Appsian’s Executive Director for Security Solutions, Greg Wendt, appears in the latest episode of IAM Pulse, a podcast from BIO-key International that discusses all things identity access management.
In this episode, Greg joins host Kimberly Johnson, BIO-key’s VP of Product Marketing, and Greg Browinski, Principal Software Developer at BIO-key International, to talk about making sure PeopleSoft is not isolated from your IAM strategy but instead seamlessly integrated into it.
Listen to the full episode here:
Most organizations are running hundreds, if not thousands of applications, with some running the critical operations of the business. This is the case with Oracle PeopleSoft, which runs inventory, financial services, and campus solutions for universities, colleges, and other institutions. However, it can be complicated when it comes to securing this application and break the mold of a company’s IAM strategy. Greg Wendt, Appsian’s Executive Director for Security Solutions, joins the podcast to discuss how to involve PeopleSoft with an IAM strategy.
Implementing enterprise resource planning (ERP) systems has always been both mission-critical and notoriously difficult. They must align with business processes, but the organization distributes those processes across multiple departments. Legacy ERP systems, often considered a large one-time investment, lack the flexibility necessary to scale with your business. As your organization began its digital transformation journey, cloud-based ERP seemed to be a solution to many of these problems. However, every benefit comes with a cost. Modernizing legacy ERP systems for security and compliance creates new challenges, particularly with distributed workforces.
Whether you wanted to modernize your ERP or not, you likely found yourself rapidly adopting to remote access requirements in 2020. In response to COVID-driven stay-at-home orders, companies needed to accelerate their digital transformation strategies. This move included ERP systems.
However, as you look toward a post-pandemic business model, you might be considering maintaining a hybrid workforce. Thus, modernizing your ERP is a mission-critical business goal for several reasons, including:
According to HubSpot’s 2020 ERP Report, 34% of respondents said they were moving away from legacy systems, and 86% selected SaaS deployment models. However, that same report noted that 27% of respondents remaining on-premises cited security breach risk as their reason.
When undergoing digital transformation, organizations often struggle trying to secure their ERP systems. Most companies need to take a hybrid approach that connects their legacy on-premise deployment to their new SaaS applications.
Organizations struggle trying to prioritize and mitigate risks for several reasons. However, three fundamental challenges exist:
Traditional on-premise ERP deployments used role-based access controls (RBAC) with static permissions lists. However, the inherently static nature means that these alone fail to protect data, particularly in remote or hybrid work environments.
For example, PeopleSoft’s security model assigns roles to user profiles. The user profile defines the data that the person can use. The permissions list is the set of pages the user can access and actions the user can take.
These controls protect data across on-premises deployments where the applications and users sit inside the organization’s network. Since remote access to on-premise ERP is dynamic, these legacy controls increase security and privacy risks when implemented for modernized ERP projects.
Companies adopt digital transformation to leverage speed and agility, enabling them to scale operations. At the same time, they still need to maintain their on-premise systems. To protect information, organizations need dynamic and scalable access controls that align with their systems and business goals.
1. Identify Assets and Assess Risk
For effective access controls, the first step is to identify all data that you store, process, and transmit. Second, you need to assess the data’s criticality and risk level. Finally, you need to identify users who access information and assess the risk they post to the organization.
As part of this, you should consider:
Once you assess user and data risk, you can create a plan that helps you migrate the information securely. When setting controls, you should limit access according to the principle of least privilege and create fine-grained access privileges.
2. Normalize Data Access Across Integrated Applications
With SaaS applications, organizations no longer need to commit to a single platform. They can pick and choose the applications that best meet their needs, which can mean integrating multiple vendors.
As you build out your application stack, you need to maintain appropriate access controls. This can be difficult when vendors define access rights differently. Many organizations worry that normalizing access data requires an expensive, labor-intensive overhaul of their Identity and Access Management programs.
However, if you focus on visibility instead of connectivity, you can leverage automated tools that help you see into user access. Tracking user access in a single location, despite disparate access definitions, enables you to protect data security and privacy even across different application vendors like SAP and PeopleSoft.
3. Use Context
A primary benefit of hybrid on-premise and cloud ERP systems is the ability for people to work wherever they want. However, that same flexibility drives many of the security and privacy risks companies face.
