Implementing enterprise resource planning (ERP) systems has always been both mission-critical and notoriously difficult. They must align with business processes, but the organization distributes those processes across multiple departments. Legacy ERP systems, often considered a large one-time investment, lack the flexibility necessary to scale with your business. As your organization began its digital transformation journey, cloud-based ERP seemed to be a solution to many of these problems. However, every benefit comes with a cost. Modernizing legacy ERP systems for security and compliance creates new challenges, particularly with distributed workforces.
Why is Modernizing ERP a Mission-Critical Business Goal?
Whether you wanted to modernize your ERP or not, you likely found yourself rapidly adopting to remote access requirements in 2020. In response to COVID-driven stay-at-home orders, companies needed to accelerate their digital transformation strategies. This move included ERP systems.
However, as you look toward a post-pandemic business model, you might be considering maintaining a hybrid workforce. Thus, modernizing your ERP is a mission-critical business goal for several reasons, including:
- Ability to access from anywhere
- Built-in Customer Relationship Management (CRM)
- Lower capital expenditures with subscription models
- Reduced total cost of ownership
According to HubSpot’s 2020 ERP Report, 34% of respondents said they were moving away from legacy systems, and 86% selected SaaS deployment models. However, that same report noted that 27% of respondents remaining on-premises cited security breach risk as their reason.
ERP Security and Privacy Controls are Notoriously Difficult to Implement
When undergoing digital transformation, organizations often struggle trying to secure their ERP systems. Most companies need to take a hybrid approach that connects their legacy on-premise deployment to their new SaaS applications.
Organizations struggle trying to prioritize and mitigate risks for several reasons. However, three fundamental challenges exist:
- Data storage arrangements: Inability to control infrastructure increases data leakage and corporate espionage risks
- Authentication: Continued brute force attacks and credential theft increase data security and privacy risks
- Access controls: Complex identity and access relationships reduce the ability to control who accesses resources
Traditional on-premise ERP deployments used role-based access controls (RBAC) with static permissions lists. However, the inherently static nature means that these alone fail to protect data, particularly in remote or hybrid work environments.
For example, PeopleSoft’s security model assigns roles to user profiles. The user profile defines the data that the person can use. The permissions list is the set of pages the user can access and actions the user can take.
These controls protect data across on-premises deployments where the applications and users sit inside the organization’s network. Since remote access to on-premise ERP is dynamic, these legacy controls increase security and privacy risks when implemented for modernized ERP projects.
5 Strategies for Setting Security and Privacy Controls for a Hybrid ERP Deployment
Companies adopt digital transformation to leverage speed and agility, enabling them to scale operations. At the same time, they still need to maintain their on-premise systems. To protect information, organizations need dynamic and scalable access controls that align with their systems and business goals.
1. Identify Assets and Assess Risk
For effective access controls, the first step is to identify all data that you store, process, and transmit. Second, you need to assess the data’s criticality and risk level. Finally, you need to identify users who access information and assess the risk they post to the organization.
As part of this, you should consider:
- Standard users
- Privileged users
- Users’ payment processing authority level
- Financial information
- Personally identifiable information
- Sensitive corporate information
Once you assess user and data risk, you can create a plan that helps you migrate the information securely. When setting controls, you should limit access according to the principle of least privilege and create fine-grained access privileges.
2. Normalize Data Access Across Integrated Applications
With SaaS applications, organizations no longer need to commit to a single platform. They can pick and choose the applications that best meet their needs, which can mean integrating multiple vendors.
As you build out your application stack, you need to maintain appropriate access controls. This can be difficult when vendors define access rights differently. Many organizations worry that normalizing access data requires an expensive, labor-intensive overhaul of their Identity and Access Management programs.
However, if you focus on visibility instead of connectivity, you can leverage automated tools that help you see into user access. Tracking user access in a single location, despite disparate access definitions, enables you to protect data security and privacy even across different application vendors like SAP and PeopleSoft.
3. Use Context
A primary benefit of hybrid on-premise and cloud ERP systems is the ability for people to work wherever they want. However, that same flexibility drives many of the security and privacy risks companies face.
Adding context to your access permissions is another way to secure data. After setting your role-based controls, you should consider adding context such as time of day, geographic location, and IP address. With these attribute-based access controls (ABAC), you can more granularly define how users interact with data, making it easier to detect anomalies.
4. Enable Step-Up Multi-factor Authentication
ABAC also enables you to use step-up multi-factor authentication (MFA). Step-up authentication is a process where users need to re-authenticate into an ERP application when they attempt a privileged function or transaction. ABAC enables you to trigger step-up MFA when your system detects an abnormal attribute, often one associated with credential theft.
For example, one of your users always logs in from California, USA. If the user tries to access the ERP’s payment module from Ontario, Canada, the system will notice that this is an outlier, an abnormal attribute for this user. The system can require re-authentication, additional proof that the person is who they say they are. If this is a cybercriminal leveraging stolen credentials, then the step-up authentication acts as an additional security and privacy control, preventing unauthorized access.
5. Continuously Monitor Behavior Around Data Access and Usage
Modernizing your ERP security and privacy controls also includes continuously monitoring for anomalous and suspicious activity. Gaining a granular view into data access and use is a way to proactively mitigate risks that can arise in a remote workforce accessing ERP solutions.
