2020 brought about a reckoning for organizations that were slow to adopt strong data privacy and data loss prevention strategies. As users went remote, the networks and devices used to access SAP financial data became a liability – and organizations were sent scrambling for solutions to their newfound dynamic access demands.
Out-of-the-Box SAP Data Protection is Not Enough
In order to prevent data exfiltration and general over-exposure of enterprise data, the use of SAP data masking has grown in popularity. Unfortunately, customers have no out-of-the-box solutions for SAP data masking. In fact, the entire SAP security model hinges on static, role-based controls that offer little to actually protect the data inside the transactions that the access controls are designed to govern. In many cases, a user who has access to a transaction has access to a wide range of data within that transaction that simply isn’t necessary – providing opportunities for misuse.
To make matters more complicated, if an organization were to undergo a large-scale SAP data masking project, the sheer amount of custom development would prove to be a significant hurdle and nearly impossible to scale effectively.
Appsian Offers a Centralized, Scalable Alternative
To offer SAP ERP customers a scalable data masking solution, the Appsian Security Platform (ASP) features dynamic data masking capabilities that enable fine-grained control over which sensitive data fields customers can mask for any specified user and in the context of any situation. By implementing a full or partial mask to a data record, ASP minimizes the risk of a data breach and fulfills encryption and anonymization mandates imposed or implied by regulatory bodies.
Unlike most off-the-shelf masking solutions, Appsian uses a single ruleset to define and mask data across the entire application:
- Centralize SAP data masking enforcement with a single ruleset
- Deploy dynamic policies that account for risk contexts such as location, IP address, time, data sensitivity, and more
- Protect sensitive data in production and non-production environments
- Implement masking without requiring additional customizations to SAP
- Filter out sensitive data at the presentation layer, resulting in no additional maintenance requirements for updates
Why Appsian is the Essential Dynamic SAP Data Masking Solution
Simply put, when you are trying to protect data without overly-restricting access, then there is no alternative to leveraging a dynamic SAP data masking solution. Because the context of access plays such a critical role in defining risk, being able to apply full or partial masks based on context is the only real way to balance data protection and productivity.
In addition, Appsian uses a “one to many” approach for creating policy-based data masking rules. This enables customers to quickly scale SAP data masking without extensive development effort at implementation or reconfiguration efforts for policy updates.
Example Use Cases for Dynamic SAP Data Masking
- Mask PII of Customers in SAP CRM Based on their residency
GDPR Compliance – Ex: Mask PII Data if Customers’ Address is in the EU
- Mask & Lock Bank Account Fields After Hours
Fraud & Theft – Ex: Insider Changing Data at Night Before Pay-Run
- Obscure Data Fields in Transactions that are Unnecessary for a Role
Data Minimization – Ex: Customer Support Seeing Financial Spend, Pricing Info
- Prevent Remote Access of Unpublished Financial Information
Risk Mitigation – Ex: Mask Data when Access Occurs After Hours or Remote
Get a Demo of Appsian’s Dynamic SAP Data Masking and See for Yourself!
As business processes become more complicated, your ability to protect data must evolve as well. Fortunately, Appsian offers the fastest, most cost-effective approach for SAP data masking. Contact us today and get a demo! And find out how you can be applying dynamic data masking rules within only 4-6 weeks!
Appsian’s Executive Director for Security Solutions, Greg Wendt, appears in the latest episode of Brilliance Security Magazine Podcast. The focus of the conversation between Greg and host Steven Bowcut is legacy ERP data security and compliance. Their wide-ranging conversation also includes some of the potential security risks associated with legacy applications, what companies can do to protect sensitive data in a post-COVID world, and thoughts on the possibility of a federal data privacy law.
Listen to the full episode here:
Legacy ERP applications were initially designed to give users easy access to data and business processes. They were never designed to meet the demands of today’s remote access requirements, let alone provide the security necessary to protect ERP data from internal or external threats.
While there is no silver bullet for comprehensive ERP data security and compliance, Greg recommends that organizations deploy a multi-layered security model to determine who should access what data and when.
ERP data security and compliance are going to have an interesting couple of years. Currently, there isn’t a federal data privacy law. A couple of states implemented their own, with California’s CCPA being the most notable, and more than a dozen other states have laws on the docket. The last thing we need is 50 different state data privacy laws. Greg’s “prediction” is that we’ll soon have a federal law, which will drastically affect some of the compliance requirements.
To learn more about how a multi-layered security approach can protect your ERP data from internal and external threats, contact the security experts at Appsian today.
While the majority of data breaches are from insider threats—a startling 57% according to the Verizon Insider Threat Report—many organizations overlook these internal dangers. Whether careless or malicious, employee, partner, or contractor, insider threats are difficult to spot and often go undetected in your ERP system for months or years.
