If 2020 was the year of hastily enabling secure remote access to ERP applications, then 2021 will be the year when organizations realize that remote ERP access is here to stay – and long-term data privacy, security, and access governance strategies will be mission–critical. Securing ERP data has always been important in principle, but the mass migration to requiring remote access (in perpetuity) has kicked off a heightened emphasis on the topic.
Amongst a sea of learnings from the pandemic is that 2020 was the “coming of age” for ERP data privacy and the challenges it created. Many organizations were forced to learn the hard way that sensitive ERP data (business data and PII) are top targets for malicious activity and some of the most difficult assets for organizations to secure. Especially data in legacy business applications.
Let’s look back at the Year of the Pandemic and examine some of the data privacy events and trends we observed that will serve as guideposts for making ERP data privacy a mission-critical priority in 2021.
Variations in Access Presents Greater Data Privacy Challenges
It’s clear that working remotely is here to stay. A Gartner HR survey reveals that 41% of employees are likely to work remotely at least some of the time post-pandemic. Tech giants like Facebook, Salesforce, Twitter, and more, announced that they would continue to offer remote work and possibly move to entirely remote models permanently.
A key challenge uncovered when the pandemic forced a rapid transition to remote workforces was most organizations had data privacy and governance policies that didn’t account for variations in user access. Especially those using legacy ERP applications like SAP (ECC & S/4HANA), PeopleSoft, and Oracle EBS. After all, these applications were originally designed so users could get easy access to data inside the firewall. They were never designed for a dynamic access environment.
The fact of the matter is the roles and privileges that governed access to these systems depended on managed devices, corporate firewalls, and in many cases – 9:00 to 5:00 access demands. Remove those variables and enable access from anywhere, on any device, and at any time – and those strict privacy and governance policies were replaced by “wild west” levels of access risk.
Instead of needing to be in a specific physical location, users can access an organization’s sensitive data from anywhere. The physical and network controls that protected IT infrastructures and data privacy no longer provide the same level of confidence. Changing how companies do work requires them to change how they secure data and re-evaluate their data privacy and access governance strategies.
When it Comes to ERP Data Privacy – Identity is the New Perimeter
With organizations continuing to support remote access to ERP applications, they need to design policies and practices that define how data is accessed, viewed, and used – as well as the technology they’ll need to implement and enforce those policies.
A key investment is implementing dynamic capabilities to already established identity and access management (IAM) solutions. In other words, providing the ability to minimize risk by dynamically providing access based on the context of a user’s access.
Applying dynamic IAM and access governance supports traditional role-based controls but accounts for the variations in a user’s access that may indicate risk.
Further examples would be:
- Integrating an MFA on a sensitive transaction or data field and requiring a user to re-authenticate
- Deploying MFA if a user is accessing from an unmanaged device. Also known as zero-trust authentication
- Reducing levels of access privilege for super users if their access is coming from an unknown IP range. Also known as applying the principle of least privilege
- Applying dynamic data masking that masks all PII, account numbers, etc., if access is coming from an unmanaged device, unknown IP range, or outside typical working hours.
The sooner organizations realize that their perimeter is only as strong as their ability to manage user access – the better off they’ll be!
Data Privacy Regulations Mixed with Remote Access Will Only Make Compliance More Challenging
Today’s ever–changing data privacy landscape is a reminder that organizations should always be diligent about what kinds of data they are collecting, how it’s being stored, and most importantly – have the visibility to understand exactly how that data is being accessed. For example, is access suddenly coming from a hostile foreign country, or are certain data records/reports being accessed at a higher-than-normal frequency? Ask yourself, just because someone can access sensitive data, does it mean they should?
Successful organizations will invest in technologies that monitor user behavior around data access and usage, capturing contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information that is paramount for compliance reporting and effectively responding to audit findings.
Hodgepodge of State-Level Data Privacy Regulations Sow Confusion
Up to now, the standard-bearer for data privacy regulations in the United States was California’s CCPA. In 2021, the number of state-level data privacy regulations is likely to increase, which is bound to further complicate matters by creating multiple compliance requirements.
