With 2020 nearly three months behind us and the rollout of COVID-19 vaccines picking up speed, organizations are looking hopefully to 2021 and beyond. Optimism aside, a hard truth about 2021 is that remote work, and with it remote ERP access, is here to stay. Organizations must put a mission-critical emphasis on ERP data privacy, security, and access governance policies. Here are some key strategies to consider as you work to improve your ERP data privacy and compliance in 2021 and beyond.
ERP Data Privacy Starts with Knowing Your Data
The obvious first step toward ERP data privacy is knowing exactly what data you have: you can’t protect what you don’t know about. This data inventory should align with the requirements set out by regulations like GDPR, CCPA, SOX, and a growing number of others. Companies should understand what personal data is collected, how it is accessed, where and how it is stored, what it is used for, whether it is shared with another organization or group, and how long it is kept before being disposed of.
Apply Dynamic Access Governance Policies for ERP Data Access
Now that you’ve identified and categorized your data, it’s time to establish who has access to it, when they can access it, from where, on what device, and how often. The problem is that legacy ERP applications like SAP (ECC and S/4HANA), Oracle PeopleSoft, and Oracle EBS govern access with static role-based access control (RBAC). A role answers only who may perform which transaction; it says nothing about where, when, or from which device the request arrives, which is exactly the information that separates normal from risky access in a dynamic workplace.
To build a more dynamic and robust cybersecurity and data privacy program, you can layer attribute-based access control (ABAC) on top of your RBAC roles, adding contextual attributes such as geolocation, time of day, device trust, and transaction type. Combining the two, you can write rules that grant access to an ERP application or transaction only when the user holds the right role and the request meets the contextual criteria. Defining risk in terms of the context of each access, and enforcing policy on that basis at request time, is a crucial data privacy objective and investment.
Leverage Dynamic Controls to Enforce Policies
Once dynamic governance policies are in place, organizations can enforce those policies by leveraging dynamic technology. Specifically, here’s how Appsian can help you gain control and visibility of data access and usage without sacrificing productivity.
Avoid Unnecessary Data Exposure with Dynamic Data Masking
An essential requirement of data privacy is ensuring that users accessing ERP applications, whether in an authorized or unauthorized manner, do not have needless access to valuable data through pages, reports, or queries. Appsian can reduce the exposure of sensitive data with dynamic data masking for sensitive fields. You can also use click-to-view functionality, which keeps a field masked by default and logs each intentional reveal of sensitive information.
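To make the masking and click-to-view behaviour concrete, here is an added example in Python; it is illustrative code written for this page, not Appsian’s product code. The sensitive-field table, the trust rule (managed device, known network, 08:00 to 18:00 local) and the sample employee record are all assumptions. Sensitive fields are masked on every rendering; a click-to-view request reveals a field only from a trusted context, and every such request, granted or denied, is written to an audit log with the context that produced the decision.

```python
"""Dynamic field masking with click-to-view audit logging.

Added example, not Appsian code. The field table, trust rule and
sample record are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Which fields are sensitive and how each is masked (assumed policy table).
SENSITIVE_FIELDS: Dict[str, str] = {
    "ssn": "last4",            # keep the last four characters visible
    "bank_account": "last4",
    "salary": "full",          # hide the whole value
    "date_of_birth": "full",
}


@dataclass(frozen=True)
class AccessContext:
    user: str
    managed_device: bool
    known_ip_range: bool
    hour_local: int            # 0-23, user's local time


def context_is_trusted(ctx: AccessContext) -> bool:
    """Reveal is permitted only from a managed device, a known network and
    within the assumed working-hours window (08:00-18:00)."""
    return ctx.managed_device and ctx.known_ip_range and 8 <= ctx.hour_local < 18


def mask_value(value: object, style: str) -> str:
    """Replace a value with asterisks, optionally keeping the last four chars."""
    text = str(value)
    if style == "last4" and len(text) > 4:
        return "*" * (len(text) - 4) + text[-4:]
    return "*" * len(text)


@dataclass
class MaskingEngine:
    audit_log: List[dict] = field(default_factory=list)

    def render(self, record: dict, ctx: AccessContext,
               reveal: Optional[Set[str]] = None) -> dict:
        """Return a display copy of `record`.

        Sensitive fields are masked by default on every page, report or
        query result. A field named in `reveal` models a click-to-view
        request: it is shown in clear only when the context is trusted,
        and the request is logged whether it was granted or denied."""
        reveal = reveal or set()
        shown = {}
        for name, value in record.items():
            style = SENSITIVE_FIELDS.get(name)
            if style is None:
                shown[name] = value
                continue
            if name in reveal:
                granted = context_is_trusted(ctx)
                self.audit_log.append({
                    "user": ctx.user,
                    "field": name,
                    "record_id": record.get("employee_id"),
                    "outcome": "revealed" if granted else "denied",
                    "managed_device": ctx.managed_device,
                    "known_ip_range": ctx.known_ip_range,
                    "hour_local": ctx.hour_local,
                })
                if granted:
                    shown[name] = value
                    continue
            shown[name] = mask_value(value, style)
        return shown


# Constructed sample record (not real data).
EMPLOYEE = {
    "employee_id": "E1001",
    "name": "A. Example",
    "ssn": "123456789",
    "bank_account": "000123456789",
    "salary": 98000,
}

if __name__ == "__main__":
    engine = MaskingEngine()
    office = AccessContext("hr.analyst", True, True, 10)
    home_night = AccessContext("hr.analyst", False, False, 23)
    print(engine.render(EMPLOYEE, office))                    # everything masked
    print(engine.render(EMPLOYEE, office, reveal={"ssn"}))    # ssn revealed, logged
    print(engine.render(EMPLOYEE, home_night, reveal={"salary"}))  # still masked, logged as denied
    for entry in engine.audit_log:
        print(entry)
```

The point of logging the denied reveal as well as the granted one is that an after-hours attempt to view a salary from an unmanaged device is itself the kind of signal the compliance and monitoring sections below want to see.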
Add Stepped-Up Multi-Factor Authentication at the Transaction Level
Adding multi-factor authentication at the transaction level, in addition to the perimeter, ensures that users are not only authorized to access and view the data but also authorized, given their current context of access, to perform the actual transaction. This should be applied to highly sensitive transactions like editing a direct deposit account number, accessing compensation data, or running a report containing employee PII.
Strengthen Data Loss Prevention
Data exfiltration, whether malicious or accidental, typically originates from employees’ legitimate access to ERP applications and can be hard to prevent or detect with existing security capabilities. Using context-aware data loss prevention policies, Appsian can block transactions that download ERP data in high-risk scenarios, such as after business hours or from untrusted locations, networks, or devices.
Enhance Visibility into ERP Data Access and Usage
Compliance mandates such as GDPR, CCPA, SOX, and others require organizations to maintain records of data access and usage. Unfortunately, user behavior can be a mystery when relying on native ERP logging to understand the “what, who, where, why, and how” of data access and usage; reconstructing it is a manual, time-consuming task. But not anymore.
Appsian360 provides granular, real-time visibility into user activity logging and analytics, delivering actionable insights to automate compliance audits. It allows organizations to continuously monitor data access and usage and proactively alerts security teams to anomalous activity, allowing them to quickly respond with full forensic information.
See for Yourself How Appsian Can Help Improve Your ERP Data Privacy & Compliance
Appsian can help companies ensure that their ERP data privacy, security, and access governance policies are aligned with today’s regulations and scalable to comply with future mandates. Contact us for a demonstration today.
If 2020 was the year of hastily enabling secure remote access to ERP applications, then 2021 will be the year when organizations realize that remote ERP access is here to stay, and long-term data privacy, security, and access governance strategies will be mission-critical. Securing ERP data has always been important in principle, but the mass migration to requiring remote access (in perpetuity) has kicked off a heightened emphasis on the topic.
Among the many lessons of the pandemic is that 2020 was the “coming of age” for ERP data privacy and the challenges it creates. Many organizations learned the hard way that sensitive ERP data (business data and PII) is a top target for malicious activity and one of the most difficult assets to secure, especially when it lives in legacy business applications.
Let’s look back at the Year of the Pandemic and examine some of the data privacy events and trends we observed that will serve as guideposts for making ERP data privacy a mission-critical priority in 2021.
Variations in Access Present Greater Data Privacy Challenges
It’s clear that working remotely is here to stay. A Gartner HR survey reveals that 41% of employees are likely to work remotely at least some of the time post-pandemic. Tech giants like Facebook, Salesforce, Twitter, and more, announced that they would continue to offer remote work and possibly move to entirely remote models permanently.
A key challenge uncovered when the pandemic forced a rapid transition to remote workforces was that most organizations had data privacy and governance policies that didn’t account for variations in user access, especially those running legacy ERP applications like SAP (ECC & S/4HANA), PeopleSoft, and Oracle EBS. These applications were originally designed to give users easy access to data from inside the firewall; they were never designed for a dynamic access environment.
The fact of the matter is that the roles and privileges governing access to these systems implicitly depended on managed devices, corporate firewalls, and in many cases 9:00-to-5:00 access patterns. Remove those assumptions, enable access from anywhere, on any device, at any time, and strict privacy and governance policies give way to “wild west” levels of access risk.
Instead of needing to be in a specific physical location, users can access an organization’s sensitive data from anywhere. The physical and network controls that protected IT infrastructures and data privacy no longer provide the same level of confidence. Changing how companies do work requires them to change how they secure data and re-evaluate their data privacy and access governance strategies.
When it Comes to ERP Data Privacy – Identity is the New Perimeter
With organizations continuing to support remote access to ERP applications, they need to design policies and practices that define how data is accessed, viewed, and used – as well as the technology they’ll need to implement and enforce those policies.
A key investment is adding dynamic capabilities to already established identity and access management (IAM) solutions: in other words, minimizing risk by granting access dynamically, based on the context of the user’s request.
Applying dynamic IAM and access governance supports traditional role-based controls while accounting for the variations in a user’s access that may indicate risk.
Further examples would be:
- Requiring step-up MFA on a sensitive transaction or data field, so the user must re-authenticate before proceeding
- Requiring MFA when a user accesses the application from an unmanaged device, in line with the zero-trust principle that no device is trusted by default
- Reducing the privileges of super users when their session comes from an unknown IP range, applying the principle of least privilege
- Applying dynamic data masking that hides all PII, account numbers, etc., when access comes from an unmanaged device, an unknown IP range, or outside typical working hours.
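The examples in this list, and the ABAC-on-top-of-RBAC approach described earlier on this page (including transaction-level step-up MFA and blocking data downloads in high-risk contexts), can be expressed as a single policy decision. The following Python is an added illustration written for this page, not Appsian’s code or an ERP vendor’s API. The role and transaction names, the trusted-country list, the 08:00 to 18:00 working-hours window and the rule that only super users may assign roles are assumptions. The static role check runs first; the contextual rules then either deny, demand re-authentication, or allow.

```python
"""Context-aware access decisions layered on static ERP roles.

Added example (not Appsian code). Role names, transaction names, the
trusted-country list and the working-hours window are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"   # proceed only after the user re-authenticates
    DENY = "deny"


# Static RBAC layer: which transactions each role grants (assumed).
ROLE_TRANSACTIONS: Dict[str, FrozenSet[str]] = {
    "hr_clerk": frozenset({"view_employee", "edit_direct_deposit"}),
    "payroll_admin": frozenset({"view_employee", "edit_direct_deposit",
                                "view_compensation", "download_pii_report"}),
    "super_user": frozenset({"view_employee", "edit_direct_deposit",
                             "view_compensation", "download_pii_report",
                             "assign_roles"}),
}

# Transactions that always need step-up MFA, whatever the context.
HIGH_RISK = frozenset({"edit_direct_deposit", "view_compensation", "download_pii_report"})
# Transactions that move data off the system; subject to context-aware DLP.
EXPORTS = frozenset({"download_pii_report"})
# Privileges stripped from super users whose session comes from an unknown IP range.
SUPER_USER_ONLY = frozenset({"assign_roles"})
TRUSTED_COUNTRIES = frozenset({"US", "CA"})   # assumed
WORK_HOURS = range(8, 18)                     # 08:00-17:59 local, assumed


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    transaction: str
    managed_device: bool
    known_ip_range: bool
    country: str
    hour_local: int
    mfa_completed: bool = False   # True once the step-up prompt has been passed


def effective_transactions(req: Request) -> FrozenSet[str]:
    """Union of the user's roles (RBAC), then the least-privilege reduction:
    super-user-only transactions are dropped for sessions from unknown IP ranges."""
    granted = frozenset().union(*(ROLE_TRANSACTIONS.get(r, frozenset()) for r in req.roles))
    if not req.known_ip_range:
        granted = granted - SUPER_USER_ONLY
    return granted


def evaluate(req: Request) -> Tuple[Decision, str]:
    """Static role check first, then the contextual (ABAC) rules."""
    if req.transaction not in effective_transactions(req):
        return Decision.DENY, "transaction not granted by roles in this context"
    if req.country not in TRUSTED_COUNTRIES:
        return Decision.DENY, f"access from unexpected country {req.country}"
    risky_context = (req.hour_local not in WORK_HOURS
                     or not req.managed_device
                     or not req.known_ip_range)
    if req.transaction in EXPORTS and risky_context:
        return Decision.DENY, "data export blocked in high-risk context"
    if (req.transaction in HIGH_RISK or not req.managed_device) and not req.mfa_completed:
        return Decision.STEP_UP_MFA, "sensitive transaction or unmanaged device"
    return Decision.ALLOW, "role and context checks passed"


if __name__ == "__main__":
    clerk = frozenset({"hr_clerk"})
    payroll = frozenset({"payroll_admin"})
    root = frozenset({"super_user"})
    for req in (
        Request("clerk1", clerk, "edit_direct_deposit", True, True, "US", 10),
        Request("clerk1", clerk, "view_employee", False, True, "US", 10),
        Request("root1", root, "assign_roles", True, False, "US", 10),
        Request("pay1", payroll, "download_pii_report", True, True, "US", 22, True),
        Request("pay1", payroll, "download_pii_report", True, True, "US", 10, True),
    ):
        decision, reason = evaluate(req)
        print(f"{req.user:8} {req.transaction:22} -> {decision.value:12} ({reason})")
```

Note the ordering: the DLP rule for exports denies outright rather than asking for MFA, because a second factor proves who the user is, not that a bulk PII download at 22:00 from a hotel network is appropriate.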
The sooner organizations realize that their perimeter is only as strong as their ability to manage user access – the better off they’ll be!
Data Privacy Regulations Mixed with Remote Access Will Only Make Compliance More Challenging
Today’s ever-changing data privacy landscape is a reminder that organizations should always be diligent about what kinds of data they are collecting and how it is being stored, and, most importantly, should have the visibility to understand exactly how that data is being accessed. For example, is access suddenly coming from a hostile foreign country, or are certain data records or reports being accessed at a higher-than-normal frequency? Ask yourself: just because someone can access sensitive data, does that mean they should?
Successful organizations will invest in technologies that monitor user behavior around data access and usage, capturing contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information that is paramount for compliance reporting and effectively responding to audit findings.
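The two questions above, a report being run far more often than usual and access arriving from a country never seen for that account, are exactly what a baseline over the captured access details can answer. The Python below is an added example written for this page, not Appsian360 or any vendor’s detection logic. The audit records are constructed inline (five quiet days, then a review day with a burst of report runs, three of them from a new country and IP), and the field names, review day, and alert thresholds (at least five runs and more than three times the daily average) are assumptions.

```python
"""Baselining ERP access logs: frequency spikes and first-seen countries.

Added example (not Appsian360 code). The log records, field names, the
review day and the alert thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict
from typing import Dict, List


def constructed_log() -> List[dict]:
    """Build a small audit trail (constructed data): five baseline days, then a
    review day on which one user runs a compensation report 14 times, the last
    three from a country and IP never seen for that account."""
    events = []
    for day in range(1, 6):
        for i in range(2):
            events.append({"ts": f"2021-03-0{day}T{9 + i:02d}:15:00Z", "user": "jdoe",
                           "ip": "10.1.4.22", "country": "US",
                           "page": "HR_COMP_REPORT", "action": "run"})
        events.append({"ts": f"2021-03-0{day}T10:00:00Z", "user": "asmith",
                       "ip": "10.1.7.3", "country": "US",
                       "page": "HR_COMP_REPORT", "action": "run"})
    for i in range(14):
        abroad = i >= 11
        events.append({"ts": f"2021-03-08T{8 + i // 2:02d}:{(i % 2) * 30:02d}:00Z",
                       "user": "jdoe",
                       "ip": "203.0.113.9" if abroad else "10.1.4.22",
                       "country": "BR" if abroad else "US",
                       "page": "HR_COMP_REPORT", "action": "run"})
    events.append({"ts": "2021-03-08T10:00:00Z", "user": "asmith", "ip": "10.1.7.3",
                   "country": "US", "page": "HR_COMP_REPORT", "action": "run"})
    return events


def detect(events: List[dict], review_day: str, ratio: float = 3.0,
           min_runs: int = 5) -> List[dict]:
    """Compare each user's report runs on `review_day` with their daily average
    over earlier days, and flag any access from a country absent from that
    user's history. Returns one alert dict per finding."""
    runs_per_day: Dict[str, Counter] = defaultdict(Counter)
    seen_countries: Dict[str, set] = defaultdict(set)
    for e in events:
        day = e["ts"][:10]           # ISO timestamps sort lexicographically
        if e["action"] == "run":
            runs_per_day[e["user"]][day] += 1
        if day < review_day:
            seen_countries[e["user"]].add(e["country"])

    alerts = []
    for user, per_day in runs_per_day.items():
        history = [n for d, n in per_day.items() if d < review_day]
        baseline = sum(history) / len(history) if history else 0.0
        today = per_day.get(review_day, 0)
        if today >= min_runs and today > ratio * baseline:
            alerts.append({"type": "frequency", "user": user,
                           "runs_today": today, "daily_baseline": baseline})

    reported = set()                 # one new-country alert per (user, country)
    for e in events:
        if e["ts"][:10] != review_day:
            continue
        key = (e["user"], e["country"])
        if e["country"] not in seen_countries[e["user"]] and key not in reported:
            reported.add(key)
            alerts.append({"type": "new_country", "user": e["user"],
                           "country": e["country"], "ip": e["ip"],
                           "first_seen": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_log(), "2021-03-08"):
        print(alert)
```

The `min_runs` floor matters: a user whose baseline is zero runs per day would otherwise trip the ratio test on a single report, so the rule only fires when the absolute count is also meaningful. The same per-user history is what lets the country check distinguish a colleague travelling to a location they have used before from a first appearance of an account in a new country.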
Hodgepodge of State-Level Data Privacy Regulations Sow Confusion
Up to now, the standard-bearer for data privacy regulations in the United States was California’s CCPA. In 2021, the number of state-level data privacy regulations is likely to increase, which is bound to further complicate matters by creating multiple compliance requirements.
Virginia is poised to become the second state to enact a data privacy bill, while lawmakers in Washington state, New York, Oklahoma, and Utah are currently weighing proposals. Meanwhile, Californians voted to approve the California Privacy Rights Act (CPRA), a series of changes made to the existing California Consumer Privacy Act (CCPA).
This hodgepodge of domestic data privacy regulations should motivate organizations to get data privacy, security, and access governance strategies in place, ensure documentation, and prepare for both financial penalties and civil actions. If 2020 was any indication (GDPR fines rose by nearly 40%), companies are likely to see more frequent and more significant fines for non-compliance in 2021.
Having Weak ERP Data Privacy Policies Will Become Expensive
COVID raised the awareness of ERP data privacy as companies struggled last year to continue with normal business operations in a remote environment. These struggles forced many leaders to establish privacy and compliance frameworks and implement the technology to support them. However, this is just the beginning.
With 2020 being a record year for data breaches, along with an ever-growing list of data privacy regulations that carry monetary fines for non-compliance, the writing is on the wall. Organizations will not be able to call themselves victims if their decades of accumulated PII and business data get exploited or breached. The monetary consequences of these incidents can have catastrophic effects on both your bottom line and your reputation.
Contact Appsian to learn how we can help you align your legacy ERP applications with today’s data privacy and compliance demands. Effectively scale your efforts for future mandates.