Analytics, Security

Why the California Privacy Rights Act (CPRA) Presents Challenges for Legacy ERP Customers

By Michael Cunningham • November 20, 2020

While nearly everyone was focusing on the results of the 2020 Presidential race, California voters passed Proposition 24, the California Privacy Rights Act (CPRA) (full text here). You might be wondering if this is a new privacy law that will replace the 2018 California Consumer Privacy Act (CCPA), which went into effect earlier this year. The CPRA provides additional context to the CCPA and attempts to close some of the loopholes and ambiguity found in the original. The CPRA gives additional rights to consumers and places additional obligations on businesses. 

While some of the CPRA changes will take effect immediately, most will not become enforceable until July 1, 2023, and apply only to personal information collected after January 1, 2022. Like the run-up to the launch of CCPA, companies will have time to prepare for the new requirements. 

A Quick Summary of the California Privacy Rights Act 

In scope, the CPRA retains the same basic structure as the CCPA. It includes establishing a dedicated enforcement agency for consumers, tripling fines against companies that violate kids’ data privacy, and making it harder to weaken privacy laws in the future. 

A couple of the more notable additions in the CPRA are that the law expands the right to opt-out of sharing of information and establishes new rights to limit how businesses use “sensitive personal information,” a new term defined broadly to include, among other things: information about health conditions, genetic data, race and ethnicity, sexual orientation, precise geolocation, and more.

ERP applications already store an abundance of personally identifiable information, such as Social Security numbers, driver’s licenses, or passport numbers. This new data classification adds to the effort of identifying and classifying information necessary to remain in compliance.

The CPRA Signals Organizations Must Get Serious About Enhancing Data Access and Usage Visibility – Especially for Legacy ERP Applications  

The CCPA and CPRA require organizations to implement appropriate security measures around personal data privacy and satisfy consumer requests to opt-out of “sharing” and “selling” of their information. That means businesses must know what personal data they collect and how that data is accessed and used. However, companies using PeopleSoft, SAP ECC, S/4HANA, and Oracle E-Business Suite are likely facing significant compliance challenges due to inherent limitations that plague legacy ERP systems. Traditional ERP application logs do not produce the required level of granularity into how data is accessed.  

How Appsian360 Enables CCPA/CPRA Compliance 

Successful organizations will invest in technologies that monitor user behavior around data access and usage. This is where Appsian360 becomes an essential tool for compliance, as it expands native ERP logging capabilities to capture contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information that is paramount for compliance reporting. 

More Data Privacy Acts Likely on the Horizon 

With the CPRA, Californians will likely have the most robust online privacy rights in the world. And it probably won’t be the last. The original passage of the CCPA incentivized other states to draft their own privacy bills. There’s been activity at the federal level as well. So, while the pandemic rightfully slowed down state and federal activity, there’s a good chance we’ll see additional privacy bills in 2021.

There’s no better time than the present to press forward with your compliance efforts, whether it’s for CCPA, GDPA, and now CRPA. Contact us to learn how Appsian can fast track your CCPA and CRPA compliance efforts by enhancing your visibility into data access and usage. 

Stay Updated

Security

How to Detect Insider Threats in Your ERP System

By Michael Cunningham • November 16, 2020

Insider Threats Are Becoming More Frequent and More Costly to Organizations. Especially Those Using Legacy ERP Systems. Here’s How You Can Proactively Prevent the Risk of Insiders Compromising Data 

While data breaches caused by hacking/phishing/ransomware tend to grab the most headlines, most data security incidents are from trusted insiders with access to sensitive data and systems. Thus, making insider threats one of the most common, yet elusive, risks to manage.

When you hear the term “insider threats,” most people reflexively think about a greedy or disgruntled employee abusing their access for revenge or financial gain. But there’s more to the definition than the angry employee out for revenge. An insider can be a current or former employee, contractor, or business partner with legitimate access to the organization’s network, systems, or data. The insider threat occurs when the insider (user) maliciously or unintentionally misuses their access to negatively affect or harm the business. So assuming all insider threats are disgruntled employees is false – an insider who is unintentionally violating a business policy can inflect plenty of damage.

Why Are Insider Threats So Dangerous to Organizations Using Legacy ERP Systems? 

The number one issue for security teams when it comes to detecting an insider threat is the user in question has authorized access to the ERP system. It’s the malicious intent or individual violation amongst the rest of the legitimate access that makes it difficult to tell the difference between a user’s regular activity and possible malicious activity. What makes them especially dangerous is that insiders usually know how to find and access sensitive data and sometimes have a privileged (or over-privileged) account.  

Insider threats are among the most common causes of data breaches worldwide, and they can often be among the costliest. According to the 2020 Insider Threat Report (Cybersecurity Insiders), 68% of organizations observed that insider attacks have become more frequent over the last 12 months. Moreover, 70% have experienced one or more insider attacks during that same period. Ponemon calculates that the average cost per insider incident is $11.45 million in 2020, increasing by 31% from 2018.  

