.
Strategies for Improving ERP CCPA Compliance
Companies using PeopleSoft, SAP ECC, S/4HANA and Oracle EBS are likely facing additional compliance challenges due to inherent limitations built into these legacy ERP systems. Let’s look at a couple of tactics for enhancing your ERP systems to improve compliance with CCPA and establishing the capabilities to prepare for the uncertainty around data privacy.
1: Enhance Visibility into User Activity
The CCPA requires organizations to implement appropriate security measures around personal data and satisfy data subject access requests (DSARs). That means businesses must know what personal data they store and the user activity going on around it. However, traditional ERP systems do not provide the required level of granularity.
To achieve detailed visibility around data usage, organizations need to expand their native logging capabilities by adopting a strategy that focuses on data access and usage. That means organizations must capture contextual details like date of access, UserID, IP address, device, location of access, actions performed, etc.
This is information that is critical for compliance reporting and understanding how data is being used within your organization.
2: High Privilege Access Should be the Highest Priority for Strengthening DLP
When it comes to ERP systems, the static rules that govern access can be limiting because roles and privileges are user-centric, not data-centric. User-centric roles say a person (or group, in most cases) can view something under any circumstances, while data-centric means the nature of the data defines the access. This gets organizations in trouble time and time again from a DLP perspective because high privilege users always have the ability to see more data than they actually need to do their job. This makes non-compliance with CCPA almost inevitable. Overexposure of data is your biggest enemy, and governing access by static rules (aka ‘all or nothing access rules’) creates an enormous liability.
Implementing data-centric policies (typically through attribute-based access controls) ensures that a user can only access data deemed necessary and job-related. This is because the data itself is governing access – not a user role. For example, access to certain high-risk transactions can be restricted based on a user’s location – or access can be granted, but with masked data fields. With every variation of context, attribute-based access controls can pivot and adjust accordingly. By reducing the threat surface, companies can reduce the risk of data leakage and mitigate compromised access damages.
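The “granted, but with masked data fields” outcome described above, together with the click-to-view logging mentioned earlier on this page, as an added illustration that is not Appsian’s own code: each sensitive field carries the context attributes required to see it in the clear, so the data rather than the user’s role decides what is shown, and a deliberate reveal always produces an audit entry. The trusted networks, field policy and sample record are constructed.

```python
"""Data-centric field masking for an ERP record: the sensitivity of each field,
not the user's role, decides whether it is shown in the clear for the current
context. Click-to-view reveals a masked field but returns an audit entry. The
policy, networks and sample record are constructed for this example."""
import ipaddress

# Trusted corporate networks (constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Data-centric policy: field -> (attributes required to see it unmasked,
# number of trailing characters kept when masked). Unlisted fields are never masked.
FIELD_POLICY = {
    "ssn": ({"trusted_network", "business_hours"}, 4),
    "bank_account": ({"trusted_network", "business_hours", "managed_device"}, 4),
    "salary": ({"business_hours"}, 0),
}

# Constructed sample record.
SAMPLE_EMPLOYEE = {"employee_id": "E-1001", "name": "A. Example",
                   "ssn": "123456789", "bank_account": "000987654321",
                   "salary": "95000"}


def context_attributes(source_ip, hour, managed_device):
    """Derive ABAC attributes from the raw request context."""
    attrs = set()
    addr = ipaddress.ip_address(source_ip)
    if any(addr in net for net in TRUSTED_NETWORKS):
        attrs.add("trusted_network")
    if 8 <= hour < 17:
        attrs.add("business_hours")
    if managed_device:
        attrs.add("managed_device")
    return attrs


def mask(value, keep):
    """Mask a value, keeping only the trailing characters policy allows."""
    s = str(value)
    if keep <= 0 or len(s) <= keep:
        return "*" * len(s)
    return "*" * (len(s) - keep) + s[-keep:]


def view_record(record, attrs):
    """Return a copy of the record with every field the context may not see
    masked, plus the list of fields that were masked."""
    shown, masked = {}, []
    for name, value in record.items():
        policy = FIELD_POLICY.get(name)
        if policy is None or policy[0] <= attrs:
            shown[name] = value
        else:
            shown[name] = mask(value, policy[1])
            masked.append(name)
    return shown, masked


def reveal_field(record, field_name, user, attrs, justification):
    """Click-to-view: deliberate access to one masked field, always audited.
    Returns the clear value and the audit entry (the caller persists the entry)."""
    if field_name not in FIELD_POLICY:
        raise ValueError(f"{field_name} is not a masked field")
    entry = {
        "user": user, "field": field_name, "record_id": record.get("employee_id"),
        "missing_attributes": sorted(FIELD_POLICY[field_name][0] - attrs),
        "justification": justification,
    }
    return record[field_name], entry


if __name__ == "__main__":
    # Off-network access during business hours: identifiers masked, salary shown.
    attrs = context_attributes("203.0.113.5", 10, managed_device=False)
    print(view_record(SAMPLE_EMPLOYEE, attrs))
```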
3: Use Real-Time Analytics and Data Visualization (SIEM) to Expedite Incident Response Time
Integrated and real-time analytics displayed on dashboards were always a “nice-to-have” feature for security teams; however, keeping CCPA deadlines of breach identification and reporting in mind, data visualization has become a must-have feature. These advanced dashboards equip security professionals with real-time snapshots of data usage. The drill-down capabilities allow for enhanced data discovery and exploration to expedite breach detection and response, helping organizations stay compliant with CCPA and other existing and upcoming regulations.
Ready or Not, CCPA Enforcement Has Arrived
If you’re not wrapping up your CCPA compliance efforts by now, there’s no better time than the present to start (or continue down that road). Appsian can help you fast track your compliance efforts by enhancing your visibility and applying a data-centric ERP compliance framework.
The last thing any company wants is to discover that they’re out of CCPA compliance only when there’s a breach of the regulation.
Contact us to learn how Appsian can help you address your end-to-end security and compliance needs.
Data privacy regulations are rapidly reshaping the way companies monitor, manage, and even define the data they collect and store. Prior to new privacy regulations put in place by the European Union and the state of California, the data lifecycle focused solely on collection and dissemination. This meant that the enterprise would collect as much information as possible then store it in a way that maximized accessibility, particularly with the rise of mobile. Cybersecurity, when it was discussed, focused on establishing defensive perimeters to mitigate external threats.
However, since GDPR was implemented in 2018 and reinforced by CCPA in 2019, companies have been required to reconsider how that information lives in their organization and identify who has access to it in order to meet basic compliance standards. Security teams that can adapt to the new requirements are critical to tackling the ballooning costs in compliance, particularly as other states and countries look to pass their own privacy regulations.
The CCPA and GDPR have elevated customer data security to become a key priority across multiple departments. Since both laws are in the early stages of implementation and interpretation by enforcement agencies, legal departments have become an essential ally in compliance. In the case of the GDPR, the right to be forgotten has been contested by search giant Google in several high-profile court cases, adding greater nuance and detail to how the law impacts data management. Human resources is also a valuable partner in compliance management as they are best positioned to engage employees on new security protocols and assist in the successful deployment of new technology to ensure that workflow is not disrupted.
Legacy infrastructure increases compliance costs
The CCPA alone is expected to cost enterprises $55 billion in initial compliance costs, with additional costs expected in maintenance fees. IBM’s 2019 Cost of a Data Breach Report states that the average total cost of a data breach increased to $3.92 million in 2019, while in the United States the average cost per breach rose to $8.9 million. Much of that cost is driven by the recovery process, which involves understanding how the system was breached, what information was affected, and bringing systems back online. For many organizations, understanding the scope of damage is difficult because current security systems aren’t designed for data visibility or access management, both of which enable security teams to track who has accessed what data and when.
Data visibility is a particularly acute challenge in ERP systems because they contain highly sensitive business data, such as financial information, intellectual property or insurance details. Since ERP systems hold so much valuable data, they’re often the last piece of the digital infrastructure to be updated. This results in security gaps when patches are missed, or new security features are added to a legacy system. The “black box” of ERP systems can cause delays in damage assessments, resulting in the risk of hefty fines as the GDPR requires affected customers to be notified within 30 days of when information is compromised.
Organizations lack tools to comply with “right to know”
Compliance costs have largely been driven by the wave of “right to know” and “right to be forgotten” requests from their users. The right to know establishes the right of the consumer to know exactly what data a company has collected on them, and to download that data. For the enterprise, this requires being able to identify, organize and share all information pertaining to every single user, breaking the black box paradigm that existed before GDPR. Recent research shows that each request is estimated to cost approximately $1,400, quickly adding to compliance costs.
The right to be forgotten allows consumers to request that any data related to them be deleted from an organization’s database. Though the rule is less broadly applicable than the right to know, organizations should be careful of potential violations in their third-party partners or even of careless practices by employees.
For GDPR and CCPA compliance, outdated and disparate infrastructure also adds major challenges, especially when adhering to the response time limits set out by GDPR. The law requires that organizations respond to right to know requests within 30 days. Yet a global survey of 103 companies worldwide across various industries found that 58% of respondents were unable to meet data access and portability requests within the one-month time limit. One of the main barriers to timely right to know requests was the lack of consolidated, transparent data structures that made finding all relevant information on each individual a costly and long process.
When organizations don’t understand where collected data is or who can access it, compiling a right to know report is next to impossible. Without any means of tracking access within their internal databases, most enterprises have no idea if the personal information of any user has been accessed, copied or stored in multiple places, forcing compliance teams to track down each piece individually and risking fines when request response takes longer than 30 days. Not only does this heighten the likelihood of compliance violations, but also contributes to the rise of insider security threats, particularly in highly sensitive fields like healthcare and finance.
As a result, security and compliance teams have begun joining forces to better understand the lifecycle of business data in the enterprise and how it can be effectively secured.
Regulations align with industry trends
In many ways, the new regulatory pressures brought by the CCPA and GDPR align with emerging trends in cybersecurity. Insider threats are one of the fastest growing trends in data breaches, accounting for 34% of attacks in 2019. Security features that enable granular, real-time tracking of user behavior ensure that access management can be done accurately while also adhering to the privacy standards set forth by the GDPR and CCPA. As a result, organizations improve both security and compliance because they are better prepared to respond to insider threats, minimize the direct damage caused by a breach, and avoid the penalties incurred by compromising customer data. With greater means to identify and differentiate users, security teams are also able to tighten access controls and better understand who has modified data and when.
The GDPR and CCPA have had a significant impact on the public expectation for privacy and security. While security measures like multi-factor authentication (MFA) and complex passwords have existed for years, consumers and developers frequently opposed requiring them due to concerns over adding too much friction to the user experience. With cybersecurity concerns entering the mainstream, many consumers are actively seeking out additional ways to protect and manage their personal data. For the enterprise, this has increased employees’ receptiveness to new security features such as MFA on internal systems. Particularly with complex ERP systems, system administrators can use the heightened expectations for security created by the GDPR and CCPA to reduce the costs of compliance.
Advanced security tools can address challenges experienced across all departments by supporting secure migrations, enabling better data visibility in new systems, and reducing the long-term costs of compliance. As the security discussion shifts from if to when a hack takes place, it is essential to have a holistic program in place that defines what actions will be taken when data is compromised. By hiding its head in the sand, the unprepared enterprise not only risks more damaging attacks but also larger fines. The right security tools can lay the foundation for a program that effectively fulfills the multidisciplinary role of security and engages all necessary experts to protect data and minimize compliance costs.
This article was originally published by CPO Magazine.