When business stakeholders come to you looking for answers, having visibility and context around ERP data access and usage gives you the actionable insight necessary to provide value.
As a leader of Enterprise Applications, customizing legacy ERP applications like PeopleSoft, SAP ECC, Oracle EBS, etc., to meet your business’ exact process specifications can leave you between a rock and a hard place. The more customized your ERP applications get, the more your business stakeholders love it, but the complexity around application support and maintenance also increases. That being said, accepting more complexity is just part of the job, because after all, your most important role (in the eyes of others) is providing timely and accurate resolution to inquiries or incidents from your business stakeholders.
You know the drill: members from various business units come to you requesting help for a particular incident or an anomaly they spotted. It’s up to your team to provide a resolution in a timely manner. And that’s where the trouble begins. Many incidents require hours, weeks, and even months to research and resolve. It’s hard to provide excellent customer service to the lines of business when your team is facing major obstacles to resolving incidents in a timely manner.
What if I told you there’s a way to enable your team to spend less time researching an issue (or no time at all) and produce faster results while providing better value for the various business leaders and their teams?
Three Major Obstacles to Timely ERP Incident Resolution
You’re the last person who wants to hear or say, “well, that’s just [insert ERP app name here].” But that’s one way you can sum up the limitations and obstacles your team will immediately encounter.
Here’s a simplified view of that process from the perspective of PeopleSoft. Somebody from a line of business will contact a member of your Sys Admin team and say, “Hey, this user’s account was updated (i.e., maybe they didn’t get their paycheck), or there was some sort of anomaly in the execution of a typical business transaction (i.e., vendor didn’t get paid, etc.). We don’t know what it is, and the functional user(s) say it wasn’t them. We’re not sure what happened. Can you guys look into this? That would be great.”
This incident kicks off your process flow to find a resolution. Then come the obstacles:
Obstacle 1: Legacy ERP Logs Can’t Tell You About Data Access
Experience says that most people who use an ERP application like PeopleSoft don’t know who’s doing what (specifically), who’s accessing what information, or most importantly – why. You probably first need to work out if this is something that the user did themselves or a hacker was able to gain access to the system – and also work out if this is an inside job or an external attack.
And while the logs can point you in the right direction, the legacy ERP logs are not designed to provide detailed information on who accessed what or even, in most cases, viewed something sensitive. This leads to major obstacle number two…
Obstacle 2: ERP Logs are Disparate and Not Correlated
ERP logs were designed for troubleshooting, not granular activity logging, which contributes to organizations and business units not knowing what their employees are doing inside the applications. When it’s time to go under the application hood and examine the native logs, another metaphor comes to mind: looking for a needle in a haystack. Here’s an example of all the native logs you might find in your instance of PeopleSoft:
- App Server
- PIA (Web Server)
- Process Scheduler
- Load Balancer
- Identity Provider (SAML, LDAP, ADFS)
- Host O/S Logs
Your organization likely has more than one of these servers where these logs reside. You might have four application servers, eight web servers, and so on. Now you’re looking at finding a needle in multiple haystacks. And that data is not correlated, so there is little relative context that can enable your investigation.
Here’s a nerdy example using the App Server and Web Server logs. On the Web Server, you cannot identify the person who logged in because you don’t know the OPRID. All you have are an IP address and a timestamp. You need to go to the App Server and review the OPRID, timestamp, and IP address on login or log out and attempt to correlate that information with similar information on the Web Server.
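The correlation just described, carried out in Python over constructed, simplified log lines as an added example (not from the original post and not Appsian's product logic); the line formats, page paths, OPRIDs and IP addresses are assumptions, not the real PeopleSoft PIA or app server log layouts.

```python
"""Attribute web-tier page requests to PeopleSoft OPRIDs using app-server sign-on events.

Added example with constructed log lines. The web server only records client IP and
timestamp; the app server records OPRID, IP and timestamp at sign-on/sign-off. A page
request is attributed to the OPRID whose sign-on session shares its IP and spans its time.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed app server events (format is an assumption, not the real PeopleSoft layout)
APPSRV_LOG = """\
2020-07-14 22:01:10 OPRID=JSMITH IP=203.0.113.25 EVENT=SIGNON
2020-07-14 22:40:05 OPRID=JSMITH IP=203.0.113.25 EVENT=SIGNOFF
2020-07-15 08:15:00 OPRID=AJONES IP=10.1.4.7 EVENT=SIGNON
2020-07-15 08:20:00 OPRID=BLEE IP=10.1.4.7 EVENT=SIGNON
2020-07-15 09:00:00 OPRID=AJONES IP=10.1.4.7 EVENT=SIGNOFF
2020-07-15 09:30:00 OPRID=BLEE IP=10.1.4.7 EVENT=SIGNOFF
"""

# Constructed web server access lines: timestamp, client IP, method, page (no OPRID)
WEB_LOG = """\
2020-07-14 22:05:31 203.0.113.25 GET /ee/direct_deposit
2020-07-14 22:06:02 203.0.113.25 POST /ee/direct_deposit
2020-07-15 08:30:00 10.1.4.7 GET /ee/personal_data
2020-07-15 09:10:00 10.1.4.7 GET /ee/personal_data
2020-07-15 23:59:00 198.51.100.9 GET /ee/direct_deposit
"""

APP_RE = re.compile(r"^(\S+ \S+) OPRID=(\S+) IP=(\S+) EVENT=(SIGNON|SIGNOFF)$")
WEB_RE = re.compile(r"^(\S+ \S+) (\S+) (GET|POST) (\S+)$")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


@dataclass
class Session:
    oprid: str
    ip: str
    start: datetime
    end: Optional[datetime] = None  # None: no SIGNOFF seen yet, session still open

    def covers(self, ip: str, t: datetime) -> bool:
        return self.ip == ip and self.start <= t and (self.end is None or t <= self.end)


def sessions_from(app_log: str) -> list[Session]:
    """Pair each SIGNON with the next SIGNOFF for the same (OPRID, IP)."""
    sessions: list[Session] = []
    open_sessions: dict[tuple[str, str], Session] = {}
    for line in app_log.splitlines():
        m = APP_RE.match(line)
        if not m:
            continue  # not a sign-on/sign-off event
        ts, oprid, ip, event = m.groups()
        key = (oprid, ip)
        if event == "SIGNON":
            open_sessions[key] = Session(oprid, ip, parse_ts(ts))
            sessions.append(open_sessions[key])
        elif key in open_sessions:
            open_sessions.pop(key).end = parse_ts(ts)
    return sessions


def correlate(web_log: str, app_log: str) -> list[dict]:
    """Tag every web request with the OPRID it belongs to, or flag why it cannot be."""
    sessions = sessions_from(app_log)
    records = []
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ts, ip, method, page = m.groups()
        hits = sorted({s.oprid for s in sessions if s.covers(ip, parse_ts(ts))})
        if len(hits) == 1:
            who = hits[0]
        elif not hits:
            who = "UNATTRIBUTED"  # request with no matching sign-on: worth a closer look
        else:
            # Two users behind one IP (NAT, proxy, load balancer): IP + time cannot decide
            who = "AMBIGUOUS:" + ",".join(hits)
        records.append({"time": ts, "ip": ip, "method": method, "page": page, "oprid": who})
    return records


def who_touched(records: list[dict], page: str) -> list[str]:
    """OPRIDs (or flags) behind every request for one page, e.g. the direct deposit page."""
    return sorted({r["oprid"] for r in records if r["page"] == page})


if __name__ == "__main__":
    for rec in correlate(WEB_LOG, APPSRV_LOG):
        print(rec)
```

The AMBIGUOUS and UNATTRIBUTED outcomes are the "needle in multiple haystacks" problem in miniature: once a load balancer or proxy puts several users behind one address, IP and timestamp alone no longer identify a person.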
Obstacle 3: Log Data is Not Enriched with Any Context That Makes It Actionable
Once your team has collected data from the logs and assembled material from other sources, the final step is to interpret everything and make a best guess so an action item can be established. How actionable is a collection of raw data such as IP addresses, user IDs, device locations, completed transactions, etc., if you’re not able to place that data into a human context?
Let’s take the example of “Jim” and the incident involving him not receiving a paycheck. The raw ERP data shows that Jim’s credentials accessed pages containing personal information and bank account information several times over a period of time. Jim, the human, denies that he made any changes to the data on those pages, so the paycheck should have been routed to his usual bank account. Maybe you change Jim’s username and password and cut him another check. Was Jim trying to defraud the company and get an extra check, or was Jim’s account compromised in some way? Could a hacker have accessed Jim’s payroll data, changed the account number, received the funds, then changed the number back – getting away without a trace? Absolutely! It happens every day. If you cut Jim a new check, you fix Jim’s immediate problem, but do you understand what’s happening in your system?
Why Appsian360 Immediately Makes You a Hero to Your Organization
You’ve been waiting in suspense to know when IT becomes the hero – well, here it is. When the business comes to you looking for answers related to a specific incident, Appsian360 provides the quick, actionable insight necessary to provide the company with the understanding of what happened with their ERP data.
How? Appsian360 logs granular user access to data, correlates existing ERP logs, enriches the data with contextual attributes (who, when, where, what device, etc.), and visualizes the ERP data’s access and usage on dashboards. Now your team can easily look at data access by IP addresses, user IDs, location of devices, pages accessed, etc., and very quickly understand the facts behind an incident.
Let’s go back to Jim’s situation. With just a handful of clicks in Appsian360, you confirm that “Jim’s credentials” did indeed access and edit his personal information. Additionally, you discover that “Jim” was logging in after-hours using a foreign IP address based in another country. With a few more clicks, it’s clear that the IP address is responsible for other compromised user accounts. You didn’t just discover Jim’s breach, you now have a clear picture and a direction to fix the actual security issue – one that was growing in urgency by the day!
Without context, you lack insight. Context around data access and usage creates actionable insights. Actionable insights support the company and provide value to key stakeholders.
Understanding user activity and data usage is precisely what the business needs – and without Appsian360, ERP logs lack insight. You can buck that trend with Appsian360.
Contact us to learn how Appsian360 can provide you with the most powerful, real-time view into ERP data access & usage.
As your company’s digital footprint grows, you can enhance your security posture by complementing your existing SAP Role-Based Access Controls (RBAC) with dynamic, Attribute-Based Access Controls (ABAC) to strengthen authentication and authorization. Both RBAC and ABAC are ways that organizations can control authentication and authorization, but they perform different functions across an enterprise IT stack.
Understanding SAP Access Control Using Roles
Functionally, a role is a collection of permissions, built from sets, relations, and mappings, that aligns access needs to resources and limits access on a “need to know” basis.
RBAC involves three basic principles:
- Role assignment: Only users with the right login can gain access to and interact with a system or application.
- Role authorization: When combined with role assignment, administrators authorize a set of credentials that can gain access to and interact with a system.
- Transaction authorization: A user can only interact with a resource to which she is authorized through her role memberships, while still being limited on a “need to know” basis.
RBAC has since evolved to include “hierarchies.” Hierarchies assign different roles different levels of access. For example, a Chief Executive Officer (CEO) needs to have a lot of access to sensitive information. Therefore, the CEO role has access that also encompasses the type of access provided to Vice Presidents, line of business managers, and standard employees. However, since a standard employee is at the “bottom” of the hierarchy, RBAC prevents her from accessing the sensitive information that the CEO can access.
Enhancing RBAC by Using Dynamic Authorizations in SAP
RBAC provides a strong foundation for setting access controls. However, digital transformation changes the way people interact with data resources. Since RBAC was intended for on-premises data repositories, it creates a very strict, static set of permissions. You either have access or you don’t.
Dynamic authorization – also known as attribute-based access controls (ABAC) – enhances RBAC by taking into account different “attributes.” Attributes are the adjectives of the access control world because they incorporate an additional description of either the user or resource.
Examples of user attributes:
- Department within the organization
- Management level
- Citizenship / Residency
- Security Clearance
Examples of action attributes:
- Transfer (money)
Examples of resource attributes:
- Data Classification
- Transaction Code
- Document Number
- Plant Code
Examples of environment attributes:
- Geographic location
- Device type
- Connection type
By incorporating these attributes, organizations can control user access more precisely, and with the flexibility of dynamic authorizations, better balance business and security requirements.
Achieving Dynamic Access by Using Attributes
Roles act as the foundation for providing access. If you think about it like a sentence, RBAC is the subject and verb. An IT admin has what we call “superuser” access. A simple RBAC sentence might look like this:
IT administrators can read and edit all information.
Based on RBAC, this sentence provides so much access that an IT administrator could be a data breach risk. Whether maliciously stealing sensitive information or accidentally sharing private information, the unrestricted access means organizations struggle to restrict IT administrator access while still providing enough access for the employee to do their job.
However, if we add attributes, or additional descriptors about how/when/where IT administrators can use their access, we limit the risk. By creating an “if-then” statement, we apply restrictions based on the defined characteristics.
If IT administrators are accessing the database (resource attribute)
from their homes (environment attribute) then
they can read (action attribute) the information.
By adding these attributes, we can prevent IT administrators from making changes to databases while they are at home.
Furthermore, we can use attributes to grant access as well. Taking the same statement, let’s incorporate time of day as an additional attribute.
If IT administrators are accessing the database (resource attribute)
from their homes (environment attribute) then
they can read (action attribute) the information,
but if they access the database
between 8 AM and 10 AM (environment attribute 2),
they can edit user data (action attribute 2).
By adding the additional environment and action attributes, you’re creating a scenario that allows IT administrators to work from home while also reducing the risk. You have created a time-bound restriction: when they are at home, they can only make user data changes between 8 AM and 10 AM, while at all other times they can only read the database information.
The more attributes you can incorporate, the more precisely you can define what, how, and when a user or group of users can access data.
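The if-then policies in this section, implemented as an added Python example (not Appsian's or SAP's code): a small attribute-based evaluator that applies the RBAC gate first and then the resource, action and environment attributes. The IT_ADMIN role name, the 10.0.0.0/8 corporate network, the reading of “between 8 AM and 10 AM” as 08:00 to 09:59, and the rule that administrators in the office keep their full RBAC access are assumptions; the deny rule for account provisioning from outside the corporate network goes beyond the text's example.

```python
"""Attribute-based evaluator for the IT-administrator policy described above.

Added example. RBAC decides whether the user holds a role that maps to the resource
at all; ABAC then applies the environment (location, time, source IP), resource and
action attributes. Deny rules override, the first matching permit wins, otherwise deny.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

# Assumption: the corporate network is 10.0.0.0/8; anything else is "outside".
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PROVISIONING_ACTIONS = {"create_user", "change_privileges"}


@dataclass(frozen=True)
class Request:
    roles: frozenset[str]     # user attribute (comes from RBAC)
    action: str               # action attribute: read, edit_user_data, create_user, ...
    resource: str             # resource attribute
    location: str             # environment attribute: "home" or "office"
    source_ip: str            # environment attribute
    when: datetime            # environment attribute


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str               # "permit" or "deny"
    condition: Callable[[Request], bool]


def on_corporate_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def is_admin_on_db(r: Request) -> bool:
    return "IT_ADMIN" in r.roles and r.resource == "database"


RULES = [
    # Generalisation beyond the text: provisioning only from inside the corporate network
    Rule("deny provisioning from outside the corporate network", "deny",
         lambda r: r.action in PROVISIONING_ACTIONS and not on_corporate_network(r.source_ip)),
    # The text's policy: from home, administrators may read ...
    Rule("admins may read the database from home", "permit",
         lambda r: is_admin_on_db(r) and r.location == "home" and r.action == "read"),
    # ... and may edit user data only between 8 AM and 10 AM (assumed to mean 08:00-09:59)
    Rule("admins may edit user data from home between 8 AM and 10 AM", "permit",
         lambda r: is_admin_on_db(r) and r.location == "home"
         and r.action == "edit_user_data" and 8 <= r.when.hour < 10),
    # Assumption: in the office the plain RBAC sentence still applies (read and edit all)
    Rule("admins in the office keep full RBAC access", "permit",
         lambda r: is_admin_on_db(r) and r.location == "office"),
]


def decide(req: Request) -> tuple[str, str]:
    """Return (effect, reason). RBAC gate first, then deny-overrides ABAC, default deny."""
    if "IT_ADMIN" not in req.roles:
        return "deny", "RBAC: no role grants access to the resource"
    for rule in RULES:
        if rule.effect == "deny" and rule.condition(req):
            return "deny", rule.name
    for rule in RULES:
        if rule.effect == "permit" and rule.condition(req):
            return "permit", rule.name
    return "deny", "ABAC: no permit rule matched (default deny)"


def make_request(action: str, location: str, ip: str, hhmm: str,
                 roles=("IT_ADMIN",)) -> Request:
    """Build a request against the database resource at a given time of day."""
    return Request(frozenset(roles), action, "database", location, ip,
                   datetime.strptime(f"2020-07-15 {hhmm}", "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    for args in [("read", "home", "203.0.113.5", "22:00"),
                 ("edit_user_data", "home", "203.0.113.5", "22:00"),
                 ("edit_user_data", "home", "203.0.113.5", "08:30"),
                 ("create_user", "home", "203.0.113.5", "08:30")]:
        print(args, "->", decide(make_request(*args)))
```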
Creating a Robust Data Security Strategy Using a Hybrid SAP Access Control Model
As organizations accelerate their digital transformation initiatives and allow more remote access to data and transactions, they need a way to configure a layered defense using a hybrid approach to SAP access control. Starting with RBAC, organizations set the foundation of their access policies. However, by incorporating different attributes such as user, resource, action, and environment characteristics, you can more appropriately limit access to and within your SAP data.
Without a solution like Appsian, the closest an organization can come to granting dynamic access to SAP is through customization or adding roles to a user for each attribute. Both options are costly and ultimately unmanageable in the long run.
Contact us to learn how Appsian can help you extend and enhance your existing SAP access controls and improve your reporting and auditing capabilities.
At the SAPinsider 2020 virtual conference experience, one of our product demo attendees asked how Appsian works with SAP GRC Access Control. We get this question a lot as SAP security and system professionals explore adding attribute-based access controls (ABAC) to the native SAP role-based access controls (RBAC) to streamline and strengthen access policy management and enforcement. Sometimes there is confusion about whether ABAC is enhancing or replacing their RBAC. Let’s take a quick look at how Appsian’s ABAC works with and enhances SAP GRC Access Control.
What is SAP GRC Access Control?
Organizations use SAP Governance, Risk, and Compliance (SAP GRC) to manage regulations and compliance and remove any risk in managing critical operations. One of the SAP GRC modules that helps organizations meet data security and authorization standards is SAP GRC Access Control. This module ensures that the right access is given to the right people with RBAC. It uses templates and workflow-driven access requests and approvals to streamline the process of managing and validating user access and provisioning. Without SAP GRC, for comparison, a person is creating all the roles from scratch and assigning privileges to them.
Appsian Enhances SAP GRC with Attribute-Based Access Controls
Appsian combines the SAP GRC role-based access controls with an attribute-based access control solution that delivers an ABAC + RBAC hybrid approach. This enhanced approach enables granular control and visibility that delivers a wide range of business benefits and lets you deploy data-centric security policies that leverage the context of access to reduce risk.
Appsian overcomes the limitations of traditional RBAC, allowing you to fully align SAP security policies with the objectives of your business and streamline audits and compliance.
As you can see in this illustration, ABAC begins the moment users start to access data and transactions. Where RBAC assigns access based on specific roles, ABAC considers the context of access (who, what, where, when, and how) before allowing access to transactions or data. Customers can set up additional rules that allow conditional access (for example, masking specific data fields or limiting the number of transactions after a particular time of day) or entirely deny access based on factors such as an unknown IP address.
Real-Time Analytics for SAP Security & Risk Management
With Appsian360, our real-time analytics and reporting tool, Appsian can enhance the SAP GRC reporting capabilities with direct, real-time visibility into transaction usage, violations, and compliance risk. Additionally, customers can:
- Monitor transaction usage, master data changes, and SoD violations
- View actual SoD violations with user, data, and transaction correlation
- Segment reports by user/data attributes
- Drill down into end-user usage events
Appsian360 provides analytical reports to drill down into end-user usage events to capture business risks and anomalies, and usage events that tie back to compliance risks.
The ABAC + RBAC Hybrid Approach to SAP GRC Access Control
By combining data-centric security capabilities with attribute-based policies, Appsian extends and enhances the existing SAP GRC internal access controls and improves the reporting and auditing capabilities.
Contact us today and schedule a demo to see how Appsian can help you enforce access controls beyond the standard RBAC model of SAP.
Organizations using traditional, on-premise ERP applications like SAP ECC and Oracle PeopleSoft are facing a rapidly changing reality around the collection, storage, and usage of data. Aside from the growing number of compliance regulations they need to follow, such as GDPR, CCPA, and others, they face critical visibility gaps related (explicitly) to understanding ERP data access & usage, especially at a fine-grained level.
This lack of visibility is exacerbated by organizations enabling remote and mobile access for their users, exposing them to a myriad of data security and compliance threats like hacking (phishing), along with fraud and theft by internal users, all of which result in the loss of millions of dollars each year.
Fortunately, ERP applications that were once considered a “black box” can now be enhanced with the most sophisticated logging and analytics technology available on the market. Introducing Appsian360, the first and only data access and usage analytics platform for SAP and PeopleSoft.
Why Context of User Access and Data Usage Matters
Far too often, user behavior is a mystery, resulting in security, fraud, theft, and business policy violations. Specifically, organizations lack detailed insight into how, when, and by whom transactions and data fields are being accessed.
As they exist today, legacy on-premise SAP and PeopleSoft systems simply do not provide organizations the granular visibility and context of user access and data usage they need in real-time to make proactive and strategic decisions.
“For years, organizations have been operating with limited visibility, and current threats to ERP data have made this status quo completely intolerable,” said Piyush Pandey, CEO of Appsian. “Appsian360 is about knowing who is doing what – at a very granular level.”
With Appsian360, security and compliance leaders can drill into specific data access and know exactly who is doing what, where, and why. With that level of in-depth, contextual information, any red flag incidents can undergo a rapid response plan.
“The beauty of Appsian360 is it’s a comprehensive solution that provides actionable insights,” added Pandey. “We know that forensic investigations and time to mitigation costs organizations countless amounts of money – and we’re pleased that Appsian360 can alleviate much of this burden.”
Appsian360 for SAP and PeopleSoft
Appsian360 installs into your ERP web server and does not require any additional customizations. There are zero noticeable effects on application performance. Here’s a high-level look at what Appsian360 can do for you.
Detect Security Threats in Real-Time: Appsian360 proactively alerts you to security threats like hacking, phishing, misuse of privileged accounts, and many more. You can quickly receive the information required to fully enable forensic investigations.
Uncover Hidden Business Risks: Appsian360 helps you detect and respond to fraud, theft, and errors by employees and third parties (vendors, consultants, etc.). Companies can maintain a complete view of sensitive business transactions, and what (specific) users are doing.
Monitor Employee Productivity: Appsian360 helps you maintain oversight as users process and execute business transactions. You can use these insights to ensure efficient staffing and identify potential bottlenecks in critical HR, payroll, and finance activities.
Understand Data Access & Usage with More Clarity Than Ever Before
Organizations can no longer rely on having a lot of data. They need to start triangulating and developing context around the data they’re getting and how it’s being used. Appsian360 provides real-time data access and usage visibility previously unavailable to SAP and Oracle ERP customers.
To see how data security and compliance threats that were once considered “the price of doing business” are no match for the watchful eye of Appsian360, join us for a virtual demonstration on Thursday, August 13. You can register here: https://www.appsian.com/visibilty-using-appsian360/.
Contact us today for a personalized demo and find out how Appsian360 can fill critical visibility gaps for your organization.
A critical SAP vulnerability (CVE-2020-6287 or RECON) was recently discovered by Onapsis that gives attackers TOTAL control of vulnerable business applications. It allows hackers to gain unauthenticated access to SAP and then create new user accounts with admin (superuser) privileges. With these privileges, a malicious attacker can do limitless amounts of damage, including stealing data, changing bank account numbers, fully sabotaging systems, and more.
RECON Shares Similarities to a Familiar Foe – 10KBLAZE
The RECON vulnerability puts the confidentiality, integrity, and availability of SAP ERP data and processes at risk, which is very similar to the 10KBLAZE exploit from 2019. What do these two exploits have in common? Simple: they leverage a lack of visibility and control to be successful. There is a reason that these exploits focus on the creation of admin accounts – because once you’re an admin (legitimate or not), you have the keys to the castle.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators of SAP products to:
- Analyze systems for malicious or excessive user authorizations.
- Monitor systems for indicators of compromised accounts resulting from the exploitation of vulnerabilities.
- Monitor systems for suspicious user behavior, including both privileged and non-privileged users.
- Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.
- Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
The key recommendations align with the need for monitoring – monitoring systems, monitoring transactions, monitoring the creation of accounts, and (most importantly) monitoring data access and usage. This is where many SAP ERP customers will struggle, as attaining fine-grained controls and visibility is complex, even prohibitive at times, with native functionality. This is precisely where Appsian can help.
A Second Layer of Defense: Fine-Grained Control and Visibility
RECON and 10KBLAZE highlight that a single, static layer of security within SAP is inadequate to combat modern-day threats. Appsian enables SAP ERP customers to layer their defenses using a comprehensive suite of fine-grained, risk-aware access controls, and continuous monitoring of data access and usage.
Here are Appsian’s recommendations to minimize your attack surface and the risks posed by RECON – and future vulnerabilities like it (in addition to the recommended security patches).
Attribute-Based Access Controls (ABAC) Are Essential in a Dynamic Environment
RECON and 10KBLAZE take advantage of vulnerabilities in the open, internet-facing components of SAP (think remote access). The Appsian Security Platform (ASP) uses attribute-based access controls (ABAC) to implement data-centric, “risk-aware” controls. ABAC prevents specific transactions like user provisioning when access originates from untrusted IP addresses (or IP addresses outside your whitelist), certain geographic locations, outside work hours, mobile devices, and many other contextual attributes. Bottom line – Appsian can stop the creation of a user account (or changes in privileges) if access is coming from outside the corporate network. Fine-grained policies can be implemented to block high-risk activity, such as those matching the RECON attack patterns.
Visibility into Data Access and Usage is Essential for Combatting Configuration Gaps
Both RECON and 10KBLAZE center around the unauthorized creation of highly privileged user accounts. Appsian360, the latest real-time analytics solution by Appsian, captures and visualizes data access and usage, which is essential for monitoring user provisioning activity like user creation/deletion and role/profile changes. Appsian360 can detect and alert organizations at the point of initial account creation, minimizing the damage by reducing how long a threat goes undetected.
Appsian360 can also detect suspicious transaction activity if the compromised and illegitimate accounts are not addressed at the point of creation. Furthermore, this creates an audit trail that acts independently from existing SAP logs and can expedite breach forensics activities.
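Detection logic for the provisioning activity described in the two paragraphs above, as an added Python example over constructed audit events (not Appsian360's own logic): it alerts on every administrative role grant, escalates when the target account was itself created minutes earlier, and flags provisioning from outside the corporate network or outside business hours. The event format, role names, network range and business hours are assumptions.

```python
"""Alert on suspicious user provisioning in a constructed ERP audit trail.

Added example. Monitors USER_CREATE and ROLE_ASSIGN events and raises alerts when:
  - an administrative role is granted (MEDIUM), escalated to HIGH if the target
    account was created less than NEW_ACCOUNT_WINDOW earlier (the "create a fresh
    admin account" pattern the text attributes to RECON and 10KBLAZE);
  - provisioning originates outside the corporate network (HIGH);
  - provisioning happens outside business hours (MEDIUM).
Event format, role names, network range and business hours are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumption
ADMIN_ROLES = {"ADMINISTRATOR", "SECURITY_ADMIN"}          # assumption
BUSINESS_HOURS = range(7, 19)                              # 07:00-18:59, assumption
NEW_ACCOUNT_WINDOW = timedelta(hours=1)

# Constructed audit events; "role=" is present only on ROLE_ASSIGN
AUDIT_LOG = """\
2020-07-14 02:13:05 actor=UNKNOWN ip=198.51.100.77 event=USER_CREATE target=SVC_BACKUP2
2020-07-14 02:13:09 actor=UNKNOWN ip=198.51.100.77 event=ROLE_ASSIGN target=SVC_BACKUP2 role=ADMINISTRATOR
2020-07-14 10:05:00 actor=HRADMIN1 ip=10.1.2.3 event=USER_CREATE target=NEWHIRE42
2020-07-14 10:06:00 actor=HRADMIN1 ip=10.1.2.3 event=ROLE_ASSIGN target=NEWHIRE42 role=EMPLOYEE_SELF_SERVICE
2020-07-14 11:00:00 actor=BASIS1 ip=10.1.2.9 event=ROLE_ASSIGN target=OLDUSER role=ADMINISTRATOR
"""

EVENT_RE = re.compile(
    r"^(\S+ \S+) actor=(\S+) ip=(\S+) event=(USER_CREATE|ROLE_ASSIGN) target=(\S+)(?: role=(\S+))?$"
)


@dataclass(frozen=True)
class Alert:
    time: str
    target: str
    severity: str   # "HIGH" or "MEDIUM"
    reason: str


def on_corporate_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def detect(audit_log: str) -> list[Alert]:
    """Single pass over the events in time order, remembering when each account was created."""
    created_at: dict[str, datetime] = {}
    alerts: list[Alert] = []
    for line in audit_log.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, actor, ip, event, target, role = m.groups()
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

        # Context checks that apply to every provisioning event
        if not on_corporate_network(ip):
            alerts.append(Alert(ts, target, "HIGH",
                                f"{event} by {actor} from outside the corporate network ({ip})"))
        if t.hour not in BUSINESS_HOURS:
            alerts.append(Alert(ts, target, "MEDIUM", f"{event} by {actor} outside business hours"))

        if event == "USER_CREATE":
            created_at[target] = t
        elif role in ADMIN_ROLES:
            # Admin grants always alert; a brand-new target account escalates the severity
            age = t - created_at[target] if target in created_at else None
            if age is not None and age < NEW_ACCOUNT_WINDOW:
                alerts.append(Alert(ts, target, "HIGH",
                                    f"new account granted {role} {int(age.total_seconds())}s after creation"))
            else:
                alerts.append(Alert(ts, target, "MEDIUM", f"{role} granted to existing account by {actor}"))
    return alerts


def alerts_for(alerts: list[Alert], target: str) -> list[Alert]:
    return [a for a in alerts if a.target == target]


if __name__ == "__main__":
    for a in detect(AUDIT_LOG):
        print(a.time, a.severity, a.target, "-", a.reason)
```

Because the alerts are derived from the provisioning trail rather than from the application's own security log, they survive the "delete or modify traces and logs" step an attacker with an admin account can take, which is the independent audit trail the paragraph above refers to.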
Prepare Yourself for the Next Critical SAP Vulnerability – Layer Your Defenses (While and After you Patch Your Applications)
RECON isn’t the first critical vulnerability to affect SAP, nor will it be the last. While security patches are available to keep ERP systems safe, they can take time (and resources) to implement, which results in significant downtime of production systems. Furthermore, the time to apply the patches depends on the complexity and the components involved. By all means, stay up to date on system updates, but bugs like RECON and 10KBLAZE serve as a reminder that patches alone aren’t enough to protect critical SAP data.
Talk to the SAP Security Experts at Appsian today to discuss how your organization can address the risks posed by RECON and other vulnerabilities.
A critical SAP vulnerability (CVE-2020-6287 or RECON) was recently discovered by Onapsis that gives attackers TOTAL control of vulnerable business applications. The RECON vulnerability allows hackers to penetrate SAP systems and create new users with administrative privileges, allowing them to manage (read/modify/delete) every record/file/report in the system.
The RECON bug is one of those rare vulnerabilities that received a maximum of 10 out of 10 rating on the CVSSv3 vulnerability severity scale, so it is crucial that organizations move quickly to apply patches.
Remote and unauthenticated attackers can exploit the vulnerability to create a new SAP admin user, bypassing access and authorization controls and gaining full control of the SAP system. Exploitation will impact the confidentiality, integrity, and availability of SAP applications. With an admin-level user account at their disposal, an attacker can:
- Steal personally identifiable information (PII) from employees, customers, and suppliers
- Read, modify or delete financial records
- Change banking details (account number, IBAN number, etc.)
- Administer purchasing processes
- Disrupt the operation of the system by corrupting data or shutting it down completely
- Perform unrestricted actions through operating system command execution
- Delete or modify traces, logs and other files
The RECON Attack Path
The RECON vulnerability is easy to exploit and resides in the LM Configuration Wizard component of the SAP NetWeaver Application Server (AS) JAVA. The LM Configuration Wizard of SAP NetWeaver AS JAVA does not perform an authentication check, allowing an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user. This compromises the Confidentiality, Integrity, and Availability of the system.
The vulnerability not only compromises the security of the NetWeaver Java applications but can also be used to exfiltrate credentials to an ABAP system through the ABAP secure storage, potentially leading to the exposure of sensitive ERP data such as PII and financial information.
SAP Guidance: Apply the Patch or Enable a Workaround
The critical nature of this vulnerability caused the Cybersecurity and Infrastructure Security Agency (CISA) to strongly recommend organizations immediately apply patches, as noted in SAP Security Note #2934135.
If you cannot apply the patch, then at least disable the tc~lm~ctc~cul~startup_app application, as described in SAP Security Note 2939665. Note 2939665 is a workaround and a defense-in-depth measure, not a solution.
Further Risk Mitigation Measures
Being up to date on the patches will help mitigate the vulnerability. Still, because of the number of security patches released in recent years, several customers are behind on these as the application of these patches requires downtime of the production systems. Moreover, the time to apply the patches depends on the complexity and the components involved. It can require a significant amount of time and effort, especially if the systems are a couple of patches behind.
All this ends up increasing the risk and the timeframe for which the systems are exposed. Having application security in the form of multi-factor authentication or additional policy-based controls and logging will help mitigate the risks and control sensitive data exposure in mission-critical systems.
Talk to the SAP Security Experts at Appsian today to discuss how your organization can address the risks posed by RECON and other vulnerabilities.
Every organization using SAP ERP applications faces the unique challenge of maintaining a strong security posture while enabling productive business processes. Throw in the uncertainty of today’s rapidly changing environment, and you can bet that IT professionals and business stakeholders are facing misalignment between IT controls and business rules and objectives.
To discover how organizations are evolving their security and risk management practices, Appsian commissioned a survey of nearly 200 senior stakeholders using SAP applications through an independent market research firm. We compiled the results of our survey into the SAP Security Report: Executive Perspective on SAP Business Risk Management.
We found that this rapid state of change in today’s environment has brought about a new normal for acceptable risk in SAP – but not by choice. While some organizations are adopting new processes and technology to address risk, legacy strategies are holding back many in their path towards efficiently managing ERP data risks.
We also uncovered four key takeaways from the respondents:
1. Business Process Risks Are Slipping Through the Cracks
Executive confidence is wavering in an organization’s ability to detect business risks from fraud, theft, and human error. While concern is generally high, a lack of consistent visibility into these business processes highlights a gap that many have yet to address.
2. IT Leaders Are Concerned About Excessive User Privileges
Excessive user privileges continue to be a top concern of leadership – and for good reason. Users have the keys to your kingdom, and with this, pose a heightened risk if their accounts are compromised or if they engage in malicious activity.
3. Misalignment is Hurting Confidence in SAP Security
Tight alignment between SAP security controls and business goals and objectives is paramount to secure, compliant, and efficient business processes. However, many respondents signal that the two are not aligned effectively.
4. Limited Visibility & Complex Controls Are Hindering Progress
Organizations are facing the limitations of their existing technology and processes. Solving this will require a new approach to overcome complexities in controls and limited visibility into their business-critical applications.
Want to gain a better understanding of how organizations are evolving their ERP security and risk management practices? Curious about the kinds of risks organizations are most concerned about, and how they view and prioritize user and system visibility, access control, oversight, and accountability?
Download your free copy of the SAP Security Report today and take a deeper dive into these findings.
Time is almost up for companies scrambling to get their data privacy strategies in compliance with the California Consumer Protection Act (CCPA). Beginning as early as July 1, 2020, the California Attorney General’s office can start enforcing the CCPA and handing out penalties of up to $2,500 per violation or up to $7,500 per intentional violation.
So when, exactly, will the CCPA become law? On June 1, 2020, the California AG took the final step before the regulations become enforceable by submitting the final text of the CCPA Regulations to the California Office of Administrative Law (the “OAL”). The OAL has 30 working days, plus an additional 60 calendar days related to the COVID-19 pandemic, to review the submission and approve it to become an enforceable law. Doing the math, the California AG can begin enforcing violations as early as July 1 or as late as September 1, 2020.
Strategies for Improving ERP CCPA Compliance
Companies using PeopleSoft, SAP ECC, S/4HANA and Oracle EBS are likely facing additional compliance challenges due to inherent limitations built into these legacy ERP systems. Let’s look at a couple of tactics for enhancing your ERP systems to improve compliance with CCPA and establishing the capabilities to prepare for the uncertainty around data privacy.
1: Enhance Visibility into User Activity
The CCPA requires organizations to implement appropriate security measures around personal data and satisfy data subject access requests (DSARs). That means businesses must know what personal data they store and the user activity going on around it. However, traditional ERP systems do not provide the required level of granularity.
To achieve detailed visibility around data usage, organizations need to expand their native logging capabilities with a strategy that focuses on data access and usage. That means capturing contextual details such as date of access, UserID, IP address, device, location of access, and actions performed.
This is information that is critical for compliance reporting and understanding how data is being used within your organization.
2: High Privilege Access Should be the Highest Priority for Strengthening DLP
When it comes to ERP systems, the static rules that govern access can be limiting because roles and privileges are user-centric, not data-centric. User-centric roles say a person (or group, in most cases) can view something under any circumstances, while data-centric means the nature of the data defines the access. This gets organizations in trouble time and time again from a DLP perspective because high-privilege users always have the ability to see more data than they actually need (to do their job). This makes non-compliance with CCPA almost inevitable. Overexposure of data is your biggest enemy, and governing access by static rules (aka ‘all or nothing’ access rules) creates an enormous liability.
Implementing data-centric policies (typically through attribute-based access controls) ensures that a user can only access data deemed necessary and job-related. This is because the data itself is governing access – not a user role. For example, access to certain high-risk transactions can be restricted based on a user’s location – or access can be granted, but with masked data fields. With every variation of context, attribute-based access controls can pivot and adjust accordingly. By reducing the threat surface, companies can reduce the risk of data leakage and mitigate compromised access damages.
3: Use Real-Time Analytics and Data Visualization (SIEM) to Expedite Incident Response Time
Integrated and real-time analytics displayed on dashboards were always a “nice-to-have” feature for security teams; however, keeping CCPA deadlines of breach identification and reporting in mind, data visualization has become a must-have feature. These advanced dashboards equip security professionals with real-time snapshots of data usage. The drill-down capabilities allow for enhanced data discovery and exploration to expedite breach detection and response, helping organizations stay compliant with CCPA and other existing and upcoming regulations.
Ready or Not, CCPA Enforcement Has Arrived
If you’re not wrapping up your CCPA compliance efforts by now, there’s no better time than the present to start (or continue down that road). Appsian can help you fast track your compliance efforts by enhancing your visibility and applying a data-centric ERP compliance framework.
The last thing any company wants is to discover that they’re out of CCPA compliance only when there’s a breach of the regulation.
Contact us to learn how Appsian can help you address your end-to-end security and compliance needs.
In these less than ordinary times, organizations are dealing with disruption at a frequency higher than ever before. An unfortunate side-effect of this COVID crisis has been its impact on employees. Whether furloughed, laid off, or set to take on broader responsibilities, change is happening. And naturally, these changes must be reflected in your ERP applications’ access policy management.
The uptick in user provisioning is placing additional pressure on SAP security and IAM teams, already burdened with securing remote access to applications for people working from home. These days, you have to wonder if IT professionals are feeling like they’re chasing something they can’t keep up with. And that leads to problems.
Joiners, Movers, and Leavers
The user provisioning process typically encompasses three phases: joiners, movers, and leavers. In short, they are three separate scenarios – when employees are onboarded, when they switch positions/departments internally, and when employees leave the organization. Given COVID, leaving the organization could mean either termination or furlough.
If overburdened IT and security teams cannot address provisioning promptly, organizations are leaving themselves open to an onslaught of risk in times where cyber-attacks are peaking and employees are already feeling stressed out.
Thanks to an enlarged threat surface from remote access, a compromised account can cause considerable damage before it is detected. Excessive privileges only multiply this risk. Alternatively, strained and disgruntled employees with excessive privileges may be tempted by fraud, especially in cases where segregation of duties (SoD) should be in play. If an employee was given extra responsibilities that necessitated new roles, potential conflicts might be overlooked.
Three Tips for Improving SAP Access Policy Management
Setting the roles is only one step. Not everybody should get the same kind of visibility into, or access to, data; what they see should depend on their role. This is a great time to invest in data security technology and establish more granular access policies. Here are three tips for improving your SAP access policy management:
1: Leverage Attribute-Based Access Controls (ABAC) to Simplify User Provisioning
Organizations with similar roles spanning multiple business units turn to role derivatives to ensure access is segmented appropriately. While effective from a control perspective, managing these roles can prove burdensome as the number of role derivatives multiplies with each branch-off.
For example, a manufacturing organization has 50 functional roles shared by users across 10 different plants. Using role derivatives, they would end up managing 500 different roles to ensure access is segregated appropriately. The sheer scale can be overwhelming to your SAP security team to begin with – and now we’re adding in all the joiners, movers, and leavers from COVID-induced workforce changes.
The purpose of roles is to be scalable! We want access policies that are one-to-many, not one-to-one. To gain back simplicity and lighten the load on your IAM teams, organizations can extend their existing role-based access control (RBAC) model with attribute-based access controls (ABAC). ABAC allows you to easily bring fine-grained “attributes” into your authorization decisions. In the example above, one could go from managing 500 role derivatives down to 50 roles and 1 supplemental ABAC policy that can consider the differing factor, a user’s assigned plant code, to automatically segregate their access appropriately.
2: Reduce Your Attack Surface with Fine-Grained Entitlements
The Principle of Least Privilege is a crucial tenet of information security. The goal is to minimize risk by providing users with the minimum level of access needed to perform the task at hand. This is the purpose of existing role-based access controls – e.g., an HR manager should not have access to finance transactions because they are out of their scope. However, this does nothing to protect data within their scope. Should the HR manager have access to social security numbers or compensation data at all times? After hours? Remotely? The answer is likely no.
Organizations can reduce their amount of accepted risk by applying granular business policies and access controls to strengthen data-level and transaction-level security. Leveraging ABAC, you can enforce risk-aware controls to place limitations on what users can access within your application, from where, when, how they can access, and what they can do with data. ABAC provides an additional level of security by incorporating additional context like geolocation, time of day, and IP address. This ensures appropriate user access and prevents users from having more access than they need. Want sensitive data masked when access is outside your network? Done. Want to block high-risk transactions after hours? Easy.
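As an added illustration (not Appsian's product code and not SAP's own authorization model), here is a small Python policy evaluator that layers the plant-code attribute from the role-derivative example above and the risk-aware context described here (after-hours blocking, masking outside the network, as also described in the CCPA section) on top of a plain role check. The role-to-transaction mapping, the set of high-risk transactions, the sensitive fields and the business hours are assumptions made for the sample.

```python
from dataclasses import dataclass
from datetime import time

@dataclass
class User:
    uid: str
    roles: set      # functional roles held (no per-plant derivatives)
    plant: str      # ABAC attribute: the plant the user is assigned to

@dataclass
class Request:
    user: User
    tcode: str          # SAP transaction code being executed
    plant: str          # plant the requested data row belongs to
    inside_network: bool
    local_time: time

# Assumed sample mappings, not a real SAP role catalogue.
ROLE_TCODES = {"PURCHASER": {"ME21N", "ME23N"}, "HR_MANAGER": {"PA20", "PA30"}}
HIGH_RISK_TCODES = {"ME21N", "PA30"}          # blocked after hours (assumption)
SENSITIVE_FIELDS = {"PA20": {"ssn", "salary"}}  # masked off-network (assumption)
BUSINESS_HOURS = (time(8, 0), time(18, 0))

def decide(req):
    """Return (decision, masked_fields) for one access request.

    RBAC step: some role held must grant the transaction at all.
    ABAC step 1 (plant segregation): the data row's plant must equal the
      user's plant attribute; this one rule replaces per-plant role derivatives.
    ABAC step 2 (risk-aware context): high-risk transactions are denied after
      hours, and sensitive fields are masked when access is off-network.
    """
    if not any(req.tcode in ROLE_TCODES.get(r, set()) for r in req.user.roles):
        return ("deny", set())           # out of scope of every role held
    if req.plant != req.user.plant:
        return ("deny", set())           # wrong plant: attribute check, not a derived role
    after_hours = not (BUSINESS_HOURS[0] <= req.local_time < BUSINESS_HOURS[1])
    if req.tcode in HIGH_RISK_TCODES and after_hours:
        return ("deny", set())           # high-risk transaction outside business hours
    masked = set() if req.inside_network else SENSITIVE_FIELDS.get(req.tcode, set())
    return ("allow", masked)             # allowed, possibly with fields masked
```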
3: Manage the Identity Lifecycle with User Activity Monitoring
Organizations should always engage in some kind of user activity monitoring, regardless of the number of joiners, movers, and leavers they’re dealing with. But this monitoring must extend beyond time-consuming and potentially expensive manual audits. You want to make sure the access control policies you’ve established are working and that you’re watching for anomalies. Some user activity to consider monitoring includes:
- Identifying high-privilege user activity and critical transactions while closely monitoring and auditing on a regular basis
- Continuously monitoring access across peer group activity for visibility into who changed what in regard to roles and permissions
- Setting risk-aware alerts based on context such as the user’s location, the device accessing the network, etc. This monitoring is vital for streamlining threat detection and alleviating the manual process typically required for threat response
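To show what the three monitoring points above look like as detection logic, here is an added Python example (not Appsian's product code) run over a constructed access log. The log format, the corporate network range and the sets of administrative and high-risk transactions are assumptions for the sample; the peer-group check flags a user who is the only member of their role executing a given transaction.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access log (not real SAP audit output), one event per line.
SAMPLE_LOG = """\
2020-06-15T09:14:03 user=alice role=PURCHASER tcode=ME23N ip=10.0.5.12
2020-06-15T09:20:41 user=bob role=PURCHASER tcode=ME23N ip=10.0.5.19
2020-06-15T09:31:07 user=carol role=PURCHASER tcode=PFCG ip=10.0.5.21
2020-06-15T22:47:55 user=alice role=PURCHASER tcode=ME21N ip=198.51.100.8
2020-06-15T11:02:10 user=dave role=HR_MANAGER tcode=PA20 ip=10.0.7.3
"""
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) tcode=(?P<tcode>\S+) ip=(?P<ip>\S+)")
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate range
ADMIN_TCODES = {"SU01", "PFCG"}      # user / role maintenance: "who changed what"
HIGH_RISK_TCODES = {"ME21N", "PA30"}  # critical transactions (assumption)

def parse(log):
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def after_hours(ts):
    hour = int(ts[11:13])                 # hour field of the ISO timestamp
    return hour < 8 or hour >= 18

def alerts(log):
    events = parse(log)
    # Peer-group baseline: which users in each role actually run each transaction.
    users_by_role_tcode = defaultdict(lambda: defaultdict(set))
    members = defaultdict(set)
    for e in events:
        users_by_role_tcode[e["role"]][e["tcode"]].add(e["user"])
        members[e["role"]].add(e["user"])
    out = []
    for e in events:
        ip = ipaddress.ip_address(e["ip"])
        if e["tcode"] in ADMIN_TCODES:          # role/permission change activity
            out.append(("role_or_user_change", e["user"], e["tcode"]))
        if e["tcode"] in HIGH_RISK_TCODES and after_hours(e["ts"]):
            out.append(("after_hours_high_risk", e["user"], e["tcode"]))
        if not any(ip in n for n in CORP_NETS):  # risk-aware context: off-network
            out.append(("off_network_access", e["user"], e["ip"]))
        # Outlier: only member of a multi-person peer group using this transaction.
        if len(members[e["role"]]) > 1 and len(users_by_role_tcode[e["role"]][e["tcode"]]) == 1:
            out.append(("peer_group_outlier", e["user"], e["tcode"]))
    return out
```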
Assign Ownership and Responsibility Over User Provisioning
While you’re monitoring user activity, don’t forget to put some eyes on your IT and security teams. You’ll want to assign ownership and responsibility to whoever responds to access requests and reviews temporary team member access. Keep good records as to why approvals are made or changed. You’ll want to approach this in a way that is easily audited. (Tip: email is not that process).
There are many moving parts and people that IT staff and security teams must manage. Leveraging tools that can improve an organization’s SAP access policy management will go a long way towards protecting important data and easing the burden on stressed IT and security teams.
Schedule a demonstration today and learn how Appsian can mitigate SAP business risks with ABAC and User Activity Monitoring.