Continuously monitoring access can help you gain insight into employee productivity, cybersecurity risks, and insider fraud. Tracking when and how employees use data gives you a way to set baselines for “normal” activity—any deviations from this warrant further investigation.
For example, a user consistently accesses your ERP between 8 am and 5 pm from a location in the United States. If the user suddenly accesses the system at 2 am, the anomalous activity could indicate fraud. Even if you’re using step-up MFA to prevent that activity, you still need to investigate the event. While it may be someone with insomnia, it can also be an employee trying to steal information or money.
Appsian Enables ERP Security and Compliance for Your Digital Transformation
Modernizing your legacy ERP application doesn’t mean you have to “sacrifice” the same granular levels of control and visibility as a cloud application to enforce data security, privacy, or compliance policies. Taking a proactive approach to ERP security and data privacy during your company’s digital transformation can mitigate risks before they turn into realities.
Appsian has been enhancing on-premise ERP environments for more than ten years, and we’d love the opportunity to learn more about your digital transformation project so we can help you manage your ERP data security and compliance needs. Contact us today.
ERP security had traditionally focused on vulnerability testing for ERP applications, whether hosted on-premise or in the cloud. Given the sensitive nature of ERP transactions, frequently checking applications, databases, and servers for vulnerabilities through routine assessments had long been considered best practice. It makes sense that application vulnerabilities are considered a top threat vector because ERP applications were long touted for their highly customizable nature. Customizable because every organization’s business requirements are different – which means security settings and access controls need to be highly customizable.
All of this customization was in-service to governing user access to the application – a real “outside looking in” approach. But if you’re constantly looking “out” for threats, how do you protect against the ones that are already “in?”
Is Traditional ERP Security Actually Protecting Data?
While you might be checking for conflicts in your configuration settings, ensuring you’re up-to-date on vendor patches, and executing manual audits every once in a while, you should ask yourself, “am I actually protecting my ERP data?” Sure, preventing intrusions is passively protecting ERP data. But at the end of the day, if you spend your time hardening the walls of your fortress, you’re really only protecting the perimeter of your fortress – not what’s inside. Cybercriminals have identified this disconnect and now spend their time exploiting user credentials to infiltrate systems to steal and manipulate data. Cybercriminals have adjusted. Now it’s time organizations do the same with their ERP applications, and ultimately – their ERP data.
The Information Security Conversation is Going Below the Network & Application Layer
Information security professionals have long been adept at protecting enterprise data and not just network and application perimeters. The abundance of cloud applications has allowed access controls and visibility to go to the next level. Concepts like zero trust and least privilege all require information security policies that are not reliant on arbitrary roles and privileges but on inspecting who a user is, where they are coming from, on what device, and any other attribute. Just because they are allowed access to a network or application does not grant them privileges to data.
If this is where the information security conversation is going, why is ERP security still focused on the perimeter? Shouldn’t the focus be on ERP data security?
How to Shift the Conversation to ERP Data Security
Many would say that ERP security remains a perimeter conversation because such a large part of the ERP market uses on-premise applications. This dates back to the inception of ERP when the appeal was mostly around customizing your business transactions to your processes. This would be accurate – but as business became more complex, organizations became more entwined with their legacy applications. However, that doesn’t mean that on-premise applications (and ERP applications only hosted in the cloud) must remain isolated from a unified “ERP Data Security” conversation.
Here Are a Few Recommendations for Beginning an ERP Data Security Conversation:
- Integrated Identity & Access Management (IAM) – Integrating enterprise solutions meant for identity and access management (ex. SSO & MFA) provides a perfect opportunity to govern access to data versus only governing access to an application. An integration would enable policies to be written that deploy authentication measures based on what someone is attempting to access. This is also referred to as “step-up authentication” or zero trust. Of course, an integration layer is required, which is exactly why Appsian developed the necessary integration connections that organizations can use to natively integrate their IAM solutions with their legacy ERP applications (i.e., Oracle PeopleSoft & E-Business Suite).
- Attribute-Based Access Controls (ABAC) – Traditional ERP governance revolves around role-based access controls. Pre-defined and sometimes over-simplified buckets that dictate what users can and can’t do. Role-based access controls (RBAC) are artifacts of traditional ERP security strategies that have been identified as problematic and flawed when data protection is the objective. This is not to say that RBAC doesn’t have its place but as a sole governance measure? Absolutely not. Many would say that the rapid move to remote work following COVID-19 was the death blow to RBAC because so much of its effectiveness hinges on network and application security layers. Both of which enter a grey area when sensitive financial transactions and data can be accessed remotely.
To help organizations manage, and more importantly, mitigate the risk of remote access to financial applications like SAP ECC, S/4HANA, & E-Business Suite, Appsian has developed Attribute-Based Access Controls that organizations can use to grant, modify, or restrict access to data. Governance policies can be dynamically enforced based on the context of user access – or attributes of user access.
- Data Level Visibility is Critical – ERP applications are no stranger to activity logging. However, current logging is primarily in-service to troubleshooting system issues and receiving basic insight on authentication and page access. This is why auditing an ERP application requires manual pulling and triangulation of reports from multiple sources. It’s an obstacle most have to accept, and because of this, they only audit sporadically.
