With 2020 nearly three months behind us and the rollout of COVID-19 vaccines picking up speed, organizations are looking hopefully to 2021 and beyond. Optimism aside, a hard truth about 2021 is that remote work and ERP access are here to stay. Organizations must put a mission-critical emphasis on ERP data privacy, security, and access governance policies. Here are some key strategies to consider as you strive to improve your ERP data privacy and compliance in 2021 and beyond.
ERP Data Privacy Starts with Knowing Your Data
The obvious first step to any kind of ERP data privacy is knowing exactly what data you have. Think of it this way: you can’t protect what you don’t know. This data inventory, if you will, should align with the basic data privacy guidelines set out by regulations like GDPR, CCPA, SOX, and a growing number of others. Companies should have an understanding of what sort of personal data is collected, how that data is accessed, where and how it is stored, what is it used for, if it is shared with another organization or group, and how long is it kept before being disposed of.
Apply Dynamic Access Governance Policies for ERP Data Access
Now that you’ve identified and categorized your data, it’s time to establish who has access to it, when they can access it, from where, on what device, and how often. The problem is that legacy ERP applications like SAP (ECC and S/4HANA), Oracle PeopleSoft, and Oracle EBS use static role-based access controls (RBAC) to govern access. These roles have reached their limitations in a dynamic workplace because static roles do not leverage contextual attributes.
To create a more dynamic and robust cybersecurity and data privacy program, you can enable dynamic access controls (often called ABAC) to support your RBAC controls by incorporating additional contexts, such as geolocation, time of day, and transaction type. Combining ABAC and RBAC, you can establish rules that grant access to ERP applications and transactions only if the person meets certain contextual criteria. When defining risk through the lens of the context of a user’s access, dynamically enforcing governance is a crucial data privacy objective and investment.
Leverage Dynamic Controls to Enforce Policies
Once dynamic governance policies are in place, organizations can enforce those policies by leveraging dynamic technology. Specifically, here’s how Appsian can help you gain control and visibility of data access and usage without sacrificing productivity.
Avoid Unnecessary Data Exposure with Dynamic Data Masking
An essential requirement of data privacy is ensuring that users accessing ERP applications, either in an authorized or unauthorized manner, do not have needless access to valuable data through various pages, reports, or queries. Appsian can reduce the exposure of sensitive data with dynamic data masking for sensitive fields. You can also leverage click-to-view functionality to protect against unnecessary exposure while logging intentional access to sensitive information.
Add Stepped-Up Multi-Factor Authentication at the Transaction Level
Adding multi-factor authentication at the transaction level, as well as at the perimeter, ensures that users are not only authorized to access and view the data but perform the actual transaction based on their current context of access. This should be applied to highly sensitive transactions like editing a direct deposit account number, accessing compensation data, or running a report containing employee PII.
Strengthen Data Loss Prevention
Data exfiltration, whether malicious or accidental, typically originates from employees’ legitimate access to ERP applications and can be hard to prevent or detect with existing security capabilities. Using context-aware data loss prevention policies, Appsian can prevent users from executing transactions that download ERP data in high-risk scenarios, such as: after business hours, from untrusted locations, networks, or devices.
Enhance Visibility into ERP Data Access and Usage
Compliance mandates such as GDPR, CCPA, SOX, and others require organizations to maintain data access and usage details. Unfortunately, user behavior can be a mystery when relying on native ERP logging features to understand the “what, who, where, why, and how” around data access and usage. It’s a manual, time-consuming task. But not anymore.
Appsian360 provides granular, real-time visibility into user activity logging and analytics, delivering actionable insights to automate compliance audits. It allows organizations to continuously monitor data access and usage and proactively alerts security teams to anomalous activity, allowing them to quickly respond with full forensic information.
See for Yourself How Appsian Can Help Improve Your ERP Data Privacy & Compliance
Appsian can help companies ensure that their ERP data privacy, security, and access governance policies are aligned with today’s regulations and scalable to comply with future mandates. Contact us for a demonstration today.