Adding context to your access permissions is another way to secure data. After setting your role-based controls, you should consider adding context such as time of day, geographic location, and IP address. With these attribute-based access controls (ABAC), you can more granularly define how users interact with data, making it easier to detect anomalies.
4. Enable Step-Up Multi-factor Authentication
ABAC also enables you to use step-up multi-factor authentication (MFA). Step-up authentication is a process where users need to re-authenticate into an ERP application when they attempt a privileged function or transaction. ABAC enables you to trigger step-up MFA when your system detects an abnormal attribute, often one associated with credential theft.
For example, one of your users always logs in from California, USA. If the user tries to access the ERP’s payment module from Ontario, Canada, the system will notice that this is an outlier, an abnormal attribute for this user. The system can require re-authentication, additional proof that the person is who they say they are. If this is a cybercriminal leveraging stolen credentials, then the step-up authentication acts as an additional security and privacy control, preventing unauthorized access.
5. Continuously Monitor Behavior Around Data Access and Usage
Modernizing your ERP security and privacy controls also includes continuously monitoring for anomalous and suspicious activity. Gaining a granular view into data access and use is a way to proactively mitigate risks that can arise in a remote workforce accessing ERP solutions.
Continuously monitoring access can help you gain insight into employee productivity, cybersecurity risks, and insider fraud. Tracking when and how employees use data gives you a way to set baselines for “normal” activity—any deviations from this warrant further investigation.
For example, a user consistently accesses your ERP between 8 am and 5 pm from a location in the United States. If the user suddenly accesses the system at 2 am, the anomalous activity could indicate fraud. Even if you’re using step-up MFA to prevent that activity, you still need to investigate the event. While it may be someone with insomnia, it can also be an employee trying to steal information or money.
Modernizing your legacy ERP application doesn’t mean you have to “sacrifice” the same granular levels of control and visibility as a cloud application to enforce data security, privacy, or compliance policies. Taking a proactive approach to ERP security and data privacy during your company’s digital transformation can mitigate risks before they turn into realities.
Appsian has been enhancing on-premise ERP environments for more than ten years, and we’d love the opportunity to learn more about your digital transformation project so we can help you manage your ERP data security and compliance needs. Contact us today.
The ERP security landscape is drastically evolving and traditionally on-premise applications such as SAP ECC and S/4HANA are falling behind. Dynamic risks posed by remote access, changing compliance requirements, and the rising number of user-centric threats have highlighted a gap in controls. The ways users access SAP has changed, and because of this, it’s time to reevaluate your security model and how the concept of Least Privilege is being enforced.
The Principle of Least Privilege aims to minimize risk by limiting the number of privileges given to a user based on what privileges are job-related or necessary to complete a task—reducing the opportunities for improper uses of privilege to occur.
In SAP, this has traditionally guided role design from a functional perspective. For example, an HR Manager role may have privileges such as maintaining HR master data, processing payroll, or modifying pay rates – but should not have access to transactions outside their line of work (ex. creating, maintaining PO’s).
The approach was sufficient when user access was limited to a physical office, during normal business hours, and on a secure network. However, we all know this has changed. Remote work and cloud-hosted applications have expanded the scope of access, and with it, shifted the risk landscape. Context such as the what, when, where, and how a user interacts with SAP must be considered in addition to functional access rights.
Unfortunately, this leads us to the Achilles heel in SAP security: static, role-based access controls (RBAC). Risk is dynamic. RBAC is not. Without the ability to consider contextual factors beyond a user’s role and privileges, organizations are actually constraining their ability to enforce PoLP.
This gap leads to a variety of risks, including data exfiltration, fraud & theft, policy violations, and compliance risks. It’s time for companies to take their SAP security to the next level. It’s time for Least Privilege 2.0.
As noted earlier, a key to minimizing SAP risk exposure is context. To integrate context into controls, SAP customers can leverage attribute-based access controls (ABAC) and business rules that extend SAP’s existing authorization model.
With the Appsian Security Platform, organizations can enable security policies that align controls with real-world scenarios by considering the context. Dynamic authorizations at both the data and transaction level can be implemented to fine-tune your security measures and align exposure to your organization’s risk appetite.