Insider threats can be particularly dangerous for organizations using legacy ERP systems, such as SAP, PeopleSoft, and Oracle EBS. The primary issue is that most security teams struggle to determine the difference between regular user activity and anomalous activity indicating an insider attack. What makes insider threats especially dangerous is that insiders usually know how to find and access sensitive data and sometimes have a privileged (or over-privileged) account.
5 Types of Insider Threats in Your ERP System
First, a quick refresh: An insider threat occurs when the insider (user) maliciously or unintentionally misuses their access to negatively affect or harm the business. Not all insiders are disgruntled employees, and their motivations, intent, and access levels vary. Regardless of who they are, an insider who is intentionally or unintentionally violating a business or security policy can inflict plenty of damage.
Insider threats come in all shapes and sizes and display different behaviors you can leverage for detection and prevention. Here are five categories of insider threats that our ERP customers are most likely to encounter: The Careless Worker, the Arrogant Insider, the Disgruntled Employee, the Malicious Insider, and the Irresponsible Vendor.
The Careless Worker
These are employees or partners whose actions are inappropriate as opposed to malicious. They will unintentionally break acceptable use policies, mishandle data, and install unauthorized applications, etc. The Careless Worker ignores security awareness training and best practices, making them likely to be the one that falls for a phishing scam and having their account compromised by a hacker.
The Arrogant Insider
Arrogant Insiders are employees who do not act with malicious intent but believe they are exempt from security policies. They will take deliberate and potentially harmful actions, such as using unapproved workarounds or transferring potentially sensitive information to cloud storage accounts for easy access. These actions leave vulnerable data and resources unserved and vulnerable to hackers.
The Disgruntled Employee
A Disgruntled Employee is not happy or feels disrespected in some way and willfully disregards data privacy and security protocols to commit deliberate sabotage or intellectual property theft. For example, using access to leak executive compensation data and cause negative publicity. Disgruntled Employees are especially dangerous and probably the hardest ones to detect because they have elevated levels of privilege.
The Malicious Insider
The Malicious Insider is an actor with access to corporate assets who uses existing privileges to exfiltrate data or commit other malicious acts with the goal of financial rewards or further personal gains. A Malicious Insider can result from a compromised account caused by a Careless Worker or a Disgruntled Employee who has gone beyond accessing intellectual property and into theft or fraud.
The Irresponsible Contractor
The Irresponsible Contractor compromises security through negligence, misuse, or malicious access to or use of an asset. They are contract workers and temporary employees who are given access like a full-time employee. Sometimes, depending on how an organization assigns roles, they might have more privileges than the job requires.
How to Detect Insider Threats: Know Your Users. Know Your Data.
When an insider uses a legitimate login profile to move about your ERP system, telling the difference between regular activity and harmful activity often prevents rapid detection. In fact, a recent report from Ponemon indicates that the average time to detect and contain an insider threat incident is 77 days.
The number one way to detect anomalous activity is by closely monitoring user behavior around data access and usage. Put another way; you’re looking to identify the context of the access and usage: the who, what, where, when, how, and, ultimately, the why.
Far too often, user behavior is a mystery, resulting in security, fraud, theft, and business policy violations. Specifically, a lack of context around how, when, and by whom transactions and data fields are being accessed. To gain this insight, you need an advanced analytics platform specifically designed to display granular levels of ERP data access & usage. Like Appsian360.
Context of User Access and Data Usage with Appsian360
With Appsian360, security and compliance leaders can drill into specific data access and know exactly who is doing what, where, and why. With that level of in-depth, contextual information, any red flag incidents can undergo a rapid response plan. With Appsian360, you can:
- Identify when a Careless Worker falls victim to a phishing attack by setting up a dashboard that tracks location-based access. If a legitimate user account suddenly starts accessing your ERP system from outside the United States, for example, you can begin an investigation into other activity by that account.
- Closely monitor the activity around sensitive reports and queries and ensure that data is not being exfiltrated in bulk by unauthorized users or offboarding employees, such as Arrogant Insiders.
- Monitor high-risk data activity for unusual behavior. For example, a Disgruntled Employee with access to compensation data needs that ability to their job. However, you can track the number of times a user accesses that data during the day or outside of business hours. Instead of asking “if” a person should have access to that data, you can track how often and when that data is accessed.
- Track a variety of user access data points when it comes to detecting a Malicious Insider. Since this is usually a compromised account, you can set dashboards to track after-hours access, mobile phone access, strange IP address access, and access from a foreign country. All signs that a legitimate account has been compromised.
- Apply a prefix to the username of any outside Irresponsible Contractor or temporary worker to fully track their data access and usage inside your ERP system.