2020 brought about a reckoning for organizations that were slow to adopt strong data privacy and data loss prevention strategies. As users went remote, the networks and devices used to access SAP financial data became a liability – and organizations were sent scrambling for solutions to their newfound dynamic access demands.
Out-of-the-Box SAP Data Protection is Not Enough
In order to prevent data exfiltration and general over-exposure of enterprise data, the use of SAP data masking has grown in popularity. Unfortunately, customers have no out-of-the-box solutions for SAP data masking. In fact, the entire SAP security model hinges on static, role-based controls that offer little to actually protect the data inside the transactions that the access controls are designed to govern. In many cases, a user who has access to a transaction has access to a wide range of data within that transaction that simply isn’t necessary – providing opportunities for misuse.
To make matters more complicated, if an organization were to undergo a large-scale SAP data masking project, the sheer amount of custom development would prove to be a significant hurdle and nearly impossible to scale effectively.
Appsian Offers a Centralized, Scalable Alternative
To offer SAP ERP customers a scalable data masking solution, the Appsian Security Platform (ASP) features dynamic data masking capabilities that enable fine-grained control over which sensitive data fields customers can mask for any specified user and in the context of any situation. By implementing a full or partial mask to a data record, ASP minimizes the risk of a data breach and fulfills encryption and anonymization mandates imposed or implied by regulatory bodies.
Unlike most off-the-shelf masking solutions, Appsian uses a single ruleset to define and mask data across the entire application:
- Centralize SAP data masking enforcement with a single ruleset
- Deploy dynamic policies that account for risk contexts such as location, IP address, time, data sensitivity, and more
- Protect sensitive data in production and non-production environments
- Implement masking without requiring additional customizations to SAP
- Filter out sensitive data at the presentation layer, resulting in no additional maintenance requirements for updates
Why Appsian is the Essential Dynamic SAP Data Masking Solution
Simply put, when you are trying to protect data without overly-restricting access, then there is no alternative to leveraging a dynamic SAP data masking solution. Because the context of access plays such a critical role in defining risk, being able to apply full or partial masks based on context is the only real way to balance data protection and productivity.
In addition, Appsian uses a “one to many” approach for creating policy-based data masking rules. This enables customers to quickly scale SAP data masking without extensive development effort at implementation or reconfiguration efforts for policy updates.
Example Use Cases for Dynamic SAP Data Masking
- Mask PII of Customers in SAP CRM Based on their residency
GDPR Compliance – Ex: Mask PII Data if Customers’ Address is in the EU
- Mask & Lock Bank Account Fields After Hours
Fraud & Theft – Ex: Insider Changing Data at Night Before Pay-Run
- Obscure Data Fields in Transactions that are Unnecessary for a Role
Data Minimization – Ex: Customer Support Seeing Financial Spend, Pricing Info
- Prevent Remote Access of Unpublished Financial Information
Risk Mitigation – Ex: Mask Data when Access Occurs After Hours or Remote
Get a Demo of Appsian’s Dynamic SAP Data Masking and See for Yourself!
As business processes become more complicated, your ability to protect data must evolve as well. Fortunately, Appsian offers the fastest, most cost-effective approach for SAP data masking. Contact us today and get a demo! And find out how you can be applying dynamic data masking rules within only 4-6 weeks!
A GreyHeller customer – one of the largest financial services firms in the US – licensed and implemented our ERP Firewall layered security platform specifically to put in place detailed logging and analysis to prevent the same type of breach suffered by Anthem Healthcare in 2015. Anthem settled that breach for $115 million.
On July 31, 2017 it was reported that Anthem suffered another breach. This breach involved a malicious insider – one of the hardest situations to track down.
If you as a PeopleSoft customer are concerned about your PeopleSoft sensitive data being exfiltrated, our ERP Firewall software solution can help.