Least Privilege 2.0 means going beyond static roles and privileges, allowing companies to achieve:
This supplemental attribute-based authorization layer enables rapid, wide-reaching changes without the need to redesign individual roles. For example, organizations can now dynamically protect data with:
Policy-Based Data Masking
Limit the exposure of PII and other high-risk information with dynamically enforced data masking throughout SAP. Policy dictates at runtime whether a user has full access to data within a transaction, limited access via full/partial mask on sensitive fields, or is blocked entirely.
Data Exfiltration Controls
Stop data leakage from both privileged accounts and normal end-users by ensuring data can only leave SAP in secure environments. Access to transactions that export data to downloadable files can be blocked in high-risk scenarios.
As business processes in SAP evolve and grow more complex, your organization’s capability to mitigate access risks must also evolve. Appsian can help you leverage Least Privilege 2.0 to extend your SAP security controls to address gaps in coverage and minimize your accepted risk. Get in touch with the experts at Appsian today to schedule a demo and learn how we can help.
With 2020 nearly three months behind us and the rollout of COVID-19 vaccines picking up speed, organizations are looking hopefully to 2021 and beyond. Optimism aside, a hard truth about 2021 is that remote work and ERP access are here to stay. Organizations must put a mission-critical emphasis on ERP data privacy, security, and access governance policies. Here are some key strategies to consider as you strive to improve your ERP data privacy and compliance in 2021 and beyond.
The obvious first step to any kind of ERP data privacy is knowing exactly what data you have. Think of it this way: you can’t protect what you don’t know. This data inventory, if you will, should align with the basic data privacy guidelines set out by regulations like GDPR, CCPA, SOX, and a growing number of others. Companies should have an understanding of what sort of personal data is collected, how that data is accessed, where and how it is stored, what is it used for, if it is shared with another organization or group, and how long is it kept before being disposed of.
Now that you’ve identified and categorized your data, it’s time to establish who has access to it, when they can access it, from where, on what device, and how often. The problem is that legacy ERP applications like SAP (ECC and S/4HANA), Oracle PeopleSoft, and Oracle EBS use static role-based access controls (RBAC) to govern access. These roles have reached their limitations in a dynamic workplace because static roles do not leverage contextual attributes.
To create a more dynamic and robust cybersecurity and data privacy program, you can enable dynamic access controls (often called ABAC) to support your RBAC controls by incorporating additional contexts, such as geolocation, time of day, and transaction type. Combining ABAC and RBAC, you can establish rules that grant access to ERP applications and transactions only if the person meets certain contextual criteria. When defining risk through the lens of the context of a user’s access, dynamically enforcing governance is a crucial data privacy objective and investment.
Once dynamic governance policies are in place, organizations can enforce those policies by leveraging dynamic technology. Specifically, here’s how Appsian can help you gain control and visibility of data access and usage without sacrificing productivity.
Avoid Unnecessary Data Exposure with Dynamic Data Masking
An essential requirement of data privacy is ensuring that users accessing ERP applications, either in an authorized or unauthorized manner, do not have needless access to valuable data through various pages, reports, or queries. Appsian can reduce the exposure of sensitive data with dynamic data masking for sensitive fields. You can also leverage click-to-view functionality to protect against unnecessary exposure while logging intentional access to sensitive information.
Add Stepped-Up Multi-Factor Authentication at the Transaction Level
Adding multi-factor authentication at the transaction level, as well as at the perimeter, ensures that users are not only authorized to access and view the data but perform the actual transaction based on their current context of access. This should be applied to highly sensitive transactions like editing a direct deposit account number, accessing compensation data, or running a report containing employee PII.
Strengthen Data Loss Prevention
Data exfiltration, whether malicious or accidental, typically originates from employees’ legitimate access to ERP applications and can be hard to prevent or detect with existing security capabilities. Using context-aware data loss prevention policies, Appsian can prevent users from executing transactions that download ERP data in high-risk scenarios, such as: after business hours, from untrusted locations, networks, or devices.