To gain visibility and insight into how data is being accessed and used, Appsian developed Appsian360. Appsian360 represents a powerful combination of comprehensive user activity logging and analytics – all designed to detect and alert to anomalous behavior. Whether it’s access from a foreign country, the same user frequently downloading certain reports, or specific PO or account numbers receiving frequent access, Appsian360 is designed to give ERP customers the data level visibility needed to automate critical security, compliance, and audit functions.
Appsian Helps Enable ERP Data Security
Just because your organization is using a legacy ERP application does not mean that you cannot employ the same granular levels of control and visibility as a cloud application. Appsian has been enhancing on-premise ERP environments for over 10 years, and we’d love the opportunity to learn more about your ERP data security objectives. Contact us today!
If 2020 was the year of hastily enabling secure remote access to ERP applications, then 2021 will be the year when organizations realize that remote ERP access is here to stay – and long-term data privacy, security, and access governance strategies will be mission–critical. Securing ERP data has always been important in principle, but the mass migration to requiring remote access (in perpetuity) has kicked off a heightened emphasis on the topic.
Amongst a sea of learnings from the pandemic is that 2020 was the “coming of age” for ERP data privacy and the challenges it created. Many organizations were forced to learn the hard way that sensitive ERP data (business data and PII) are top targets for malicious activity and some of the most difficult assets for organizations to secure. Especially data in legacy business applications.
Let’s look back at the Year of the Pandemic and examine some of the data privacy events and trends we observed that will serve as guideposts for making ERP data privacy a mission-critical priority in 2021.
Variations in Access Presents Greater Data Privacy Challenges
It’s clear that working remotely is here to stay. A Gartner HR survey reveals that 41% of employees are likely to work remotely at least some of the time post-pandemic. Tech giants like Facebook, Salesforce, Twitter, and more, announced that they would continue to offer remote work and possibly move to entirely remote models permanently.
A key challenge uncovered when the pandemic forced a rapid transition to remote workforces was most organizations had data privacy and governance policies that didn’t account for variations in user access. Especially those using legacy ERP applications like SAP (ECC & S/4HANA), PeopleSoft, and Oracle EBS. After all, these applications were originally designed so users could get easy access to data inside the firewall. They were never designed for a dynamic access environment.
The fact of the matter is the roles and privileges that governed access to these systems depended on managed devices, corporate firewalls, and in many cases – 9:00 to 5:00 access demands. Remove those variables and enable access from anywhere, on any device, and at any time – and those strict privacy and governance policies were replaced by “wild west” levels of access risk.
Instead of needing to be in a specific physical location, users can access an organization’s sensitive data from anywhere. The physical and network controls that protected IT infrastructures and data privacy no longer provide the same level of confidence. Changing how companies do work requires them to change how they secure data and re-evaluate their data privacy and access governance strategies.
When it Comes to ERP Data Privacy – Identity is the New Perimeter
With organizations continuing to support remote access to ERP applications, they need to design policies and practices that define how data is accessed, viewed, and used – as well as the technology they’ll need to implement and enforce those policies.
A key investment is implementing dynamic capabilities to already established identity and access management (IAM) solutions. In other words, providing the ability to minimize risk by dynamically providing access based on the context of a user’s access.
Applying dynamic IAM and access governance supports traditional role-based controls but accounts for the variations in a user’s access that may indicate risk.
Further examples would be:
- Integrating an MFA on a sensitive transaction or data field and requiring a user to re-authenticate
- Deploying MFA if a user is accessing from an unmanaged device. Also known as zero-trust authentication
- Reducing levels of access privilege for super users if their access is coming from an unknown IP range. Also known as applying the principle of least privilege
- Applying dynamic data masking that masks all PII, account numbers, etc., if access is coming from an unmanaged device, unknown IP range, or outside typical working hours.
The sooner organizations realize that their perimeter is only as strong as their ability to manage user access – the better off they’ll be!
Data Privacy Regulations Mixed with Remote Access Will Only Make Compliance More Challenging
Today’s ever–changing data privacy landscape is a reminder that organizations should always be diligent about what kinds of data they are collecting, how it’s being stored, and most importantly – have the visibility to understand exactly how that data is being accessed. For example, is access suddenly coming from a hostile foreign country, or are certain data records/reports being accessed at a higher-than-normal frequency? Ask yourself, just because someone can access sensitive data, does it mean they should?
Successful organizations will invest in technologies that monitor user behavior around data access and usage, capturing contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information that is paramount for compliance reporting and effectively responding to audit findings.
Hodgepodge of State-Level Data Privacy Regulations Sow Confusion
Up to now, the standard-bearer for data privacy regulations in the United States was California’s CCPA. In 2021, the number of state-level data privacy regulations is likely to increase, which is bound to further complicate matters by creating multiple compliance requirements.
Virginia is poised to become the second state to enact a data privacy bill, while lawmakers in Washington state, New York, Oklahoma, and Utah are currently weighing proposals. Meanwhile, Californians voted to approve the California Privacy Rights Act (CPRA), a series of changes made to the existing California Consumer Privacy Act (CCPA).
This hodgepodge of domestic data privacy regulations should motivate organizations to get data privacy, security, and access governance strategies in place, ensure documentation, and prepare for both financial penalties and civil actions. If 2020 was any indication (GDPR fines rose by nearly 40%), companies are likely to see more frequent and more significant fines for non-compliance in 2021.
