×
Security

[Podcast] Securing Access with PeopleSoft

By Michael Cunningham • May 12, 2021

Appsian’s Executive Director for Security Solutions, Greg Wendt, appears in the latest episode of IAM Pulse, a podcast from BIO-key International that discusses all things identity access management.

In this episode, Greg joins host Kimberly Johnson, BIO-key’s VP of Product Marketing, and Greg Browinski, Principal Software Developer at BIO-key International, to talk about making sure PeopleSoft is not isolated from your IAM strategy but instead seamlessly integrated into it.

Listen to the full episode here:

Episode Summary:

Most organizations are running hundreds, if not thousands of applications, with some running the critical operations of the business. This is the case with Oracle PeopleSoft, which runs inventory, financial services, and campus solutions for universities, colleges, and other institutions. However, it can be complicated when it comes to securing this application and break the mold of a company’s IAM strategy. Greg Wendt, Appsian’s Executive Director for Security Solutions, joins the podcast to discuss how to involve PeopleSoft with an IAM strategy.

Stay Updated

Data Privacy, Security

Are ERP Security and Compliance Risks Interfering with Your Digital Transformation?

By Michael Cunningham • April 7, 2021

Implementing enterprise resource planning (ERP) systems has always been both mission-critical and notoriously difficult. They must align with business processes, but the organization distributes those processes across multiple departments. Legacy ERP systems, often considered a large one-time investment, lack the flexibility necessary to scale with your business. As your organization began its digital transformation journey, cloud-based ERP seemed to be a solution to many of these problems. However, every benefit comes with a cost. Modernizing legacy ERP systems for security and compliance creates new challenges, particularly with distributed workforces.

Why is Modernizing ERP a Mission-Critical Business Goal?

Whether you wanted to modernize your ERP or not, you likely found yourself rapidly adopting to remote access requirements in 2020. In response to COVID-driven stay-at-home orders, companies needed to accelerate their digital transformation strategies. This move included ERP systems.

However, as you look toward a post-pandemic business model, you might be considering maintaining a hybrid workforce. Thus, modernizing your ERP is a mission-critical business goal for several reasons, including:

  • Ability to access from anywhere
  • Built-in Customer Relationship Management (CRM)
  • Lower capital expenditures with subscription models
  • Reduced total cost of ownership

According to HubSpot’s 2020 ERP Report, 34% of respondents said they were moving away from legacy systems, and 86% selected SaaS deployment models. However, that same report noted that 27% of respondents remaining on-premises cited security breach risk as their reason.

ERP Security and Privacy Controls are Notoriously Difficult to Implement

When undergoing digital transformation, organizations often struggle trying to secure their ERP systems. Most companies need to take a hybrid approach that connects their legacy on-premise deployment to their new SaaS applications.

Organizations struggle trying to prioritize and mitigate risks for several reasons. However, three fundamental challenges exist:

  • Data storage arrangements: Inability to control infrastructure increases data leakage and corporate espionage risks
  • Authentication: Continued brute force attacks and credential theft increase data security and privacy risks
  • Access controls: Complex identity and access relationships reduce the ability to control who accesses resources

Traditional on-premise ERP deployments used role-based access controls (RBAC) with static permissions lists. However, the inherently static nature means that these alone fail to protect data, particularly in remote or hybrid work environments.

For example, PeopleSoft’s security model assigns roles to user profiles. The user profile defines the data that the person can use. The permissions list is the set of pages the user can access and actions the user can take.

These controls protect data across on-premises deployments where the applications and users sit inside the organization’s network. Since remote access to on-premise ERP is dynamic, these legacy controls increase security and privacy risks when implemented for modernized ERP projects.

5 Strategies for Setting Security and Privacy Controls for a Hybrid ERP Deployment

Companies adopt digital transformation to leverage speed and agility, enabling them to scale operations. At the same time, they still need to maintain their on-premise systems. To protect information, organizations need dynamic and scalable access controls that align with their systems and business goals.

1. Identify Assets and Assess Risk

For effective access controls, the first step is to identify all data that you store, process, and transmit. Second, you need to assess the data’s criticality and risk level. Finally, you need to identify users who access information and assess the risk they post to the organization.

As part of this, you should consider:

  • Standard users
  • Privileged users
  • Users’ payment processing authority level
  • Financial information
  • Personally identifiable information
  • Sensitive corporate information

Once you assess user and data risk, you can create a plan that helps you migrate the information securely. When setting controls, you should limit access according to the principle of least privilege and create fine-grained access privileges.

2. Normalize Data Access Across Integrated Applications

With SaaS applications, organizations no longer need to commit to a single platform. They can pick and choose the applications that best meet their needs, which can mean integrating multiple vendors.

