Gartner describes context-aware security as the use of supplemental information to improve security decisions at the time they are made. Here “context” means the attributes of the access request itself: the location it comes from, the time of day, the device type, the URL or transaction being requested, and so on. In today’s “always connected” environment, where access to business systems is expected to be ubiquitous, these contextual variables have become the key to uncovering suspicious activity that would otherwise go unnoticed.
While mobile ERP access means added flexibility, that flexibility comes with a higher risk of exposure. The ever-changing “context of access” is where the risk of unwanted data exposure ultimately lies.
Context can take many shapes, for example: accessing from a Starbucks on an unknown network, accessing from a foreign country while on a business trip, or accessing from the phone you just left in the back of an Uber on the way to the airport (yes, guilty). In a mobile world the context of access changes by the minute, and that creates significant risk: you do not want your high-privilege users accessing sensitive company data from places where their session could be compromised.
Sadly, traditional ERP systems are not equipped to handle that variable risk. Why? Because ERP roles and permissions are static: if you are a high-privilege user in your office, you are an equally high-privilege user at Starbucks, in a foreign country, and on that forgotten phone that could be scooped up by the next Uber rider. The role grants the same transactions regardless of where, when, or from which device the request arrives.
Even the most well-meaning insiders (employees) can leak data accidentally. For example, mobile access means the use of personal devices for work (this is inevitable). Many personal devices are shared among family members and have automatic backup enabled. Without anyone realizing it, sensitive data accessed from a personal device can be swept into a cloud backup; that data now resides in personal storage, completely outside the organization’s visibility and control.
Many assume the greatest data risks are network-centric, and that assumption isn’t wrong. The biggest, most headline-grabbing data breaches have typically been large-scale incidents where millions of records were exposed. Organizations have implemented sophisticated firewalls and network access controls to keep themselves out of the headlines, but data risks are becoming increasingly user-centric, with phishing and spear-phishing the most pervasive.
Phishing and spear-phishing have proven most effective against users who are working outside the office: quickly checking email between offsite meetings, working from home late at night (or early in the morning), or any other scenario where a user’s surroundings provide just enough distraction to fall for a phishing email.
This raises the question: if enabling mobile access increases risk, shouldn’t organizations integrate controls that dynamically enforce policies when risk is deemed “high”? After all, your web browser warns you when you visit a site that isn’t secure.
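To make the idea concrete, here is an added illustration (not Appsian’s product code, and not part of the original post) of what “dynamic enforcement on top of a static role” looks like. The ERP role itself never changes; a policy layer in front of it scores each request from the contextual variables discussed above (network, country, device, time) and decides whether the role’s high-privilege transactions are allowed outright, require step-up authentication, or are refused. The role’s transaction list, the corporate network ranges, the risk weights and the thresholds are all constructed for this example.

```python
"""Context-aware access decisions in front of a static ERP role.

Added example: the role below always grants the same transactions; the
decide() function applies contextual policy per request. All reference
data (networks, home country, transaction list, weights) is constructed.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed reference data for the example policy.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
HOME_COUNTRY = "US"
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Transactions granted by a hypothetical "Payroll Administrator" role,
# tagged with the sensitivity of the data they expose.
ROLE_TRANSACTIONS = {
    "view_own_payslip": "low",
    "view_employee_directory": "low",
    "view_employee_ssn": "high",
    "change_bank_account": "high",
    "run_payroll": "high",
}


@dataclass
class AccessContext:
    source_ip: str
    country: str          # ISO country code derived from the source IP
    device_managed: bool  # corporate, MDM-enrolled device vs. personal device
    device_type: str      # "desktop" or "mobile"
    local_time: time


def on_corporate_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def risk_score(ctx: AccessContext) -> int:
    """Sum weighted contextual signals; weights are an example policy choice."""
    score = 0
    if not on_corporate_network(ctx.source_ip):
        score += 2  # unknown network (the Starbucks case)
    if ctx.country != HOME_COUNTRY:
        score += 2  # foreign country (the business-trip case)
    if not ctx.device_managed:
        score += 3  # personal device: shared, auto-backed-up, easily lost
    if ctx.device_type == "mobile":
        score += 1
    if not (BUSINESS_HOURS[0] <= ctx.local_time <= BUSINESS_HOURS[1]):
        score += 1  # late-night / early-morning access
    return score


def risk_level(score: int) -> str:
    if score <= 1:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def decide(transaction: str, ctx: AccessContext) -> tuple[str, str]:
    """Return (decision, reason); decision is "allow", "step_up" or "deny".

    Low-sensitivity transactions follow the static role unchanged.
    High-sensitivity transactions are granted only in low-risk context,
    require step-up authentication in medium-risk context on a managed
    device, and are refused otherwise.
    """
    sensitivity = ROLE_TRANSACTIONS.get(transaction)
    if sensitivity is None:
        return "deny", "transaction not granted by the role"
    level = risk_level(risk_score(ctx))
    if sensitivity == "low":
        return "allow", f"low-sensitivity transaction at {level} risk"
    if level == "low":
        return "allow", "high-sensitivity transaction from trusted context"
    if level == "medium" and ctx.device_managed:
        return "step_up", "re-authenticate (MFA) before continuing"
    return "deny", f"high-sensitivity transaction refused at {level} risk"


# Constructed sample requests, all from the same high-privilege user.
OFFICE = AccessContext("10.20.30.40", "US", True, "desktop", time(10, 0))
BUSINESS_TRIP = AccessContext("203.0.113.7", "DE", True, "desktop", time(14, 0))
COFFEE_SHOP = AccessContext("198.51.100.9", "US", False, "mobile", time(9, 30))
LOST_PHONE = AccessContext("198.51.100.9", "US", False, "mobile", time(23, 15))

if __name__ == "__main__":
    for name, ctx in [("office", OFFICE), ("business trip", BUSINESS_TRIP),
                      ("coffee shop", COFFEE_SHOP), ("lost phone", LOST_PHONE)]:
        for txn in ("view_own_payslip", "view_employee_ssn", "run_payroll"):
            print(f"{name:14} {txn:22} -> {decide(txn, ctx)}")
```

The same role yields four different outcomes: full access from the office, step-up for the managed laptop on a business trip, and refusal of sensitive transactions from a personal phone on public Wi-Fi, including the phone left in the Uber. Low-sensitivity transactions are untouched, so the control tightens only where the exposure is. The weights and thresholds here are illustrative; a real deployment would tune them and add signals such as geo-velocity or device posture.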
The addition of contextual controls allows organizations to align their business policies with their security policies. Until the introduction of Appsian’s Security Platform, these functions had been siloed and interacted only during threat remediation.
The idea of implementing contextual access controls is certainly not new. Cloud Access Security Brokers have been giving organizations greater control over, and visibility into, their cloud applications; traditional on-premise ERP applications, however, have been left out of these strategies. Any organization looking to expand access and expose ERP transactions to the open internet must adopt contextual access policies to combat the threats that mobile access creates. Contact us to learn how you can implement a contextual access policy in your organization.