• Multi-Factor Authentication to prevent a phished employee’s credentials being used to use Query to download sensitive data
• Data Masking to redact sensitive data
You can prevent cyber criminals from stealing your PeopleSoft sensitive data.
How does it work and how easy is ERP Firewall to implement?
ERP Firewall plugs into your PeopleSoft webserver and is delivered with a pre-configured set of the most commonly used rules (based on implementing ERP Firewall for nearly 100 customers). Our highly automated install process takes a couple of hours after which you will be invoking MFA, masking data and logging transactions at a highly granular level. Many of our customers actually go-live within 30-days of installation.
A layered approach is critical to protect your PeopleSoft system against multiple threat vectors. Deploying a series of security barriers requires the bad guys to defeat all of them to breach the PeopleSoft system. A layered approached significantly reduces an organization’s daily risk, and their possible breach costs.
At minimum, a layered approach to protecting PeopleSoft should include:
- Multi-factor authentication
- Data Masking
- Location Based Security
The first tier of any secure system is the userid and password. When a user successfully passes a challenge on his/her credentials, the system provides access to functionality based on his/her identity.
Although adopting best practices in password management is critical, it is not sufficient to prevent breaches.
- Social engineering in the form of spear-phishing and phishing campaigns can be utilized to gain access to your credentials.
- Encryption keys that protect credentials can be cracked, allowing access to password databases or generation of authentication tokens.
- Key loggers and other techniques can be utilized to capture traffic from the browser to the server
In today’s environment, trusting a simple userid and password will not keep your systems safe by themselves. Other security layers must be implemented.
Multi-factor authentication (sometimes called Two-factor authentication) is a secondary challenge that users must pass to confirm their identity. In most circumstances, the additional factor is something that the end-user must have in his/her possession so that compromised data such as a password or security question is insufficient to gain access to sensitive data and functions.
Although Multi-factor solutions are not impervious to attack (such as the process for provisioning the end-user), requiring a match of the identity of the userid/password and the second factor dramatically reduces the risk that a users’ session is compromised.
PeopleSoft contains extremely sensitive data and processes: social security numbers, bank accounts, addresses as well as confidential corporate data. Masking sensitive data by default provides an additional layer of security, protecting organizations from data loss (or data leakage).
When cybercriminals gain access to an account, their top priority is accessing private sensitive data and bank account information. Data masking puts additional control over how this information is disclosed or maintained. When utilized in combination with multi-factor authentication, an organization can still provide access to that data when needed by an end-user in a secure manner.
Location Based Security / Least Privileged Access
External threats, by definition, originate from outside the organization’s network. Many attack vectors like spear phishing or PS_TOKEN leverage Internet access to gain access to compromised systems. However, as organizations provide remote access to their PeopleSoft systems for applicants, integration with cloud products, working at home, and supplier self service, Internet access is increasingly required.
Should high privileged users really have the same access in untrusted locations as sitting in their office chair? Of course not! Restricting certain functions based on location requires the access to occur from a known location in combination with all other protections.
All the security layers or measures mean very little without knowing what actions users perform within your system. Incident response requires knowing who did what, when they did it and from where, and what data did they access. Malicious insiders, accidental errors and outside hacktivists require detailed logging of system access. Logging must be designed into the security solution from the beginning; there are no recreating events without this valuable data trail.
Layering security approaches provides essential protection from the attacks of today and tomorrow. A Layered approach including all of the steps above greatly increases your chances of thwarting cybercriminals. For your most sensitive processes, a cybercriminal would have to defeat all layers. For example:
- He/she would need to gain the end-user’s userid and password
- He/she would need to gain physical possession of the end-user’s multi-factor token
- He/she would need to unmask sensitive data
- He/she would need to connect from a trusted location
Finally, the cybercriminal would not be able to prevent logging from occurring, which means that they would have a limited window in which to exploit the breach as an organization’s incident response processes kick in.
There is no magic “silver bullet” when it comes to cybersecurity, only well thought-out and implemented pro-active plans will set your organization up for success. Layered security measures are instrumental to your organizations future.