Compliance mandates such as GDPR, CCPA, SOX, and others require organizations to maintain data access and usage details. Unfortunately, user behavior can be a mystery when relying on native ERP logging features to understand the “what, who, where, why, and how” around data access and usage. It’s a manual, time-consuming task. But not anymore.
Appsian360 provides granular, real-time visibility into user activity logging and analytics, delivering actionable insights to automate compliance audits. It allows organizations to continuously monitor data access and usage and proactively alerts security teams to anomalous activity, allowing them to quickly respond with full forensic information.
Appsian can help companies ensure that their ERP data privacy, security, and access governance policies are aligned with today’s regulations and scalable to comply with future mandates. Contact us for a demonstration today.
The sheer breadth and complexity of the procurement process can make maintaining effective internal controls difficult. Organizations must implement business process controls to ensure that employees only have access to SAP procurement transactions appropriate to their role and that the activity within these transactions falls in line with their established business policies. Having tightly aligned controls that prevent policy violations in the first place is critical to reducing the level of accepted risk in procurement business processes.
And this brings us to a key challenge in SAP procurement processes. Relying solely on SAP’s static role-based access controls (RBAC) has its limitations. Without the ability to consider factors beyond a user’s role and privileges, preventive controls may be impractical in certain scenarios, forcing reliance on detection and remediation in hindsight.
With the dynamic nature of procurement processes, extending your business process controls strategy to include data-centric and context-aware functionality can significantly reduce your risk exposure. Organizations using SAP ECC and SAP S/4HANA can strengthen policy enforcement by leveraging dynamic, attribute-based access controls (ABAC). Appsian extends SAP’s existing security model by enabling a fine-grain approach that shrinks the gap between business goals and security controls.
Let’s look at some specific use cases across SAP procurement transactions to demonstrate how Appsian can reduce SAP business process risks in today’s dynamic access environment.
Purchase order creation is an important procurement transaction that should be controlled by an assigned threshold level and approval limits. Appsian allows you to easily manage risks associated with the purchase order process by extending dynamic controls into SAP based on factors such as PO dollar amount, location, time of day, and more.
For example, let’s look at a couple of employees:
|Employee||Total PO Threshold||Create POs when Remote?|
|George||Up to $5,000||No|
|Gracie||Up to $25,000||Yes. Between 8 am-5 pm|
You can allow George only to create POs that do not exceed $5,000 in value. He is also blocked from creating POs outside of the corporate network. For Gracie, she has the company’s approval to create POs up to $25,000 and can do it when working remotely as long as it is during normal business hours of 8:00 am to 5:00 pm.
During the procurement business process, there is a need to control the PO’s life cycle using Segregation of Duties (SoD). That means the same person can’t perform PO creation and GR (Goods Receipt) posting followed by IR (Invoice Receipt) posting.
Segregation of Duties policies that rely on static role-based rules can create unwanted business risk because they lack visibility into attributes that define actual conflicts of interest. This gap also carries over into SoD audit logs, resulting in excessive false positives when SoD exceptions have been made.
Appsian allows you to stop unauthorized user activity in real-time using a data-centric approach to enforce SoD controls. Our preventive SoD controls correlate user, data, and transaction attributes, along with identified SoD conflicts, to block conflicting transactions at runtime – even if they have the role-based privileges to perform the transaction.
This approach can add flexibility to procurement processes by allowing users with SoD exceptions to perform conflicting transactions that do not pose actual SoD violations while preventing those that do. The preventive SoD controls can also act as a safeguard to stop any SoD violations that may originate from privilege creep, such as a user changing roles without prompt deprovisioning of old privileges.
Because the SAP procurement process touches different departments, it’s important to ensure that users do not have access to data or transactions outside of their roles and responsibilities. From protected PII to privileged financial information – this data carries risks that organizations must address.
Alas, there are no masking capabilities available out of the box in SAP. As a result, privileged users can access sensitive data fields even when access is unnecessary. This kind of unchecked data exposure leaves a massive threat surface that is vulnerable to exploitation and leakage.
Appsian’s Dynamic Data Masking provides SAP customers with fine-grained control over which sensitive data fields they can mask for specified users in the context of any situation. For example, you can decide to mask PII, account names, account numbers, etc., if access comes from an unmanaged device, unknown IP range, or outside typical working hours. Likewise, you can easily mask sensitive data in transactions where exposure is unnecessary for a certain role to do the task at hand.