Close the Visibility Gap to Detect Insider Threats
The unfortunate reality of ERP applications like PeopleSoft and SAP is that they lack the ability to provide actionable insights into user activity, creating many blind spots for detecting insider threat behavior. Fortunately, organizations using Appsian360 can detect and defend against insider threats by monitoring data access and usage at a granular level that was previously unavailable.
Want to see a demonstration of how Appsian can help your organization detect insider threats? Contact us to chat with an Appsian security expert today.
With 2020 coming to a close, ensuring business applications are equipped to meet the longterm access demands of 2021 is a critical objective. All around the world, information security and financial risk leaders are being tasked with ensuring the security of business data while remote access (on unknown networks and devices) remains the standard for the foreseeable future. Finding solutions that can quickly and easily secure this data – without requiring an exorbitant amount of time and resources is mission critical.
Data security is proving most challenging for organizations that utilize ERP applications like PeopleSoft, Oracle E-Business Suite, and SAP (ECC/S4HANA.) ERP applications like these were designed with ease-of-access to data as the primary objective. They have the biggest hill to climb when it comes to security, privacy, governance, and compliance.
Fortunately, this challenge is why Appsian (and the Appsian Security Platform) exists! We are here so organizations can fully utilize their investment in legacy ERP technology while scaling to meet present and future data security demands. After all, external and internal threats to business data will always continue to evolve.
Right now, thousands of organizations around the world are currently faced with the same challenges and are likely scoping solutions that solve one or two of these challenges. Here is the comprehensive approach that can serve as the playbook for securing legacy ERP data:
Identify Risks From User Access
The most significant risks to data typically originate from:
- Compromised credentials (for example, stolen from phishing attacks)
- Unknown networks and devices
- Capture and visualize data access
These risks can be an acceptable part of an organization’s relationship with its ERP applications, but they don’t have to be. They should be addressed the way any security threat should – and it doesn’t have to result in overly-restricting access and potentially hindering authorized work. Restricting access to sensitive data can be the instinct when these risks are identified because risk mitigation can feel insurmountable. The truth is, mitigating controls can be implemented that fully align data security objectives with the access requirements of the business.
Apply Dynamic Authorization Policies
Dynamic authorization is the foundation of the principle of least privilege (PoLP), which says users should only have access to what they require. Given the access risks outlined above, it should be noted what someone “needs” (or should have) access to likely changes with each new context of access. For example, does high-privilege access require 100% of those capabilities from an unknown network and/or unmanaged device? How about during off-work hours? Many would say “no.” Applying access policies dynamically gives you this control. This strategy alone makes an enormous impact on an organization’s ability to control access to sensitive data and enable data security, privacy, and governance.
Integrate Authentication Solutions
It goes without saying that single sign-on and multi-factor authentication have become table stakes IAM solutions. Whether you have employed these for many years or only since the beginning of the COVID-19 crisis, it is clear that their value goes way beyond the convenience of not having to remember passwords. With these solutions in place, the job of securing data is not necessarily over. In fact, taking authentication a step further to align with zero-trust (aka. never trust, always verify) requires native integration of SSO and MFA solutions for four very important reasons:
- ERP authentication should always align with your enterprise identity and access management strategies
- Users falsely authenticate out of habit
- Stepped-up authentication should be required for particularly sensitive activity
- Using custom code (vs. native integration/configuration) for authentication is NOT a best practice
Capture and Visualize User Behavior
If I told you that most organizations have almost no idea who is accessing sensitive data (at any given time), how and why – would you be surprised? This may be a dirty little secret, but the truth is legacy ERP logging has simply not kept up to meet the demands of security and compliance requirements that must understand data access and usage by users.
What most ERP administrators will tell you is in order to respond to an audit or investigate an incident, they must pull multiple logs manually triangulate them. Only then does a foggy picture of what may have happened come into view. The problem is, a foggy picture of anything related to a forensic investigation or helping align with information security policies is simply not good enough.
Further investment is needed to enhance the granularity of native ERP logging, along with analytics and visualization tools in order to add context to the data, aggregate it and then visualize it so the insights can be actionable. Only then is the logging data that you are alrighty getting out of your ERP truly useful for security and compliance purposes.
Partner with Appsian Security
For over 10 years, Appsian Security has watched organizations struggle with many of the same ERP security and compliance issues. Mostly originating from the fact that their applications were not natively designed to do what they need them to do – i.e., secure data. This end result is the natural progression of security and compliance threats evolving while native ERP security features stay the same.
ERP applications are built with static, role-based controls and logging/alerts designed for system troubleshooting. The idea that many of these legacy applications would be exposed to the internet with only a username, password and maybe a VPN standing between malicious actors and your business data is the definition of risky. Some organizations have accepted that risk – but they don’t have to.
Appsian has designed the world-leading security platform designed to provide holistic, end-to-end data security (along with application security), giving legacy ERP customers complete control and visibility over their ERP data.