While some organizations believe hacks come from only external sources, these companies may be missing an even larger threat: internal, privileged users. According to the study, titled Ponemon Institute’s Survey on Data Security Breaches, sixty-nine percent of companies reporting serious data leaks responded that their data security breaches were the result of either malicious employee activities or non-malicious employee error. While some attacks can be unintentional, to protect your organization from internal aggravators, there are a couple of steps your business can take.
Start by defining the policy
High-privileged users by definition have access to the most sensitive information within the organization. Their access is coveted by both external hackers and malicious internal users. Safeguarding your company requires an in-depth look at current security policies and how they could be improved. There should be guidelines put in place detailing what access each member receives, as well as strict account management practices. This can include requiring privileged users to change their passwords biweekly or bimonthly to ensure important data is always secured or implementing a least privilege arrangement. This practice gives users the bare minimum for their positions’ needs when it comes to access.
In addition, your company could eradicate “all powerful” accounts that allow entitled users access to almost all information in a business’s system. Instead, delegate access to particular data to different people, using a specific identification password or username that can be tied to that person. Certain actions within the system would then be accessible by only people who have been granted that permission. Multifactor authentication would limit and verify which privileged users are able to complete specific behaviors within the system.
Multifactor authentication can prevent malicious insiders from hacking into secure data.
Add extra security measures
Users with great power, also comes great responsibility. Our security survey results show greater than 80% of respondents expect high-privileged users to utilize increased security measures such as multi-factor authentication. Privileged users with particular leverage should still have to meet and pass certain security requirements for access to data and functions. To keep company information as secure as possible, it is important to increase protection by implementing specific protocols, including data masking.
Data masking is a smart backup for multifactor authentication. If a user is able to make it through one level of security but cannot view other data, the system hides secure information. Only the most basic, non-harmful data is visible. Continued failed login attempts at every level of authentication would result in increased masking of secure materials.
Log employee actions
The phone rings, the caller accuses someone of changing their data because their paycheck was not deposited into their account – now the response has to begin. It’s vital to monitor users’ conduct within the system at every level. Specifics are necessary to audit people’s access as well as perform incident response. High-privileged users impact and influence on company data must be tracked within the overall data security solution. Although this security measure is difficult to complete, it can be done with the correct logging software. With a firewall that includes analysis of a user’s record and behaviors within the portal, companies can have a better idea of what secure information is misused.
High-privileged users can wreak just as much havoc on a system as external hackers. In fact, 25 percent of respondents said a malicious insider was the cause of a company breach in the past year, according to Forrester Research. To avoid system intrusions, whether vengeful or not, it’s vital for your company to have a security policy in place to monitor users. Multifactor authentication, data masking and logging analysis are all beneficial tools to protect your organization’s critical information.
Want to sort cybercrime fact from fiction? Do you think you know the difference? Test your knowledge. In this OHUG sponsored webinar, GreyHeller will set the record straight about cybersecurity myths using data from its Annual Cybersecurity Survey, the Sans Survey and live audience polling.
This engaging and interactive webinar session will test your internal and external threat knowledge and give you the tools necessary to assess your organizations’ PeopleSoft security. All participants will be given a copy of GreyHeller’s Confidential Threat Assessment Matrix which identifies the internal, external and data threat vectors the bad guys have used to compromise HCM data.
The session will include information on:
- Data Masking
- Data Leakage
- Multi-Factor Authentication
- Location Based Security
- Self Service Use
- High Privilege Access
- Logging/Analysis & Forensic Investigation
We will conclude with real world case studies of how PeopleSoft customers are protecting their HCM data from cybercrime.
4/22 Protecting PeopleSoft for Self Service
Time: 11am PST / 2pm EST
Description: Your employees are demanding better access to their pay, benefits, time and labor. Oracle is delivering Fluid UI self service transactions to extend the usability on mobile devices. How do you provide access while mitigating security risks — without compromising usability? This demo-intensive session will describe techniques for providing and controlling access to PeopleSoft from untrusted locations, techniques for mitigating the impacts of phishing attacks and compromised credentials; and for analyzing system access.
