With remote workplaces being put to the test, organizations are looking to quickly scale their security practices. Unfortunately, many are learning the hard way. They find themselves at the intersection of using conventional security technology like a virtual private network (VPN) to secure data residing in traditional, on-premise ERP applications like PeopleSoft and SAP ECC. This can be a toxic combination that may leave you feeling secure, but it should be noted that your data remains at risk.
A VPN is Not Data Security
Plain and simple – a VPN is a connection point. While it may shrink your threat surface, there are still many risk factors to consider. For instance: where is a user coming from? What data are they trying to access? What device are they using? Is that device actually being used by the right person? What PeopleSoft data are they trying to extract onto their personal device? And so on, and so one…
Once a VPN authenticates a user, a myriad of risk factors remain. This is where a VPN ends and data security should begin. However, most organizations are simply not prepared to mitigate the risks that come once a user has passed a VPN. Here are a few examples:
Federating High Privilege Users
High privilege users should face the most scrutiny. Ideally, a high privilege user should authenticate through Active Directory or whatever identity provider an organization is using. They should then receive federated privileges to PeopleSoft based on the contextual attributes of their access (ex. are they accessing from a foreign country?) Federating high privilege access is a fundamental way to ensure a user is provided with the appropriate level of privilege. However, a VPN cannot do this. In fact, authenticating to PeopleSoft using a SAML identity provider (like Active Directory) can be challenging unto itself (see this blog for more info.)
If the point of a VPN is securing remote access, then why not consider the contextual attributes that come with said access? After all, the remoteness is what is considered the risk. In this scenario, a VPN is merely acting as a thin authentication layer, on top of PeopleSoft’s typical username and password model. What if a user opts to make their VPN password the same as their PeopleSoft password? This is what hackers anticipate and sadly, they are usually correct.
Malicious Insiders Tend to be High Privilege Users
This is a touchy subject but should be acknowledged. While no one wants to assume the worst in their employees, the fact remains that the more access you have, the more damage you can do. Given the right motivation – bad things can happen. This is the most compelling case for data security because the highest stakes surround high privilege users. A/P, A/R, Finance, Supply Chain, Payroll – all these functions deal with money. Having the ability to lock down and limit access to data and transactions will have a tremendous impact on an organization’s ability to mitigate financial losses from fraud, theft, and espionage. And because of COVID-19, all of these functions are now being executed remotely. The potential for damage is exponentially greater than before.
Ask yourself – should payroll queries be run and exported onto a personal device? Should wires be sent outside of normal business hours? Should a vendor be created when access is coming from a foreign country? I believe the answer you’re looking for is… NOOOOOOO!!!
Integrating dynamic, risk aware controls on sensitive financial transactions (and data fields) mitigates much of this risk. In addition, transaction logging and analytics prove to be extremely beneficial, as many organizations would prefer not to hamstring their employees with restrictions. However, they would prefer to gain better visibility in case an anomaly is detected.
A VPN Can Be Costly, Unscalable, and Leave You in The Lurch
Like any addition to your architecture, downtime can occur. VPN vendors can experience enterprise-wide outages – causing major disruption. In addition, with organizations moving toward a 100% remote access, VPNs can be prone to kicking people off after a period of time. Adjusting to remote work environments is frustrating enough, but if access is limited or hindered, and you don’t have the benefit of a readily available help desk – your users will become agitated. With so many senior leaders focused on business continuity, having additional hoops for your employees to jump through is counter to productivity.
And then there is the cost factor – which will certainly balloon with the increased number of users. We understand that costs will vary, but the ROI of 100% of your employees requiring a VPN to log into PeopleSoft is not positive. And as we established above, if the point of a VPN is increasing data security/maintaining integrity of financial transactions – then the ROI is even further from positive.
How Appsian Provides ERP Data Security for PeopleSoft and SAP Applications
Appsian believes user authentication is important, but it’s only one part of an ERP data security posture. This is why we developed the Appsian Security Platform for PeopleSoft. Enhancing an organizations ability to authenticate users is most effective when its: integrated with your existing identity management strategy and risk aware. This is where Appsian provides far greater value than a VPN. We enable seamless, secure access to PeopleSoft (specifically) via Single Sign-On (integrated with a SAML IdP), along with adaptive Multi-Factor Authentication. These solutions combine to provide a much better user experience and a vastly superior value if protecting PeopleSoft from bad actors is the primary intention of your VPN.