As you build out your application stack, you need to maintain appropriate access controls. This can be difficult when vendors define access rights differently. Many organizations worry that normalizing access data requires an expensive, labor-intensive overhaul of their Identity and Access Management programs.

However, if you focus on visibility instead of connectivity, you can leverage automated tools that help you see into user access. Tracking user access in a single location, despite disparate access definitions, enables you to protect data security and privacy even across different application vendors like SAP and PeopleSoft.

3. Use Context

A primary benefit of hybrid on-premise and cloud ERP systems is the ability for people to work wherever they want. However, that same flexibility drives many of the security and privacy risks companies face.

Adding context to your access permissions is another way to secure data. After setting your role-based controls, you should consider adding context such as time of day, geographic location, and IP address. With these attribute-based access controls (ABAC), you can more granularly define how users interact with data, making it easier to detect anomalies.

4. Enable Step-Up Multi-factor Authentication

ABAC also enables you to use step-up multi-factor authentication (MFA). Step-up authentication is a process where users need to re-authenticate into an ERP application when they attempt a privileged function or transaction. ABAC enables you to trigger step-up MFA when your system detects an abnormal attribute, often one associated with credential theft.

For example, one of your users always logs in from California, USA. If the user tries to access the ERP’s payment module from Ontario, Canada, the system will notice that this is an outlier, an abnormal attribute for this user. The system can require re-authentication, additional proof that the person is who they say they are. If this is a cybercriminal leveraging stolen credentials, then the step-up authentication acts as an additional security and privacy control, preventing unauthorized access.

5. Continuously Monitor Behavior Around Data Access and Usage

Modernizing your ERP security and privacy controls also includes continuously monitoring for anomalous and suspicious activity. Gaining a granular view into data access and use is a way to proactively mitigate risks that can arise in a remote workforce accessing ERP solutions.

Continuously monitoring access can help you gain insight into employee productivity, cybersecurity risks, and insider fraud. Tracking when and how employees use data gives you a way to set baselines for “normal” activity—any deviations from this warrant further investigation.

For example, a user consistently accesses your ERP between 8 am and 5 pm from a location in the United States. If the user suddenly accesses the system at 2 am, the anomalous activity could indicate fraud. Even if you’re using step-up MFA to prevent that activity, you still need to investigate the event. While it may be someone with insomnia, it can also be an employee trying to steal information or money.

Appsian Enables ERP Security and Compliance for Your Digital Transformation

Modernizing your legacy ERP application doesn’t mean you have to “sacrifice” the same granular levels of control and visibility as a cloud application to enforce data security, privacy, or compliance policies. Taking a proactive approach to ERP security and data privacy during your company’s digital transformation can mitigate risks before they turn into realities.

Appsian has been enhancing on-premise ERP environments for more than ten years, and we’d love the opportunity to learn more about your digital transformation project so we can help you manage your ERP data security and compliance needs. Contact us today.

Stay Updated

Security

Advancing SAP Security and Risk Management with Least Privilege 2.0

By Ryan Quinonez • April 2, 2021

The ERP security landscape is drastically evolving and traditionally on-premise applications such as SAP ECC and S/4HANA are falling behind. Dynamic risks posed by remote access, changing compliance requirements, and the rising number of user-centric threats have highlighted a gap in controls. The ways users access SAP has changed, and because of this, it’s time to reevaluate your security model and how the concept of Least Privilege is being enforced.

The Traditional Approach to Least Privilege in SAP is Insufficient

The Principle of Least Privilege aims to minimize risk by limiting the number of privileges given to a user based on what privileges are job-related or necessary to complete a task—reducing the opportunities for improper uses of privilege to occur.

In SAP, this has traditionally guided role design from a functional perspective. For example, an HR Manager role may have privileges such as maintaining HR master data, processing payroll, or modifying pay rates – but should not have access to transactions outside their line of work (ex. creating, maintaining PO’s).

The approach was sufficient when user access was limited to a physical office, during normal business hours, and on a secure network. However, we all know this has changed. Remote work and cloud-hosted applications have expanded the scope of access, and with it, shifted the risk landscape. Context such as the what, when, where, and how a user interacts with SAP must be considered in addition to functional access rights.

Unfortunately, this leads us to the Achilles heel in SAP security: static, role-based access controls (RBAC). Risk is dynamic. RBAC is not. Without the ability to consider contextual factors beyond a user’s role and privileges, organizations are actually constraining their ability to enforce PoLP.

This gap leads to a variety of risks, including data exfiltration, fraud & theft, policy violations, and compliance risks. It’s time for companies to take their SAP security to the next level. It’s time for Least Privilege 2.0.

