If 2020 was the year of hastily enabling secure remote access to ERP applications, then 2021 will be the year when organizations realize that remote ERP access is here to stay – and long-term data privacy, security, and access governance strategies will be mission–critical. Securing ERP data has always been important in principle, but the mass migration to requiring remote access (in perpetuity) has kicked off a heightened emphasis on the topic.
Amongst a sea of learnings from the pandemic is that 2020 was the “coming of age” for ERP data privacy and the challenges it created. Many organizations were forced to learn the hard way that sensitive ERP data (business data and PII) are top targets for malicious activity and some of the most difficult assets for organizations to secure. Especially data in legacy business applications.
Let’s look back at the Year of the Pandemic and examine some of the data privacy events and trends we observed that will serve as guideposts for making ERP data privacy a mission-critical priority in 2021.
Variations in Access Presents Greater Data Privacy Challenges
It’s clear that working remotely is here to stay. A Gartner HR survey reveals that 41% of employees are likely to work remotely at least some of the time post-pandemic. Tech giants like Facebook, Salesforce, Twitter, and more, announced that they would continue to offer remote work and possibly move to entirely remote models permanently.
A key challenge uncovered when the pandemic forced a rapid transition to remote workforces was most organizations had data privacy and governance policies that didn’t account for variations in user access. Especially those using legacy ERP applications like SAP (ECC & S/4HANA), PeopleSoft, and Oracle EBS. After all, these applications were originally designed so users could get easy access to data inside the firewall. They were never designed for a dynamic access environment.
The fact of the matter is the roles and privileges that governed access to these systems depended on managed devices, corporate firewalls, and in many cases – 9:00 to 5:00 access demands. Remove those variables and enable access from anywhere, on any device, and at any time – and those strict privacy and governance policies were replaced by “wild west” levels of access risk.
Instead of needing to be in a specific physical location, users can access an organization’s sensitive data from anywhere. The physical and network controls that protected IT infrastructures and data privacy no longer provide the same level of confidence. Changing how companies do work requires them to change how they secure data and re-evaluate their data privacy and access governance strategies.
When it Comes to ERP Data Privacy – Identity is the New Perimeter
With organizations continuing to support remote access to ERP applications, they need to design policies and practices that define how data is accessed, viewed, and used – as well as the technology they’ll need to implement and enforce those policies.
A key investment is implementing dynamic capabilities to already established identity and access management (IAM) solutions. In other words, providing the ability to minimize risk by dynamically providing access based on the context of a user’s access.
Applying dynamic IAM and access governance supports traditional role-based controls but accounts for the variations in a user’s access that may indicate risk.
Further examples would be:
- Integrating an MFA on a sensitive transaction or data field and requiring a user to re-authenticate
- Deploying MFA if a user is accessing from an unmanaged device. Also known as zero-trust authentication
- Reducing levels of access privilege for super users if their access is coming from an unknown IP range. Also known as applying the principle of least privilege
- Applying dynamic data masking that masks all PII, account numbers, etc., if access is coming from an unmanaged device, unknown IP range, or outside typical working hours.
The sooner organizations realize that their perimeter is only as strong as their ability to manage user access – the better off they’ll be!
Data Privacy Regulations Mixed with Remote Access Will Only Make Compliance More Challenging
Today’s ever–changing data privacy landscape is a reminder that organizations should always be diligent about what kinds of data they are collecting, how it’s being stored, and most importantly – have the visibility to understand exactly how that data is being accessed. For example, is access suddenly coming from a hostile foreign country, or are certain data records/reports being accessed at a higher-than-normal frequency? Ask yourself, just because someone can access sensitive data, does it mean they should?
Successful organizations will invest in technologies that monitor user behavior around data access and usage, capturing contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information that is paramount for compliance reporting and effectively responding to audit findings.
Hodgepodge of State-Level Data Privacy Regulations Sow Confusion
Up to now, the standard-bearer for data privacy regulations in the United States was California’s CCPA. In 2021, the number of state-level data privacy regulations is likely to increase, which is bound to further complicate matters by creating multiple compliance requirements.
Virginia is poised to become the second state to enact a data privacy bill, while lawmakers in Washington state, New York, Oklahoma, and Utah are currently weighing proposals. Meanwhile, Californians voted to approve the California Privacy Rights Act (CPRA), a series of changes made to the existing California Consumer Privacy Act (CCPA).
This hodgepodge of domestic data privacy regulations should motivate organizations to get data privacy, security, and access governance strategies in place, ensure documentation, and prepare for both financial penalties and civil actions. If 2020 was any indication (GDPR fines rose by nearly 40%), companies are likely to see more frequent and more significant fines for non-compliance in 2021.