Virginia is poised to become the second state to enact a data privacy bill, while lawmakers in Washington state, New York, Oklahoma, and Utah are currently weighing proposals. Meanwhile, Californians voted to approve the California Privacy Rights Act (CPRA), a series of changes made to the existing California Consumer Privacy Act (CCPA).
This hodgepodge of domestic data privacy regulations should motivate organizations to get data privacy, security, and access governance strategies in place, ensure documentation, and prepare for both financial penalties and civil actions. If 2020 was any indication (GDPR fines rose by nearly 40%), companies are likely to see more frequent and more significant fines for non-compliance in 2021.
Having Weak ERP Data Privacy Policies Will Become Expensive
COVID raised the awareness of ERP data privacy as companies struggled last year to continue with normal business operations in a remote environment. These struggles forced many leaders to establish privacy and compliance frameworks and implement the technology to support them. However, this is just the beginning.
With 2020 being a record year for data breaches – along with an ever-growing list of data privacy regulations that carry monetary fines for non-compliance – the writing is on the wall. Organizations will not be able to call themselves victims if their decades of accumulated PII and business data get exploited or breached. The monetary consequences that come from these incidences can have catastrophic effects—both against your bottom line and reputation.
Contact Appsian to learn how we can help you align your legacy ERP applications with today’s data privacy and compliance demands. Effectively scale your efforts for future mandates.
Appsian’s Executive Director for Security Solutions, Greg Wendt, appears in the latest episode of Brilliance Security Magazine Podcast. The focus of the conversation between Greg and host Steven Bowcut is legacy ERP data security and compliance. Their wide-ranging conversation also includes some of the potential security risks associated with legacy applications, what companies can do to protect sensitive data in a post-COVID world, and thoughts on the possibility of a federal data privacy law.
Listen to the full episode here:
Legacy ERP applications were initially designed to give users easy access to data and business processes. They were never designed to meet the demands of today’s remote access requirements, let alone provide the security necessary to protect ERP data from internal or external threats.
While there is no silver bullet for comprehensive ERP data security and compliance, Greg recommends that organizations deploy a multi-layered security model to determine who should access what data and when.
ERP data security and compliance are going to have an interesting couple of years. Currently, there isn’t a federal data privacy law. A couple of states implemented their own, with California’s CCPA being the most notable, and more than a dozen other states have laws on the docket. The last thing we need is 50 different state data privacy laws. Greg’s “prediction” is that we’ll soon have a federal law, which will drastically affect some of the compliance requirements.
To learn more about how a multi-layered security approach can protect your ERP data from internal and external threats, contact the security experts at Appsian today.
While nearly everyone was focusing on the results of the 2020 Presidential race, California voters passed Proposition 24, the California Privacy Rights Act (CPRA) (full text here). You might be wondering if this is a new privacy law that will replace the 2018 California Consumer Privacy Act (CCPA), which went into effect earlier this year. The CPRA provides additional context to the CCPA and attempts to close some of the loopholes and ambiguity found in the original. The CPRA gives additional rights to consumers and places additional obligations on businesses.
While some of the CPRA changes will take effect immediately, most will not become enforceable until July 1, 2023, and apply only to personal information collected after January 1, 2022. Like the run-up to the launch of CCPA, companies will have time to prepare for the new requirements.
A Quick Summary of the California Privacy Rights Act
In scope, the CPRA retains the same basic structure as the CCPA. It includes establishing a dedicated enforcement agency for consumers, tripling fines against companies that violate kids’ data privacy, and making it harder to weaken privacy laws in the future.
A couple of the more notable additions in the CPRA are that the law expands the right to opt-out of sharing of information and establishes new rights to limit how businesses use “sensitive personal information,” a new term defined broadly to include, among other things: information about health conditions, genetic data, race and ethnicity, sexual orientation, precise geolocation, and more.
ERP applications already store an abundance of personally identifiable information, such as Social Security numbers, driver’s licenses, or passport numbers. This new data classification adds to the effort of identifying and classifying information necessary to remain in compliance.