Lastly, visibility is key. With sensitive transactions being executed outside of the office having a better sense of how your data is being accessed and used is critically important. Using transaction logging and real-time analytics, Appsian provides PeopleSoft customers with unparalleled levels of visibility. Thus, allowing you to keep a watchful eye on your data at all times.
When approaching how you can enable secure, remote access – its best to identify what are the key objectives and invest in the technology that best suits those needs. Are you concerned that the data inside your ERP applications could be breached or exfiltrated? Are you concerned that financial transactions could be corrupted? If the answer is yes, then data security – and not solely a VPN are the answer.
At the end of the day, COVID-19 has forced organizations into unprecedented challenges. With an unstable market and unpredictable year(s) ahead, it’s important to focus security efforts on internal data and processes – as these being corrupted will result in losses that can make recovery significantly harder.
A GreyHeller customer – one of the largest financial services firms in the US – licensed and implemented our ERP Firewall layered security platform specifically to put in place detailed logging and analysis to prevent the same type of breach suffered by Anthem Healthcare in 2015. Anthem settled that breach for $115 million.
On July 31, 2017 it was reported that Anthem suffered another breach. This breach involved a malicious insider – one of the hardest situations to track down.
If you as a PeopleSoft customer are concerned about your PeopleSoft sensitive data being exfiltrated, our ERP Firewall software solution can help.
• Multi-Factor Authentication to prevent a phished employee’s credentials being used to use Query to download sensitive data
• Data Masking to redact sensitive data
You can prevent cyber criminals from stealing your PeopleSoft sensitive data.
How does it work and how easy is ERP Firewall to implement?
ERP Firewall plugs into your PeopleSoft webserver and is delivered with a pre-configured set of the most commonly used rules (based on implementing ERP Firewall for nearly 100 customers). Our highly automated install process takes a couple of hours after which you will be invoking MFA, masking data and logging transactions at a highly granular level. Many of our customers actually go-live within 30-days of installation.
Kevin R. Brock, a leading cybersecurity expert and the FBI’s former Principal Deputy Director, National Counterterrorism Center and Assistant Director for Intelligence, in a recent Forbes article stated –
“The impacts of cyber intrusions and disruptions are much greater and often devastatingly public—bringing to bear significant risk to company reputation, shareholder value and creating an entire new set of liabilities. Historically, the management of this risk has been delegated down in the organization. Current studies still show that upper management in most companies is rarely briefed on cyber threats.” (http://www.forbes.com/sites/christopherskroupa/2014/07/15/company-cyber-resilience-or-cyber-attack-choose-one/)
When working with PeopleSoft customers to help them understand their security risks, we often find that these organizations believe they are better protected than they actually are.
Our advice? Stop being reactive. Be proactive.
Correct preparation makes incidents far easier to resolve. Detailed and specific event-driven logging can alleviate some of the frustrations. Within the PeopleSoft application stack, it is often difficult to understand what users are doing after the fact. Sometimes effective dated pages make that easier, but nothing can replace a great logging solution.
Case in point….a user gets phished and the attacker then impersonates that user to update data within the PeopleSoft application. It might be easy to see the one row the attacker updated, but what about the data the attacker just looked at? How would you like to definitively answer what that attacker did?
Correct preparation would give you these answers – all the components, pages, and records that attacker saw. Yes, that’s right – know what the attacker accessed. Correlate by times, IP address or other information that you choose to log.
How about another scenario in which a professor travels abroad, accesses their personal data and updates an address? Later on in the day the organization is attacked from the country visited. The security staff at the University wants validation of the transaction(s). With the right logging this is an easy question to definitively answer – a quick resolution to a false positive.
Detailed, specific, event driven, customizable logging designed for your business processes greatly simplifies incident response.
The costs of resolving an incident continue to increase.
Our advice? Minimize the risks by being proactive with your security.