The increase in attack frequency shouldn’t surprise anyone thanks to the COVID-induced necessity for remote access to ERP systems and data. While security teams were likely focusing their cybersecurity efforts and budgets on securing the perimeter, cybercriminals found new ways to target user accounts with phishing and social-engineering attacks. 

The good news is that organizations using ERP systems can detect and defend against insider threats with a combination of data-centric security measures and monitoring data access and usage.  

Detecting Insider Threats by Monitoring ERP Data Access and Usage 

Detecting an insider threat as quickly as possible is essential to limiting the amount of damage, financial or otherwise, this insider can cause. However, how can you tell the difference between regular activity and harmful activity? With an insider using a legitimate login profile, there aren’t obvious warning signs when malicious behavior takes place.  

Monitoring user behavior around data access and usage can highlight internal access misuse and credential theft. And continuously monitoring for outlier and anomalous behavior patterns provides visibility into how high-privilege users interact with sensitive data. This monitoring helps security teams identify a possible malicious insider or if an external attacker has compromised an employee’s credentials. For example: 

  • Monitoring user activity during remote access down to the transaction level 
  • Monitoring data access and usage by users with high privileges 
  • Monitoring query attempts to download information onto unauthorized devices 
  • Monitoring exactly who is accessing highly sensitive data fields 

Without advanced analytics and data monitoring, keeping track of every user’s activities after they’ve logged in to the system is a lot of work. In some cases, raw logs from your ERP system need to be manually checked, and each event studied—often after an insider threat has already occurred. No wonder the average time to identify and contain an insider threat incident is 77 days (Ponemon).  

When security teams monitor data access and usage, they can be proactively alerted to potential insider threats by identifying anomalous activity with actionable insights into what was accessed and by whom. Now organizations can quickly respond with a full forensic investigation and a rapid and thorough response. 

Preventing Insider Attacks with Dynamic, Data-Centric Security 

Although security professionals recognize the value of continuously monitoring data access and usage to detect insider threats, companies should also adopt a layered, data-centric security model to improve the likelihood of preventing an insider threat from attacking. 

Enhance Access Controls with Dynamic Authorization Policies 
Organizations should start by incorporating dynamic authorization strategies that use contextually aware access controls. Dynamic authorization gives organizations a way to leverage the contextual attributes of access such as geolocation, time of day, and IP address to better control the resources users access, how they access it, and from where they access it. For example, you can prevent an insider threat who has legitimate credentials from accessing sensitive data because they accessed the ERP system from a foreign IP address and outside of established business hours.  

Expand the Use of Data Masking  
You’re likely already masking the obvious data fields with personal information, like social security numbers, bank account information, national ID number, passport number, driver’s license number, etc. However, now that insider threats are increasing, organizations should expand the use of data masking to all fields that could be considered personally identifiable, giving you greater control over who can see what data and when. And deploying data masking based on dynamic authorization policies, like location, device, and time of day allows a more secure-and flexible-access to data.  

Enable Stepped-Up Multi-Factor User Authentication  
Using stepped-up multi-factor authentication is an important tool for preventing insiders from doing stuff they shouldn’t. When it comes to performing transactions with sensitive information, adding multi-factor at the transaction level as well as the perimeter ensures that users are not only authorized to access and view the data but perform the actual transaction.  

Take A Proactive Approach to Detecting and Preventing Insider Threats 

When it comes to insider threats, most security teams live in a murky gray middle zone struggling to determine the difference between regular user activity and anomalous activity indicating an insider attack. Organizations can help their IT security teams take a clear, proactive approach to detecting and preventing insider threats and attacks by applying a data-centric security approach combined with continuous monitoring of data access and usage. 

Want to see a demonstration of how Appsian can help your organization detect insider threats? Contact us to chat with an Appsian security expert today. 

Stay Updated

Security

How IT Can Use ERP Data to Become a Hero to their Business Stakeholders

By Michael Cunningham • November 4, 2020

When business stakeholders come to you looking for answers, having visibility and context around ERP data access and usage gives you the actionable insight necessary to provide value.

As a leader of Enterprise Applications, customizing legacy ERP applications like PeopleSoft, SAP ECC, Oracle EBS, etc., to meet your business’ exact process specifications can leave you between a rock and a hard place. The more customized your ERP applications get, the more your business stakeholders love it, but the complexity around application support and maintenance also increases. That being said, accepting more complexity is just part of the job, because after all, your most important role (in the eyes of others) is providing timely and accurate resolution to inquiries or incidents from your business stakeholders

You know the drill: members from various business units come to you requesting help for a particular incident or an anomaly they spotted. It’s up to your team to provide a resolution in a timely manner. And that’s where the trouble begins. Many incidents require hours, weeks, and even months to research and resolve. It’s hard to provide excellent customer service to the lines of business when your team is facing major obstacles to resolving incidents in a timely manner.  