The CPRA Signals Organizations Must Get Serious About Enhancing Data Access and Usage Visibility – Especially for Legacy ERP Applications
The CCPA and CPRA require organizations to implement appropriate security measures around personal data privacy and satisfy consumer requests to opt-out of “sharing” and “selling” of their information. That means businesses must know what personal data they collect and how that data is accessed and used. However, companies using PeopleSoft, SAP ECC, S/4HANA, and Oracle E-Business Suite are likely facing significant compliance challenges due to inherent limitations that plague legacy ERP systems. Traditional ERP application logs do not produce the required level of granularity into how data is accessed.
How Appsian360 Enables CCPA/CPRA Compliance
Successful organizations will invest in technologies that monitor user behavior around data access and usage. This is where Appsian360 becomes an essential tool for compliance, as it expands native ERP logging capabilities to capture contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information that is paramount for compliance reporting.
More Data Privacy Acts Likely on the Horizon
With the CPRA, Californians will likely have the most robust online privacy rights in the world. And it probably won’t be the last. The original passage of the CCPA incentivized other states to draft their own privacy bills. There’s been activity at the federal level as well. So, while the pandemic rightfully slowed down state and federal activity, there’s a good chance we’ll see additional privacy bills in 2021.
There’s no better time than the present to press forward with your compliance efforts, whether it’s for CCPA, GDPA, and now CRPA. Contact us to learn how Appsian can fast track your CCPA and CRPA compliance efforts by enhancing your visibility into data access and usage.
Do You Even Know What and Where It Is?
Not too long ago, I was involved in the war room activities surrounding the breach of a major travel company. A breach that not only led to the exposure of sensitive information, but also to the use of that information to subvert the international travel infrastructure (yes, I’m being cagey with details here.)
A war room, in this instance, is an immediate incident response step and is typically a dedicated conference room full of ‘smart’ people that is setup to lead identification and remediation activities around a suspected or confirmed security breach.
Once the firefighting was done and the immediate threat remediated, the team moved into forensics mode, where the questions moved from ‘what happened?’ to ‘how did this happen?’.
In the course of that activity, the CISO of the company was brought in. In addition to questions around security policies and response capabilities, two key questions were asked:
“Where do we have exposure to the hacking of data we categorize as sensitive to our customers, employees or partners?”
“What controls are in place to secure that data?”
In essence, his answers were:
“If you’re asking for an inventory of where sensitive data exists, I’d have to partner with the application teams to determine that.”
“As far as controls, we have a pretty strong network perimeter. But, again, I would have to partner with the application teams to ascertain what controls are in place at that level.”
That CISO is no longer employed by that travel company.
Let’s talk about the role of the Chief Information Security Officer (CISO)
Presumably it is a position that leads the charge to ensure that the organization is adequately protecting all data that is proprietary and/or necessary to conduct business operations. That casts a pretty wide net.
But that net, in addition to proprietary business intellectual property, clearly includes customer, partner and employee data. The compromise of any of these can lead to major impacts to business operations.
A phishing attack yields the credentials of an application-level, high privileged user? Well, that application is essentially ‘owned’ by the bad guy. What kind of damage can they now do?
Even the compromise of lower level users can lead to a bad guy being able to escalate privileges and/or leap frog across other applications in the enterprise.
Aside from the potential for business disruption, the exposure and malicious use of sensitive data can lead to major financial losses and regulatory penalties for any organization.
Data awareness is a critical component of today’s CISO responsibilities. Knowing where your sensitive data lives is key. Knowing the mechanisms of how it’s accessed and managed is just as key.
In the current compliance environment, data privacy is a hot button that is shaping many of the new regulations around the digital economy. Whether it be GDPR, the California Consumer Privacy Act or the multitude of other mandates on how companies will be required to support data privacy, the anticipated responsibilities of the CISO are evolving well beyond having a handle on your network protection controls.
Application awareness is becoming a necessity. Understanding what applications are housing sensitive data; whether it be a legacy ERP system or a cutting-edge cloud application, will be an inventory a CISO will be expected to maintain.
Contact us to see how Appsian can help inventory and address your sensitive data exposure in ERP applications.