Having Weak ERP Data Privacy Policies Will Become Expensive
COVID raised the awareness of ERP data privacy as companies struggled last year to continue with normal business operations in a remote environment. These struggles forced many leaders to establish privacy and compliance frameworks and implement the technology to support them. However, this is just the beginning.
With 2020 being a record year for data breaches – along with an ever-growing list of data privacy regulations that carry monetary fines for non-compliance – the writing is on the wall. Organizations will not be able to call themselves victims if their decades of accumulated PII and business data get exploited or breached. The monetary consequences that come from these incidences can have catastrophic effects—both against your bottom line and reputation.
Contact Appsian to learn how we can help you align your legacy ERP applications with today’s data privacy and compliance demands. Effectively scale your efforts for future mandates.
Appsian’s Executive Director for Security Solutions, Greg Wendt, appears in the latest episode of Brilliance Security Magazine Podcast. The focus of the conversation between Greg and host Steven Bowcut is legacy ERP data security and compliance. Their wide-ranging conversation also includes some of the potential security risks associated with legacy applications, what companies can do to protect sensitive data in a post-COVID world, and thoughts on the possibility of a federal data privacy law.
Listen to the full episode here:
Legacy ERP applications were initially designed to give users easy access to data and business processes. They were never designed to meet the demands of today’s remote access requirements, let alone provide the security necessary to protect ERP data from internal or external threats.
While there is no silver bullet for comprehensive ERP data security and compliance, Greg recommends that organizations deploy a multi-layered security model to determine who should access what data and when.
ERP data security and compliance are going to have an interesting couple of years. Currently, there isn’t a federal data privacy law. A couple of states implemented their own, with California’s CCPA being the most notable, and more than a dozen other states have laws on the docket. The last thing we need is 50 different state data privacy laws. Greg’s “prediction” is that we’ll soon have a federal law, which will drastically affect some of the compliance requirements.
To learn more about how a multi-layered security approach can protect your ERP data from internal and external threats, contact the security experts at Appsian today.
While the majority of data breaches are from insider threats—a startling 57% according to the Verizon Insider Threat Report—many organizations overlook these internal dangers. Whether careless or malicious, employee, partner, or contractor, insider threats are difficult to spot and often go undetected in your ERP system for months or years.
Insider threats can be particularly dangerous for organizations using legacy ERP systems, such as SAP, PeopleSoft, and Oracle EBS. The primary issue is that most security teams struggle to determine the difference between regular user activity and anomalous activity indicating an insider attack. What makes insider threats especially dangerous is that insiders usually know how to find and access sensitive data and sometimes have a privileged (or over-privileged) account.
5 Types of Insider Threats in Your ERP System
First, a quick refresh: An insider threat occurs when the insider (user) maliciously or unintentionally misuses their access to negatively affect or harm the business. Not all insiders are disgruntled employees, and their motivations, intent, and access levels vary. Regardless of who they are, an insider who is intentionally or unintentionally violating a business or security policy can inflict plenty of damage.
Insider threats come in all shapes and sizes and display different behaviors you can leverage for detection and prevention. Here are five categories of insider threats that our ERP customers are most likely to encounter: The Careless Worker, the Arrogant Insider, the Disgruntled Employee, the Malicious Insider, and the Irresponsible Vendor.
The Careless Worker
These are employees or partners whose actions are inappropriate as opposed to malicious. They will unintentionally break acceptable use policies, mishandle data, and install unauthorized applications, etc. The Careless Worker ignores security awareness training and best practices, making them likely to be the one that falls for a phishing scam and having their account compromised by a hacker.
The Arrogant Insider
Arrogant Insiders are employees who do not act with malicious intent but believe they are exempt from security policies. They will take deliberate and potentially harmful actions, such as using unapproved workarounds or transferring potentially sensitive information to cloud storage accounts for easy access. These actions leave vulnerable data and resources unserved and vulnerable to hackers.
The Disgruntled Employee
A Disgruntled Employee is not happy or feels disrespected in some way and willfully disregards data privacy and security protocols to commit deliberate sabotage or intellectual property theft. For example, using access to leak executive compensation data and cause negative publicity. Disgruntled Employees are especially dangerous and probably the hardest ones to detect because they have elevated levels of privilege.
The Malicious Insider
The Malicious Insider is an actor with access to corporate assets who uses existing privileges to exfiltrate data or commit other malicious acts with the goal of financial rewards or further personal gains. A Malicious Insider can result from a compromised account caused by a Careless Worker or a Disgruntled Employee who has gone beyond accessing intellectual property and into theft or fraud.
The Irresponsible Contractor
The Irresponsible Contractor compromises security through negligence, misuse, or malicious access to or use of an asset. They are contract workers and temporary employees who are given access like a full-time employee. Sometimes, depending on how an organization assigns roles, they might have more privileges than the job requires.
How to Detect Insider Threats: Know Your Users. Know Your Data.
When an insider uses a legitimate login profile to move about your ERP system, telling the difference between regular activity and harmful activity often prevents rapid detection. In fact, a recent report from Ponemon indicates that the average time to detect and contain an insider threat incident is 77 days.