We know that every organization is unique, which is why we want you to put our security platform to the test! Request a demonstration today, and let us show you how Appsian can tailor a solution to your organization’s unique requirements.
Insider Threats Are Becoming More Frequent and More Costly to Organizations. Especially Those Using Legacy ERP Systems. Here’s How You Can Proactively Prevent the Risk of Insiders Compromising Data
While data breaches caused by hacking/phishing/ransomware tend to grab the most headlines, most data security incidents are from trusted insiders with access to sensitive data and systems. Thus, making insider threats one of the most common, yet elusive, risks to manage.
When you hear the term “insider threats,” most people reflexively think about a greedy or disgruntled employee abusing their access for revenge or financial gain. But there’s more to the definition than the angry employee out for revenge. An insider can be a current or former employee, contractor, or business partner with legitimate access to the organization’s network, systems, or data. The insider threat occurs when the insider (user) maliciously or unintentionally misuses their access to negatively affect or harm the business. So assuming all insider threats are disgruntled employees is false – an insider who is unintentionally violating a business policy can inflect plenty of damage.
Why Are Insider Threats So Dangerous to Organizations Using Legacy ERP Systems?
The number one issue for security teams when it comes to detecting an insider threat is the user in question has authorized access to the ERP system. It’s the malicious intent or individual violation amongst the rest of the legitimate access that makes it difficult to tell the difference between a user’s regular activity and possible malicious activity. What makes them especially dangerous is that insiders usually know how to find and access sensitive data and sometimes have a privileged (or over-privileged) account.
Insider threats are among the most common causes of data breaches worldwide, and they can often be among the costliest. According to the 2020 Insider Threat Report (Cybersecurity Insiders), 68% of organizations observed that insider attacks have become more frequent over the last 12 months. Moreover, 70% have experienced one or more insider attacks during that same period. Ponemon calculates that the average cost per insider incident is $11.45 million in 2020, increasing by 31% from 2018.
The increase in attack frequency shouldn’t surprise anyone thanks to the COVID-induced necessity for remote access to ERP systems and data. While security teams were likely focusing their cybersecurity efforts and budgets on securing the perimeter, cybercriminals found new ways to target user accounts with phishing and social-engineering attacks.
The good news is that organizations using ERP systems can detect and defend against insider threats with a combination of data-centric security measures and monitoring data access and usage.
Detecting Insider Threats by Monitoring ERP Data Access and Usage
Detecting an insider threat as quickly as possible is essential to limiting the amount of damage, financial or otherwise, this insider can cause. However, how can you tell the difference between regular activity and harmful activity? With an insider using a legitimate login profile, there aren’t obvious warning signs when malicious behavior takes place.
Monitoring user behavior around data access and usage can highlight internal access misuse and credential theft. And continuously monitoring for outlier and anomalous behavior patterns provides visibility into how high-privilege users interact with sensitive data. This monitoring helps security teams identify a possible malicious insider or if an external attacker has compromised an employee’s credentials. For example:
- Monitoring user activity during remote access down to the transaction level
- Monitoring data access and usage by users with high privileges
- Monitoring query attempts to download information onto unauthorized devices
- Monitoring exactly who is accessing highly sensitive data fields
Without advanced analytics and data monitoring, keeping track of every user’s activities after they’ve logged in to the system is a lot of work. In some cases, raw logs from your ERP system need to be manually checked, and each event studied—often after an insider threat has already occurred. No wonder the average time to identify and contain an insider threat incident is 77 days (Ponemon).
When security teams monitor data access and usage, they can be proactively alerted to potential insider threats by identifying anomalous activity with actionable insights into what was accessed and by whom. Now organizations can quickly respond with a full forensic investigation and a rapid and thorough response.
Preventing Insider Attacks with Dynamic, Data-Centric Security
Although security professionals recognize the value of continuously monitoring data access and usage to detect insider threats, companies should also adopt a layered, data-centric security model to improve the likelihood of preventing an insider threat from attacking.
Enhance Access Controls with Dynamic Authorization Policies
Organizations should start by incorporating dynamic authorization strategies that use contextually aware access controls. Dynamic authorization gives organizations a way to leverage the contextual attributes of access such as geolocation, time of day, and IP address to better control the resources users access, how they access it, and from where they access it. For example, you can prevent an insider threat who has legitimate credentials from accessing sensitive data because they accessed the ERP system from a foreign IP address and outside of established business hours.
Expand the Use of Data Masking
You’re likely already masking the obvious data fields with personal information, like social security numbers, bank account information, national ID number, passport number, driver’s license number, etc. However, now that insider threats are increasing, organizations should expand the use of data masking to all fields that could be considered personally identifiable, giving you greater control over who can see what data and when. And deploying data masking based on dynamic authorization policies, like location, device, and time of day allows a more secure-and flexible-access to data.