What if I told you there’s a way to enable your team to spend less time researching an issue (or no time at all) and produce faster results while providing better value for the various business leaders and their teams? 

Three Major Obstacles to Timely ERP Incident Resolution 

You’re the last person who wants to hear or say, “well, that’s just [insert ERP app name here].” But that’s one way you can sum up the limitations and obstacles your team will immediately encounter.  

Here’s a simplified view of that process from the perspective of PeopleSoft. Somebody from a line of business will contact a member of your Sys Admin team and say, “Hey, this user’s account was updated (i.e., maybe they didn’t get their paycheck), or there was some sort of anomaly in the execution of a typical business transaction (i.e., vendor didn’t get paid, etc.). We don’t know what it is, and the functional user(s) say it wasn’t them. We’re not sure what happened. Can you guys look into this? That would be great.”  

This incident kicks off your process flow to find a resolution. Then come the obstacles: 

Obstacle 1Legacy ERP Logs Can’t Tell You About Data Access 

Experience says that most people who use an ERP application like PeopleSoft don’t know who’s doing what (specifically), who’s accessing what information, or most importantly – why. You probably first need to work out if this is something that the user did themselves or a hacker was able to gain access to the system – and also work out if this is an inside job or an external attack.

And while the logs can point you in the right direction, the legacy ERP logs are not designed to provide detailed information on who accessed what or even, in most cases, viewed something sensitive. This leads to major obstacle number two…

Obstacle 2ERP Logs are Disparate and Not Correlated 

ERP logs were designed for troubleshooting, not granular activity logging, which contributes to organizations and business units not knowing what their employees are doing inside the applications. When it’s time to go under the application hood and examine the native logs, another metaphor comes to mind: looking for a needle in the haystack. Here’s an example of all the native logs you might find in your instance of PeopleSoft: 

  1. App Server 
  2. PIA (Web Server) 
  3. Database 
  4. Process Scheduler 
  5. Load Balancer 
  6. Identity Provider (SAML, LDAP, ADFS) 
  7. Host O/S Logs 
  8. Firewall 

Your organization likely has more than one of these servers where these logs reside. You might have four application servers, eight web servers, and so on. Now you’re looking at finding a needle in multiple haystacks. And that data is not correlated, so there is little relative context that can enable your investigation. 

Here’s a nerdy example using the App Server and Web Server logs. On the Web Server, you cannot identify the person who logged in because you don’t know the OPRID. All you have are an IP address and a timestamp. You need to go to the App Server and review the OPRID, timestamp, and IP address on login or log out and attempt to correlate that information with similar information on the Web Server.  

Obstacle 3: Log Data is Not Enriched with Any Context That Makes It Actionable 

Once your team has collected data from the logs and assembled material from other sources, the final step is to interpret everything and make a best guess so an action item can be established. How actionable is having a collection of raw data such as IP addresses, user IDs, location of devices, completed transaction, etc., if you’re not able to place that data into a human context?  

Let’s take the example of “Jim” and the incident involving him not receiving a paycheck. The raw ERP data shows that Jim’s credentials accessed pages containing personal information and bank account information several times over a period of time. Jim, the human, denies that he made any changes to the data on those pages, so the paycheck should have been routed to his usual bank account. Maybe you change Jim’s username and password and cut him another check. Was Jim trying to defraud the company and get an extra check, or was Jim’s account compromised in some way? Could a hacker have accessed Jim’s payroll data, changed the account number, received the funds, then changed the number back – getting away without a trace? Absolutely! It happens every day. If you cut Jim a new check, you fix Jim’s immediate problem, but do you understand what’s happening in your system?  

Why Appsian360 Immediately Makes You a Hero to Your Organization 

You’ve been waiting in suspense to know when IT becomes the hero – well, here it is. When the business comes to you looking for answers related to a specific incident, Appsian360 provides the quick, actionable insight necessary to provide the company with the understanding of what happened with their ERP data.  

How? Appsian360 logs granular user access to data, correlates existing ERP logs, enriches the data with contextual attributes (who, when, where, what device, etc.), and visualizes the ERP data’s access and usage on dashboards. Now your team can easily look at data access by IP addresses, user IDs, location of devices, pages accessed, etc., and very quickly understand the facts behind an incident. 

Let’s go back to Jim’s situation. With just a handful of clicks in Appsian360, you confirm that “Jim’s credentials” did indeed access and edit his personal information. Additionally, you discover that “Jim” was logging in after-hours using a foreign IP address based in another country. With a few more clicks, it’s clear that the IP address is responsible for other compromised user accounts. You didn’t just discover Jim’s breach, you now have a clear picture and a direction to fix the actual security issue – one that was growing in urgency by the day!