The number one way to detect anomalous activity is by closely monitoring user behavior around data access and usage. Put another way; you’re looking to identify the context of the access and usage: the who, what, where, when, how, and, ultimately, the why.
Far too often, user behavior is a mystery, resulting in security, fraud, theft, and business policy violations. Specifically, a lack of context around how, when, and by whom transactions and data fields are being accessed. To gain this insight, you need an advanced analytics platform specifically designed to display granular levels of ERP data access & usage. Like Appsian360.
Context of User Access and Data Usage with Appsian360
With Appsian360, security and compliance leaders can drill into specific data access and know exactly who is doing what, where, and why. With that level of in-depth, contextual information, any red flag incidents can undergo a rapid response plan. With Appsian360, you can:
- Identify when a Careless Worker falls victim to a phishing attack by setting up a dashboard that tracks location-based access. If a legitimate user account suddenly starts accessing your ERP system from outside the United States, for example, you can begin an investigation into other activity by that account.
- Closely monitor the activity around sensitive reports and queries and ensure that data is not being exfiltrated in bulk by unauthorized users or offboarding employees, such as Arrogant Insiders.
- Monitor high-risk data activity for unusual behavior. For example, a Disgruntled Employee with access to compensation data needs that ability to their job. However, you can track the number of times a user accesses that data during the day or outside of business hours. Instead of asking “if” a person should have access to that data, you can track how often and when that data is accessed.
- Track a variety of user access data points when it comes to detecting a Malicious Insider. Since this is usually a compromised account, you can set dashboards to track after-hours access, mobile phone access, strange IP address access, and access from a foreign country. All signs that a legitimate account has been compromised.
- Apply a prefix to the username of any outside Irresponsible Contractor or temporary worker to fully track their data access and usage inside your ERP system.
Close the Visibility Gap to Detect Insider Threats
The unfortunate reality of ERP applications like PeopleSoft and SAP is that they lack the ability to provide actionable insights into user activity, creating many blind spots for detecting insider threat behavior. Fortunately, organizations using Appsian360 can detect and defend against insider threats by monitoring data access and usage at a granular level that was previously unavailable.
Want to see a demonstration of how Appsian can help your organization detect insider threats? Contact us to chat with an Appsian security expert today.
With 2020 coming to a close, ensuring business applications are equipped to meet the longterm access demands of 2021 is a critical objective. All around the world, information security and financial risk leaders are being tasked with ensuring the security of business data while remote access (on unknown networks and devices) remains the standard for the foreseeable future. Finding solutions that can quickly and easily secure this data – without requiring an exorbitant amount of time and resources is mission critical.
Data security is proving most challenging for organizations that utilize ERP applications like PeopleSoft, Oracle E-Business Suite, and SAP (ECC/S4HANA.) ERP applications like these were designed with ease-of-access to data as the primary objective. They have the biggest hill to climb when it comes to security, privacy, governance, and compliance.
Fortunately, this challenge is why Appsian (and the Appsian Security Platform) exists! We are here so organizations can fully utilize their investment in legacy ERP technology while scaling to meet present and future data security demands. After all, external and internal threats to business data will always continue to evolve.
Right now, thousands of organizations around the world are currently faced with the same challenges and are likely scoping solutions that solve one or two of these challenges. Here is the comprehensive approach that can serve as the playbook for securing legacy ERP data:
Identify Risks From User Access
The most significant risks to data typically originate from:
- Compromised credentials (for example, stolen from phishing attacks)
- Unknown networks and devices
- Capture and visualize data access
These risks can be an acceptable part of an organization’s relationship with its ERP applications, but they don’t have to be. They should be addressed the way any security threat should – and it doesn’t have to result in overly-restricting access and potentially hindering authorized work. Restricting access to sensitive data can be the instinct when these risks are identified because risk mitigation can feel insurmountable. The truth is, mitigating controls can be implemented that fully align data security objectives with the access requirements of the business.
Apply Dynamic Authorization Policies
Dynamic authorization is the foundation of the principle of least privilege (PoLP), which says users should only have access to what they require. Given the access risks outlined above, it should be noted what someone “needs” (or should have) access to likely changes with each new context of access. For example, does high-privilege access require 100% of those capabilities from an unknown network and/or unmanaged device? How about during off-work hours? Many would say “no.” Applying access policies dynamically gives you this control. This strategy alone makes an enormous impact on an organization’s ability to control access to sensitive data and enable data security, privacy, and governance.
Integrate Authentication Solutions
It goes without saying that single sign-on and multi-factor authentication have become table stakes IAM solutions. Whether you have employed these for many years or only since the beginning of the COVID-19 crisis, it is clear that their value goes way beyond the convenience of not having to remember passwords. With these solutions in place, the job of securing data is not necessarily over. In fact, taking authentication a step further to align with zero-trust (aka. never trust, always verify) requires native integration of SSO and MFA solutions for four very important reasons:
- ERP authentication should always align with your enterprise identity and access management strategies
- Users falsely authenticate out of habit
- Stepped-up authentication should be required for particularly sensitive activity
- Using custom code (vs. native integration/configuration) for authentication is NOT a best practice
Capture and Visualize User Behavior
If I told you that most organizations have almost no idea who is accessing sensitive data (at any given time), how and why – would you be surprised? This may be a dirty little secret, but the truth is legacy ERP logging has simply not kept up to meet the demands of security and compliance requirements that must understand data access and usage by users.