Enable Stepped-Up Multi-Factor User Authentication
Using stepped-up multi-factor authentication is an important tool for preventing insiders from doing stuff they shouldn’t. When it comes to performing transactions with sensitive information, adding multi-factor at the transaction level as well as the perimeter ensures that users are not only authorized to access and view the data but perform the actual transaction.
Take A Proactive Approach to Detecting and Preventing Insider Threats
When it comes to insider threats, most security teams live in a murky gray middle zone struggling to determine the difference between regular user activity and anomalous activity indicating an insider attack. Organizations can help their IT security teams take a clear, proactive approach to detecting and preventing insider threats and attacks by applying a data-centric security approach combined with continuous monitoring of data access and usage.
Want to see a demonstration of how Appsian can help your organization detect insider threats? Contact us to chat with an Appsian security expert today.
Don’t Risk the Security of your Data by Customizing an SSO Integration for PeopleSoft
I was on a discovery call recently, and the Senior Software Engineer shared how they’re “ripping out” a custom-built (for PeopleSoft) single sign-on solution (SSO). After acquiring an enterprise SSO, they attempted to build a custom integration with PeopleSoft that presented far more challenges than benefits – especially when users attempted to access with a deep link. Now they’re looking to remove the solution along with the additional infrastructure that was required.
And here’s the sad part: they’re not the first organization I’ve encountered this month who are experiencing the same challenge. Across all verticals including healthcare, higher education, government, retail and more – PeopleSoft customers are rethinking their decision to enable their enterprise SSO solutions with custom coding, external gateway agents, and reverse proxies. Alternatively, implementing solutions that feature native SAML authentication handlers.
Your Custom Single Sign-On Integration Was Not Designed with ERP Data Security in Mind
These projects often start with the IT department recognizing that it can solve a business requirement by building the solution themselves or by using a generic gateway with copy-and-paste code off an internet forum. The main motivation? They possibly save the company some money, bypass the need for approvals or budget, and check a project off their list. Easy-peasy, right? As highlighted in the example above, it’s not always that straight forward.
Often, these projects lack a thoughtful mindset and instead leverage code that is many years old, unsupported and public to developers and hackers alike. Here lies one of the biggest problems with customizing PeopleSoft for SSO authentication. Getting the integration to work “well enough” is often the goal, and since developers are not information security professionals – they may not have considered the ramifications of using code that hackers can reverse engineer, potentially exploiting loopholes to gain unauthorized access. As a former PSAdmin who personally retrofitted a custom PeopleSoft SSO solution in my past life, I can tell you that security implications are not on the forefront. Between IT wanting to be a good partner to the business and drowning in long-haul projects, “good enough” was often the goal.
The “Typical” Custom Single Sign-On Approach
There are a few ways to approach building a custom SSO solution. You could try linking SAML open-source code libraries, using reverse proxies, or having an external agent handle it. These solutions seem relatively simple at the outset, but the introduced vulnerabilities are often not obvious or ignored. The end result is that the SSO “works” but is plagued by technical, functional, and security issues once in production.
Linking SAML Open Source Code Libraries
A custom coding project typically begins with a review of PeopleBooks and a Google search to find a relatively quick way to write the code. PeopleCode allows you to link external open source java libraries inside PeopleSoft. This is code that you’re literally pulling from an old blog and has not been reviewed since the author first published it. Imagine using code from 2007 to secure your custom single sign-on project. It would never pass a security review!
Secondly, developing a solution yourself is tricky. It isn’t easy to write software that deals with passwords, identity, and authentication. Reputable IdPs spend tens of thousands of man-hours designing, coding, and testing, then supporting their solutions. The lone developer who built your custom solution is now responsible for supporting, maintaining, and upgrading the code. That’s excellent job security for him but a security liability for you.
Reverse Proxies, Gateways, and External Authentication Agents
This one is probably a favorite with system administrators who want to support a multitude of non-SAML apps with a one-size-fits-all solution. I’ve also implemented SSO like this in the past, so I can speak from experience about how this works and its risks.
The short version of how this works is that the authentication is offloaded to a reverse-proxy, an agent, or a gateway, that sits outside PeopleSoft. Once the authentication process is successfully completed, only then is a connection made to PeopleSoft, and the authenticated user-ID passed to the HTTP header. Then that request has to be trusted by a custom Sign-on PeopleCode.
Aside from the risky firewall configuration, another issue here is that it needs to be scaled carefully for bandwidth because all of the requests will now go through a new server and several new applications to complete the process. Now you have additional hardware, software, and customizations to maintain and patch in addition to your regular PeopleSoft duties.