Without context, you lack insight. Context around data access and usage creates actionable insights. Actionable insights support the company and provide value to key stakeholders.  

Understanding user activity and data usage are precisely what the business needs – and without Appsian360, ERP logs lack insight. You can buck that trend with Appsian360.

Contact us to learn how Appsian360 can provide you with the most powerful, real-time view into ERP data access & usage. 

Stay Updated

Security

Are Advanced Persistent Threats (APT) Haunting Your ERP Applications?

By Michael Cunningham • October 29, 2020

Halloween 2020 (the day, not another movie) is right around the corner. Usually, I’m thinking about spirits and haunted houses and candy. Now that I’m working for a company that helps organizations defend their ERP data, my mind wanders to a more sinister “spirit” that might be haunting the halls of your legacy ERP system: the advanced persistent threat (APT). These technological poltergeists work hard to remain undetected as they quietly take possession of the very soul of your company: your data. Let’s look at how you can find out if you have one and what you can do about it.  

What Is An Advanced Persistent Threat?  

TechTarget defines an advanced persistent threat (APT) as a “prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time.” APT attacks are typically aimed at organizations in sectors such as national defense, manufacturing, and the financial industry due to their high-value information.   

While your company may not be the type of organization to draw the attention of well-organized and well-funded hacker groups or rogue nation-states, you must remember that the attacker’s primary focus is to steal data rather than cause damage to the network. That means an APT can be a malicious outsider or an insider. And the last thing they want is for you to detect their presence and cast them out.   

Signs that You May Be Haunted by An Advanced Persistent Threat  

Haunted house movies typically start the same way: the residents of the house begin to notice slight anomalies that indicate something out of the norm is happening. Let’s take a look at some spooky behavior that can indicate the presence of a figurative ghost in the ERP system.   

Payroll Theft is Most Commonly a Result of an APT 

Perhaps your payroll department notices irregularities: different direct deposits getting wired to the same account, employees who opted for paper paychecks instead of direct deposit report they are no longer receiving their mail. Or, perhaps during a routine security audit, you notice the sudden creation of high-privileged user accounts, yet there are no entries in the logs that show who requested or approved them. Finally, you might wonder why, and how, Fred from procurement is logging into the HRIS and frequently accessing executive payroll information. Is it actually Fred or Fred’s login credentials? 

The Context of Access Can be a Sign of an APT 

There are other signs of paranormal activity in your ERP system, such as after-hours activity by normal accounts, excessive login failures, and suspicious access from overseas locations and unknown IP addresses. Regardless of the signs, your next step is to begin an investigation. The advanced persistent threat is counting on your inactivity to stay hidden.   

Using Layered Security to ‘Ghost Proof’ Your ERP 

When abnormal behavior reveals itself, companies using legacy ERP systems are often left in the dark. These systems lack the granular visibility into data access and usage essential to locating and removing malicious spirits.   

Appsian empowers companies to adopt a layered security approach that features dynamic controls for authentication & authorization, along with real-time monitoring that provides transparency over what data is accessed and by whom. Appsian adds these extra layers of security WITHIN your ERP system to help ensure that data is still protected even if it is being haunted by an APT (ex. valid login credential stolen by a phishing attack.)   

Who You Gonna Call?  

Every organization, regardless of size or industry, is susceptible to advanced persistent threats, in addition to all the other cybersecurity threats that go bump in the night. Prevention and early detection are your best defenses against these ghosts and spooks accessing and stealing your company’s data. 

Contact us today to learn how the Appsian can help you establish a multi-layered security solution and increase your visibility into data access and usage.  

Stay Updated

Security

Data Breaches Are Going Up, While Cybersecurity Training is… Going Down?

By Scott Lavery • October 27, 2020

According to a recent Shred-It survey, both senior leaders and employees indicated data breaches doubling in frequency in the last few years. Consequently, these same groups also reported modest but still peculiar decreases in cybersecurity training commonly used to identify tactics like phishing, ransomware, or other malicious software. Senior leaders saw a 6% drop, and employees saw a 7% drop from 2019-2020. While not eye-popping numbers by themselves, it begs the question – if data breaches are going up, why is cybersecurity training going down?

You could argue that a top theme of 2020 would be the dramatic rise in data breaches, so it’s worth wondering if a downward trend in training is likely to continue, or will it reverse course in 2021?

Cybersecurity Training for Employees May No Longer Be Relevant?