What most ERP administrators will tell you is in order to respond to an audit or investigate an incident, they must pull multiple logs manually triangulate them. Only then does a foggy picture of what may have happened come into view. The problem is, a foggy picture of anything related to a forensic investigation or helping align with information security policies is simply not good enough.
Further investment is needed to enhance the granularity of native ERP logging, along with analytics and visualization tools in order to add context to the data, aggregate it and then visualize it so the insights can be actionable. Only then is the logging data that you are alrighty getting out of your ERP truly useful for security and compliance purposes.
Partner with Appsian Security
For over 10 years, Appsian Security has watched organizations struggle with many of the same ERP security and compliance issues. Mostly originating from the fact that their applications were not natively designed to do what they need them to do – i.e., secure data. This end result is the natural progression of security and compliance threats evolving while native ERP security features stay the same.
ERP applications are built with static, role-based controls and logging/alerts designed for system troubleshooting. The idea that many of these legacy applications would be exposed to the internet with only a username, password and maybe a VPN standing between malicious actors and your business data is the definition of risky. Some organizations have accepted that risk – but they don’t have to.
Appsian has designed the world-leading security platform designed to provide holistic, end-to-end data security (along with application security), giving legacy ERP customers complete control and visibility over their ERP data.
We know that every organization is unique, which is why we want you to put our security platform to the test! Request a demonstration today, and let us show you how Appsian can tailor a solution to your organization’s unique requirements.
While nearly everyone was focusing on the results of the 2020 Presidential race, California voters passed Proposition 24, the California Privacy Rights Act (CPRA) (full text here). You might be wondering if this is a new privacy law that will replace the 2018 California Consumer Privacy Act (CCPA), which went into effect earlier this year. The CPRA provides additional context to the CCPA and attempts to close some of the loopholes and ambiguity found in the original. The CPRA gives additional rights to consumers and places additional obligations on businesses.
While some of the CPRA changes will take effect immediately, most will not become enforceable until July 1, 2023, and apply only to personal information collected after January 1, 2022. Like the run-up to the launch of CCPA, companies will have time to prepare for the new requirements.
A Quick Summary of the California Privacy Rights Act
In scope, the CPRA retains the same basic structure as the CCPA. It includes establishing a dedicated enforcement agency for consumers, tripling fines against companies that violate kids’ data privacy, and making it harder to weaken privacy laws in the future.
A couple of the more notable additions in the CPRA are that the law expands the right to opt-out of sharing of information and establishes new rights to limit how businesses use “sensitive personal information,” a new term defined broadly to include, among other things: information about health conditions, genetic data, race and ethnicity, sexual orientation, precise geolocation, and more.
ERP applications already store an abundance of personally identifiable information, such as Social Security numbers, driver’s licenses, or passport numbers. This new data classification adds to the effort of identifying and classifying information necessary to remain in compliance.
The CPRA Signals Organizations Must Get Serious About Enhancing Data Access and Usage Visibility – Especially for Legacy ERP Applications
The CCPA and CPRA require organizations to implement appropriate security measures around personal data privacy and satisfy consumer requests to opt-out of “sharing” and “selling” of their information. That means businesses must know what personal data they collect and how that data is accessed and used. However, companies using PeopleSoft, SAP ECC, S/4HANA, and Oracle E-Business Suite are likely facing significant compliance challenges due to inherent limitations that plague legacy ERP systems. Traditional ERP application logs do not produce the required level of granularity into how data is accessed.
How Appsian360 Enables CCPA/CPRA Compliance
Successful organizations will invest in technologies that monitor user behavior around data access and usage. This is where Appsian360 becomes an essential tool for compliance, as it expands native ERP logging capabilities to capture contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information that is paramount for compliance reporting.
More Data Privacy Acts Likely on the Horizon
With the CPRA, Californians will likely have the most robust online privacy rights in the world. And it probably won’t be the last. The original passage of the CCPA incentivized other states to draft their own privacy bills. There’s been activity at the federal level as well. So, while the pandemic rightfully slowed down state and federal activity, there’s a good chance we’ll see additional privacy bills in 2021.
There’s no better time than the present to press forward with your compliance efforts, whether it’s for CCPA, GDPA, and now CRPA. Contact us to learn how Appsian can fast track your CCPA and CRPA compliance efforts by enhancing your visibility into data access and usage.
Insider Threats Are Becoming More Frequent and More Costly to Organizations. Especially Those Using Legacy ERP Systems. Here’s How You Can Proactively Prevent the Risk of Insiders Compromising Data
While data breaches caused by hacking/phishing/ransomware tend to grab the most headlines, most data security incidents are from trusted insiders with access to sensitive data and systems. Thus, making insider threats one of the most common, yet elusive, risks to manage.
When you hear the term “insider threats,” most people reflexively think about a greedy or disgruntled employee abusing their access for revenge or financial gain. But there’s more to the definition than the angry employee out for revenge. An insider can be a current or former employee, contractor, or business partner with legitimate access to the organization’s network, systems, or data. The insider threat occurs when the insider (user) maliciously or unintentionally misuses their access to negatively affect or harm the business. So assuming all insider threats are disgruntled employees is false – an insider who is unintentionally violating a business policy can inflect plenty of damage.
