With 2020 nearly three months behind us and the rollout of COVID-19 vaccines picking up speed, organizations are looking hopefully to 2021 and beyond. Optimism aside, a hard truth about 2021 is that remote work and ERP access are here to stay. Organizations must put a mission-critical emphasis on ERP data privacy, security, and access governance policies. Here are some key strategies to consider as you strive to improve your ERP data privacy and compliance in 2021 and beyond.
ERP Data Privacy Starts with Knowing Your Data
The obvious first step to any kind of ERP data privacy is knowing exactly what data you have. Think of it this way: you can’t protect what you don’t know. This data inventory, if you will, should align with the basic data privacy guidelines set out by regulations like GDPR, CCPA, SOX, and a growing number of others. Companies should understand what sort of personal data is collected, how that data is accessed, where and how it is stored, what it is used for, whether it is shared with another organization or group, and how long it is kept before being disposed of.
Apply Dynamic Access Governance Policies for ERP Data Access
Now that you’ve identified and categorized your data, it’s time to establish who has access to it, when they can access it, from where, on what device, and how often. The problem is that legacy ERP applications like SAP (ECC and S/4HANA), Oracle PeopleSoft, and Oracle EBS use static role-based access controls (RBAC) to govern access. These roles have reached their limitations in a dynamic workplace because static roles do not leverage contextual attributes.
To create a more dynamic and robust cybersecurity and data privacy program, you can layer dynamic, attribute-based access controls (ABAC) on top of your RBAC controls by incorporating additional context, such as geolocation, time of day, and transaction type. Combining ABAC and RBAC, you can establish rules that grant access to ERP applications and transactions only if the person meets certain contextual criteria. Once risk is defined through the context of a user’s access, enforcing governance dynamically becomes a crucial data privacy objective and investment.
Leverage Dynamic Controls to Enforce Policies
Once dynamic governance policies are in place, organizations can enforce those policies by leveraging dynamic technology. Specifically, here’s how Appsian can help you gain control and visibility of data access and usage without sacrificing productivity.
Avoid Unnecessary Data Exposure with Dynamic Data Masking
An essential requirement of data privacy is ensuring that users accessing ERP applications, either in an authorized or unauthorized manner, do not have needless access to valuable data through various pages, reports, or queries. Appsian can reduce the exposure of sensitive data with dynamic data masking for sensitive fields. You can also leverage click-to-view functionality to protect against unnecessary exposure while logging intentional access to sensitive information.
Add Stepped-Up Multi-Factor Authentication at the Transaction Level
Adding multi-factor authentication at the transaction level, as well as at the perimeter, ensures that users are not only authorized to access and view the data but also to perform the actual transaction, based on their current context of access. This should be applied to highly sensitive transactions like editing a direct deposit account number, accessing compensation data, or running a report containing employee PII.
Strengthen Data Loss Prevention
Data exfiltration, whether malicious or accidental, typically originates from employees’ legitimate access to ERP applications and can be hard to prevent or detect with existing security capabilities. Using context-aware data loss prevention policies, Appsian can prevent users from executing transactions that download ERP data in high-risk scenarios, such as after business hours or from untrusted locations, networks, or devices.
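The RBAC-plus-ABAC layering, dynamic masking, transaction-level step-up MFA and context-aware DLP described in the sections above can all be expressed as one policy decision. The following is an added illustration written for this page; it is not Appsian’s product code and does not reflect any real ERP’s authorization model. The role table, transaction names, trusted-country list, business-hours window and the four decision outcomes are all constructed assumptions. It also emits a structured audit record per decision, the “who, what, where, when” that the visibility section below calls for.

```python
"""Two-layer ERP access policy: static RBAC first, then contextual (ABAC) rules.

Added example. Roles, transaction names, trusted countries and the
business-hours window are constructed values, not any vendor's defaults.
"""
from dataclasses import dataclass
from datetime import time
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"           # run the transaction with full data
    MASK = "mask"             # run it, but render sensitive fields masked
    STEP_UP_MFA = "step_up"   # require re-authentication before it runs
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    user: str
    roles: frozenset
    transaction: str
    country: str                # derived from request geolocation
    device_trusted: bool        # managed / enrolled device?
    network_trusted: bool       # corporate network or VPN?
    local_time: time            # time of day at the ERP tenant
    mfa_verified: bool = False  # has step-up already succeeded this session?


# Layer 1, static RBAC: which roles may run which transactions (constructed).
ROLE_GRANTS = {
    "payroll_admin": {"VIEW_COMPENSATION", "EDIT_DIRECT_DEPOSIT", "RUN_PII_REPORT"},
    "employee": {"VIEW_OWN_PAYSLIP", "EDIT_DIRECT_DEPOSIT"},
    "hr_analyst": {"VIEW_COMPENSATION", "DOWNLOAD_HR_EXTRACT"},
}
# Transaction classes that the contextual layer treats specially (constructed).
SENSITIVE_EDITS = {"EDIT_DIRECT_DEPOSIT"}
SENSITIVE_VIEWS = {"VIEW_COMPENSATION"}
DOWNLOADS = {"RUN_PII_REPORT", "DOWNLOAD_HR_EXTRACT"}
TRUSTED_COUNTRIES = {"US", "CA"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def rbac_permits(ctx: AccessContext) -> bool:
    """True if any of the user's static roles grants the transaction."""
    return any(ctx.transaction in ROLE_GRANTS.get(role, ()) for role in ctx.roles)


def is_high_risk(ctx: AccessContext) -> bool:
    """A single untrusted attribute is enough to classify the request as high risk."""
    start, end = BUSINESS_HOURS
    return (
        ctx.country not in TRUSTED_COUNTRIES
        or not ctx.device_trusted
        or not ctx.network_trusted
        or not (start <= ctx.local_time < end)
    )


def evaluate(ctx: AccessContext) -> Decision:
    # Layer 1: a missing role grant is final; context never widens access.
    if not rbac_permits(ctx):
        return Decision.DENY
    # Layer 2: contextual rules only ever narrow what RBAC already permits.
    if not is_high_risk(ctx):
        return Decision.ALLOW
    if ctx.transaction in DOWNLOADS:
        return Decision.DENY                     # DLP: no bulk extracts from high-risk context
    if ctx.transaction in SENSITIVE_EDITS:
        return Decision.ALLOW if ctx.mfa_verified else Decision.STEP_UP_MFA
    if ctx.transaction in SENSITIVE_VIEWS:
        return Decision.MASK                     # page renders, sensitive fields masked
    return Decision.ALLOW


def mask(value: str, visible: int = 4) -> str:
    """Dynamic masking for a sensitive field: keep only the last `visible` characters."""
    if len(value) <= visible:
        return "*" * len(value)
    return "*" * (len(value) - visible) + value[-visible:]


def audit_record(ctx: AccessContext, decision: Decision) -> dict:
    """One structured log entry per decision: who, what, where, when, and the outcome."""
    return {
        "user": ctx.user,
        "transaction": ctx.transaction,
        "country": ctx.country,
        "device_trusted": ctx.device_trusted,
        "network_trusted": ctx.network_trusted,
        "local_time": ctx.local_time.isoformat(timespec="minutes"),
        "high_risk": is_high_risk(ctx),
        "decision": decision.value,
    }


if __name__ == "__main__":
    # Constructed request: an employee changing direct deposit at night from an unmanaged device.
    ctx = AccessContext("jdoe", frozenset({"employee"}), "EDIT_DIRECT_DEPOSIT",
                        country="US", device_trusted=False, network_trusted=False,
                        local_time=time(22, 30))
    print(audit_record(ctx, evaluate(ctx)))
```

The ordering matters: the static role check runs first and is final, so context can only narrow access that RBAC already grants, never widen it. Downloads are denied outright in a high-risk context (the DLP rule), edits of sensitive fields require step-up MFA, and sensitive views are still served but masked, so a user on an unmanaged device sees the page without seeing the account number.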
Enhance Visibility into ERP Data Access and Usage
Compliance mandates such as GDPR, CCPA, SOX, and others require organizations to maintain data access and usage details. Unfortunately, user behavior can be a mystery when relying on native ERP logging features to understand the “what, who, where, why, and how” around data access and usage. It’s a manual, time-consuming task. But not anymore.
Appsian360 provides granular, real-time visibility into user activity logging and analytics, delivering actionable insights to automate compliance audits. It allows organizations to continuously monitor data access and usage and proactively alerts security teams to anomalous activity, allowing them to quickly respond with full forensic information.
See for Yourself How Appsian Can Help Improve Your ERP Data Privacy & Compliance
Appsian can help companies ensure that their ERP data privacy, security, and access governance policies are aligned with today’s regulations and scalable to comply with future mandates. Contact us for a demonstration today.
Appsian’s Executive Director for Security Solutions, Greg Wendt, appears in the latest episode of Brilliance Security Magazine Podcast. The focus of the conversation between Greg and host Steven Bowcut is legacy ERP data security and compliance. Their wide-ranging conversation also includes some of the potential security risks associated with legacy applications, what companies can do to protect sensitive data in a post-COVID world, and thoughts on the possibility of a federal data privacy law.
Legacy ERP applications were initially designed to give users easy access to data and business processes. They were never designed to meet the demands of today’s remote access requirements, let alone provide the security necessary to protect ERP data from internal or external threats.
While there is no silver bullet for comprehensive ERP data security and compliance, Greg recommends that organizations deploy a multi-layered security model to determine who should access what data and when.
ERP data security and compliance are going to have an interesting couple of years. Currently, there isn’t a federal data privacy law. A couple of states implemented their own, with California’s CCPA being the most notable, and more than a dozen other states have laws on the docket. The last thing we need is 50 different state data privacy laws. Greg’s “prediction” is that we’ll soon have a federal law, which will drastically affect some of the compliance requirements.
To learn more about how a multi-layered security approach can protect your ERP data from internal and external threats, contact the security experts at Appsian today.