Appsian’s Approach to Least Privilege 2.0

As noted earlier, a key to minimizing SAP risk exposure is context. To integrate context into controls, SAP customers can leverage attribute-based access controls (ABAC) and business rules that extend SAP’s existing authorization model.

With the Appsian Security Platform, organizations can enable security policies that align controls with real-world scenarios by considering the context. Dynamic authorizations at both the data and transaction level can be implemented to fine-tune your security measures and align exposure to your organization’s risk appetite.

Least Privilege 2.0 means going beyond static roles and privileges, allowing companies to achieve:

  • Dynamic access controls to understand if a transaction should be performed remotely and incorporating attributes such as user, resource, action, and environment characteristics to limit access to and within SAP data.
  • Risk-aware process controls to ensure that established business policies are enforced and prevent violations from happening in the first place
  • Fine-grained data protection to determine if a user really needs access to a particular set of sensitive data and capture granular insights to uncover user activities and transaction details.

This supplemental attribute-based authorization layer enables rapid, wide-reaching changes without the need to redesign individual roles. For example, organizations can now dynamically protect data with:

Policy-Based Data Masking
Limit the exposure of PII and other high-risk information with dynamically enforced data masking throughout SAP. Policy dictates at runtime whether a user has full access to data within a transaction, limited access via full/partial mask on sensitive fields, or is blocked entirely.

Data Exfiltration Controls
Stop data leakage from both privileged accounts and normal end-users by ensuring data can only leave SAP in secure environments. Access to transactions that export data to downloadable files can be blocked in high-risk scenarios.

Let Appsian Show You How to Address Risk in SAP with Least Privilege 2.0

As business processes in SAP evolve and grow more complex, your organization’s capability to mitigate access risks must also evolve. Appsian can help you leverage Least Privilege 2.0 to extend your SAP security controls to address gaps in coverage and minimize your accepted risk. Get in touch with the experts at Appsian today to schedule a demo and learn how we can help.

Stay Updated

Data Privacy

Key Strategies for Improving ERP Data Privacy and Compliance

By Michael Cunningham • March 30, 2021

With 2020 nearly three months behind us and the rollout of COVID-19 vaccines picking up speed, organizations are looking hopefully to 2021 and beyond. Optimism aside, a hard truth about 2021 is that remote work and ERP access are here to stay. Organizations must put a mission-critical emphasis on ERP data privacy, security, and access governance policies. Here are some key strategies to consider as you strive to improve your ERP data privacy and compliance in 2021 and beyond.

ERP Data Privacy Starts with Knowing Your Data

The obvious first step to any kind of ERP data privacy is knowing exactly what data you have. Think of it this way: you can’t protect what you don’t know. This data inventory, if you will, should align with the basic data privacy guidelines set out by regulations like GDPR, CCPA, SOX, and a growing number of others. Companies should have an understanding of what sort of personal data is collected, how that data is accessed, where and how it is stored, what is it used for, if it is shared with another organization or group, and how long is it kept before being disposed of.

Apply Dynamic Access Governance Policies for ERP Data Access

Now that you’ve identified and categorized your data, it’s time to establish who has access to it, when they can access it, from where, on what device, and how often. The problem is that legacy ERP applications like SAP (ECC and S/4HANA), Oracle PeopleSoft, and Oracle EBS use static role-based access controls (RBAC) to govern access. These roles have reached their limitations in a dynamic workplace because static roles do not leverage contextual attributes.

To create a more dynamic and robust cybersecurity and data privacy program, you can enable dynamic access controls (often called ABAC) to support your RBAC controls by incorporating additional contexts, such as geolocation, time of day, and transaction type. Combining ABAC and RBAC, you can establish rules that grant access to ERP applications and transactions only if the person meets certain contextual criteria. When defining risk through the lens of the context of a user’s access, dynamically enforcing governance is a crucial data privacy objective and investment.

Leverage Dynamic Controls to Enforce Policies

Once dynamic governance policies are in place, organizations can enforce those policies by leveraging dynamic technology. Specifically, here’s how Appsian can help you gain control and visibility of data access and usage without sacrificing productivity.

Avoid Unnecessary Data Exposure with Dynamic Data Masking
An essential requirement of data privacy is ensuring that users accessing ERP applications, either in an authorized or unauthorized manner, do not have needless access to valuable data through various pages, reports, or queries. Appsian can reduce the exposure of sensitive data with dynamic data masking for sensitive fields. You can also leverage click-to-view functionality to protect against unnecessary exposure while logging intentional access to sensitive information.