Why a Native SAML Handler is Best Practice
SSO is critical to help you increase your security posture within your organization while keeping your customers happy, so I don’t want to sound negative, and I’m not trying to put you off on installing an SSO solution in your environment. Instead, I want to make sure you do it correctly and aligned to security best practices.
My advice is to use a solution that natively supports a SAML authentication handler and seamlessly and securely passes the token to PeopleSoft built-in authentication without customizations. The term “native” is extremely important here! The lack of native support is a critical issue that plagues custom solutions, creating more hoops to jump through to complete the project.
Fortunately, Appsian delivers the SAML integration layer required to connect PeopleSoft, an IdP, and your enterprise Single Sign-On. This solution is natively installed right into the PeopleSoft Internet Architecture (PIA) and does not require the use of proxy servers, agents, or gateways. Furthermore, there are zero customizations, simple configuration with extensive support for SAML attributes, user-mapping, and the support and maintenance is offloaded from your team.
There is Beauty in Customization but Comfort in ERP Data Security
Part of PeopleSoft’s beauty and power is that you can customize the system to improve your business processes. However, one thing you shouldn’t take into your own hands is authentication, and indirectly, security. Your IT team, system admins, and developers should spend their time supporting and customizing your system to provide outstanding service to the business units and keeping the system running smoothly. Why add more hardware, software, applications, and customization than necessary?
Contact us today to learn how Appsian solves the SAML integration challenge by providing the only configurable SSO for PeopleSoft.
You spend countless hours, not to mention considerable money, to secure your SAP and Oracle ERP data. One day, you discover that cybercriminals have exposed a vulnerability using an application misconfiguration. This has become increasingly common as criminals seek methods to covertly infiltrate applications to gain access to thousands of employee records.
This situation happened to Microsoft in December 2019 and didn’t generate the kind of headlines usually associated with data breaches. This was simply a human error. But these kinds of human errors and misconfigurations are one way that hackers can gain a foothold into your SAP or PeopleSoft ERP system. Now the question is, how are you going to protect your data after an attacker side-stepped your perimeter defenses?
Misconfiguration is the Fastest Growing Security Risk
According to the 2020 Verizon Data Breach Investigations Report, misconfiguration errors (failing to implement all security controls) are up 4.9% from last year’s report and are the fastest-growing risk to web applications. It’s easy to apply this kind of risk to legacy ERP systems because SAP and PeopleSoft environments often consist of millions of lines of custom code and custom-built components communicating with each other and to external systems through various APIs and interfaces bolted together over time.
On top of that, you’re dealing with an abundance of changes to roles, configurations, access controls, and compliance protocols to accommodate new business processes and evolving data privacy policies. If companies are not analyzing and monitoring the underlying security implications of all these changes and movement, they’re bound to face a similar situation as Microsoft with a backdoor left unlocked for any hacker to stroll through.
Finally, don’t forget that many organizations simply do not stay current with system updates and security patches. According to the Data Breach Investigations Report, only half of the vulnerabilities are patched within three months after discovery, leaving companies exposed to attacks against known exploits.
The Multi-Layered ERP Data Security Approach
The growing complexity of SAP and PeopleSoft environments make securing ERP data an enormous challenge. To prevent inadvertent exposures from misconfiguration, Greg Wendt, executive director of Appsian, suggests that companies “must adopt a multi-layered security approach with dynamic security tools that can monitor user access in real-time, providing transparency over what data is accessed and by whom.”
This multi-layered approach includes masking sensitive data, verifying identity via multi-factor authentication (MFA), and enhanced logging and analytics. Appsian adds layers of security WITHIN your ERP system to help ensure your data is still protected when a hacker strolls past your perimeter defenses, thanks to a misconfiguration.
Dynamic Data Masking provides contextual masking policies that adapt to the context of access. That means when a hacker attempts to access sensitive data fields but doesn’t match key attributes such as user ID, privilege, device, location, or IP address, they will encounter full, partial, click-to-view masking or complete redaction of the data field.
Adaptive MFA ensures that contextual attributes (ex. device, network, location) are the determining factor for deploying MFA challenges. For example, customers can require an MFA challenge when a user account is accessing the system from a remote IP address or after business hours.
Enhanced Logging and Analytics with Appsian360 allow you to monitor your networks for suspicious activity and provide detailed insights regarding how, when, and by whom transactions and data fields are being accessed. This visibility is particularly important for identifying users with high-privilege access who are accessing pages they shouldn’t be. The enhanced logging can trace all the pages a user accessed during a session, helping to identify a potential intrusion. This kind of real-time data access and usage visibility was previously unavailable to SAP and Oracle ERP customers.