This is a controversial and over-simplified statement, but the downward trends point to this attitude within organizations. If cyberattacks are evolving in sophistication each day, then how can organizations keep up? At what point do you accept the fact that attacks are likely to be successful, and you need to invest your resources in risk management and mitigation? The truth is, information security professionals are constantly playing behind the 8-ball when it comes to combatting employee-targeted cybercrime. Spoofed landing pages and emails that mimic corporate branding can be created in a matter of minutes – while LinkedIn, along with countless databases, have made it simple to discover and exploit org charts. If cybercriminals are always one step ahead, is cybersecurity training constantly obsolete?

Is Employee-Targeted Cybercrime Becoming Too Hard for Employees to Spot?

As the head of a department myself, who reports directly to the CEO, I cannot begin to tell you how many emails I’ve received “from” my CEO, disguised to send money, reports, or some information that a hacker would use maliciously. It’s not magic. The hacker found my CEO, worked their way backward to assume who the direct reports were, created a perfect replica of my company’s email signature, sent it around, and hoped for the best! The only reason it didn’t work is because I scrutinized the nature of the request – not the email used to make the request. The email was flawless.

Let’s apply this enterprise-wide. Heading into end-of-year, countless employees will be asked up update information in their ERP applications. All for many reasons – benefits open enrollment, updating personal information so tax documents or bonuses can be received. Spoofed “update your password” emails and landing pages that are designed to steal login credentials are the #1 cause of identity theft and payroll diversion. Why are they so effective? Because if you have the ERP login credential, you have the power! Primarily relying on a password security model means employees must correctly scrutinize those spoofed emails and landing pages, then choose NOT to comply with what this spoofed “corporate email” is telling them to do. How effective do you think that will be throughout an entire organization?

It is challenging to teach scrutiny, but organizations are trying. The lesson always is – never open attachments from outside email addresses, never send personal information, etc. However, in the age of remote work and ubiquitous mobile device usage, relying on this level of scrutiny is extremely difficult. And the hackers know this! Detecting spoofed emails and landing pages is tough enough on a desktop, but it’s extremely hard on a mobile device.

What’s a More Effective Way of Preventing Cybercrime?

Simple. Using software to analyze email links and attachments (which most companies are already doing) and making the data that the hackers want more difficult to obtain (ex. employee PII from ERP applications.) Information security teams use these solutions to fail-proof an employee’s lack of scrutiny. As these solutions become more sophisticated, it makes sense for these to be your primary areas of protection. Leaving good ole’ employee training in the dust.

Is Cybersecurity Training for Employees Still Relevant?

Short answer, yes! Employees should always be doing their part to protect their personal data, along with business data. However, the inverse trend in data breaches and training is simply a reflection of a re-allocation of resources. Or, as my dad would say, “the juice is not worth the squeeze.”  Training a workforce is extremely complicated and expensive. As technology evolves to the point where it can do the scrutinizing for employees, we’re likely to see the downward trend in training continue.

How Can I Protect Legacy ERP Data Since Data Breaches are Going Up?

Another short answer, invest in ERP data security! Like I discussed above, solutions that provide risk-aware controls reinforce authentication protocols (ex. multi-factor authentication) and enable data access & usage monitoring are available. However, organizations must be aware that not all applications are created equally when it comes to control and visibility.

Legacy ERP applications like SAP ECC, PeopleSoft, and Oracle EBS require additional sophisticated solutions to enable control and visibility because their native security features have an antiquated focus. Their native security features rely solely on usernames and passwords, static governance policies (role-based access controls), and system logging designed to troubleshoot application errors – not monitor data access.

This is where Appsian has helped hundreds of legacy ERP customers – and can help you as well. Contact us today, and we’ll show you how you can enable a sophisticated data security model (for legacy ERP data) in a matter of weeks!

And whether you decide to do more or less cybersecurity training for employees, know that Appsian is here to protect your data no matter what tactics malicious attackers try to use!

Stay Updated

Security

Protecting ERP Data from Application Vulnerabilities Using A Multi-Layered Security Approach

By Michael Cunningham • August 6, 2020

You spend countless hours, not to mention considerable money, to secure your SAP and Oracle ERP data. One day, you discover that cybercriminals have exposed a vulnerability using an application misconfiguration. This has become increasingly common as criminals seek methods to covertly infiltrate applications to gain access to thousands of employee records. 

This situation happened to Microsoft in December 2019 and didn’t generate the kind of headlines usually associated with data breaches. This was simply a human error. But these kinds of human errors and misconfigurations are one way that hackers can gain a foothold into your SAP or PeopleSoft ERP system. Now the question is, how are you going to protect your data after an attacker side-stepped your perimeter defenses? 

Misconfiguration is the Fastest Growing Security Risk 

According to the 2020 Verizon Data Breach Investigations Report, misconfiguration errors (failing to implement all security controls) are up 4.9% from last year’s report and are the fastest-growing risk to web applications. It’s easy to apply this kind of risk to legacy ERP systems because SAP and PeopleSoft environments often consist of millions of lines of custom code and custom-built components communicating with each other and to external systems through various APIs and interfaces bolted together over time. 