Add Stepped-Up Multi-Factor Authentication at the Transaction Level
Adding multi-factor authentication at the transaction level, as well as at the perimeter, ensures that users are not only authorized to access and view the data but perform the actual transaction based on their current context of access. This should be applied to highly sensitive transactions like editing a direct deposit account number, accessing compensation data, or running a report containing employee PII.

Strengthen Data Loss Prevention
Data exfiltration, whether malicious or accidental, typically originates from employees’ legitimate access to ERP applications and can be hard to prevent or detect with existing security capabilities. Using context-aware data loss prevention policies, Appsian can prevent users from executing transactions that download ERP data in high-risk scenarios, such as: after business hours, from untrusted locations, networks, or devices.

Enhance Visibility into ERP Data Access and Usage

Compliance mandates such as GDPR, CCPA, SOX, and others require organizations to maintain data access and usage details. Unfortunately, user behavior can be a mystery when relying on native ERP logging features to understand the “what, who, where, why, and how” around data access and usage. It’s a manual, time-consuming task. But not anymore.

Appsian360 provides granular, real-time visibility into user activity logging and analytics, delivering actionable insights to automate compliance audits. It allows organizations to continuously monitor data access and usage and proactively alerts security teams to anomalous activity, allowing them to quickly respond with full forensic information.

See for Yourself How Appsian Can Help Improve Your ERP Data Privacy & Compliance

Appsian can help companies ensure that their ERP data privacy, security, and access governance policies are aligned with today’s regulations and scalable to comply with future mandates. Contact us for a demonstration today.

Stay Updated

Data Privacy, Security

How Appsian Reduces Risk in SAP Procurement Transactions

By Michael Cunningham • March 24, 2021

The sheer breadth and complexity of the procurement process can make maintaining effective internal controls difficult. Organizations must implement business process controls to ensure that employees only have access to SAP procurement transactions appropriate to their role and that the activity within these transactions falls in line with their established business policies. Having tightly aligned controls that prevent policy violations in the first place is critical to reducing the level of accepted risk in procurement business processes.

And this brings us to a key challenge in SAP procurement processes. Relying solely on SAP’s static role-based access controls (RBAC) has its limitations. Without the ability to consider factors beyond a user’s role and privileges, preventive controls may be impractical in certain scenarios, forcing reliance on detection and remediation in hindsight.

Enforce SAP Procurement Transaction Policies with Dynamic Access Controls

With the dynamic nature of procurement processes, extending your business process controls strategy to include data-centric and context-aware functionality can significantly reduce your risk exposure. Organizations using SAP ECC and SAP S/4HANA can strengthen policy enforcement by leveraging dynamic, attribute-based access controls (ABAC). Appsian extends SAP’s existing security model by enabling a fine-grain approach that shrinks the gap between business goals and security controls.

Let’s look at some specific use cases across SAP procurement transactions to demonstrate how Appsian can reduce SAP business process risks in today’s dynamic access environment.

Dynamically Controlling Purchase Order Creation

Purchase order creation is an important procurement transaction that should be controlled by an assigned threshold level and approval limits. Appsian allows you to easily manage risks associated with the purchase order process by extending dynamic controls into SAP based on factors such as PO dollar amount, location, time of day, and more.

For example, let’s look at a couple of employees:

Employee Total PO Threshold Create POs when Remote?
George Up to $5,000 No
Gracie Up to $25,000 Yes. Between 8 am-5 pm

You can allow George only to create POs that do not exceed $5,000 in value. He is also blocked from creating POs outside of the corporate network. For Gracie, she has the company’s approval to create POs up to $25,000 and can do it when working remotely as long as it is during normal business hours of 8:00 am to 5:00 pm.

Dynamically Enforce Segregation of Duties

During the procurement business process, there is a need to control the PO’s life cycle using Segregation of Duties (SoD). That means the same person can’t perform PO creation and GR (Goods Receipt) posting followed by IR (Invoice Receipt) posting.

Segregation of Duties policies that rely on static role-based rules can create unwanted business risk because they lack visibility into attributes that define actual conflicts of interest. This gap also carries over into SoD audit logs, resulting in excessive false positives when SoD exceptions have been made.

Appsian allows you to stop unauthorized user activity in real-time using a data-centric approach to enforce SoD controls. Our preventive SoD controls correlate user, data, and transaction attributes, along with identified SoD conflicts, to block conflicting transactions at runtime – even if they have the role-based privileges to perform the transaction.

This approach can add flexibility to procurement processes by allowing users with SoD exceptions to perform conflicting transactions that do not pose actual SoD violations while preventing those that do. The preventive SoD controls can also act as a safeguard to stop any SoD violations that may originate from privilege creep, such as a user changing roles without prompt deprovisioning of old privileges.