Managing SAP procurement transactions exist in the overall category of reducing SAP business process risks. It’s a persistent challenge facing organizations of all sizes.
Contact the experts at Appsian today to learn how we can help you face this challenge head-on with our dynamic approach to managing your SAP business process controls.
From stopping fraud, theft, and errors to preventing SOX compliance violations, SAP Segregation of Duties (SoD) plays a lead role in minimizing business risk. Organizations must continuously iterate their internal controls to ensure their SoD strategy is effective; however, we all know this is easier said than done.
With existing capabilities, audit preparation and reporting are manually intensive processes that deliver an outdated snapshot of risk. Time and effort are wasted investigating immaterial events (i.e., false-positives, non-financial activity) because audit logs miss relevant details. Furthermore, manual analysis can be prone to errors, unscalable, and increasingly costly.
Due to resource-intensive audit processes, most organizations can only review a fraction of their SoD audit findings. This limited sample scope, typically between 3-8%, leaves the vast majority of risk unaddressed. While the sample may indicate control effectiveness, significant material risks may go undetected, and confidence will be curbed.
Existing SAP SoD audit logs will show transaction activity but lack the data-level granularity to identify and filter out false-positive SoD violations. Manual investigation and correlation must be performed to do this – adding overhead, slowing the reporting process, and making it more difficult to prove compliance.
The bottleneck stems from technology and dictates unscalable processes. One approach to overcome this challenge is to adopt data-centric logging, which provides relevant details beyond roles and transactions – enabling customers to automate the majority of manual investigation and correlation efforts. From here, organizations can shift their valuable human resources towards remedial activities to further reduce SoD risks.
Delivering data-centric logs paired with contextual information, Appsian360 provides visibility into SoD violations with far greater detail than what is possible with existing transaction-level audit logs. This additional information enables customers to eliminate false-positives automatically, view actual SoD violations, and prioritize events based on relevant details (e.g., dollar amount, time/location performed, etc.)
Leverage data-centric visibility to streamline SAP Segregation of Duties:
As the burden of SAP SoD compliance grows, organizations must look towards technology to help automate tedious manual processes and strengthen internal controls. At Appsian, we’ve built our solutions with this need in mind, delivering a platform that enables SAP customers to do more with less. Contact us today for a demo, and let’s explore how we can help your organization streamline SAP segregation of duties.
2020 brought about a reckoning for organizations that were slow to adopt strong data privacy and data loss prevention strategies. As users went remote, the networks and devices used to access SAP financial data became a liability – and organizations were sent scrambling for solutions to their newfound dynamic access demands.
In order to prevent data exfiltration and general over-exposure of enterprise data, the use of SAP data masking has grown in popularity. Unfortunately, customers have no out-of-the-box solutions for SAP data masking. In fact, the entire SAP security model hinges on static, role-based controls that offer little to actually protect the data inside the transactions that the access controls are designed to govern. In many cases, a user who has access to a transaction has access to a wide range of data within that transaction that simply isn’t necessary – providing opportunities for misuse.
To make matters more complicated, if an organization were to undergo a large-scale SAP data masking project, the sheer amount of custom development would prove to be a significant hurdle and nearly impossible to scale effectively.
To offer SAP ERP customers a scalable data masking solution, the Appsian Security Platform (ASP) features dynamic data masking capabilities that enable fine-grained control over which sensitive data fields customers can mask for any specified user and in the context of any situation. By implementing a full or partial mask to a data record, ASP minimizes the risk of a data breach and fulfills encryption and anonymization mandates imposed or implied by regulatory bodies.
Unlike most off-the-shelf masking solutions, Appsian uses a single ruleset to define and mask data across the entire application:
Simply put, when you are trying to protect data without overly-restricting access, then there is no alternative to leveraging a dynamic SAP data masking solution. Because the context of access plays such a critical role in defining risk, being able to apply full or partial masks based on context is the only real way to balance data protection and productivity.