On top of that, you’re dealing with an abundance of changes to roles, configurations, access controls, and compliance protocols to accommodate new business processes and evolving data privacy policies. If companies are not analyzing and monitoring the underlying security implications of all these changes and movement, they’re bound to face a similar situation as Microsoft with a backdoor left unlocked for any hacker to stroll through. 

Finally, don’t forget that many organizations simply do not stay current with system updates and security patches. According to the Data Breach Investigations Report, only half of the vulnerabilities are patched within three months after discovery, leaving companies exposed to attacks against known exploits.  

The Multi-Layered ERP Data Security Approach 

The growing complexity of SAP and PeopleSoft environments make securing ERP data an enormous challenge. To prevent inadvertent exposures from misconfiguration, Greg Wendt, executive director of Appsian, suggests that companies “must adopt a multi-layered security approach with dynamic security tools that can monitor user access in real-time, providing transparency over what data is accessed and by whom.”  

This multi-layered approach includes masking sensitive data, verifying identity via multi-factor authentication (MFA), and enhanced logging and analytics. Appsian adds layers of security WITHIN your ERP system to help ensure your data is still protected when a hacker strolls past your perimeter defenses, thanks to a misconfiguration. 

Dynamic Data Masking provides contextual masking policies that adapt to the context of access. That means when a hacker attempts to access sensitive data fields but doesn’t match key attributes such as user ID, privilege, device, location, or IP address, they will encounter full, partial, click-to-view masking or complete redaction of the data field. 

Adaptive MFA ensures that contextual attributes (ex. device, network, location) are the determining factor for deploying MFA challenges. For example, customers can require an MFA challenge when a user account is accessing the system from a remote IP address or after business hours.  

Enhanced Logging and Analytics with Appsian360 allow you to monitor your networks for suspicious activity and provide detailed insights regarding how, when, and by whom transactions and data fields are being accessed. This visibility is particularly important for identifying users with high-privilege access who are accessing pages they shouldn’t be. The enhanced logging can trace all the pages a user accessed during a session, helping to identify a potential intrusion. This kind of real-time data access and usage visibility was previously unavailable to SAP and Oracle ERP customers. 

Eyes and Ears on the Entire ERP Data Ecosystem at All Times  

“The enterprise must learn to have eyes and ears on their entire data ecosystem at all times,” said Wendt. Microsoft’s recent data breach due to misconfiguration highlights the importance of a security strategy that continuously looks for misconfigurations and compliance violations. Next, they should establish a multi-layered security approach to prevent unauthorized data access, along with enabling organizations with the ability to identify access trends that may be indicative of incorrect access controls. 

Misconfigurations are, unfortunately, a common error and should be treated with the same sense of urgency and level of effort by security professionals as their network perimeter. After all, not all attacks are external. 

Contact us today to learn how the Appsian Security Platform and Appsian360 can help you establish a multi-layered security solution. 

Stay Updated

Security

When it Comes to ERP Data Security, Context (of Access) Matters – Appsian360 Can Help!

By Michael Cunningham • July 28, 2020

Organizations using traditional, on-premise ERP applications like SAP ECC and Oracle PeopleSoft are facing a rapidly changing reality around the collection, storage, and usage of data. Aside from the growing number of compliance regulations they need to follow, such as GDRP, CCPA, and others, they face critical visibility gaps related (explicitly) to understanding ERP data access & usage.  Especially at a fine-grained level.

This lack of visibility is exacerbated by organizations enabling remote and mobile access to their users, exposing them to a myriad of data security and compliance threats like hacking (phishing), along with fraud and theft from internal users. All of which result in the loss of millions of dollars each year.  

Fortunately, ERP applications that were once considered a “black box” can now be enhanced with the most sophisticated logging and analytics technology available on the market. Introducing Appsian360, the first and only data access and usage analytics platform for SAP and PeopleSoft.  

Why Context of User Access and Data Usage Matters  

Far too often, user behavior is a mystery, resulting in security, fraud, theft, and business policy violations. Specifically, a lack of detailed insights regarding how, when, and by whom transactions and data fields are being accessed.   

As they exist today, legacy on-premise SAP and PeopleSoft systems simply do not provide organizations the granular visibility and context of user access and data usage they need in real-time to make proactive and strategic decisions.   

“For years, organizations have been operating with limited visibility, and current threats to ERP data have made this status quo completely intolerable,” said Piyush Pandey, CEO of Appsian. “Appsian360 is about knowing who is doing what – at a very granular level.”   

With Appsian360, security and compliance leaders can drill into specific data access and know exactly who is doing what, where, and why. With that level of in-depth, contextual information, any red flag incidents can undergo a rapid response plan.   