Eyes and Ears on the Entire ERP Data Ecosystem at All Times
“The enterprise must learn to have eyes and ears on their entire data ecosystem at all times,” said Wendt. Microsoft’s recent data breach due to misconfiguration highlights the importance of a security strategy that continuously looks for misconfigurations and compliance violations. Next, they should establish a multi-layered security approach to prevent unauthorized data access, along with enabling organizations with the ability to identify access trends that may be indicative of incorrect access controls.
Misconfigurations are, unfortunately, a common error and should be treated with the same sense of urgency and level of effort by security professionals as their network perimeter. After all, not all attacks are external.
Contact us today to learn how the Appsian Security Platform and Appsian360 can help you establish a multi-layered security solution.
Stop me if you’ve heard (or spoken) this phrase: “All non-essential projects have been put on hold.”
To be fair, pausing large-scale IT projects (like a cloud ERP migration) in such an uncertain and unpredictable environment makes sense. If the project will take months to implement and it isn’t helping keep the lights on, it isn’t essential. Simple as that! But what is considered “essential” is often a matter of opinion rather than true importance.
A perfect example is ERP data security. When COVID-19 hit, many organizations began scoping enterprise security solutions like a VPN, which enables remote access. But only in the sense of creating an authentication point – not actually securing data. We touched on this more in a previous blog.
Enabling remote access with a VPN helps keep the lights on, but now that the lights are on (and will hopefully stay on), at what point do you consider the vast amounts of data exposure that have emerged as a NEW risk vector? As a direct result of remote access. This is the point where data security becomes essential.
Overlooked but Essential
ERP data security too often gets thrown into the “non-essential” project pile, with companies considering it an afterthought, regardless of the economic climate. Afterthought might be too harsh – perhaps they consider what they already have in place as “good enough.” Essentially making the decision to go into completely unprecedented times with legacy technology. Such thinking will leave your data fully exposed to theft, fraud, and other forms of damage. Alas, if you don’t prepare for the future, then the future is likely to be your downfall. This is why we think NOW is the perfect time to make ERP data security a high-priority – dare we say essential – project. Here are five reasons why.
1: Your ERP Data is Already Exposed
Just because your virtual front door is locked doesn’t mean there’s nobody in your house. Besides the fact that user credentials (including VPN credentials) are routinely stolen – insider threats are one of the fastest-growing trends in data breaches, accounting for 34% of attacks in 2019, according to Verizon’s 2019 Data Breach Investigations Report. In addition, many insider breaches occur simply by insiders unintentionally misusing data. Without proper data security and monitoring protocols in place, it’s difficult to know if users are leveraging their privilege to access sensitive information for either legitimate or malicious purposes.
2: Remote Access and Data Security Should Be Synonymous
A remote workforce is nothing new, but not to the scale caused by the COVID-19 outbreak. The rapid scaling of remote access for critical business functions left many companies relying on conventional (but outdated) security technology, like a VPN. All the while, not considering that remote access means an expanded threat surface – and the wider your threat surface, the more exposed your data is to risk. A VPN may leave you feeling like you shrank your threat surface, but you haven’t truly shrunk your level of risk. Today, the most devastating data breaches happen when credentials are stolen and/or insiders leak/expose data. In a remote access environment, credential/insider risks go up dramatically while a VPN does little to mitigate.
When allowing remote access to your ERP data, you need to monitor a variety of data points, such as where is a user coming from? What data are they trying to access? What device are they using? Is that device being used by the right person? Cybercriminals know these systems are vulnerable and are stepping up attacks.
3: Data Security is Not as Costly as A Data Breach
According to IBM’s Cost of a Data Breach Report, the average cost of a data breach is $4 million. The average cost of a breach in the U.S. is $8.2 million – more than double the worldwide average.
The risks posed by a data breach extend well beyond financial. They are operational as well as compliance-related. Then there are the difficult to quantify costs, including negative exposure and scrutiny for your brand and senior leadership.
4: Compliance Stakes Have Never Been Higher
Compliance mandates like SOX, GDPR, CCPA, and others require organizations to maintain details regarding data access, and places a substantial liability when companies are not taking appropriate measures to secure ERP data. Fortunately, organizations can improve compliance by implementing data security tools that respond to insider threats, minimize direct damage caused by a breach, and reduce (or even void) penalties incurred by compromising customer data.
5: ERP Data Security is A Manageable Problem
An essential project doesn’t mean it’s complicated or burdensome. In fact, this is one of the more manageable problems to solve, as adding data security doesn’t involve much change management – unlike a cloud migration project. The key is to NOT customize the application(s) but to seek solutions that are configurable. Customizations are not a quick fix – they are not scalable and place additional complexity on support down the line. Configurable solutions to these challenges exist – trust us!