Why Are Insider Threats So Dangerous to Organizations Using Legacy ERP Systems?
The number one issue for security teams when it comes to detecting an insider threat is the user in question has authorized access to the ERP system. It’s the malicious intent or individual violation amongst the rest of the legitimate access that makes it difficult to tell the difference between a user’s regular activity and possible malicious activity. What makes them especially dangerous is that insiders usually know how to find and access sensitive data and sometimes have a privileged (or over-privileged) account.
Insider threats are among the most common causes of data breaches worldwide, and they can often be among the costliest. According to the 2020 Insider Threat Report (Cybersecurity Insiders), 68% of organizations observed that insider attacks have become more frequent over the last 12 months. Moreover, 70% have experienced one or more insider attacks during that same period. Ponemon calculates that the average cost per insider incident is $11.45 million in 2020, increasing by 31% from 2018.
The increase in attack frequency shouldn’t surprise anyone thanks to the COVID-induced necessity for remote access to ERP systems and data. While security teams were likely focusing their cybersecurity efforts and budgets on securing the perimeter, cybercriminals found new ways to target user accounts with phishing and social-engineering attacks.
The good news is that organizations using ERP systems can detect and defend against insider threats with a combination of data-centric security measures and monitoring data access and usage.
Detecting Insider Threats by Monitoring ERP Data Access and Usage
Detecting an insider threat as quickly as possible is essential to limiting the amount of damage, financial or otherwise, this insider can cause. However, how can you tell the difference between regular activity and harmful activity? With an insider using a legitimate login profile, there aren’t obvious warning signs when malicious behavior takes place.
Monitoring user behavior around data access and usage can highlight internal access misuse and credential theft. And continuously monitoring for outlier and anomalous behavior patterns provides visibility into how high-privilege users interact with sensitive data. This monitoring helps security teams identify a possible malicious insider or if an external attacker has compromised an employee’s credentials. For example:
- Monitoring user activity during remote access down to the transaction level
- Monitoring data access and usage by users with high privileges
- Monitoring query attempts to download information onto unauthorized devices
- Monitoring exactly who is accessing highly sensitive data fields
Without advanced analytics and data monitoring, keeping track of every user’s activities after they’ve logged in to the system is a lot of work. In some cases, raw logs from your ERP system need to be manually checked, and each event studied—often after an insider threat has already occurred. No wonder the average time to identify and contain an insider threat incident is 77 days (Ponemon).
When security teams monitor data access and usage, they can be proactively alerted to potential insider threats by identifying anomalous activity with actionable insights into what was accessed and by whom. Now organizations can quickly respond with a full forensic investigation and a rapid and thorough response.
Preventing Insider Attacks with Dynamic, Data-Centric Security
Although security professionals recognize the value of continuously monitoring data access and usage to detect insider threats, companies should also adopt a layered, data-centric security model to improve the likelihood of preventing an insider threat from attacking.
Enhance Access Controls with Dynamic Authorization Policies
Organizations should start by incorporating dynamic authorization strategies that use contextually aware access controls. Dynamic authorization gives organizations a way to leverage the contextual attributes of access such as geolocation, time of day, and IP address to better control the resources users access, how they access it, and from where they access it. For example, you can prevent an insider threat who has legitimate credentials from accessing sensitive data because they accessed the ERP system from a foreign IP address and outside of established business hours.
Expand the Use of Data Masking
You’re likely already masking the obvious data fields with personal information, like social security numbers, bank account information, national ID number, passport number, driver’s license number, etc. However, now that insider threats are increasing, organizations should expand the use of data masking to all fields that could be considered personally identifiable, giving you greater control over who can see what data and when. And deploying data masking based on dynamic authorization policies, like location, device, and time of day allows a more secure-and flexible-access to data.
Enable Stepped-Up Multi-Factor User Authentication
Using stepped-up multi-factor authentication is an important tool for preventing insiders from doing stuff they shouldn’t. When it comes to performing transactions with sensitive information, adding multi-factor at the transaction level as well as the perimeter ensures that users are not only authorized to access and view the data but perform the actual transaction.
Take A Proactive Approach to Detecting and Preventing Insider Threats
When it comes to insider threats, most security teams live in a murky gray middle zone struggling to determine the difference between regular user activity and anomalous activity indicating an insider attack. Organizations can help their IT security teams take a clear, proactive approach to detecting and preventing insider threats and attacks by applying a data-centric security approach combined with continuous monitoring of data access and usage.
Want to see a demonstration of how Appsian can help your organization detect insider threats? Contact us to chat with an Appsian security expert today.
When business stakeholders come to you looking for answers, having visibility and context around ERP data access and usage gives you the actionable insight necessary to provide value.
As a leader of Enterprise Applications, customizing legacy ERP applications like PeopleSoft, SAP ECC, Oracle EBS, etc., to meet your business’ exact process specifications can leave you between a rock and a hard place. The more customized your ERP applications get, the more your business stakeholders love it, but the complexity around application support and maintenance also increases. That being said, accepting more complexity is just part of the job, because after all, your most important role (in the eyes of others) is providing timely and accurate resolution to inquiries or incidents from your business stakeholders.
