Implementing enterprise resource planning (ERP) systems has always been both mission-critical and notoriously difficult. They must align with business processes, but the organization distributes those processes across multiple departments. Legacy ERP systems, often considered a large one-time investment, lack the flexibility necessary to scale with your business. As your organization began its digital transformation journey, cloud-based ERP seemed to be a solution to many of these problems. However, every benefit comes with a cost. Modernizing legacy ERP systems for security and compliance creates new challenges, particularly with distributed workforces.
Why is Modernizing ERP a Mission-Critical Business Goal?
Whether you wanted to modernize your ERP or not, you likely found yourself rapidly adapting to remote access requirements in 2020. In response to COVID-driven stay-at-home orders, companies needed to accelerate their digital transformation strategies, and that acceleration included ERP systems.
However, as you look toward a post-pandemic business model, you might be considering maintaining a hybrid workforce. Thus, modernizing your ERP is a mission-critical business goal for several reasons, including:
- Ability to access from anywhere
- Built-in Customer Relationship Management (CRM)
- Lower capital expenditures with subscription models
- Reduced total cost of ownership
According to HubSpot’s 2020 ERP Report, 34% of respondents said they were moving away from legacy systems, and 86% selected SaaS deployment models. However, that same report noted that 27% of respondents remaining on-premises cited security breach risk as their reason.
ERP Security and Privacy Controls are Notoriously Difficult to Implement
When undergoing digital transformation, organizations often struggle trying to secure their ERP systems. Most companies need to take a hybrid approach that connects their legacy on-premise deployment to their new SaaS applications.
Organizations struggle trying to prioritize and mitigate risks for several reasons. However, three fundamental challenges exist:
- Data storage arrangements: Inability to control infrastructure increases data leakage and corporate espionage risks
- Authentication: Continued brute force attacks and credential theft increase data security and privacy risks
- Access controls: Complex identity and access relationships reduce the ability to control who accesses resources
Traditional on-premise ERP deployments used role-based access controls (RBAC) with static permissions lists. However, the inherently static nature means that these alone fail to protect data, particularly in remote or hybrid work environments.
For example, PeopleSoft’s security model assigns roles to user profiles. The user profile defines the data that the person can use. The permissions list is the set of pages the user can access and actions the user can take.
These controls protect data across on-premises deployments where the applications and users sit inside the organization’s network. Since remote access to on-premise ERP is dynamic, these legacy controls increase security and privacy risks when implemented for modernized ERP projects.
5 Strategies for Setting Security and Privacy Controls for a Hybrid ERP Deployment
Companies adopt digital transformation to leverage speed and agility, enabling them to scale operations. At the same time, they still need to maintain their on-premise systems. To protect information, organizations need dynamic and scalable access controls that align with their systems and business goals.
1. Identify Assets and Assess Risk
For effective access controls, the first step is to identify all data that you store, process, and transmit. Second, assess the data’s criticality and risk level. Finally, identify the users who access that information and assess the risk they pose to the organization.
As part of this, you should consider:
- Standard users
- Privileged users
- Users’ payment processing authority level
- Financial information
- Personally identifiable information
- Sensitive corporate information
Once you assess user and data risk, you can create a plan that helps you migrate the information securely. When setting controls, you should limit access according to the principle of least privilege and create fine-grained access privileges.
2. Normalize Data Access Across Integrated Applications
With SaaS applications, organizations no longer need to commit to a single platform. They can pick and choose the applications that best meet their needs, which can mean integrating multiple vendors.
As you build out your application stack, you need to maintain appropriate access controls. This can be difficult when vendors define access rights differently. Many organizations worry that normalizing access data requires an expensive, labor-intensive overhaul of their Identity and Access Management programs.
However, if you focus on visibility instead of connectivity, you can leverage automated tools that help you see into user access. Tracking user access in a single location, despite disparate access definitions, enables you to protect data security and privacy even across different application vendors like SAP and PeopleSoft.
3. Use Context
A primary benefit of hybrid on-premise and cloud ERP systems is the ability for people to work wherever they want. However, that same flexibility drives many of the security and privacy risks companies face.
Adding context to your access permissions is another way to secure data. After setting your role-based controls, you should consider adding context such as time of day, geographic location, and IP address. With these attribute-based access controls (ABAC), you can more granularly define how users interact with data, making it easier to detect anomalies.
4. Enable Step-Up Multi-factor Authentication
ABAC also enables you to use step-up multi-factor authentication (MFA). Step-up authentication is a process where users need to re-authenticate into an ERP application when they attempt a privileged function or transaction. ABAC enables you to trigger step-up MFA when your system detects an abnormal attribute, often one associated with credential theft.
For example, one of your users always logs in from California, USA. If the user tries to access the ERP’s payment module from Ontario, Canada, the system will notice that this is an outlier, an abnormal attribute for this user. The system can require re-authentication, additional proof that the person is who they say they are. If this is a cybercriminal leveraging stolen credentials, then the step-up authentication acts as an additional security and privacy control, preventing unauthorized access.
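The decision flow described above, as an added example that is not code from the original post or from Appsian: a static RBAC permissions list is consulted first, then the request’s context attributes (country, hour, source address) are compared with a per-user baseline, and a privileged module opened under unusual context returns a step-up decision rather than a plain allow. The roles, modules, work-hours window and address ranges are constructed assumptions; the same evaluator is what the later “Integrated IAM” and ABAC recommendations on this page describe in prose.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Static RBAC permissions list: role -> ERP modules the role may open.
# Constructed for this example; not any vendor's real permission list.
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoices", "payments"},
    "hr_analyst": {"employee_records"},
}

# Modules whose use is a privileged transaction; unusual context here
# triggers step-up MFA instead of a plain allow.
PRIVILEGED_MODULES = {"payments"}

# Corporate egress address space (RFC 5737 documentation range, constructed).
CORPORATE_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass
class UserProfile:
    """Attributes learned from a user's past sessions (an assumed baseline)."""
    roles: set
    usual_countries: set
    work_hours: tuple = (8, 18)   # local hours during which access is routine
    mfa_verified: bool = False    # set once step-up MFA succeeded this session


@dataclass
class AccessRequest:
    user: str
    module: str
    country: str      # country code derived from the source address
    source_ip: str
    when: datetime


def rbac_allows(profile, module):
    """The static layer: does any of the user's roles include this module?"""
    return any(module in ROLE_PERMISSIONS.get(r, set()) for r in profile.roles)


def unusual_attributes(profile, req):
    """The context layer: list every attribute that deviates from the baseline."""
    reasons = []
    if req.country not in profile.usual_countries:
        reasons.append(f"country={req.country}")
    start, end = profile.work_hours
    if not start <= req.when.hour < end:
        reasons.append(f"hour={req.when.hour}")
    if not any(ip_address(req.source_ip) in net for net in CORPORATE_NETWORKS):
        reasons.append(f"ip={req.source_ip}")
    return reasons


def evaluate(profile, req):
    """Combine RBAC with context.

    Returns ("deny", reasons), ("step_up", reasons) or ("allow", reasons).
    Context can only raise the bar on top of the role decision; it never
    grants a module the role does not already have.
    """
    if not rbac_allows(profile, req.module):
        return "deny", ["role lacks module"]
    reasons = unusual_attributes(profile, req)
    if req.module in PRIVILEGED_MODULES and reasons and not profile.mfa_verified:
        return "step_up", reasons
    return "allow", reasons


def demo():
    """The page's scenario: a user who always works from the US (California)
    suddenly opens the payments module from Canada (Ontario)."""
    alice = UserProfile(roles={"ap_clerk"}, usual_countries={"US"})
    at_ten = datetime(2021, 3, 1, 10, 0)
    routine = AccessRequest("alice", "payments", "US", "203.0.113.5", at_ten)
    from_ontario = AccessRequest("alice", "payments", "CA", "198.51.100.7", at_ten)
    invoices_from_ontario = AccessRequest("alice", "invoices", "CA", "198.51.100.7", at_ten)
    no_role = AccessRequest("alice", "employee_records", "US", "203.0.113.5", at_ten)
    return {
        "routine": evaluate(alice, routine),
        "payments_from_ontario": evaluate(alice, from_ontario),
        "invoices_from_ontario": evaluate(alice, invoices_from_ontario),
        "no_role": evaluate(alice, no_role),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision} {reasons}")
```

Note the asymmetry that makes the design safe: an unusual attribute never widens access. The role check is still the gate; context decides only whether a permitted privileged action needs a fresh proof of identity first. The reasons list is returned alongside the decision so the same evaluation can feed the monitoring discussed under strategy 5.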
5. Continuously Monitor Behavior Around Data Access and Usage
Modernizing your ERP security and privacy controls also includes continuously monitoring for anomalous and suspicious activity. Gaining a granular view into data access and use is a way to proactively mitigate risks that can arise in a remote workforce accessing ERP solutions.
Continuously monitoring access can help you gain insight into employee productivity, cybersecurity risks, and insider fraud. Tracking when and how employees use data gives you a way to set baselines for “normal” activity—any deviations from this warrant further investigation.
For example, a user consistently accesses your ERP between 8 am and 5 pm from a location in the United States. If the user suddenly accesses the system at 2 am, the anomalous activity could indicate fraud. Even if you’re using step-up MFA to prevent that activity, you still need to investigate the event. While it may be someone with insomnia, it can also be an employee trying to steal information or money.
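A baseline-and-deviation detector of the kind this section describes, as an added example (not code from the original post or from Appsian360): it parses a constructed key=value access log, learns each user’s countries, working-hour range and peak daily report downloads from a history window, then flags later events that fall outside that baseline, including the 2 am access and the “same user frequently downloading certain reports” case mentioned later on this page. The log format, user names and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed ERP access log in a simple key=value format (not any vendor's
# real log format). Events before 2021-03-08 form the baseline window.
SAMPLE_LOG = """\
2021-03-01T09:12:00 user=alice country=US action=view object=PO-1001
2021-03-01T14:40:00 user=alice country=US action=download object=AP_AGING
2021-03-02T08:55:00 user=alice country=US action=view object=PO-1002
2021-03-03T16:10:00 user=alice country=US action=download object=AP_AGING
2021-03-04T10:02:00 user=alice country=US action=view object=PO-1003
2021-03-05T11:30:00 user=alice country=US action=view object=PO-1004
2021-03-08T02:07:00 user=alice country=US action=view object=PO-1005
2021-03-09T10:15:00 user=alice country=CA action=view object=PO-1006
2021-03-10T10:20:00 user=alice country=US action=download object=AP_AGING
2021-03-10T10:21:00 user=alice country=US action=download object=AP_AGING
2021-03-10T10:22:00 user=alice country=US action=download object=AP_AGING
2021-03-10T10:23:00 user=alice country=US action=download object=AP_AGING
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) country=(?P<country>\S+) "
    r"action=(?P<action>\S+) object=(?P<object>\S+)$")


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def build_baseline(events):
    """Per-user profile: countries seen, hour range, peak downloads in a day."""
    baseline = {}
    for user in {e["user"] for e in events}:
        mine = [e for e in events if e["user"] == user]
        hours = [e["ts"].hour for e in mine]
        per_day = defaultdict(int)
        for e in mine:
            if e["action"] == "download":
                per_day[e["ts"].date()] += 1
        baseline[user] = {
            "countries": {e["country"] for e in mine},
            "hour_range": (min(hours), max(hours)),
            "max_daily_downloads": max(per_day.values(), default=0),
        }
    return baseline


def detect_anomalies(events, baseline, download_factor=2):
    """Return (timestamp, user, reason) for every deviation from the baseline."""
    alerts = []
    downloads_today = defaultdict(int)   # (user, date) -> downloads so far
    for e in events:
        prof = baseline.get(e["user"])
        if prof is None:
            alerts.append((e["ts"], e["user"], "no baseline for user"))
            continue
        reasons = []
        if e["country"] not in prof["countries"]:
            reasons.append(f"new country {e['country']}")
        lo, hi = prof["hour_range"]
        if not lo <= e["ts"].hour <= hi:
            reasons.append(f"hour {e['ts'].hour} outside {lo}-{hi}")
        if e["action"] == "download":
            key = (e["user"], e["ts"].date())
            downloads_today[key] += 1
            if downloads_today[key] > download_factor * prof["max_daily_downloads"]:
                reasons.append(f"{downloads_today[key]} downloads today, "
                               f"baseline max {prof['max_daily_downloads']}")
        for r in reasons:
            alerts.append((e["ts"], e["user"], r))
    return alerts


def run_demo():
    """Split the constructed log into history and recent, learn, then detect."""
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2021, 3, 8)
    history = [e for e in events if e["ts"] < cutoff]
    recent = [e for e in events if e["ts"] >= cutoff]
    return detect_anomalies(recent, build_baseline(history))


if __name__ == "__main__":
    for ts, user, reason in run_demo():
        print(ts.isoformat(), user, reason)
```

Each alert carries the reason so an analyst can triage the 2 am login separately from the burst of report downloads; as the text says, the deviation is the trigger for investigation, not a verdict. A production detector would rebuild the baseline on a rolling window and treat users with no history as their own category rather than silently allowing them.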
Appsian Enables ERP Security and Compliance for Your Digital Transformation
Modernizing your legacy ERP application doesn’t mean you have to sacrifice the granular levels of control and visibility a cloud application offers when enforcing data security, privacy, or compliance policies. Taking a proactive approach to ERP security and data privacy during your company’s digital transformation can mitigate risks before they turn into realities.
Appsian has been enhancing on-premise ERP environments for more than ten years, and we’d love the opportunity to learn more about your digital transformation project so we can help you manage your ERP data security and compliance needs. Contact us today.
ERP security has traditionally focused on vulnerability testing for ERP applications, whether hosted on-premise or in the cloud. Given the sensitive nature of ERP transactions, frequently checking applications, databases, and servers for vulnerabilities through routine assessments has long been considered best practice. It makes sense that application vulnerabilities are considered a top threat vector, because ERP applications were long touted for their highly customizable nature: every organization’s business requirements are different, which means security settings and access controls need to be highly customizable too.
All of this customization was in service of governing user access to the application – a real “outside looking in” approach. But if you’re constantly looking “out” for threats, how do you protect against the ones that are already “in”?
Is Traditional ERP Security Actually Protecting Data?
While you might be checking for conflicts in your configuration settings, ensuring you’re up-to-date on vendor patches, and executing manual audits every once in a while, you should ask yourself, “am I actually protecting my ERP data?” Sure, preventing intrusions is passively protecting ERP data. But at the end of the day, if you spend your time hardening the walls of your fortress, you’re really only protecting the perimeter of your fortress – not what’s inside. Cybercriminals have identified this disconnect and now spend their time exploiting user credentials to infiltrate systems to steal and manipulate data. Cybercriminals have adjusted. Now it’s time organizations do the same with their ERP applications, and ultimately – their ERP data.
The Information Security Conversation is Going Below the Network & Application Layer
Information security professionals have long been adept at protecting enterprise data and not just network and application perimeters. The abundance of cloud applications has allowed access controls and visibility to go to the next level. Concepts like zero trust and least privilege all require information security policies that are not reliant on arbitrary roles and privileges but on inspecting who a user is, where they are coming from, on what device, and any other attribute. Just because they are allowed access to a network or application does not grant them privileges to data.
If this is where the information security conversation is going, why is ERP security still focused on the perimeter? Shouldn’t the focus be on ERP data security?
How to Shift the Conversation to ERP Data Security
Many would say that ERP security remains a perimeter conversation because such a large part of the ERP market uses on-premise applications. This dates back to the inception of ERP when the appeal was mostly around customizing your business transactions to your processes. This would be accurate – but as business became more complex, organizations became more entwined with their legacy applications. However, that doesn’t mean that on-premise applications (and ERP applications only hosted in the cloud) must remain isolated from a unified “ERP Data Security” conversation.
Here Are a Few Recommendations for Beginning an ERP Data Security Conversation:
- Integrated Identity & Access Management (IAM) – Integrating enterprise solutions meant for identity and access management (e.g., SSO & MFA) provides a perfect opportunity to govern access to data versus only governing access to an application. An integration would enable policies to be written that deploy authentication measures based on what someone is attempting to access. This is also referred to as “step-up authentication” or zero trust. Of course, an integration layer is required, which is exactly why Appsian developed the necessary integration connections that organizations can use to natively integrate their IAM solutions with their legacy ERP applications (i.e., Oracle PeopleSoft & E-Business Suite).
- Attribute-Based Access Controls (ABAC) – Traditional ERP governance revolves around role-based access controls: pre-defined and sometimes over-simplified buckets that dictate what users can and can’t do. Role-based access controls (RBAC) are artifacts of traditional ERP security strategies that have been identified as problematic and flawed when data protection is the objective. This is not to say that RBAC doesn’t have its place, but as a sole governance measure? Absolutely not. Many would say that the rapid move to remote work following COVID-19 was the death blow to RBAC, because so much of its effectiveness hinges on network and application security layers, both of which enter a grey area when sensitive financial transactions and data can be accessed remotely.
To help organizations manage, and more importantly, mitigate the risk of remote access to financial applications like SAP ECC, S/4HANA, & E-Business Suite, Appsian has developed Attribute-Based Access Controls that organizations can use to grant, modify, or restrict access to data. Governance policies can be dynamically enforced based on the context of user access – or attributes of user access.
- Data Level Visibility is Critical – ERP applications are no stranger to activity logging. However, current logging is primarily in service of troubleshooting system issues and receiving basic insight on authentication and page access. This is why auditing an ERP application requires manual pulling and triangulation of reports from multiple sources. It’s an obstacle most have to accept, and because of this, they only audit sporadically.
To gain visibility and insight into how data is being accessed and used, Appsian developed Appsian360. Appsian360 represents a powerful combination of comprehensive user activity logging and analytics – all designed to detect and alert to anomalous behavior. Whether it’s access from a foreign country, the same user frequently downloading certain reports, or specific PO or account numbers receiving frequent access, Appsian360 is designed to give ERP customers the data level visibility needed to automate critical security, compliance, and audit functions.
Appsian Helps Enable ERP Data Security
Just because your organization is using a legacy ERP application does not mean that you cannot employ the same granular levels of control and visibility as a cloud application. Appsian has been enhancing on-premise ERP environments for over 10 years, and we’d love the opportunity to learn more about your ERP data security objectives. Contact us today!
Stop me if you’ve heard (or spoken) this phrase: “All non-essential projects have been put on hold.”
To be fair, pausing large-scale IT projects (like a cloud ERP migration) in such an uncertain and unpredictable environment makes sense. If the project will take months to implement and it isn’t helping keep the lights on, it isn’t essential. Simple as that! But what is considered “essential” is often a matter of opinion rather than true importance.
A perfect example is ERP data security. When COVID-19 hit, many organizations began scoping enterprise security solutions like a VPN, which enables remote access. But only in the sense of creating an authentication point – not actually securing data. We touched on this more in a previous blog.
Enabling remote access with a VPN helps keep the lights on, but now that the lights are on (and will hopefully stay on), at what point do you consider the vast amounts of data exposure that have emerged as a NEW risk vector as a direct result of remote access? This is the point where data security becomes essential.
Overlooked but Essential
ERP data security too often gets thrown into the “non-essential” project pile, with companies considering it an afterthought, regardless of the economic climate. Afterthought might be too harsh – perhaps they consider what they already have in place as “good enough,” essentially deciding to go into completely unprecedented times with legacy technology. Such thinking will leave your data fully exposed to theft, fraud, and other forms of damage. Alas, if you don’t prepare for the future, then the future is likely to be your downfall. This is why we think NOW is the perfect time to make ERP data security a high-priority – dare we say essential – project. Here are five reasons why.
1: Your ERP Data is Already Exposed
Just because your virtual front door is locked doesn’t mean there’s nobody in your house. Besides the fact that user credentials (including VPN credentials) are routinely stolen – insider threats are one of the fastest-growing trends in data breaches, accounting for 34% of attacks in 2019, according to Verizon’s 2019 Data Breach Investigations Report. In addition, many insider breaches occur simply by insiders unintentionally misusing data. Without proper data security and monitoring protocols in place, it’s difficult to know if users are leveraging their privilege to access sensitive information for either legitimate or malicious purposes.
2: Remote Access and Data Security Should Be Synonymous
A remote workforce is nothing new, but not at the scale caused by the COVID-19 outbreak. The rapid scaling of remote access for critical business functions left many companies relying on conventional (but outdated) security technology, like a VPN, without considering that remote access means an expanded threat surface – and the wider your threat surface, the more exposed your data is to risk. A VPN may leave you feeling like you shrank your threat surface, but you haven’t truly shrunk your level of risk. Today, the most devastating data breaches happen when credentials are stolen and/or insiders leak/expose data. In a remote access environment, credential/insider risks go up dramatically while a VPN does little to mitigate them.
When allowing remote access to your ERP data, you need to monitor a variety of data points: Where is the user coming from? What data are they trying to access? What device are they using? Is that device being used by the right person? Cybercriminals know these systems are vulnerable and are stepping up attacks.
3: Data Security is Not as Costly as A Data Breach
According to IBM’s Cost of a Data Breach Report, the average cost of a data breach is $4 million. The average cost of a breach in the U.S. is $8.2 million – more than double the worldwide average.
The risks posed by a data breach extend well beyond financial. They are operational as well as compliance-related. Then there are the difficult to quantify costs, including negative exposure and scrutiny for your brand and senior leadership.
4: Compliance Stakes Have Never Been Higher
Compliance mandates like SOX, GDPR, CCPA, and others require organizations to maintain details regarding data access, and place substantial liability on companies that are not taking appropriate measures to secure ERP data. Fortunately, organizations can improve compliance by implementing data security tools that respond to insider threats, minimize direct damage caused by a breach, and reduce (or even void) penalties incurred by compromising customer data.
5: ERP Data Security is A Manageable Problem
An essential project doesn’t mean it’s complicated or burdensome. In fact, this is one of the more manageable problems to solve, as adding data security doesn’t involve much change management – unlike a cloud migration project. The key is to NOT customize the application(s) but to seek solutions that are configurable. Customizations are not a quick fix – they are not scalable and place additional complexity on support down the line. Configurable solutions to these challenges exist – trust us!
Data Protection Can Help Keep the Lights On
You could argue that an ERP data security project isn’t going to help keep the lights on; therefore, it isn’t essential. We would say that any project that helps mitigate business and security risks by enhancing your ability to authenticate users, control access to data, and monitor & respond to potential threats, is essential. And if that project can protect you from fines, theft, and fraud due to a data breach in this current work environment? That’s money you can use to keep the lights on.
Request a demonstration today to learn how Appsian can help you with your essential ERP data security project.
Representatives of the Open Web Application Security Project (OWASP) periodically release a top 10 list of known vulnerabilities that impact applications across a typical enterprise. Why is this so important? In today’s world, the common digital attack does not focus on network vulnerabilities because networks no longer represent the wall or moat that protects an organization. Today, the bad guys are focused on applications.
With the advent of mobile and the connected economy, identity is the new perimeter. And identities live in applications. So, that’s what the attackers are targeting. And Enterprise Resource Planning (ERP) applications represent juicy targets as they are typically the user store of record for most companies. Names, addresses, SSNs, bank account numbers and other sensitive data are usually found in an organization’s ERP infrastructure.
Let’s talk about a couple of the top vulnerabilities recently identified by OWASP, and how they specifically relate to an ERP application:
Broken Authentication
Authentication encompasses the controls in place to ascertain the identity of an entity logging into an application. It is commonly confused with ‘authorization’, but authorization represents the controls that determine what rights and permissions an entity has in a system after being authenticated.
ERP systems, like all critical applications, rely heavily on controls around making sure that I am who I say I am when logging in.
Broken authentication is when those controls can be subverted. And it is pretty common due to the ineffective design and implementation of most identity and access controls. Session management is the backbone of most identity management solutions and is present in almost all stateful applications. ‘Stateful’ just means that once I log in, I am able to traverse the application doing what I need to do without having to log in again every time I access a new page or component. The application ‘remembers’ me.
Attackers can use automated tools to detect broken authentication controls and essentially gain access to an application by utilizing session hijacking or stuffing credentials into a session via dictionary attacks.
Many ERP systems are what we consider to be legacy applications and were designed and implemented when session management was not a huge concern due to the insular nature of their deployments (accessible only inside the network, etc.). This leaves them very vulnerable to authentication attacks.
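The session-management controls that this section says legacy applications lack, as an added example (not code from the original post, from Appsian, or from any ERP vendor): a small server-side session store that issues a fresh 256-bit identifier at login and discards any pre-login identifier (the defence against session fixation), rotates the identifier again when privilege is stepped up, enforces idle and absolute timeouts, and binds each session to a hash of coarse client attributes so that a captured token presented from elsewhere is rejected and can be logged as a hijacking signal. The timeouts and the choice of fingerprint inputs are assumptions; the clock is passed in explicitly so the behaviour is testable.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60          # seconds without activity before a session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session lifetime, regardless of activity (assumed)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    client_fp: str   # hash of client attributes the session is bound to


def fingerprint(client_ip, user_agent):
    """Bind the session to coarse client attributes. A later mismatch is a
    hijacking signal worth logging and acting on, not proof by itself."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def _new_id(self):
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def login(self, user, client_ip, user_agent, now, pre_auth_id=None):
        """Issue a fresh session ID at authentication. Any ID that existed
        before login (e.g. one planted through an attacker-controlled link)
        is discarded, which is the defence against session fixation."""
        if pre_auth_id is not None:
            self._sessions.pop(pre_auth_id, None)
        sid = self._new_id()
        self._sessions[sid] = Session(user, now, now, fingerprint(client_ip, user_agent))
        return sid

    def validate(self, sid, client_ip, user_agent, now):
        """Return (user, reason); user is None when the session is rejected.
        Every rejection revokes the session so it cannot be retried."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "unknown session"
        if now - s.created > ABSOLUTE_TIMEOUT:
            self.revoke(sid)
            return None, "absolute timeout"
        if now - s.last_seen > IDLE_TIMEOUT:
            self.revoke(sid)
            return None, "idle timeout"
        if not hmac.compare_digest(s.client_fp, fingerprint(client_ip, user_agent)):
            self.revoke(sid)
            return None, "client fingerprint changed"
        s.last_seen = now
        return s.user, "ok"

    def step_up(self, sid, now):
        """Rotate the ID after step-up MFA so a token captured before the
        privilege change cannot ride into the higher-privilege state."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = self._new_id()
        s.last_seen = now
        self._sessions[new_sid] = s
        return new_sid

    def revoke(self, sid):
        self._sessions.pop(sid, None)
```

The IP component of the fingerprint is deliberately coarse: mobile and VPN users change addresses mid-session, so a strict binding produces false logouts. Treat a fingerprint mismatch as an event for the monitoring described elsewhere on this page, and tune which attributes participate to the population of users the ERP actually serves.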
Sensitive Data Exposure
Legacy on-premise applications are notorious for not maintaining good data controls around the information they contain. The risk was typically viewed as minimal, because the only people that could access those applications were ‘trusted’ employees inside the network. ERP implementations typically fell into this category.
In my experience doing security assessments in years past, ERP systems were typically an asterisk in my final report as my customers were not willing to invest in the time or expertise needed to fully vet their security controls. The common rationale? It’s an inside application that is only accessible by a few individuals in Finance and HR.
In today’s world, many of those legacy applications, including ERP, have evolved into web applications that allow access from the internet. And, in many cases, that evolution has not been well-planned or architected. Patchwork code and sloppy implementations rushed to market to meet a need to become part of the connected world have led to a whole new attack space for bad actors.
What’s exposed? Attackers have discovered that many organizations’ keys to the kingdom are data stores, including ERP systems, which are not well protected and are now exposed to the world wide web as a highway in. Whether it be financial data, personal information or private health data, attackers have new targets to go after.
Most of these applications are unable to implement the granular controls needed to control and monitor access to sensitive information, so companies have to start looking beyond the built-in security capabilities of these applications, capabilities that weren’t typically designed or implemented to deal with today’s connected world.
What Can Companies Do?
It’s time to take a different view of application security. Applications no longer exist behind network perimeters, managed by firewalls and other network-level protections. In today’s digital economy, companies are rushing to be able to exchange data with prospects, customers, employees and partners – regardless of how they’re accessing the application (mobile phone, tablet or desktop), and from where they are trying to access it (inside/outside the network, etc.).
Learn how Appsian can help protect against the risks associated with Broken Authentication, Sensitive Data Exposure and many of the other top application vulnerabilities identified by OWASP.