With 2020 coming to a close, ensuring that business applications are equipped to meet the long-term access demands of 2021 is a critical objective. All around the world, information security and financial risk leaders are being tasked with ensuring the security of business data while remote access (from unknown networks and devices) remains the standard for the foreseeable future. Finding solutions that can quickly and easily secure this data, without requiring an exorbitant amount of time and resources, is mission critical.
Data security is proving most challenging for organizations that run ERP applications like PeopleSoft, Oracle E-Business Suite, and SAP (ECC/S4HANA). ERP applications like these were designed with ease of access to data as the primary objective, so they have the biggest hill to climb when it comes to security, privacy, governance, and compliance.
Fortunately, this challenge is why Appsian (and the Appsian Security Platform) exists! We are here so organizations can fully utilize their investment in legacy ERP technology while scaling to meet present and future data security demands. After all, external and internal threats to business data will always continue to evolve.
Right now, thousands of organizations around the world face the same challenges, and most are scoping solutions that address only one or two of them. Here is a comprehensive approach that can serve as the playbook for securing legacy ERP data:
Identify Risks From User Access
The most significant risks to data typically originate from:
- Compromised credentials (for example, stolen from phishing attacks)
- Unknown networks and devices
- A lack of visibility into who is accessing sensitive data, how, and why
These risks are often accepted as part of an organization’s relationship with its ERP applications, but they don’t have to be. They should be addressed the way any security threat is, and doing so doesn’t have to mean over-restricting access and hindering authorized work. Restricting access to sensitive data is often the instinct when these risks are identified, because mitigating them can feel insurmountable. The truth is, mitigating controls can be implemented that fully align data security objectives with the access requirements of the business.
Apply Dynamic Authorization Policies
Dynamic authorization builds on the principle of least privilege (PoLP), which says users should have access only to what they require. Given the access risks outlined above, what someone “needs” (or should have) access to changes with the context of each access. For example, does high-privilege access require 100% of its capabilities from an unknown network and/or unmanaged device? How about during off-work hours? Many would say “no.” Applying access policies dynamically, based on that context, gives you this control. This strategy alone makes an enormous difference to an organization’s ability to control access to sensitive data and to support data security, privacy, and governance.
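Here is what such a policy looks like in code. This is an added example, not Appsian’s product logic and not any ERP vendor’s API: the page names, role names, network ranges, business hours and the decisions themselves are assumptions, chosen to show how the same static role grant yields a different outcome depending on network, device, time of day and step-up status.

```python
"""Context-aware (dynamic) authorization for ERP pages.

Added example, not Appsian code and not a PeopleSoft/SAP API: every role,
page, network range, hour and decision rule here is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                # full capability
    ALLOW_MASKED = "allow_masked"  # read permitted, sensitive fields masked
    STEP_UP = "step_up"            # re-authenticate with MFA, then retry
    DENY = "deny"


# Assumed corporate ranges; any other source is an "unknown network".
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.0.2.0/24")]
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time, assumed

# The static role grants the ERP already enforces (assumed names).
PAGE_ROLES = {
    "HR_DIRECT_DEPOSIT": {"HR_ADMIN", "EMPLOYEE"},
    "HR_PERSONAL_DATA": {"HR_ADMIN", "EMPLOYEE"},
    "PAYROLL_RUN": {"PAYROLL_ADMIN"},
    "TIMESHEET": {"EMPLOYEE", "MANAGER"},
}
ADMIN_ROLES = {"HR_ADMIN", "PAYROLL_ADMIN"}
# Pages whose data or actions get conditions beyond the role grant.
SENSITIVE_PAGES = {"HR_DIRECT_DEPOSIT", "HR_PERSONAL_DATA", "PAYROLL_RUN"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    source_ip: str
    managed_device: bool
    mfa_verified: bool   # MFA completed in this session
    local_hour: int      # 0-23, user's local time
    page: str
    action: str          # "read" or "update"


def on_trusted_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def authorize(req):
    """Layer access context on top of the static role grant."""
    # 1. Static RBAC: without a role grant there is no access in any context.
    if not (req.roles & PAGE_ROLES.get(req.page, set())):
        return Decision.DENY
    # 2. Non-sensitive pages: the role grant is sufficient.
    if req.page not in SENSITIVE_PAGES:
        return Decision.ALLOW
    trusted_context = on_trusted_network(req.source_ip) and req.managed_device
    in_hours = req.local_hour in BUSINESS_HOURS
    if req.action == "update":
        # Changes to sensitive data never come from an unknown network
        # or an unmanaged device.
        if not trusted_context:
            return Decision.DENY
        # High-privilege roles lose their write capability off-hours.
        if not in_hours and (req.roles & ADMIN_ROLES):
            return Decision.DENY
        # Sensitive changes always sit behind step-up authentication.
        return Decision.ALLOW if req.mfa_verified else Decision.STEP_UP
    # Reads are allowed anywhere, but outside a trusted context the
    # sensitive fields (SSN, bank account, ...) are masked on the page.
    return Decision.ALLOW if trusted_context else Decision.ALLOW_MASKED


def make_request(user, roles, ip, managed, mfa, hour, page, action="read"):
    """Convenience constructor so scenarios read as one line each."""
    return AccessRequest(user, frozenset(roles), ip, managed, mfa, hour, page, action)


if __name__ == "__main__":
    # The same HR administrator, four contexts, four different outcomes.
    hr = {"HR_ADMIN"}
    for ip, managed, mfa, hour, action in [
        ("10.1.2.3", True, True, 10, "update"),       # office, MFA done -> allow
        ("10.1.2.3", True, False, 10, "update"),      # office, no MFA -> step_up
        ("198.51.100.7", False, True, 10, "update"),  # home, unmanaged -> deny
        ("198.51.100.7", False, True, 10, "read"),    # home, read -> allow_masked
    ]:
        req = make_request("alice", hr, ip, managed, mfa, hour, "HR_DIRECT_DEPOSIT", action)
        print(f"{ip:14} managed={managed!s:5} mfa={mfa!s:5} {action:6} -> {authorize(req).value}")
```

The order of the checks is the point: the static role grant is evaluated first and can only ever deny, and the contextual rules then trim what that grant is worth in the current situation, so a compromised HR administrator credential used from an unmanaged device at night gets a masked read at most rather than the full write capability the role carries.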
Integrate Authentication Solutions
It goes without saying that single sign-on (SSO) and multi-factor authentication (MFA) have become table-stakes IAM solutions. Whether you have used them for many years or only since the beginning of the COVID-19 crisis, it is clear that their value goes well beyond the convenience of not having to remember passwords. With these solutions in place, however, the job of securing data is not necessarily over. Taking authentication a step further, to align with zero trust (never trust, always verify), requires native integration of SSO and MFA into the ERP for four important reasons:
- ERP authentication should always align with your enterprise identity and access management strategies
- Users tend to authenticate out of habit, without scrutinizing the prompt
- Stepped-up authentication should be required for particularly sensitive activity
- Using custom code (vs. native integration/configuration) for authentication is NOT a best practice
Capture and Visualize User Behavior
If I told you that most organizations have almost no idea who is accessing sensitive data at any given time, how, and why, would you be surprised? It may be a dirty little secret, but the truth is that legacy ERP logging has not kept pace with security and compliance requirements that demand an understanding of data access and usage by user.
What most ERP administrators will tell you is that in order to respond to an audit or investigate an incident, they must pull multiple logs and manually triangulate them. Only then does a foggy picture of what may have happened come into view. The problem is, a foggy picture is simply not good enough for a forensic investigation or for demonstrating alignment with information security policies.
Further investment is needed to enhance the granularity of native ERP logging, along with analytics and visualization tools that add context to the data, aggregate it, and visualize it so the insights are actionable. Only then is the logging data you are already getting out of your ERP truly useful for security and compliance purposes.
Partner with Appsian Security
For over 10 years, Appsian Security has watched organizations struggle with many of the same ERP security and compliance issues, most of which originate from the fact that their applications were not natively designed to do what they now need them to do: secure data. This is the natural result of security and compliance threats evolving while native ERP security features stay the same.
ERP applications are built with static, role-based controls and logging/alerts designed for system troubleshooting. The idea that many of these legacy applications would be exposed to the internet with only a username, password and maybe a VPN standing between malicious actors and your business data is the definition of risky. Some organizations have accepted that risk – but they don’t have to.
Appsian has designed a world-leading security platform that provides holistic, end-to-end data security (along with application security), giving legacy ERP customers complete control and visibility over their ERP data.
We know that every organization is unique, which is why we want you to put our security platform to the test! Request a demonstration today, and let us show you how Appsian can tailor a solution to your organization’s unique requirements.
Improve ERP System Performance with Real-Time Data Access & Usage Visibility
Your ERP system is a complex ecosystem with multiple deployments serving hundreds to thousands of users, all of whom are processing batch jobs, completing transactions, and performing the daily functions that are the lifeblood of operations. Sitting at the center of this ecosystem are your system administrators, who monitor and maintain the ERP system’s overall health and performance.
Factors Driving up Administration Complexity
In many ERP deployments, integrations with application and web servers, along with other external systems, are common. Further increasing complexity, each of these has its own set of monitoring tools to determine the quality of service it is delivering. This fragmented approach can make it challenging to identify and resolve ERP system performance issues. Now there’s a tool that allows you to focus exclusively on the health of your ERP system: Appsian360.
How Appsian360 Reduces Complexity
Appsian360 focuses squarely on ERP-specific performance metrics that allow you to quickly isolate and identify performance issues:
- Average Page Load Time
- Top 10 Components Accessed
- Average Page Load Time by Application
- Pages Accessed by Device Type
- Page Access Count and Average Page Load Time
- Top 10 Underperforming Pages
Appsian360 also captures real-time data access and usage information, which provides a clear narrative around how user traffic is affecting system performance. The same data can be used to combat security threats or uncover fraud.
Organization-Wide ERP System Performance at a Glance
Now you have information at your fingertips that allows you to be proactive about system degradation rather than reactive, relying on users to report issues to you. Fixing slowness ahead of time may also prevent more serious problems, such as data corruption, that cost time across the whole enterprise.
You can also focus on application performance across office locations and by hardware. For example:
- Average Page Load Time by Country
- Average Page Load Time by Location (office locations)
- Average Page Load Time by IP Address
- Average Page Load Time by Web Server
- Average Page Load Time by App Server
If your offices are spread across the globe, for example in America, India, and New Zealand, you can examine the Average Page Load Time by Country. Just by looking at a map, you can see that one of the offices in India is running slowly while the other is performing at normal speed, and contact the IT team in that office to investigate.
Resolving Individual Issues Within Minutes
Raise your hand if a user has ever contacted you with, “Oh, the system is really slow today.” It’s a common yet frustrating reality for sys admins because it lacks context. Is the performance slow just for that one person or for everybody? Is the performance issue for a single component or an entire application?
Without Appsian360, your team has few resources for narrowing this down. Typically they come down to:
- The user’s description of the problem
- Trying to replicate what the user was accessing or viewing
- Visiting the user’s office location and checking the device
- Checking whether the problem correlates with a time of day, a location, or similar factors
- Database monitoring tools, which show how individual queries are performing
This is a piecemeal approach that lacks insight into the performance of the ERP system as a whole.
Resolving these system performance issues manually can take hours or days. With Appsian360, you can drill into a particular IP address, see that user’s individual access in the system, and drill further into the context you need to create actionable insights. For example, you can view the user’s Average Page Load Time by Application and then look at those transaction sets together to see how they are affecting the system and the users working in it.
Drilling down a bit further, you can look at the Top 10 Underperforming Pages. Now you’re getting more granular with your detective work to see if a specific page is performing slowly. In a matter of minutes and just a few clicks, a system admin can diagnose a system performance issue and put into place an action plan to resolve the issue.
The Proactive Approach to ERP System Performance
The regular duties of an ERP system administrator include making sure that the system is performing to its maximum ability and resolving any issues and problems the users might have. They’re also trying to resolve system performance issues before people complain there is a problem. Because when the ERP system performance deteriorates, productivity suffers, employee morale declines, and the company’s bottom line is negatively impacted.
Contact us today to learn how Appsian360 can transform your IT team into proactive ERP application administrators and keep your ERP system running at peak performance levels.
We are in the midst of a perfect storm of ERP security calamity: the greatest work from home experiment colliding with historic levels of employee churn and unemployment. Hackers are exploiting the situation by launching phishing, spear-phishing, and other social engineering attacks at remote workers to gain access to privileged user accounts and email passwords.
The increased threat surface and attacker activity mean that companies must deploy a strong security posture at the identity perimeter, using tools such as virtual private networks (VPN) and adaptive multi-factor authentication (MFA). However, limiting security to user access and authentication leaves organizations at risk of malicious activity when, not if, a privileged user account is compromised.
Unfortunately, today’s legacy on-premises SAP and PeopleSoft systems simply do not give organizations the granular, real-time visibility and context of user access and data usage they need to make proactive and strategic decisions. This lack of visibility, and the reliance on static controls to ensure your most critical data isn’t compromised, means that many organizations are flying blind.
Monitoring Privileged User Activity Must Be Part of a Strong Security Posture
The issue with traditional ERP logging and analytics is that they focus on troubleshooting errors and scanning for broad system vulnerabilities. They were not designed for understanding user behavior, data access, and usage. In addition to ensuring a strict authentication process, companies need to layer in the ability to monitor privileged user activity continuously.
Using a layered-defense approach, organizations can proactively mitigate many of the risks that come with increased attacker interest in corporate networks and user accounts. A strict authentication process on its own is no longer enough. Actively monitoring privileged account activity is a critical way of identifying that an external threat has entered the network, compromised an account, and is engaged in fraud or theft.
Granular Privileged User Activity to Monitor
Organizations can set fine-grained access controls, and those controls matter. For example, time-based ABAC can be applied to standard users, since a typical human resources employee works daytime hours, and access logging will tell you which user accessed an application. But if you do not have a granular-level view into precisely what a user accessed, you are missing a significant part of the data security puzzle.
I’m sure you can think of a list of all Tier 1, highly sensitive data fields you want to watch closely. A shortlist includes C-suite salary information, social security numbers, bank account information, national ID number, passport number, visa permit number, driver’s license number, etc.
Continuously monitoring privileged user activity and behavior at the granular level provides valuable visibility into how users engage with data and what they do with their access. For example, application-level logging can’t track or show you if a hacker or malicious insider changes employee direct deposit information to route that week’s payroll run into an offshore account. Only field-level logging can show you how much “over access” users may have or if they are engaged in irregular activity.
With this information, organizations can review whether a certain activity was necessary and document the findings. By tracking the activity back to the user, the organization proves governance and proactively protects data.
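To make the field-level logging point concrete, for both the logging gap described under “Capture and Visualize User Behavior” and the direct-deposit scenario above, here is an added example that is not Appsian code and not a real PeopleSoft or SAP log format. It runs two detections over constructed field-level access events: a sensitive field changed from an unknown network or outside business hours, and one user reading a sensitive field across many employees in a short window. The line layout, field names, corporate IP range, hours and thresholds are all assumptions.

```python
"""Field-level ERP access monitoring over constructed sample events.

Added example, not Appsian code and not a real PeopleSoft/SAP log format:
the line layout, field names, corporate range, hours and thresholds are
assumptions.
"""
import ipaddress
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample (not real data): one HR user reads SSNs for six employees
# in five minutes, an employee updates his own direct deposit during the day,
# and the same HR user changes someone else's bank details late at night from
# an outside address.
SAMPLE_LOG = """\
2020-11-16T09:02:11Z user=hr_jsmith ip=10.20.4.17 page=PERSONAL_DATA field=SSN action=READ emplid=10001
2020-11-16T09:05:40Z user=hr_jsmith ip=10.20.4.17 page=PERSONAL_DATA field=SSN action=READ emplid=10002
2020-11-16T09:06:02Z user=hr_jsmith ip=10.20.4.17 page=PERSONAL_DATA field=SSN action=READ emplid=10003
2020-11-16T09:06:30Z user=hr_jsmith ip=10.20.4.17 page=PERSONAL_DATA field=SSN action=READ emplid=10004
2020-11-16T09:07:01Z user=hr_jsmith ip=10.20.4.17 page=PERSONAL_DATA field=SSN action=READ emplid=10005
2020-11-16T09:07:45Z user=hr_jsmith ip=10.20.4.17 page=PERSONAL_DATA field=SSN action=READ emplid=10006
2020-11-16T10:15:22Z user=emp_10007 ip=10.20.9.3 page=DIRECT_DEPOSIT field=ACCOUNT_NUMBER action=UPDATE emplid=10007
2020-11-16T11:00:00Z user=it_admin ip=10.20.1.2 page=SYSTEM_STATUS field=QUEUE_DEPTH action=READ emplid=-
2020-11-16T23:41:09Z user=hr_jsmith ip=203.0.113.45 page=DIRECT_DEPOSIT field=ACCOUNT_NUMBER action=UPDATE emplid=10001
2020-11-16T23:41:30Z user=hr_jsmith ip=203.0.113.45 page=DIRECT_DEPOSIT field=ROUTING_NUMBER action=UPDATE emplid=10001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) page=(?P<page>\S+) "
    r"field=(?P<field>\S+) action=(?P<action>\S+) emplid=(?P<emplid>\S+)$"
)
SENSITIVE_FIELDS = {"SSN", "ACCOUNT_NUMBER", "ROUTING_NUMBER", "SALARY"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range
BUSINESS_HOURS = range(7, 19)                             # 07:00-18:59, assumed
BULK_WINDOW = timedelta(minutes=10)
BULK_DISTINCT_EMPLIDS = 5  # distinct employees' sensitive data read in the window


def parse_line(line):
    """Return the event as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def trusted_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyze(log_text):
    """Aggregate who touched which field, and raise alerts on two patterns."""
    alerts = []
    summary = Counter()   # (user, field, action) -> count
    recent_reads = {}     # user -> deque of (ts, emplid) sensitive reads in window
    bulk_alerted = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        summary[(ev["user"], ev["field"], ev["action"])] += 1
        if ev["field"] not in SENSITIVE_FIELDS:
            continue
        if ev["action"] == "UPDATE":
            # Rule 1: sensitive field changed from outside the corporate
            # network or outside business hours.
            reasons = []
            if not trusted_ip(ev["ip"]):
                reasons.append("untrusted network")
            if ev["ts"].hour not in BUSINESS_HOURS:
                reasons.append("off hours")
            if reasons:
                alerts.append({"rule": "sensitive_update_untrusted_context",
                               "user": ev["user"], "emplid": ev["emplid"],
                               "field": ev["field"], "ts": ev["ts"].isoformat(),
                               "reasons": reasons})
        elif ev["action"] == "READ":
            # Rule 2: one user reading sensitive data for many different
            # employees in a short window (over-access or harvesting).
            window = recent_reads.setdefault(ev["user"], deque())
            window.append((ev["ts"], ev["emplid"]))
            while ev["ts"] - window[0][0] > BULK_WINDOW:
                window.popleft()
            distinct = {emplid for _, emplid in window}
            if len(distinct) >= BULK_DISTINCT_EMPLIDS and ev["user"] not in bulk_alerted:
                bulk_alerted.add(ev["user"])
                alerts.append({"rule": "bulk_sensitive_read", "user": ev["user"],
                               "field": ev["field"], "ts": ev["ts"].isoformat(),
                               "distinct_emplids": len(distinct)})
    return {"alerts": alerts, "summary": summary}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(alert)
    for (user, field, action), n in sorted(result["summary"].items()):
        print(f"{user:10} {field:15} {action:7} {n}")
```

Note what the two rules need that page-level or application-level logging does not carry: the field name and the employee record it belongs to. Without those, the 23:41 change to emplid 10001’s bank details is indistinguishable from the employee’s own 10:15 self-service update, and the six SSN reads collapse into “hr_jsmith opened the personal data page”.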
Appsian360: Monitor ERP Activity for High Privilege Users
Using Appsian360 to monitor privileged user activity, you get a 360-degree view of what is happening around your ERP data as well as full visibility into exactly how your ERP data is being accessed – by whom, from where, on what, and why. From there, you can map out a targeted incident response before damages become catastrophic.
Your organization needs to be in a constant and vigilant state of security when it comes to monitoring privileged user account activity, especially in these times of high employee churn and remote access. Unfortunately, doing so natively in your ERP system is a manual process that has to be repeated frequently.
Request a demo of Appsian360 to see for yourself how your organization can actively monitor privileged user activity and mitigate the risks associated with a compromised account or malicious insider.
Stop me if you’ve heard (or spoken) this phrase: “All non-essential projects have been put on hold.”
To be fair, pausing large-scale IT projects (like a cloud ERP migration) in such an uncertain and unpredictable environment makes sense. If the project will take months to implement and it isn’t helping keep the lights on, it isn’t essential. Simple as that! But what is considered “essential” is often a matter of opinion rather than true importance.
A perfect example is ERP data security. When COVID-19 hit, many organizations began scoping enterprise security solutions like a VPN, which enables remote access. But only in the sense of creating an authentication point – not actually securing data. We touched on this more in a previous blog.
Enabling remote access with a VPN helps keep the lights on. But now that the lights are on (and will hopefully stay on), at what point do you consider the vast data exposure that has emerged, as a direct result of remote access, as a new risk vector? This is the point where data security becomes essential.
Overlooked but Essential
ERP data security too often gets thrown into the “non-essential” project pile, with companies considering it an afterthought, regardless of the economic climate. Afterthought might be too harsh – perhaps they consider what they already have in place as “good enough.” Essentially making the decision to go into completely unprecedented times with legacy technology. Such thinking will leave your data fully exposed to theft, fraud, and other forms of damage. Alas, if you don’t prepare for the future, then the future is likely to be your downfall. This is why we think NOW is the perfect time to make ERP data security a high-priority – dare we say essential – project. Here are five reasons why.
1: Your ERP Data is Already Exposed
Just because your virtual front door is locked doesn’t mean there’s nobody in your house. Besides the fact that user credentials (including VPN credentials) are routinely stolen, insider threats are one of the fastest-growing trends in data breaches: internal actors were involved in 34% of breaches in 2019, according to Verizon’s 2019 Data Breach Investigations Report. In addition, many insider breaches occur simply through insiders unintentionally misusing data. Without proper data security and monitoring protocols in place, it is difficult to know whether users are leveraging their privileges to access sensitive information for legitimate or malicious purposes.
2: Remote Access and Data Security Should Be Synonymous
A remote workforce is nothing new, but not at the scale caused by the COVID-19 outbreak. The rapid scaling of remote access for critical business functions left many companies relying on conventional (but outdated) security technology, like a VPN, without considering that remote access means an expanded threat surface, and the wider your threat surface, the more exposed your data is. A VPN may leave you feeling like you shrank your threat surface, but you haven’t truly shrunk your level of risk. Today, the most devastating data breaches happen when credentials are stolen and/or insiders leak or expose data. In a remote access environment, credential and insider risks go up dramatically, and a VPN does little to mitigate them.
When allowing remote access to your ERP data, you need to monitor a variety of data points, such as where is a user coming from? What data are they trying to access? What device are they using? Is that device being used by the right person? Cybercriminals know these systems are vulnerable and are stepping up attacks.
3: Data Security is Not as Costly as A Data Breach
According to IBM’s Cost of a Data Breach Report, the average cost of a data breach is $4 million. The average cost of a breach in the U.S. is $8.2 million – more than double the worldwide average.
The risks posed by a data breach extend well beyond financial. They are operational as well as compliance-related. Then there are the difficult to quantify costs, including negative exposure and scrutiny for your brand and senior leadership.
4: Compliance Stakes Have Never Been Higher
Compliance mandates like SOX, GDPR, CCPA, and others require organizations to maintain details regarding data access, and they place substantial liability on companies that do not take appropriate measures to secure ERP data. Fortunately, organizations can improve compliance by implementing data security tools that respond to insider threats, minimize the direct damage caused by a breach, and reduce (or even avoid) the penalties incurred when customer data is compromised.
5: ERP Data Security is A Manageable Problem
An essential project doesn’t mean it’s complicated or burdensome. In fact, this is one of the more manageable problems to solve, as adding data security doesn’t involve much change management – unlike a cloud migration project. The key is to NOT customize the application(s) but to seek solutions that are configurable. Customizations are not a quick fix – they are not scalable and place additional complexity on support down the line. Configurable solutions to these challenges exist – trust us!
Data Protection Can Help Keep the Lights On
You could argue that an ERP data security project isn’t going to help keep the lights on; therefore, it isn’t essential. We would say that any project that helps mitigate business and security risks by enhancing your ability to authenticate users, control access to data, and monitor & respond to potential threats, is essential. And if that project can protect you from fines, theft, and fraud due to a data breach in this current work environment? That’s money you can use to keep the lights on.
Request a demonstration today to learn how Appsian can help you with your essential ERP data security project.
According to Kate Hash, Manager of ITS Communications at UNC Chapel Hill, “Up until Friday, our largest download month had been 600 downloads of the app. On Friday alone, we had 2,000. It is clear that ConnectCarolina is adding a value to the app and that the students are now discovering the app because they want to use ConnectCarolina.”
Want to sort cybercrime fact from fiction? Think you know the difference? Test your knowledge. In this OHUG-sponsored webinar, GreyHeller will set the record straight about cybersecurity myths using data from its Annual Cybersecurity Survey, the SANS survey, and live audience polling.
This engaging and interactive webinar session will test your internal and external threat knowledge and give you the tools necessary to assess your organizations’ PeopleSoft security. All participants will be given a copy of GreyHeller’s Confidential Threat Assessment Matrix which identifies the internal, external and data threat vectors the bad guys have used to compromise HCM data.
The session will include information on:
- Data Masking
- Data Leakage
- Multi-Factor Authentication
- Location Based Security
- Self Service Use
- High Privilege Access
- Logging/Analysis & Forensic Investigation
We will conclude with real world case studies of how PeopleSoft customers are protecting their HCM data from cybercrime.
In this two-part series, GreyHeller founders and former PeopleSoft technical strategists Larry Grey and Chris Heller will discuss ERP trends and how they affect PeopleSoft customers. Part I will discuss Gartner’s recently published 2015 Strategic Road Map for Postmodern ERP and how its opportunities and challenges affect PeopleSoft customers. Part II will be a demo-intensive session showing how GreyHeller customers are meeting these challenges today.
July 15 • 11am PST
According to Gartner, monolithic ERP solutions are being deconstructed into postmodern ERP, resulting in a more federated, loosely coupled ERP environment with much of the functionality sourced as cloud services or via business process outsourcers. This direction is driven by a need to support strategic, organization-wide functionality that is more flexible, secure, integrated, and modern.
Where does this leave you as a PeopleSoft customer? Do you need to replace PeopleSoft to achieve the architecture and benefits to drive your organization in the future, or do you have an option to leverage it along with other cloud-based solutions?
This session will answer these questions as well as describe how PeopleSoft can be part of a hybrid approach to utilizing PeopleSoft and the cloud:
- Where PeopleSoft fits
- Integration considerations, including data and security
- User experience modernization
- Lifecycle Management and compliance
- Control over functionality and infrastructure
July 29 • 11am PST
This session will discuss how GreyHeller customers are utilizing our technology today to utilize PeopleSoft effectively in their postmodern ERP roadmap. This demo-intensive session will include customer case studies and product demonstrations that illustrate how to flexibly and safely retain your PeopleSoft investment by evolving its role from being a monolithic application to a key component of your hybrid ERP architecture.
- Security: how to protect your most sensitive data and processes in an ever-evolving cybercrime landscape
- Identity Management: how to leverage multiple identity providers for your different constituents (candidates, vendors, employees) using solutions such as Facebook, LinkedIn, Azure, and on-premise resources
- User Experience: how to provide a seamless solution that is modern, looks consistent across cloud and on-premise components, and is easy to use
- Flexibility: how to evolve the functionality you deploy rapidly
- Lifecycle Management: how to keep up with new updates (driven by regulatory or business value requirements) while keeping a low TCO
- Integration: how to control all of the integrations between each of the components