“The beauty of Appsian360 is it’s a comprehensive solution that provides actionable insights,” added Pandey. “We know that forensic investigations and time to mitigation costs organizations countless amounts of money – and we’re pleased that Appsian360 can alleviate much of this burden.”  

Appsian360 for SAP and PeopleSoft  

Appsian360 installs into your ERP web server and does not require any additional customizations. There are zero noticeable effects on application performance. Here’s a high-level look at what Appsian360 can do for you.  

Detect Security Threats in Real-Time: Appsian360 proactively alerts you to security threats like hacking, phishing, misuse of privileged accounts, and many more. You can quickly receive the information required to fully enable forensic investigations.  

Uncover Hidden Business Risks: Appsian360 helps you detect and respond to fraud, theft, and errors by employees and third parties (vendors, consultants, etc.). Companies can maintain a complete view of sensitive business transactions, and what (specific) users are doing.  

Monitor Employee Productivity: Appsian360 helps you maintain oversight as users process and execute business transactions. You can use these insights to ensure efficient staffing and identify potential bottlenecks in critical HR, payroll, and finance activities.  

Understand Data Access & Usage with More Clarity Than Ever Before  

Organizations can no longer rely on having a lot of data. They need to start triangulating and developing context around the data they’re getting and how it’s being used. Appsian360 provides real-time data access and usage visibility previously unavailable to SAP and Oracle ERP customers.  

To see how data security and compliance threats that were once considered “the price of doing business” are no match for the watchful eye of Appsian360, join us for a virtual demonstration on Thursday, August 13. You can register here: https://www.appsian.com/visibilty-using-appsian360/.  

Contact us today for a personalized demo and find out how Appsian360 can fill critical visibility gaps for your organization.   

Stay Updated

Security

CCPA Enforcement Is on Track to Start July 1, 2020. Are Your Data Privacy Strategies Ready?

By Michael Cunningham • June 24, 2020

Time is almost up for companies scrambling to get their data privacy strategies in compliance with the California Consumer Protection Act (CCPA). Beginning as early as July 1, 2020, the California Attorney General’s office can start enforcing the CCPA and handing out penalties of up to $2,500 per violation or up to $7,500 per intentional violation.  

So, when exactly, will the CCPA become law? On June 1, 2020, the California AG took the final step before the regulations become enforceable by submitting the final text of the CCPA Regulations to the California Office of Administrative Law (the “OAL”). The OAL has 30 working days–plus an additional 60 calendar days related to the COVID-19 pandemic–to review the submission and approve it to become an enforceable law. Doing the math, the California AG can begin enforcing violations as early as July 1 or as late as September 1, 2020

Strategies for Improving ERP CCPA Compliance  

Companies using PeopleSoft, SAP ECC, S/4HANA and Oracle EBS are likely facing additional compliance challenges due to inherent limitations built into these legacy ERP systems. Let’s look at a couple of tactics for enhancing your ERP systems to improve compliance with CCPA and establishing the capabilities to prepare for the uncertainty around data privacy. 

1: Enhance Visibility into User Activity 

The CCPA requires organizations to implement appropriate security measures around personal data and satisfy data subject access requests (DSARs). That means businesses must know what personal data they store and the user activity going on around it. However, traditional ERP systems do not provide the required level of granularity. 

To achieve detailed visibility around data usage, organizations need to expand their native logging capabilities by adopting a strategy that focuses on data access and usage. Meaning, organizations must capture contextual details like date of access, UserID, IP address, device, location of access, actions performed, etc. 

This is information that is critical for compliance reporting and understanding how data is being used within your organization. 

2: High Privilege Access Should be the Highest Priority for Strengthening DLP 

When it comes to ERP systems, the static rules that govern access can be limiting because roles and privileges are user-centric, not data-centric. User-centric roles say a person (or group in most cases) can view something under any circumstances, while data-centric means the nature of the data defines the access. This gets organizations in trouble time and time again from a DLP perspective because high privilege users always have the ability to see more data than they actually need (to do their job.) This makes non-compliance with CCPA almost inevitable. Overexposure of data is your biggest enemy and governing access by static rules (aka ‘all or nothing access rules’) creates an enormous liability.

Implementing data-centric policies (typically through attribute-based access controls) ensures that a user can only access data deemed necessary and job-related. This is because the data itself is governing access – not a user role. For example, access to certain high-risk transactions can be restricted based on a user’s location – or access can be granted, but with masked data fields. With every variation of context, attribute-based access controls can pivot and adjust accordingly. By reducing the threat surface, companies can reduce the risk of data leakage and mitigate compromised access damages.  