Limit Access to Sensitive Data by Masking with Conditions

Because the SAP procurement process touches different departments, it’s important to ensure that users do not have access to data or transactions outside of their roles and responsibilities. From protected PII to privileged financial information – this data carries risks that organizations must address.

Alas, there are no masking capabilities available out of the box in SAP. As a result, privileged users can access sensitive data fields even when access is unnecessary. This kind of unchecked data exposure leaves a massive threat surface that is vulnerable to exploitation and leakage.

Appsian’s Dynamic Data Masking provides SAP customers with fine-grained control over which sensitive data fields they can mask for specified users in the context of any situation. For example, you can decide to mask PII, account names, account numbers, etc., if access comes from an unmanaged device, unknown IP range, or outside typical working hours. Likewise, you can easily mask sensitive data in transactions where exposure is unnecessary for a certain role to do the task at hand.

Appsian: The Dynamic Approach to Reducing SAP Procurement Risks

Managing SAP procurement transactions exist in the overall category of reducing SAP business process risks. It’s a persistent challenge facing organizations of all sizes.

Contact the experts at Appsian today to learn how we can help you face this challenge head-on with our dynamic approach to managing your SAP business process controls.

Stay Updated

Security

How Appsian Improves SAP Segregation of Duties Violations Management

By Ryan Quinonez • March 22, 2021

From stopping fraud, theft, and errors to preventing SOX compliance violations, SAP Segregation of Duties (SoD) plays a lead role in minimizing business risk. Organizations must continuously iterate their internal controls to ensure their SoD strategy is effective; however, we all know this is easier said than done. 

Finite Resources & Manual Processes Can Only Address So Much

With existing capabilities, audit preparation and reporting are manually intensive processes that deliver an outdated snapshot of risk. Time and effort are wasted investigating immaterial events (i.e., false-positives, non-financial activity) because audit logs miss relevant details. Furthermore, manual analysis can be prone to errors, unscalable, and increasingly costly.

Due to resource-intensive audit processes, most organizations can only review a fraction of their SoD audit findings. This limited sample scope, typically between 3-8%, leaves the vast majority of risk unaddressed. While the sample may indicate control effectiveness, significant material risks may go undetected, and confidence will be curbed. 

Leveraging Technology to Reduce Your SAP SoD Risk Exposure

Existing SAP SoD audit logs will show transaction activity but lack the data-level granularity to identify and filter out false-positive SoD violations. Manual investigation and correlation must be performed to do this – adding overhead, slowing the reporting process, and making it more difficult to prove compliance. 

The bottleneck stems from technology and dictates unscalable processes. One approach to overcome this challenge is to adopt data-centric logging, which provides relevant details beyond roles and transactions – enabling customers to automate the majority of manual investigation and correlation efforts. From here, organizations can shift their valuable human resources towards remedial activities to further reduce SoD risks. 

How Appsian Improves SAP Segregation of Duties Violations Management

Delivering data-centric logs paired with contextual information, Appsian360 provides visibility into SoD violations with far greater detail than what is possible with existing transaction-level audit logs. This additional information enables customers to eliminate false-positives automatically, view actual SoD violations, and prioritize events based on relevant details (e.g., dollar amount, time/location performed, etc.)

Leverage data-centric visibility to streamline SAP Segregation of Duties:

  • Uncover 100% of SoD violations with data-centric continuous controls monitoring.
  • Capture actionable details that would previously require manual investigation.
  • Gain an always current view of SoD risks with continuous audit capabilities.
  • Prioritize investigation & remediation activity by eliminating wasted effort on immaterial events.
  • Simplify proving compliance with granular visibility and contextual information that is missing from existing audit logs.
  • Get a Demo of Appsian360 and See for Yourself

As the burden of SAP SoD compliance grows, organizations must look towards technology to help automate tedious manual processes and strengthen internal controls. At Appsian, we’ve built our solutions with this need in mind, delivering a platform that enables SAP customers to do more with less. Contact us today for a demo, and let’s explore how we can help your organization streamline SAP segregation of duties. 

Stay Updated

Data Privacy, Security

Implementing Dynamic SAP Data Masking in ECC & S/4HANA Using Appsian

By Scott Lavery • March 18, 2021

2020 brought about a reckoning for organizations that were slow to adopt strong data privacy and data loss prevention strategies. As users went remote, the networks and devices used to access SAP financial data became a liability – and organizations were sent scrambling for solutions to their newfound dynamic access demands.