In addition, Appsian uses a “one to many” approach for creating policy-based data masking rules. This enables customers to quickly scale SAP data masking without extensive development effort at implementation or reconfiguration efforts for policy updates.
As business processes become more complicated, your ability to protect data must evolve as well. Fortunately, Appsian offers the fastest, most cost-effective approach for SAP data masking. Contact us today and get a demo! And find out how you can be applying dynamic data masking rules within only 4-6 weeks!
ERP security had traditionally focused on vulnerability testing for ERP applications, whether hosted on-premise or in the cloud. Given the sensitive nature of ERP transactions, frequently checking applications, databases, and servers for vulnerabilities through routine assessments had long been considered best practice. It makes sense that application vulnerabilities are considered a top threat vector because ERP applications were long touted for their highly customizable nature. Customizable because every organization’s business requirements are different – which means security settings and access controls need to be highly customizable.
All of this customization was in-service to governing user access to the application – a real “outside looking in” approach. But if you’re constantly looking “out” for threats, how do you protect against the ones that are already “in?”
While you might be checking for conflicts in your configuration settings, ensuring you’re up-to-date on vendor patches, and executing manual audits every once in a while, you should ask yourself, “am I actually protecting my ERP data?” Sure, preventing intrusions is passively protecting ERP data. But at the end of the day, if you spend your time hardening the walls of your fortress, you’re really only protecting the perimeter of your fortress – not what’s inside. Cybercriminals have identified this disconnect and now spend their time exploiting user credentials to infiltrate systems to steal and manipulate data. Cybercriminals have adjusted. Now it’s time organizations do the same with their ERP applications, and ultimately – their ERP data.
Information security professionals have long been adept at protecting enterprise data and not just network and application perimeters. The abundance of cloud applications has allowed access controls and visibility to go to the next level. Concepts like zero trust and least privilege all require information security policies that are not reliant on arbitrary roles and privileges but on inspecting who a user is, where they are coming from, on what device, and any other attribute. Just because they are allowed access to a network or application does not grant them privileges to data.
If this is where the information security conversation is going, why is ERP security still focused on the perimeter? Shouldn’t the focus be on ERP data security?
Many would say that ERP security remains a perimeter conversation because such a large part of the ERP market uses on-premise applications. This dates back to the inception of ERP when the appeal was mostly around customizing your business transactions to your processes. This would be accurate – but as business became more complex, organizations became more entwined with their legacy applications. However, that doesn’t mean that on-premise applications (and ERP applications only hosted in the cloud) must remain isolated from a unified “ERP Data Security” conversation.
Here Are a Few Recommendations for Beginning an ERP Data Security Conversation:
To help organizations manage, and more importantly, mitigate the risk of remote access to financial applications like SAP ECC, S/4HANA, & E-Business Suite, Appsian has developed Attribute-Based Access Controls that organizations can use to grant, modify, or restrict access to data. Governance policies can be dynamically enforced based on the context of user access – or attributes of user access.
To gain visibility and insight into how data is being accessed and used, Appsian developed Appsian360. Appsian360 represents a powerful combination of comprehensive user activity logging and analytics – all designed to detect and alert to anomalous behavior. Whether it’s access from a foreign country, the same user frequently downloading certain reports, or specific PO or account numbers receiving frequent access, Appsian360 is designed to give ERP customers the data level visibility needed to automate critical security, compliance, and audit functions.
Just because your organization is using a legacy ERP application does not mean that you cannot employ the same granular levels of control and visibility as a cloud application. Appsian has been enhancing on-premise ERP environments for over 10 years, and we’d love the opportunity to learn more about your ERP data security objectives. Contact us today!
If 2020 was the year of hastily enabling secure remote access to ERP applications, then 2021 will be the year when organizations realize that remote ERP access is here to stay – and long-term data privacy, security, and access governance strategies will be mission–critical. Securing ERP data has always been important in principle, but the mass migration to requiring remote access (in perpetuity) has kicked off a heightened emphasis on the topic.
Amongst a sea of learnings from the pandemic is that 2020 was the “coming of age” for ERP data privacy and the challenges it created. Many organizations were forced to learn the hard way that sensitive ERP data (business data and PII) are top targets for malicious activity and some of the most difficult assets for organizations to secure. Especially data in legacy business applications.