3: Use Real-Time Analytics and Data Visualization (SEIM) to Expedite Incident Response Time 

 Integrated and real-time analytics displayed on dashboards were always a “nice-to-have” feature for security teams; however, keeping CCPA deadlines of breach identification and reporting in mind, data visualization has become a must-have feature. These advanced dashboards equip security professionals with real-time snapshots of data usage. The drill-down capabilities allow for enhanced data discovery and exploration to expedite breach detection and response, helping organizations stay compliant with CCPA and other existing and upcoming regulations.   

Ready or Not, CCPA Enforcement Has Arrived  

If you’ve not wrapping up your CCPA compliance efforts by now, there’s no better time than the present to start (or continue down that road). Appsian can help you fast track your compliance efforts by enhancing your visibly and applying a data-centric ERP compliance framework. 

The last thing any company wants is to discover that they’re out of CCPA compliance only when there’s a breach of the regulation. 

Contact us to learn how Appsian can help you address your end-to-end security and compliance needs.

Stay Updated

Security

Your Network Access Could Be for Sale on the Dark Web. Why ABAC is Critical for ERP Data when Your Network is Vulnerable

By Michael Cunningham • June 1, 2020

Thanks to TV commercials for identity protection services, you’re forgiven for thinking that that dark web is primarily a place where criminals and hackers buy and sell personal information such as credit cards, usernames and passwords, and social security numbers (and other PII). Lately, however, the dark web has seen a flurry of activity for offers to purchase corporate network access, according to a recent “Access for Sale” report from Positive Technologies.  

Criminals Are Becoming More Interested in Corporate Network Access 

Just a year ago, according to the report, cybercriminals were focused more on trading in access to the servers of private individuals for as little as $20. During the second half of 2019, Interest has since picked up in the sale of access to corporate networks. In Q1 2020, the number of postings advertising access to these networks increased by 69 percent from the previous quarter. Prices have also increased: the average cost of privileged access to a single local network is now in the $5,000 range. Additionally, hackers are offering a commission of up to 30 percent of the potential profit from a hack of a company’s infrastructure. 

It’s bad enough that your threat surface has increased due to so many employees working from home, now you have a posse of hackers roaming the dark web looking for bounties to collect. We have a few suggestions to help you keep your ERP data safe even if hackers manage to gain access to your corporate network.   

Adopt Attribute-Based Access Controls (ABAC) to Strengthen ERP Data Security 

Companies using ERP systems are already leveraging role-based access controls. These controls, which align data access privileges and job function resources, provide a baseline for data governance. With the rapid expansion to a remote workforce earlier this year, organizations needed to create more detailed and more dynamic access controls—policies to determine who, what, where, when, and how workers can access ERP data and what transactions they’re allowed to perform.  

With attribute-based access controls (ABAC), a company can incorporate additional context such as geolocation, time of day, and IP address to both ensure the appropriate user is accessing the resources and prevent users from having more access than they need. For example, if the organization knows that an employee should be working from Connecticut, ABAC can prevent access to resources, mask highly sensitive data, or prevent a transaction entirely if the user’s location is suddenly California – or a foreign country.  

These granular, data-centric access privileges can help an organization ensure that users–internal or malicious–do not get too much access to important ERP data – limiting the potential negative effects of a network intrusion by hackers. 

ABAC Should be Coupled with User Activity Monitoring  

Let’s revisit how ABAC helps organizations establish roles and permissions to determine who, what, where, when, and how workers can access ERP data and what transactions they’re allowed to perform. It’s important that you don’t set these controls and “forget” them. You want to make sure what you’ve established is working and to watch for any anomalies that reveal unusual or unwelcome activity.  

Most organizations are already performing some kind of monitoring of user access – but it has to extend beyond manual audits of instances of logging in and logging out of applications and what pages were displayed. Understanding data access, usage, and transactions performed is now a key requirement when maintaining visibility over business data and enforcing security policies. 

Here are five details we recommend monitoring (more details here): 

  1. Who – Details of the User Accessing the Data  
  2. What – Details of the Data Being Accessed  
  3. Where – Location Where the User is Accessing the Data   
  4. When –Time of Day When User is Accessing Data  
  5. How – Type of Device Accessing Data 

Data is only as useful as the insights it provides. Using an analytics platform that includes granular access details, rapid aggregation, and visualization of user access data is a crucial requirement for data security. 

Conclusion 

You know that hackers are already looking for any and all security lapses on your perimeter to gain access to your corporate network. The “Access for Sale” report serves as an important reminder that hackers are willing to do anything to gain an advantage, and organizations must deploy a variety of ERP data security protocols in addition to the standard role-based access controls. 

Appsian has helped hundreds of organizations that leverage legacy ERP applications like PeopleSoft and SAP ECC strengthen their data security posture with ABAC and user-activity monitoring. 

Request a demonstration of the Appsian Security Platform today. Learn how Appsian can help you manage the risks of the dark web in little as 30 days! 

Stay Updated