Out-of-the-Box SAP Data Protection is Not Enough

In order to prevent data exfiltration and general over-exposure of enterprise data, the use of SAP data masking has grown in popularity. Unfortunately, customers have no out-of-the-box solutions for SAP data masking. In fact, the entire SAP security model hinges on static, role-based controls that offer little to actually protect the data inside the transactions that the access controls are designed to govern. In many cases, a user who has access to a transaction has access to a wide range of data within that transaction that simply isn’t necessary – providing opportunities for misuse.

To make matters more complicated, if an organization were to undergo a large-scale SAP data masking project, the sheer amount of custom development would prove to be a significant hurdle and nearly impossible to scale effectively.

Appsian Offers a Centralized, Scalable Alternative

To offer SAP ERP customers a scalable data masking solution, the Appsian Security Platform (ASP) features dynamic data masking capabilities that enable fine-grained control over which sensitive data fields customers can mask for any specified user and in the context of any situation. By implementing a full or partial mask to a data record, ASP minimizes the risk of a data breach and fulfills encryption and anonymization mandates imposed or implied by regulatory bodies. 

Unlike most off-the-shelf masking solutions, Appsian uses a single ruleset to define and mask data across the entire application:

  • Centralize SAP data masking enforcement with a single ruleset
  • Deploy dynamic policies that account for risk contexts such as location, IP address, time, data sensitivity, and more 
  • Protect sensitive data in production and non-production environments
  • Implement masking without requiring additional customizations to SAP
  • Filter out sensitive data at the presentation layer, resulting in no additional maintenance requirements for updates

Why Appsian is the Essential Dynamic SAP Data Masking Solution

Simply put, when you are trying to protect data without overly-restricting access, then there is no alternative to leveraging a dynamic SAP data masking solution. Because the context of access plays such a critical role in defining risk, being able to apply full or partial masks based on context is the only real way to balance data protection and productivity. 

In addition, Appsian uses a “one to many” approach for creating policy-based data masking rules. This enables customers to quickly scale SAP data masking without extensive development effort at implementation or reconfiguration efforts for policy updates. 

Example Use Cases for Dynamic SAP Data Masking

  1. Mask PII of Customers in SAP CRM Based on their residency
    GDPR Compliance – Ex: Mask PII Data if Customers’ Address is in the EU
  2. Mask & Lock Bank Account Fields After Hours
    Fraud & Theft – Ex: Insider Changing Data at Night Before Pay-Run 
  3. Obscure Data Fields in Transactions that are Unnecessary for a Role 
    Data Minimization – Ex: Customer Support Seeing Financial Spend, Pricing Info
  4. Prevent Remote Access of Unpublished Financial Information
    Risk Mitigation – Ex: Mask Data when Access Occurs After Hours or Remote

Get a Demo of Appsian’s Dynamic SAP Data Masking and See for Yourself!

As business processes become more complicated, your ability to protect data must evolve as well. Fortunately, Appsian offers the fastest, most cost-effective approach for SAP data masking. Contact us today and get a demo! And find out how you can be applying dynamic data masking rules within only 4-6 weeks!

Stay Updated

Security

It’s Time to Include Data in the ERP Security Conversation

By Scott Lavery • March 11, 2021

ERP security had traditionally focused on vulnerability testing for ERP applications, whether hosted on-premise or in the cloud. Given the sensitive nature of ERP transactions, frequently checking applications, databases, and servers for vulnerabilities through routine assessments had long been considered best practice. It makes sense that application vulnerabilities are considered a top threat vector because ERP applications were long touted for their highly customizable nature. Customizable because every organization’s business requirements are different – which means security settings and access controls need to be highly customizable. 

All of this customization was in-service to governing user access to the application – a real “outside looking in” approach. But if you’re constantly looking “out” for threats, how do you protect against the ones that are already “in?”

Is Traditional ERP Security Actually Protecting Data?

While you might be checking for conflicts in your configuration settings, ensuring you’re up-to-date on vendor patches, and executing manual audits every once in a while, you should ask yourself, “am I actually protecting my ERP data?” Sure, preventing intrusions is passively protecting ERP data. But at the end of the day, if you spend your time hardening the walls of your fortress, you’re really only protecting the perimeter of your fortress – not what’s inside. Cybercriminals have identified this disconnect and now spend their time exploiting user credentials to infiltrate systems to steal and manipulate data. Cybercriminals have adjusted. Now it’s time organizations do the same with their ERP applications, and ultimately – their ERP data. 

The Information Security Conversation is Going Below the Network & Application Layer

Information security professionals have long been adept at protecting enterprise data and not just network and application perimeters. The abundance of cloud applications has allowed access controls and visibility to go to the next level. Concepts like zero trust and least privilege all require information security policies that are not reliant on arbitrary roles and privileges but on inspecting who a user is, where they are coming from, on what device, and any other attribute. Just because they are allowed access to a network or application does not grant them privileges to data.