Having Weak ERP Data Privacy Policies Will Become Expensive
COVID raised the awareness of ERP data privacy as companies struggled last year to continue with normal business operations in a remote environment. These struggles forced many leaders to establish privacy and compliance frameworks and implement the technology to support them. However, this is just the beginning.
With 2020 being a record year for data breaches – along with an ever-growing list of data privacy regulations that carry monetary fines for non-compliance – the writing is on the wall. Organizations will not be able to call themselves victims if their decades of accumulated PII and business data get exploited or breached. The monetary consequences that come from these incidences can have catastrophic effects—both against your bottom line and reputation.
Contact Appsian to learn how we can help you align your legacy ERP applications with today’s data privacy and compliance demands. Effectively scale your efforts for future mandates.
California State University, the largest four-year public university system in the country, made headlines when it announced Tuesday that it intends to continue with remote teaching in the fall term at all 23 CSU campuses, affecting most of its 482,000 students. This was a bold move, but I applaud the CSU system, or any college or university, as the rapid shift to online instruction amidst COVID-19 has been an undertaking of historic proportions.
Lost in the headlines is the amount of work that IT teams must do to enable remote access for nearly the entire university staff and faculty. For Cal State University (an Appsian customer – 17 campuses), that’s more than 53,000 faculty and staff who need access to key information and systems. Along with student users, in total, that’s 535,000 (mostly remote) users accessing the university’s ERP systems from all over the world.
The implications of this decision are wide-reaching. Beyond answering questions like, how will you be able to keep students engaged or how will you be able to provide parity to classroom learning, there are a myriad of implications placed squarely on the enterprise systems that support these institutions (ex. PeopleSoft and SAP ECC.) With millions of students, faculty and staff depending on these applications to keep operations running smoothly, how will campuses look to adapt these systems to their new normal? How can they ensure these systems can meet these new demands?
Universities Must Focus on (2) Key Areas: User Experience and Data Security
Remote and distance learning means operations will be extremely dependent on self-service. Universities using PeopleSoft Campus Solutions face a double-whammy. Maintaining strict authentication and data security policies create challenges on their own. In addition, many campuses require additional UX/UI solutions that enable a unified mobile user experience. Without additional UX solutions in place, PeopleSoft’s mobile user experience can be challenging for students to navigate – especially as they’re trying to access self service via mobile devices. Several colleges and universities use the full suite of Appsian’s technology to address these issues.
For Students, User Experience is EVERYTHING
Today, student’s primary method for communication is through their mobile devices. A common problem for universities is that PeopleSoft Campus Solutions’ primary interface is PeopleSoft Classic. This UI is not mobile responsive and has a look and feel that doesn’t necessarily align with Millennial and Gen Z. expectations. As tens of thousands of students register for classes in the fall, this user experience could prove to be problematic, as students are so used to intuitive experiences. Without UX/UI enhancements, campuses run the risk of flooding their support desks or having students abandon self-service transactions – not meeting key enrollment deadlines.
PeopleUX by Appsian turns the Classic interface of PeopleSoft Campus Solution into a visually engaging user experience. Students can easily navigate through transactions like add/drop/swap courses, view grades, class schedules, search for classes, access advisor information, and financial aid details from their mobile device. Giving students the proper tools to execute the majority of their tasks through self-service will alleviate your staff’s workload. It will also provide one less hurdle students (especially new students) will have to get over before class begins in the Fall.
For EVERYONE, Data Security is EVERYTHING
Colleges and universities face the same challenges as businesses that had to transition entire workforces from office-based to work-from-home. Remote access is now a requirement, and IT departments should have the ability to dynamically control access to sensitive transactions and maintain granular visibility into user behavior – something ERP systems like PeopleSoft and SAP ECC inherently lack.
Campuses are turning to VPN to ensure secure authentication, but VPNs have plenty of vulnerabilities. In many cases, adding Multi-Factor Authentication via Duo Security® has been a top choice – one that Appsian couldn’t recommend more. However, integrating an MFA like Duo with PeopleSoft or SAP ECC presents significant challenges. Integration is necessary, especially if you’re looking to apply step-up MFA at the transaction level. This is recommended because application-layer authentication is good, but transaction level authentication is ultimately the best way to ensure data isn’t unnecessarily exposed.
Integration also allows you to leverage adaptive MFA. This can enable you to deploy MFA challenges (at the application layer) based on the context of access, such as business hours, location of the device accessing the system, and type of device. This flexibility can reduce the disruption of MFA challenges on the user and ultimately provides significantly better data security.