Let’s look back at the Year of the Pandemic and examine some of the data privacy events and trends we observed that will serve as guideposts for making ERP data privacy a mission-critical priority in 2021.
It’s clear that working remotely is here to stay. A Gartner HR survey reveals that 41% of employees are likely to work remotely at least some of the time post-pandemic. Tech giants like Facebook, Salesforce, Twitter, and more, announced that they would continue to offer remote work and possibly move to entirely remote models permanently.
A key challenge uncovered when the pandemic forced a rapid transition to remote workforces was most organizations had data privacy and governance policies that didn’t account for variations in user access. Especially those using legacy ERP applications like SAP (ECC & S/4HANA), PeopleSoft, and Oracle EBS. After all, these applications were originally designed so users could get easy access to data inside the firewall. They were never designed for a dynamic access environment.
The fact of the matter is the roles and privileges that governed access to these systems depended on managed devices, corporate firewalls, and in many cases – 9:00 to 5:00 access demands. Remove those variables and enable access from anywhere, on any device, and at any time – and those strict privacy and governance policies were replaced by “wild west” levels of access risk.
Instead of needing to be in a specific physical location, users can access an organization’s sensitive data from anywhere. The physical and network controls that protected IT infrastructures and data privacy no longer provide the same level of confidence. Changing how companies do work requires them to change how they secure data and re-evaluate their data privacy and access governance strategies.
With organizations continuing to support remote access to ERP applications, they need to design policies and practices that define how data is accessed, viewed, and used – as well as the technology they’ll need to implement and enforce those policies.
A key investment is implementing dynamic capabilities to already established identity and access management (IAM) solutions. In other words, providing the ability to minimize risk by dynamically providing access based on the context of a user’s access.
Applying dynamic IAM and access governance supports traditional role-based controls but accounts for the variations in a user’s access that may indicate risk.
Further examples would be:
The sooner organizations realize that their perimeter is only as strong as their ability to manage user access – the better off they’ll be!
Today’s ever–changing data privacy landscape is a reminder that organizations should always be diligent about what kinds of data they are collecting, how it’s being stored, and most importantly – have the visibility to understand exactly how that data is being accessed. For example, is access suddenly coming from a hostile foreign country, or are certain data records/reports being accessed at a higher-than-normal frequency? Ask yourself, just because someone can access sensitive data, does it mean they should?
Successful organizations will invest in technologies that monitor user behavior around data access and usage, capturing contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information that is paramount for compliance reporting and effectively responding to audit findings.
Up to now, the standard-bearer for data privacy regulations in the United States was California’s CCPA. In 2021, the number of state-level data privacy regulations is likely to increase, which is bound to further complicate matters by creating multiple compliance requirements.
Virginia is poised to become the second state to enact a data privacy bill, while lawmakers in Washington state, New York, Oklahoma, and Utah are currently weighing proposals. Meanwhile, Californians voted to approve the California Privacy Rights Act (CPRA), a series of changes made to the existing California Consumer Privacy Act (CCPA).
This hodgepodge of domestic data privacy regulations should motivate organizations to get data privacy, security, and access governance strategies in place, ensure documentation, and prepare for both financial penalties and civil actions. If 2020 was any indication (GDPR fines rose by nearly 40%), companies are likely to see more frequent and more significant fines for non-compliance in 2021.
COVID raised the awareness of ERP data privacy as companies struggled last year to continue with normal business operations in a remote environment. These struggles forced many leaders to establish privacy and compliance frameworks and implement the technology to support them. However, this is just the beginning.
With 2020 being a record year for data breaches – along with an ever-growing list of data privacy regulations that carry monetary fines for non-compliance – the writing is on the wall. Organizations will not be able to call themselves victims if their decades of accumulated PII and business data get exploited or breached. The monetary consequences that come from these incidences can have catastrophic effects—both against your bottom line and reputation.
Contact Appsian to learn how we can help you align your legacy ERP applications with today’s data privacy and compliance demands. Effectively scale your efforts for future mandates.
"Learn how you can reduce risk with rapid threat protection, audit response and access control. All from a single, comprehensive platform"
Trusted by hundreds of leading brands