If this is where the information security conversation is going, why is ERP security still focused on the perimeter? Shouldn’t the focus be on ERP data security?

How to Shift the Conversation to ERP Data Security

Many would say that ERP security remains a perimeter conversation because such a large part of the ERP market uses on-premise applications. This dates back to the inception of ERP when the appeal was mostly around customizing your business transactions to your processes. This would be accurate – but as business became more complex, organizations became more entwined with their legacy applications. However, that doesn’t mean that on-premise applications (and ERP applications only hosted in the cloud) must remain isolated from a unified “ERP Data Security” conversation. 

Here Are a Few Recommendations for Beginning an ERP Data Security Conversation:

  • Integrated Identity & Access Management (IAM) – Integrating enterprise solutions meant for identity and access management (ex. SSO & MFA) provides a perfect opportunity to govern access to data versus only governing access to an application. An integration would enable policies to be written that deploy authentication measures based on what someone is attempting to access. This is also referred to as “step-up authentication” or zero trust. Of course, an integration layer is required, which is exactly why Appsian developed the necessary integration connections that organizations can use to natively integrate their IAM solutions with their legacy ERP applications (i.e., Oracle PeopleSoft & E-Business Suite).
  • Attribute-Based Access Controls (ABAC) – Traditional ERP governance revolves around role-based access controls. Pre-defined and sometimes over-simplified buckets that dictate what users can and can’t do. Role-based access controls (RBAC) are artifacts of traditional ERP security strategies that have been identified as problematic and flawed when data protection is the objective. This is not to say that RBAC doesn’t have its place but as a sole governance measure? Absolutely not. Many would say that the rapid move to remote work following COVID-19 was the death blow to RBAC because so much of its effectiveness hinges on network and application security layers. Both of which enter a grey area when sensitive financial transactions and data can be accessed remotely.

To help organizations manage, and more importantly, mitigate the risk of remote access to financial applications like SAP ECC, S/4HANA, & E-Business Suite, Appsian has developed Attribute-Based Access Controls that organizations can use to grant, modify, or restrict access to data. Governance policies can be dynamically enforced based on the context of user access – or attributes of user access.

  • Data Level Visibility is Critical – ERP applications are no stranger to activity logging. However, current logging is primarily in-service to troubleshooting system issues and receiving basic insight on authentication and page access. This is why auditing an ERP application requires manual pulling and triangulation of reports from multiple sources. It’s an obstacle most have to accept, and because of this, they only audit sporadically.

To gain visibility and insight into how data is being accessed and used, Appsian developed Appsian360. Appsian360 represents a powerful combination of comprehensive user activity logging and analytics – all designed to detect and alert to anomalous behavior. Whether it’s access from a foreign country, the same user frequently downloading certain reports, or specific PO or account numbers receiving frequent access, Appsian360 is designed to give ERP customers the data level visibility needed to automate critical security, compliance, and audit functions.

Appsian Helps Enable ERP Data Security

Just because your organization is using a legacy ERP application does not mean that you cannot employ the same granular levels of control and visibility as a cloud application. Appsian has been enhancing on-premise ERP environments for over 10 years, and we’d love the opportunity to learn more about your ERP data security objectives. Contact us today!

Stay Updated

Data Privacy, Security

How Remote Work Has Accelerated ERP Data Privacy Challenges

By Michael Cunningham • February 26, 2021

If 2020 was the year of hastily enabling secure remote access to ERP applications, then 2021 will be the year when organizations realize that remote ERP access is here to stay – and long-term data privacy, security, and access governance strategies will be missioncritical. Securing ERP data has always been important in principle, but the mass migration to requiring remote access (in perpetuity) has kicked off a heightened emphasis on the topic. 

Amongst a sea of learnings from the pandemic is that 2020 was the “coming of age” for ERP data privacy and the challenges it createdMany organizations were forced to learn the hard way that sensitive ERP data (business data and PII) are top targets for malicious activity and some of the most difficult assets for organizations to secure. Especially data in legacy business applications. 

Let’s look back at the Year of the Pandemic and examine some of the data privacy events and trends we observed that will serve as guideposts for making ERP data privacy a mission-critical priority in 2021.   

Variations in Access Presents Greater Data Privacy Challenges 

It’s clear that working remotely is here to stay. A Gartner HR survey reveals that 41% of employees are likely to work remotely at least some of the time post-pandemic. Tech giants like Facebook, Salesforce, Twitter, and more, announced that they would continue to offer remote work and possibly move to entirely remote models permanently.  