You know the drill: members from various business units come to you requesting help for a particular incident or an anomaly they spotted. It’s up to your team to provide a resolution in a timely manner. And that’s where the trouble begins. Many incidents require hours, weeks, and even months to research and resolve. It’s hard to provide excellent customer service to the lines of business when your team is facing major obstacles to resolving incidents in a timely manner.
What if I told you there’s a way to enable your team to spend less time researching an issue (or no time at all) and produce faster results while providing better value for the various business leaders and their teams?
Three Major Obstacles to Timely ERP Incident Resolution
You’re the last person who wants to hear or say, “well, that’s just [insert ERP app name here].” But that’s one way you can sum up the limitations and obstacles your team will immediately encounter.
Here’s a simplified view of that process from the perspective of PeopleSoft. Somebody from a line of business will contact a member of your Sys Admin team and say, “Hey, this user’s account was updated (i.e., maybe they didn’t get their paycheck), or there was some sort of anomaly in the execution of a typical business transaction (i.e., vendor didn’t get paid, etc.). We don’t know what it is, and the functional user(s) say it wasn’t them. We’re not sure what happened. Can you guys look into this? That would be great.”
This incident kicks off your process flow to find a resolution. Then come the obstacles:
Obstacle 1: Legacy ERP Logs Can’t Tell You About Data Access
Experience says that most people who use an ERP application like PeopleSoft don’t know who’s doing what (specifically), who’s accessing what information, or most importantly – why. You probably first need to work out if this is something that the user did themselves or a hacker was able to gain access to the system – and also work out if this is an inside job or an external attack.
And while the logs can point you in the right direction, the legacy ERP logs are not designed to provide detailed information on who accessed what or even, in most cases, viewed something sensitive. This leads to major obstacle number two…
Obstacle 2: ERP Logs are Disparate and Not Correlated
ERP logs were designed for troubleshooting, not granular activity logging, which contributes to organizations and business units not knowing what their employees are doing inside the applications. When it’s time to go under the application hood and examine the native logs, another metaphor comes to mind: looking for a needle in the haystack. Here’s an example of all the native logs you might find in your instance of PeopleSoft:
- App Server
- PIA (Web Server)
- Process Scheduler
- Load Balancer
- Identity Provider (SAML, LDAP, ADFS)
- Host O/S Logs
Your organization likely has more than one of these servers where these logs reside. You might have four application servers, eight web servers, and so on. Now you’re looking at finding a needle in multiple haystacks. And that data is not correlated, so there is little relative context that can enable your investigation.
Here’s a nerdy example using the App Server and Web Server logs. On the Web Server, you cannot identify the person who logged in because you don’t know the OPRID. All you have are an IP address and a timestamp. You need to go to the App Server and review the OPRID, timestamp, and IP address on login or log out and attempt to correlate that information with similar information on the Web Server.
Obstacle 3: Log Data is Not Enriched with Any Context That Makes It Actionable
Once your team has collected data from the logs and assembled material from other sources, the final step is to interpret everything and make a best guess so an action item can be established. How actionable is having a collection of raw data such as IP addresses, user IDs, location of devices, completed transaction, etc., if you’re not able to place that data into a human context?
Let’s take the example of “Jim” and the incident involving him not receiving a paycheck. The raw ERP data shows that Jim’s credentials accessed pages containing personal information and bank account information several times over a period of time. Jim, the human, denies that he made any changes to the data on those pages, so the paycheck should have been routed to his usual bank account. Maybe you change Jim’s username and password and cut him another check. Was Jim trying to defraud the company and get an extra check, or was Jim’s account compromised in some way? Could a hacker have accessed Jim’s payroll data, changed the account number, received the funds, then changed the number back – getting away without a trace? Absolutely! It happens every day. If you cut Jim a new check, you fix Jim’s immediate problem, but do you understand what’s happening in your system?
Why Appsian360 Immediately Makes You a Hero to Your Organization
You’ve been waiting in suspense to know when IT becomes the hero – well, here it is. When the business comes to you looking for answers related to a specific incident, Appsian360 provides the quick, actionable insight necessary to provide the company with the understanding of what happened with their ERP data.
How? Appsian360 logs granular user access to data, correlates existing ERP logs, enriches the data with contextual attributes (who, when, where, what device, etc.), and visualizes the ERP data’s access and usage on dashboards. Now your team can easily look at data access by IP addresses, user IDs, location of devices, pages accessed, etc., and very quickly understand the facts behind an incident.
Let’s go back to Jim’s situation. With just a handful of clicks in Appsian360, you confirm that “Jim’s credentials” did indeed access and edit his personal information. Additionally, you discover that “Jim” was logging in after-hours using a foreign IP address based in another country. With a few more clicks, it’s clear that the IP address is responsible for other compromised user accounts. You didn’t just discover Jim’s breach, you now have a clear picture and a direction to fix the actual security issue – one that was growing in urgency by the day!
Without context, you lack insight. Context around data access and usage creates actionable insights. Actionable insights support the company and provide value to key stakeholders.
Understanding user activity and data usage are precisely what the business needs – and without Appsian360, ERP logs lack insight. You can buck that trend with Appsian360.
Contact us to learn how Appsian360 can provide you with the most powerful, real-time view into ERP data access & usage.