4/29 Protecting PeopleSoft for High Privilege Access
Time: 11am PST / 2pm EST
Description: According to a Kroll Advisory report, 70% of all cyber cases involving theft were perpetrated by company insiders. How do you ensure that your high privilege users can perform the tasks needed while mitigating security risks – without compromising productivity?
This demo-intensive session will describe techniques for reducing or eliminating data leakage, controlling administrative access based on differentiated levels of trust, controlling access to information for high profile employees, and analyzing administrative use.
5/6 GreyHeller + Modo Labs: Mobilizing and Modernizing PeopleSoft HCM and Financials
Time:11am PST / 2pm EST
Description: Learn how leading commercial entities are using PeopleMobile® to breathe new life into their current PeopleSoft application by providing a modern, easy to use experience to their employees and managers.
In this demo-intensive session, we will show how you can deploy any PeopleSoft page in a
modern-responsive manner that will plug-and-play into native applications and portals with minimal effort. We will demonstrate key use cases in recruiting, absence management, benefits, payroll, time and labor, performance management, manager self service, and workflow. We will also demonstrate how the Kurogo™ Server allows PeopleSoft content to be embedded into a native application to deploy rich native applications that can combine maps, geo-location attributes, push notifications, and micro-applications without writing code.
5/13 GreyHeller + Modo Labs: Mobilization for Higher Education
Time: 11am PST / 2pm EST
Description: Learn how leading higher education institutions are using PeopleMobile® and the Kurogo™ Server to provide a modern, easy to use mobile/responsive experience to their students, faculty and employees.
In this demo-intensive session, we will show you how you can deploy any PeopleSoft page into a native application to provide rich native applications that can combine maps, geo-location attributes, push notifications, and micro-applications without writing code. We will cover a wide variety Student/Faculty and HCM use cases as well as the following:
- Creating a new module – new student orientation
- Leveraging data from LMS, maps, bus tracking, computer lab usage (and more) into apps
- Student Self-Service
- Employee Self-Service
- Andrew and Larry will deep dive on the Kurogo™ Mobile Campus and PeopleMobile® integration and answer questions from the audience.
Data Masking could have helped prevent recent, high-profile destructive cyber attacks.
By scrambling or removing sensitive data from production and non-production systems, Data Masking can prevent compromised privileged user account information from being used to gain access to sensitive data such as Social Security Numbers.
Greg Wendt, GreyHeller’s Executive Director of Security Solutions and Services, said “I’m consistently amazed that more organizations haven’t implemented Data Masking or Two-Factor Authentication.”
Cyber criminals using compromised privileged user account information to access databases would not be able to actually see the data had it been masked. Further, combining Two-Factor Authentication with Data Masking would impose even tighter security on that sensitive data, ensuring that access only occurs once the Two-Factor Authentication challenge was successfully passed, often with an SMS message or secure ID token.According to Mr. Wendt, “privileged user access is a huge threat vector that can be properly managed with masking and Two-Factor Authentication.”
Privileged users are often defined as systems and database administrators in the information technology department who maintain systems and databases that contain sensitive information.
GreyHeller’s software product – ERP Firewall – contains powerful Data Masking and Two-Factor Authentication capabilities and is used by major commercial and higher education institutions to protect their sensitive data from cyber attack.
San Ramon, California-based GreyHeller serves Oracle® PeopleSoft customers globally across all industries, helping them secure and mobilize their PeopleSoft investment. GreyHeller’s software solutions – PeopleMobile®, ERP Firewall and Single Signon – are in production at nearly 100 PeopleSoft customers. PeopleMobile® renders PeopleSoft responsive across any mobile device and desktop. ERP Firewall and Single Signon protect PeopleSoft customers from criminal and inadvertent breach. For more information about GreyHeller, please visit www.greyheller.com.