A key challenge uncovered when the pandemic forced a rapid transition to remote workforces was most organizations had data privacy and governance policies that didn’t account for variations in user access. Especially those using legacy ERP applications like SAP (ECC & S/4HANA), PeopleSoft, and Oracle EBS. After all, these applications were originally designed so users could get easy access to data inside the firewall. They were never designed for a dynamic access environment 

The fact of the matter is the roles and privileges that governed access to these systems depended on managed devices, corporate firewalls, and in many cases – 9:00 to 5:00 access demands. Remove those variables and enable access from anywhere, on any device, and at any time – and those strict privacy and governance policies were replaced by “wild west” levels of access risk. 

Instead of needing to be in a specific physical location, users can access an organization’s sensitive data from anywhere. The physical and network controls that protected IT infrastructures and data privacy no longer provide the same level of confidence. Changing how companies do work requires them to change how they secure data and re-evaluate their data privacy and access governance strategies.  

When it Comes to ERP Data Privacy – Identity is the New Perimeter 

With organizations continuing to support remote access to ERP applications, they need to design policies and practices that define how data is accessed, viewed, and used – as well as the technology they’ll need to implement and enforce those policies.   

A key investment is implementing dynamic capabilities to already established identity and access management (IAM) solutions. In other words, providing the ability to minimize risk by dynamically providing access based on the context of a user’s access.   

Applying dynamic IAM and access governance supports traditional role-based controls but accounts for the variations in a user’s access that may indicate risk.  

Further examples would be: 

  • Integrating an MFA on a sensitive transaction or data field and requiring a user to re-authenticate 
  • Deploying MFA if a user is accessing from an unmanaged device. Also known as zero-trust authentication 
  • Reducing levels of access privilege for super users if their access is coming from an unknown IP range. Also known as applying the principle of least privilege 
  • Applying dynamic data masking that masks all PII, account numbers, etc., if access is coming from an unmanaged device, unknown IP range, or outside typical working hours. 

 The sooner organizations realize that their perimeter is only as strong as their ability to manage user access – the better off they’ll be! 

Data Privacy Regulations Mixed with Remote Access Will Only Make Compliance More Challenging 

Today’s everchanging data privacy landscape is a reminder that organizations should always be diligent about what kinds of data they are collecting, how it’s being stored, and most importantly – have the visibility to understand exactly how that data is being accessed. For example, is access suddenly coming from a hostile foreign country, or are certain data records/reports being accessed at a higher-than-normal frequency? Ask yourself, just because someone can access sensitive data, does it mean they should? 

Successful organizations will invest in technologies that monitor user behavior around data access and usage, capturing contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information that is paramount for compliance reporting and effectively responding to audit findings. 

Hodgepodge of State-Level Data Privacy Regulations Sow Confusion 

Up to now, the standard-bearer for data privacy regulations in the United States was California’s CCPA. In 2021, the number of state-level data privacy regulations is likely to increase, which is bound to further complicate matters by creating multiple compliance requirements.  

Virginia is poised to become the second state to enact a data privacy bill, while lawmakers in Washington state, New York, Oklahoma, and Utah are currently weighing proposals. Meanwhile, Californians voted to approve the California Privacy Rights Act (CPRA), a series of changes made to the existing California Consumer Privacy Act (CCPA). 

This hodgepodge of domestic data privacy regulations should motivate organizations to get data privacy, security, and access governance strategies in place, ensure documentation, and prepare for both financial penalties and civil actions. If 2020 was any indication (GDPR fines rose by nearly 40%), companies are likely to see more frequent and more significant fines for non-compliance in 2021. 

Having Weak ERP Data Privacy Policies Will Become Expensive 

COVID raised the awareness of ERP data privacy as companies struggled last year to continue with normal business operations in a remote environment. These struggles forced many leaders to establish privacy and compliance frameworks and implement the technology to support them. However, this is just the beginning.  

With 2020 being a record year for data breaches – along with an ever-growing list of data privacy regulations that carry monetary fines for non-compliance – the writing is on the wall. Organizations will not be able to call themselves victims if their decades of accumulated PII and business data get exploited or breached. The monetary consequences that come from these incidences can have catastrophic effects—both against your bottom line and reputation.   

Contact Appsian to learn how we can help you align your legacy ERP applications with today’s data privacy and compliance demands. Effectively scale your efforts for future mandates.

Stay Updated

Request a Demo

Start your free demo

"Learn how you can reduce risk with rapid threat protection, audit response and access control. All from a single, comprehensive platform"

Trusted by hundreds of leading brands