Data Protection Can Help Keep the Lights On
You could argue that an ERP data security project isn’t going to help keep the lights on; therefore, it isn’t essential. We would say that any project that helps mitigate business and security risks by enhancing your ability to authenticate users, control access to data, and monitor & respond to potential threats, is essential. And if that project can protect you from fines, theft, and fraud due to a data breach in this current work environment? That’s money you can use to keep the lights on.
Request a demonstration today to learn how Appsian can help you with your essential ERP data security project.
Remote workforces are nothing new to most organizations. According to Buffer’s 2019 State of Remote Work report, 44% of respondents noted that at least part of their team was “full-time remote,” and 31% said that everyone on the team works remotely. Further, at the time of the report, 30% of respondents said that their entire company worked remotely. However, the COVID-19 pandemic accelerated the work-from-home model. By March 31, 2020, the percent of users working remotely had increased 15 percentage points since the start of the COVID-19 outbreak. With that in mind, organizations are assessing how they can maintain granular levels of control and visibility when ERP data is being accessed remotely.
Adopting Contextual Controls to Protect ERP Data
Most organizations already leverage role-based access controls. These controls, which align data access privileges and job function resources, provide a baseline for data governance. However, they often lead to excessive levels of data access and, in turn, produce additional risks. Contextual controls enable an organization to dynamically control access to data during varying contexts of access, often aligning to least privilege best practices. Migrations to cloud applications are largely due to contextual controls being a business requirement, simply because the interconnected applications required a more dynamic approach.
With the move to a remote workforce, organizations need to create more detailed and more dynamic access controls. With attribute-based access controls (ABAC), a company can incorporate additional context such as geolocation, time of day, and IP address to both ensure the appropriate user is accessing the resources and prevent users from having more access than they need. For example, if the organization knows that an employee should be working from Connecticut, ABAC can prevent access to resources if the user’s location is suddenly California – or a foreign country.
Contextual controls provide both the prevention of access policy violations, along with alignment between business requirements and security protocols. Because the organization can limit access according to the principle of least privilege, it reduces the risk of data leakage and financial fraud. Meanwhile, by creating more granular, data-centric access privileges, an organization can ensure that users do not get too much or not enough access – limiting the potential negative effects of restricting access excessively.
User Activity Monitoring for ERP Data Security and Managing Productivity
Monitoring user access to resources and tracking how users interact with data provides an additional benefit for many organizations as their workforces move towards a remote model. Most organizations recognize the benefit of monitoring user access – but not just instances of logging in and logging out of applications. Understanding data access and usage is now a key requirement when maintaining visibility over business data. Organizations are turning to analytics platforms that both include granular access details, along with a visualization element (for example, SIEM). Data is only as useful as the insights it provides, and rapid aggregation and visualization of user access data is a crucial requirement for data security.
Using “Virtual” Work Hours
Looking at a common security use case, many organizations leverage “virtual” work hours to detect anomalies. For example, an employee usually works between the hours of 8 AM and 6 PM but monitoring and alerting to activity around sensitive data at 3 AM, for instance, can be indicative of unauthorized behavior. This uncharacteristic behavior may be an anomaly, but the organization needs to monitor the user activity more closely. If the user denies accessing the information at 3 AM, then the organization needs to focus its monitoring and have the employee change their password. If the organization detects additional unusual activity, then it may need to review the employee’s activities or investigate a potential data breach.
Monitoring User Productivity
From a workforce management perspective, organizations can leverage these insights to review employee productivity. Two use cases present themselves. First, many organizations have contracts that stipulate late payments incur a late fee. If the organization knows that employees should be processing payments ten days prior to the payment date, then they can leverage these reports to ensure that employees meet their timelines, even from a remote location. Additionally, by tracking resource usage data, organizations can monitor whether workforce members are appropriately prioritizing their workdays. If the employees are only accessing a business application at the end of the month, then they are likely waiting until the last minute to input payment information. Preventing these potential revenue losses or rush projects in other areas by speaking with the employee enables the organization to stay on top of its financials.
Enabling Visibility for Business Applications Has Never Been More Critical
Creating trust within and across distributed workforces ensures productivity. However, continued status update meetings across multiple time zones decrease workforce member efficiency. Organizations already monitor user access to their systems, networks, and applications. As part of a robust security posture, organizations should apply protections at the new perimeter – user identity. Rather than micromanaging employees via emails or chats, managers can gain valuable insight into how users are accessing resources and prioritizing work schedules by reviewing data and resource usage.
In an unprecedented time, companies need to find ways to enable their levels of control and visibility over business data. Whether a business application is on-premise or in the cloud, enhancing these solutions should be a mission-critical objective.
Risks against an organization are prevalent in a remote environment, whether those risks are security-related or employee-related by fraud, theft, and error. The keys to maintaining ERP data security ultimately lie in your ability to provide oversight for your data, and the time to act is now.
This article was originally published on Global Trade.