Additionally, campuses must consider how they can maintain visibility over the data in their transactions. After all, when you consider the sheer volume of sensitive data in a student information system like student records, student financial information, parent financial information, etc. it becomes clear that the implications of a breach could be catastrophic. This is not lost on hackers who are now aware that large university systems are moving to 100% remote learning. These are data security implications that are not simple to solve, but the focus must be on visibility, control, oversight, and accountability. How detailed is your view of data access and usage? If there was a potential security threat, how long would it take you to detect and remediate it?
It’s too early to tell how many colleges and universities will follow Cal State University’s lead and announce remote learning plans for the Fall semester. Regardless, now is the time to prepare for a school year that still has many variables and unknown factors that can influence a decision.
Request a demonstration so you can get to know the many ways that Appsian can help your university and college tighten your PeopleSoft data security and deliver a mobile-responsive and visually compelling user experience to students.
Analytics have always been necessary for informing ERP data security policies. This has never been more relevant than today, in this everybody-works-from-home environment where function leaders are scrambling to attain oversight and accountability. With whole departments spending 8 hours a day in business applications like PeopleSoft and SAP, establishing strong ERP user activity monitoring strategies is mission-critical. We also touched on this topic a few weeks ago, but now that organizations are adopting visibility solutions, the question becomes – what are the most important details to capture?
Always Capture the Who, Where, When, What, and How
Remember the good old days of February 2020 when articles touted the growing trend of working from home and that remote access to your ERP system and making transactions available on the internet will one day become the “new normal?” Ah, good times.
Then COVID-19 happened, and remote work went from growing trend to hard-core reality in a matter of days. System administrators scrambled to collaborate with managers to create new or updated work-from-home polices that determine who, what, where, when, and how workers can access ERP data – and what transactions they’re allowed to perform. Good times, indeed.
Let’s break down these different details…
1. Who – Details of the User Accessing the Data
Even if your user authentication strategies are strong (ex. leveraging multi-factor authentication), you’re still going to have security concerns – especially with high privileged user accounts. Narrowing your visibility efforts on high privilege user activity allows you to focus on the accounts that can cause the most damage (if corrupted or misused.) For example, your organization may be global (with ERP access coming from multiple countries) but your high privilege users may primarily reside near your domestic HQ. High privilege access coming from outside this IP range may be an early sign of unauthorized activity.
2. What – Details of the Data Being Accessed
What are those Tier 1, highly sensitive data fields you want to closely watch? I’m talking about C-suite salary information, social security numbers, bank account information, etc. Application level logging falls short in showing exactly what a user accessed. However, these details are ultimately the most important. If you do not have visibility into exactly what a user accessed, then you are missing a significant part of the data security puzzle. In many instances, field level logging can show you how much “over access” users may have. After all, least privilege is a best practice – especially in remote environments.
3. Where – Location Where the User is Accessing the Data
As mentioned above, location can be a leading indicator of unauthorized activity. This strategy can be expanded, especially if you’re operating in a vertical that typically doesn’t require global access (ex. higher education, healthcare, state & local government, etc.) Whether it is a sudden influx of authentication requests from China or one-off access from a European country, having location data is an essential component of ERP user activity monitoring.
4. When –Time of Day When User is Accessing Data
Thanks to stay-at-home orders, normal 8 to 5 work hours don’t apply when users must (potentially) deal with kids or other distractions. Simply enacting policies that restrict certain transactions from being executed outside of business hours is a quick way organizations can enhance oversight – but how can you really enforce it at scale? Either way, monitoring after hours activity, while not an obvious indicator of a problem, is a solid baseline. Especially if most ERP processing activities are being executed by hourly employees.
5. How – Type of Device Accessing Data
One of the difficult aspects of rapidly deploying remote ERP access is getting an inventory of all the devices they’ll use. Corporate-managed vs personal devices have a large impact on how you want sensitive business data accessed. Even if every employee has a company-issued device, you’re bound to see unauthorized devices (mobile phone, tablet, personal workstation or laptop, etc.) accessing your system. Knowing exactly what these devices are accessing (or possibly downloading) is extremely important for data loss prevention.
Real-Time User Activity Monitoring Leads to More Informed ERP Data Security Decisions
Using the Appsian Analytics Console, you get a 360-degree view of what is happening around your ERP data. From there, you can map out a targeted incident response before damages become catastrophic and influence your ERP data security policies.
Some additional examples of ERP data security measures you can deploy include:
- Enabling adaptive authentication policies that deploy additional authentication challenges based on the context of access
- Restricting the availability of specific transactions (partial or full) when access is coming from unwanted geographic locations
- Masking any data field (partial or full)
Appsian enables organizations to enhance their level of control and visibility over business data. To ease the anxiety of allowing remote ERP access, Appsian can help you make the rapid changes (avg. go-live in 2 weeks) necessary to manage and mitigate risk.
Request a demonstration of the Appsian Analytics Console today.