
3 Reasons Why You Need a Comprehensive SAP Role Audit Before a S/4HANA Migration

By Esha Panda • July 21, 2021

As SAP ECC customers prepare for their migration to S/4HANA, they are assessing the pros and cons of this transition in terms of cost, compliance, and data security. A critical step in an S/4HANA migration is a thorough SAP audit of the existing roles and authorizations, combined with optimizing license spend for the current users. Organizations need to consider three key factors during a complete SAP audit for better role management before an SAP S/4HANA migration.

SAP Role Audits Can Optimize Your License Spend

Many organizations still view their SAP licensing as a black box. They are ready to spend millions of dollars on SAP without understanding which licenses are being consumed or which licenses are required for each user. A common mistake many organizations make without realizing it is misclassifying users due to the lack of visibility into the usage of each employee.

A comprehensive role audit in SAP can help classify all users, accounts, and roles and eliminate those not in use. The following best practices help optimize license spend before the SAP S/4HANA migration:

Combine Users Between SAP Systems 

Often, a single license is enough to access multiple SAP applications. Consolidating the same user across multiple applications frees up licenses that can be allocated to other users—so the company is not paying twice for the same person.

Remove Inactive or Dormant Users

Certain users access the system only a few times a year, yet they are assigned Professional or Limited Professional License types. Since many corporations do not have visibility into the actual usage data for each role, account, or user, it is difficult to identify the inactive roles. By eliminating inactive and dormant users, organizations will be able to reallocate licenses to new users immediately, providing instant savings.

Classify All Users and Roles

Most SAP users utilize only a fraction of their allocated authorizations. Focusing on the actual usage of data based on the users’ roles ensures that companies will never be under or over licensed. In addition, by classifying all users, organizations can avoid the additional costs of Professional Licenses (used only by unclassified users).

SAP Role Audits Ensure Data Security Via Dynamic Access Controls

S/4HANA migration often opens up the “crown jewels” data to the security risks of the mobile world because the network firewall no longer protects it. You need to know what type of data is being exposed to your external users. That determines how you define the roles and how data is taken from the application and delivered to the users.

This requires applying protection to the user interface layer in terms of defining how you want the data to be viewed by different personas. Organizations conducting SAP audits need to enable dynamic access controls to gain visibility into:

  • Where is a user coming from?
  • What data are they trying to access?
  • What device are they using?
  • Is that device being used by the right person?
  • What data are they trying to extract onto their device?

Periodic reviews and audits of the roles ensure that only users holding the proper roles can view sensitive data that is otherwise encrypted or masked. For example, not every HR employee should have the role or access rights to view employees’ payroll data.

SAP Role Audits Are an Opportunity to Verify SoD Compliance

Organizations migrating to S/4HANA need to leverage SAP access controls or security monitoring solutions to perform periodic role and user analysis. The data collected during this audit can also help verify SoD compliance. Segregation of Duties conflicts, especially in financial and procurement transactions, are a significant reason for audit failures. Role audits could be used as an opportunity to collaborate with your organization’s compliance team to ensure that you’re securing your data and adhering to mandatory compliance requirements across your SAP ecosystem.

How Appsian’s ProfileTailor GRC Helps with SAP Role Audits

Migrating to S/4HANA remains a long and complicated process for organizations. The first big step is an exhaustive audit of the new and existing roles to facilitate effective role management in the SAP system. Role management offers access simulation capabilities, enabling administrators and role owners to perform a “what if” analysis at various stages of a role’s life cycle management and support compliant user provisioning. In addition, the system provides mechanisms for role design to reduce SoD conflicts and improve administration efficiency in SAP and other ERP and business applications. This usually includes a mechanism for transporting new or updated role definitions into appropriate application environments.

Appsian Security helps businesses with its ProfileTailor GRC Solution, ensuring cross-platform ERP data security, compliance, and SAP license optimization. It delivers unprecedented visibility of real-time authorization usage, helping companies optimize their spending before migrating to S/4HANA.

Want a secure and seamless transition to S/4HANA without spending a hefty sum on your licenses? Then, download our whitepaper, Critical Steps You Should Take Before Making the Move To S/4HANA, and reach out to schedule a demo with our SAP security experts.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Why Automation is Key to Resolving SoD Conflicts in SAP

By Shiv Sujir • July 16, 2021

Companies using SAP typically have some type of structured governance, risk, and compliance (GRC) strategy to manage their overall governance and enterprise risk management and meet compliance requirements. An essential component of any GRC strategy is detecting and resolving SAP segregation of duties (SoD) conflicts. 

SoD weighs heavily on financial management and reporting, especially for public companies or those receiving government funds. When unresolved SoD conflicts appear on audit reports, a company’s compliance with the Sarbanes-Oxley Act (SOX) and data privacy regulations like GDPR is negatively impacted.

Spreadsheets: The Traditional Approach to Managing Segregation of Duties 

For a long time, companies have relied on spreadsheets to track and maintain roles and authorizations granted to employees. While spreadsheets are great to get started on your compliance program, they can create several hurdles as your organization grows in size and complexity.  

  • Human Error: No matter how meticulous, humans are prone to making errors, especially when dealing with thousands of rows across multiple sheets and files. Every new change can trigger a cascade of changes which is hard to keep track of manually. 
  • Low Visibility: In most cases, it’s more than just one person working on the spreadsheet with no visibility into who is editing what and where. With multiple teams/members making changes, the probability of error also increases. 
  • Reporting Delays: Collating, validating, and analyzing data that is spread across various tabs and files requires a significant amount of man-hours. This results in reporting delays and after-the-fact detection of SoD conflicts. 
  • Lack of Audit Trails: Simply put, Excel sheets cannot maintain an audit trail. Even if you can track changes, getting into each version of the file to view changes is a long and laborious process.  
  • Limited Insights: Spreadsheets are static and do not have the ability to cross-reference data to provide actionable insights. Also, manually sifting through large volumes of data makes it difficult to detect behaviors that impact risk. 

The reasons mentioned above make it abundantly clear that the spreadsheet method of tracking and resolving SoD violations is slow, inefficient, and error-prone. With regulatory authorities imposing compliance mandates and hefty fines on companies that fail to meet audit requirements, there is an immediate need to update your approach to GRC with tools that are equipped for the job. 

Segregation of Duties Conflicts Are Not Static 

An increasing number of companies who use SAP are realizing that segregation of duties conflicts are a significant cause of audit failures. This is mainly because SAP authorizations are not static, and neither are SoD violations. As employee roles and duties change over time, it becomes difficult to keep track of authorizations and SoD rules that govern the limits of each role. For example, when a procurement team member who is authorized to approve new vendors retires, this role could be assigned to someone on the team who is authorized to issue purchase orders. This immediately creates a conflict of interest and results in an SoD violation.  

In large organizations, such violations happen regularly, and without the tools to detect and resolve them immediately, an audit failure is inevitable. To address this challenge, companies deploy simulation solutions that allow them to see if granting an authorization could cause an SoD conflict. However, these results are generally ignored since most simulation tools do not offer options to resolve the conflict. The reality is that holding up authorizations can directly impact the operational efficiency of the business, which usually wins over compliance requirements in the short term.  
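The vendor-approver scenario above, worked through as an added example (not Appsian or ProfileTailor code): a rule-based SoD check that scans the current user/role snapshot, runs a "what if" simulation before a role is granted, and, instead of only blocking, names the roles that would have to be dropped or a display-only substitute. The role names, business functions and ruleset are constructed stand-ins for SAP roles and authorization objects.

```python
"""SoD conflict detection with 'what if' simulation and resolution hints.

Added illustration, not Appsian or ProfileTailor code. Role names, business
functions and the ruleset are constructed stand-ins for SAP roles and
authorization objects.
"""

# Constructed ruleset: pairs of business functions one person must not hold
# together, with the reason an auditor wants to see on the report.
SOD_RULES = {
    frozenset({"APPROVE_VENDOR", "CREATE_PO"}): "vendor approval vs. purchasing",
    frozenset({"CREATE_PO", "POST_INVOICE"}): "purchasing vs. accounts payable",
    frozenset({"MAINTAIN_BANK_MASTER", "RUN_PAYROLL"}): "bank master data vs. payroll run",
}

# Constructed role -> business functions map.
ROLE_FUNCTIONS = {
    "Z_PROC_VENDOR_APPROVER": {"APPROVE_VENDOR", "DISPLAY_VENDOR"},
    "Z_PROC_VENDOR_DISPLAY": {"DISPLAY_VENDOR"},
    "Z_PROC_BUYER": {"CREATE_PO", "DISPLAY_VENDOR"},
    "Z_FI_AP_CLERK": {"POST_INVOICE"},
    "Z_FI_BANK_MASTER": {"MAINTAIN_BANK_MASTER"},
    "Z_HR_PAYROLL": {"RUN_PAYROLL"},
}

# Constructed user -> roles snapshot, as an audit extract would provide it.
USERS = {
    "alice": {"Z_PROC_VENDOR_APPROVER"},
    "bob": {"Z_PROC_BUYER"},
    "carol": {"Z_PROC_BUYER", "Z_FI_AP_CLERK"},      # pre-existing conflict
    "dave": {"Z_HR_PAYROLL", "Z_FI_BANK_MASTER"},    # pre-existing conflict
}


def functions_for(roles):
    """Union of business functions granted by a set of roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def find_conflicts(roles):
    """Sorted (function_a, function_b, reason) tuples for every rule that the
    combined functions of these roles violate."""
    funcs = functions_for(roles)
    hits = []
    for pair, reason in SOD_RULES.items():
        if pair <= funcs:
            a, b = sorted(pair)
            hits.append((a, b, reason))
    return sorted(hits)


def audit(user_roles):
    """Periodic scan: users that currently violate at least one rule."""
    report = {}
    for user, roles in user_roles.items():
        hits = find_conflicts(roles)
        if hits:
            report[user] = hits
    return report


def simulate_grant(current_roles, new_role):
    """'What if' check run before provisioning: the conflicts that granting
    new_role would introduce on top of what the user already has."""
    before = set(find_conflicts(current_roles))
    after = set(find_conflicts(set(current_roles) | {new_role}))
    return sorted(after - before)


def suggest_resolution(current_roles, new_role):
    """Go beyond yes/no: name the existing roles whose removal would clear the
    new conflicts, and existing roles that cover only the harmless part of the
    requested role (e.g. display-only instead of approve)."""
    new_conflicts = simulate_grant(current_roles, new_role)
    if not new_conflicts:
        return {"grant_as_is": True, "drop_roles": [], "substitute_roles": []}
    conflicting = {f for a, b, _ in new_conflicts for f in (a, b)}
    drop = sorted(r for r in current_roles
                  if ROLE_FUNCTIONS.get(r, set()) & conflicting)
    safe_funcs = ROLE_FUNCTIONS.get(new_role, set()) - conflicting
    subs = sorted(r for r, f in ROLE_FUNCTIONS.items()
                  if r != new_role and f and f <= safe_funcs)
    return {"grant_as_is": False, "drop_roles": drop, "substitute_roles": subs}


if __name__ == "__main__":
    print("current violations:", audit(USERS))
    # Alice (vendor approver) retires; the team wants to hand her role to Bob.
    print("new conflicts for bob:",
          simulate_grant(USERS["bob"], "Z_PROC_VENDOR_APPROVER"))
    print("options:", suggest_resolution(USERS["bob"], "Z_PROC_VENDOR_APPROVER"))
```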

Automation is the Key to Resolving SoD Conflicts 

To be able to proactively detect and prevent SoD violations, organizations need to go beyond simulation and invest in solutions that can constantly monitor SAP roles and authorizations. In fact, solutions that can go one step further and offer options for resolution will allow administrators to quickly take action without creating further conflicts. Appsian Security ProfileTailor GRC was designed keeping in mind the challenges faced by companies who struggle with meeting compliance due to SoD conflicts. With real-time automated monitoring capabilities, ProfileTailor GRC enables you to immediately detect and resolve SoD violations within a matter of minutes.  

Whether you have new employees needing authorizations, current employees changing positions or roles, or someone leaving the organization, ProfileTailor GRC will do the heavy lifting for you and provide you with an ongoing, fully automated, and integrated solution. 

Download our white paper Quickly Resolve Segregation of Duties Conflicts to learn how automation can help enable GRC in your organization. 

You’re Spending Too Much on Your SAP Licenses. Here’s Why!

By Shiv Sujir • July 13, 2021

There is no denying that SAP applications make it easy for large organizations in almost every industry to streamline their business processes. However, that ease doesn’t extend to SAP software license management, which, by all accounts, is considered one of the most complex compared to other ERP vendors. This complexity results in companies buying more licenses than they need or managing their existing SAP license types inefficiently, which significantly impacts the overall costs. Here’s why you end up spending more than you should on your SAP licenses (and a tool that can help you save some money).

Vague SAP License Descriptions

SAP license descriptions are not airtight, and it is mainly left to you, the customer, to decide the type and number of licenses you need. SAP licenses can be broadly categorized into three types.

  • Professional License: A named user with a Professional License can perform operational tasks and has administrative privileges that allow them to make changes to the system – usually assigned to employees who are heavy users.
  • Limited Professional License: This license is ideal for employees who need to perform operational roles supported by the SAP software. It is a step down from the Professional License and is also cheaper.
  • Employee License: With this license, users can perform tasks solely for their own use and not on behalf of anyone else. This license costs the least.

An SAP license is always associated with a user who is called a named user. The ‘name’ in this context is not an actual user name but a unique ID linked to a license. There can only be one license associated with a named user at any given time. However, a named user can have multiple user names to access different SAP systems. 

This makes it increasingly complicated to assign the appropriate license type. For example, a single user could be using an ERP system for updating inventory, a second ERP system for monthly invoice approvals, and a third one for downloading reports. Which license would be applicable in such a case? Now imagine figuring out license types for thousands of employees accessing multiple systems. 

Improper User Classification 

User classification is a crucial exercise for SAP software license management that directly impacts your license cost and the recurring annual support fee. Most SAP customers classify their users with one of three parameters:  

  • Amount of Activity: The amount of activity performed by the user can be one way to classify the user. SAP measures activity by ‘Dialogue Steps,’ which is the number of screens and keystrokes used.
  • Number of Different Activities: Users can also be classified based on the number of activities or the different applications they access on a regular basis.
  • Type of Activity or Activity Group: The type of activity can be used as a yardstick for license purchases. Under this classification, users are grouped together based on the type of usage. This requires customers to assess the type of activities a user needs to perform and create groups.

Though this classification process appears straightforward, several gray areas appear in practice. For example, when classifying users by their amount of activity, a user could be using the corporate phone directory in the SAP system 1,000 times, but that does not mean they need a Professional License. Or let’s say an employee is accessing multiple systems but only to generate reports. Under the second classification, this user would be eligible for a Limited Professional License, whereas an Employee License would most likely suffice since the user is only viewing and downloading data.

Classifying users as described above makes logical sense, but large organizations need to invest a significant amount of time and resources in applying these methods. Also, employee roles keep shifting, and usage may vary significantly over a given period. This makes classification difficult, and impossible to maintain manually without errors.

That’s why SAP customers rely on automated tools like Appsian Security ProfileTailor LicenseAuditor to identify users based on their activities and distribute SAP licenses types accordingly. SAP software license management and auditing tools also help achieve compliance and manage SAP usage.  

Knowledge Equals Savings

SAP licenses are a huge investment for any organization. Gaining a better understanding of your overall license status, usage, and spend not only helps you manage your current licenses but also allows you to negotiate a better deal. With SAP announcing the end of support for classic SAP applications like SAP ERP, SCM, SRM, CRM, and Business Suite by 2027, all customers will eventually have to migrate to SAP S/4HANA. By auditing your current SAP usage and forecasting future license requirements, you can ensure significant savings for your company as you go through with the migration.

Appsian Security ProfileTailor LicenseAuditor provides control over your SAP licensing by combining user inspection, user behavior analysis methods, and best practices. The solution enables you to utilize your licenses effectively by offering a clear view of licensing possibilities for optimized models and savings of 50%-90% per classified license.

To learn more about SAP software license management, read our complete guide 5 Simple Ways to Reduce Your SAP License Spending.  

Or contact us today for a ProfileTailor LicenseAuditor demonstration.

[Customer Story] Collin County, Texas, Uses Appsian’s MFA Solution to Improve PeopleSoft Security

By Esha Panda • June 25, 2021

Collin County, like all counties in Texas, is considered an extension of state government. Located just north of Dallas, Collin County (the County) provides various government services to its more than 1,000,000 residents. The County’s security team is responsible for enabling secure yet convenient access to appropriate information and services to their on-premise installation of PeopleSoft. Unfortunately, as is often the case with legacy, on-premise PeopleSoft installations, convenient access can lead to security gaps.

What Challenges Made Collin County Search for A PeopleSoft MFA Solution?

The security team at Collin County had identified gaps in their network that could let unknown parties reach bank account and routing numbers. These gaps left the network exposed to phishing attacks in which external attackers, using compromised employee credentials, could change the bank account numbers on the direct deposit page so that every payroll run deposited employee paychecks into offshore accounts. Collin County wanted to improve their PeopleSoft data security posture and reached out to Appsian Security for an MFA solution that could integrate seamlessly into their existing applications without additional servers or customizations.

Collin County Plugged Their Security Gaps with an Adaptive MFA Solution

Following a strategic decision by their Chief Information Security Officer to strengthen data security and protect their network from phishing attacks, the IT leaders at Collin County set out to upgrade and modernize their HCM applications with advanced features to improve data security and block external threats. Using the Appsian Security Platform (ASP), they deployed multi-factor authentication along with logging & analytics to achieve the desired results.  

Appsian’s adaptive MFA solution seamlessly integrated with Collin County’s HCM applications without causing additional friction for the users. The County deployed multi-factor authentication to challenge users to reconfirm identity at the page/component level and secured administrative access to PeopleSoft by requiring MFA from everywhere, including in-house. They also secured remote access for banking transactions and improved employees’ payroll data security by successfully detecting and blocking external threats. In addition to multi-factor authentication, Collin County was able to secure sensitive information and PII in nonproduction environments, such as dev, test, and train, by leveraging ASP’s data masking functionality.

End-to-End PeopleSoft Data Security and Compliance with the Appsian Security Platform

Appsian’s PeopleSoft customer base includes multiple state governments and local municipalities, like Collin County, looking for a single platform to strengthen Identity and Access Management, Data Security, and Compliance, including:

  • Native SAML/ADFS Compatibility And PeopleSoft MFA Integration – Integrating single sign-on and multi-factor authentication natively with PeopleSoft and your identity provider improves security and convenience. Integrated MFA also enables step-up authentication, so users can be forced to re-authenticate when accessing highly sensitive transactions.
  • Contextual Access Control For Greater Security – Reduce the attack surface with a dynamic rules engine that applies the contextual variables of a user’s access and defines privileges in real time. Implement least privilege to limit access to modules/transactions, dynamically mask sensitive data, enforce step-up MFA, and more.
  • Real-Time Analytics For Improved Response Times – Enhanced PeopleSoft logging capabilities capture all user activity at the field, page, and component levels and combine it with contextual user data. Real-time visualized dashboards allow you to quickly spot suspicious activity and drill down to root out issues.

Contact Appsian’s PeopleSoft experts today to learn how the Appsian Security Platform can help you establish an MFA solution and a strong ERP data security posture.

How SAP Customers Use Data Masking to Manage Global Business Risks

By Michael Cunningham • June 2, 2021

Here are two use cases that might sound familiar… 

While organizations spend millions combating external threats such as hacking, phishing, and ransomware, we at Appsian Security have found that most data security use cases are focused on data governance across the enterprise. Simply put, what can someone access depending on where they’re located, what business unit they belong to, or even what time of day it is? Ensuring SAP data security policies are followed without over-restricting access or hurting productivity is a serious juggling act. Sadly, most organizations get it wrong. Fortunately, the solution can come down to a concept as simple as data masking – what, when, and how?

I had the opportunity to learn about two specific use cases (from Appsian customers) and how they used dynamic data masking to protect sensitive data—all without adding bottlenecks or complexity to their organization.  

Transportation Company Use Case    

While many industries struggled through the COVID-19 pandemic, a transportation and rail company based in Canada thrived. This was due to being a critical delivery component for many supply chains. The company had to transform its office-based workers into a flex-work model (hybrid workforce) and hire additional employees for fieldwork. The hybrid workers needed to continue their day-to-day managerial tasks, which contained sensitive information that the company was not comfortable exposing outside its secure corporate office. Securing access to this data was further complicated by remote workers traveling from city to city and logging into the self-service SAP modules on mobile devices from wherever they had a Wi-Fi connection.  

The company turned to Appsian to enable a dynamic data masking solution by leveraging contextual access controls that determined which sensitive data fields and Tcodes employees could access based on attributes such as location, IP address, time, data sensitivity, and more.

International Consumer Packaged Goods Use Case    

Where one company was dealing with multiple employee/user locations, an international consumer packaged goods company was dealing with multiple office locations around the world, each with its own installation of SAP. The company needed the means to protect sensitive personal data (stored in 1 of 5 unique SAP systems) while abiding by each location’s unique PII protection requirement (GDPR, PIPA, LGPD, etc.).   

For this unique situation, the company needed a centralized data masking solution that could follow each location’s unique governance policies. All while being flexible enough to manage scenarios involving multiple locations and protecting sensitive data in production and non-production environments.   

For example, a US-based employee could access the SAP system in the South American office. Yet, the dynamic policy could mask certain pieces of information or Tcodes because of the user’s nationality. The user’s location is from a legitimate IP address, but their nationality forbids them from accessing certain personal or sensitive information due to international regulations or company policies—even if that user can access that information in their own instance of SAP.    

Protecting SAP Data with a Dynamic Data Masking Solution   

The key to a successful dynamic data masking solution is the use of contextual, attribute-based access control policies (ABAC). ABAC works in conjunction with existing role-based controls (RBAC). Without it, neither of these companies could have enabled data masking without extensive customization, resulting in an unscalable ad-hoc solution.

Appsian Security Platform’s (ASP) dynamic data masking capabilities provide fine-grained control over which sensitive data fields can be masked for any specified user in the context of any situation. For example, ASP allowed both companies to:   

  • Centralize data masking enforcement throughout ECC and S/4HANA with a single ruleset.   
  • Deploy dynamic policies that account for risk based on the context of access, such as location, IP address, time, data sensitivity, and more.   
  • Protect sensitive data in production and non-production environments.   
  • Align SAP data masking controls with existing governance (corporate) policies.     
  • Mask sensitive PII based on the data subjects’ residency (country/nationality).    
  • Mask data fields in transactions (Tcodes) that are unnecessary for a role.   

Contact the SAP experts at Appsian and see for yourself how ASP can improve SAP data security and reduce compliance risk with a fully dynamic data masking solution.   

Zero Trust is a Centerpiece of President Biden’s Latest Executive Order on Cybersecurity

By Scott Lavery • May 17, 2021

On May 12th, President Biden signed an Executive Order to help improve the nation’s cybersecurity posture and strengthen Federal networks. This order was preceded by several high-profile attacks like SolarWinds and most recently, the Colonial Pipeline – both of which highlighted key deficiencies in the federal government’s ability to detect, respond, and ultimately communicate about cybersecurity threats.

One of the main points was the need to modernize and implement stronger cybersecurity standards. Highlighted specifically was the need to implement zero trust security models and use multifactor authentication (MFA):

The Executive Order helps move the Federal government to secure cloud services and a zero trust architecture and mandates deployment of multifactor authentication and encryption with a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.

What is Zero Trust?

In short, Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters, and instead must verify anything and everything trying to connect to their systems before granting access. Zero Trust is a topic we at Appsian have written about many times, including here.

What is Zero Trust in Practice?

Applications that rely on role-based access controls make enforcing Zero Trust very complicated, simply because role-based access controls use a static rule set to govern access, and those access privileges do not change dynamically with the varying contexts of access. Whether a user is accessing from an unknown network, device, or location, or outside business hours, their “originally granted” access privileges remain intact. This is the foundation of risk that Zero Trust is meant to mitigate.

In practice, Zero Trust would require the use of context-aware controls for authentication. Controls that are able to identify contextual variables and apply an additional authentication step prior to granting access to an application or data within the application. So, even if a user’s role-based control said they were allowed to view something, an additional authentication step would be required if any of the contextual variables were indicative of risk. The user is never trusted by default – they must re-authenticate if necessary.
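One way to layer contextual rules over a static role grant, as an added example (not Appsian Security Platform code) that serves both the residency and remote-access scenarios in the data masking post above and the context-aware re-authentication described here: RBAC decides whether the transaction may be called at all, then constructed attribute rules decide which fields are masked and whether a step-up authentication is required. Transaction codes, field names, system names, networks and the rules themselves are assumptions made for the example.

```python
"""Contextual (ABAC) rules layered over a static role grant (RBAC).

Added illustration, not Appsian Security Platform code: transaction codes,
field names, systems, networks and rules are constructed stand-ins.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessContext:
    user: str
    roles: frozenset
    nationality: str      # employee's country code
    source_ip: str
    hour: int             # local hour, 0-23
    device_managed: bool  # corporate-managed device?
    tcode: str            # transaction being called
    target_system: str    # SAP instance that holds the data


# RBAC layer (constructed): role -> transactions it grants.
ROLE_TCODES = {"HR_ADMIN": {"Z_EMP_MASTER", "Z_PAYROLL_VIEW"},
               "HR_ASSISTANT": {"Z_EMP_MASTER"}}
# Field sensitivity per transaction (constructed).
TCODE_FIELDS = {
    "Z_EMP_MASTER": {"name": "public", "national_id": "pii",
                     "address": "pii", "bank_account": "financial"},
    "Z_PAYROLL_VIEW": {"name": "public", "salary": "financial",
                       "bank_account": "financial"},
}
# Each instance holds PII of one country's data subjects (constructed).
SYSTEM_COUNTRY = {"SAP_US": "US", "SAP_BR": "BR", "SAP_DE": "DE"}
CORPORATE_NETS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 19)


@dataclass
class Decision:
    allow: bool
    reason: str
    step_up_mfa: bool = False
    masked_fields: set = field(default_factory=set)


def evaluate(ctx: AccessContext) -> Decision:
    """RBAC decides whether the transaction may be called at all; the
    contextual rules then decide how much is shown and whether the user
    must re-authenticate before the page renders."""
    granted = set()
    for role in ctx.roles:
        granted |= ROLE_TCODES.get(role, set())
    if ctx.tcode not in granted:
        return Decision(False, "no role grants this transaction")
    fields = TCODE_FIELDS.get(ctx.tcode, {})
    on_net = any(ip_address(ctx.source_ip) in n for n in CORPORATE_NETS)
    decision = Decision(True, "role grant honoured, contextual rules applied")
    # Zero Trust rule: a role grant alone is never enough when the context is
    # risky (off-network, unmanaged device, outside hours): require step-up MFA.
    if not on_net or not ctx.device_managed or ctx.hour not in BUSINESS_HOURS:
        decision.step_up_mfa = True
    # Residency rule: PII held in another country's instance is masked even
    # from a legitimate corporate IP, because of the user's nationality.
    if SYSTEM_COUNTRY.get(ctx.target_system) != ctx.nationality:
        decision.masked_fields |= {f for f, k in fields.items() if k == "pii"}
    # Remote-access rule: financial fields are masked off-network or on
    # unmanaged devices, whatever the role says.
    if not on_net or not ctx.device_managed:
        decision.masked_fields |= {f for f, k in fields.items() if k == "financial"}
    return decision


def mask_value(value: str, kind: str) -> str:
    """Financial identifiers keep the last four characters so the record is
    still recognisable; other PII is fully masked."""
    if kind == "financial" and len(value) > 4:
        return "*" * (len(value) - 4) + value[-4:]
    return "***"


def render(ctx: AccessContext, record: dict):
    """Apply the decision to one record; None when RBAC denies the call."""
    decision = evaluate(ctx)
    if not decision.allow:
        return None
    fields = TCODE_FIELDS.get(ctx.tcode, {})
    return {name: (mask_value(str(value), fields[name])
                   if name in decision.masked_fields else value)
            for name, value in record.items() if name in fields}


if __name__ == "__main__":
    # US HR admin on the office network reading the Brazilian instance.
    ctx = AccessContext("jdoe", frozenset({"HR_ADMIN"}), "US",
                        "10.1.2.3", 10, True, "Z_EMP_MASTER", "SAP_BR")
    print(evaluate(ctx))
    print(render(ctx, {"name": "Ana Souza", "national_id": "123-45-6789",
                       "address": "Rua 1", "bank_account": "ACCT-0001-2345-6789"}))
```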

How Does Zero Trust Relate to ERP?

ERP applications like PeopleSoft, SAP ECC, and Oracle EBS were designed years (decades) before Zero Trust was recommended. This means the native architecture does not allow for the seamless integration of multifactor authentication solutions that can A) be integrated at the field/transaction levels of workflows or B) deploy MFA dynamically with each unique context of access. In essence, traditional ERP applications create a significant challenge for Zero Trust.

Appsian Enables Zero Trust in ERP

Requiring dynamic MFA that is integrated inside ERP applications is one of the most common use cases our security platform solves. For over 10 years, Appsian has been working to develop native integrations between Oracle and SAP ERP applications and some of the top MFA providers in the market including Duo, Bio-Key, RSA, Symantec, SecureAuth, and more.

For a demonstration, please reach out to us today! Appsian can help you remain aligned with information security best practices across your ecosystem.

[Podcast] PeopleSoft Access Security

By Michael Cunningham • May 12, 2021

Appsian’s Executive Director for Security Solutions, Greg Wendt, appears in the latest episode of IAM Pulse, a podcast from BIO-key International that discusses all things identity access management.

In this episode, Greg joins host Kimberly Johnson, BIO-key’s VP of Product Marketing, and Greg Browinski, Principal Software Developer at BIO-key International, to talk about making sure PeopleSoft is not isolated from your IAM strategy but instead seamlessly integrated into it.

Listen to the full episode here:

Episode Summary:

Most organizations are running hundreds, if not thousands, of applications, with some running the critical operations of the business. This is the case with Oracle PeopleSoft, which runs inventory, financial services, and campus solutions for universities, colleges, and other institutions. However, securing this application can be complicated and can break the mold of a company’s IAM strategy. Greg Wendt, Appsian’s Executive Director for Security Solutions, joins the podcast to discuss how to involve PeopleSoft in an IAM strategy.

Uniting Appsian & Xpandion (GRC): Thoughts from Xpandion CEO, Moshe Panzer

By Michael Cunningham • May 5, 2021

Taken from Moshe Panzer’s May 4th blog post on xpandion.com:

For 14 years, Xpandion has been on a mission: to help organizations create better alignment between user permissions, authorizations, and security best practices. Xpandion’s innovation originated from our deep roots in SAP and developed alongside the market’s enterprise business processes that steadily increased in complexity. This challenge ushered in the creation of ProfileTailor Dynamics, a platform that combines authorization management and segregation of duties (SoD). The goal was to simplify GRC.

Further product development would focus on the entire authorization workflow – from authorization request to provisioning/de-provisioning to authorization monitoring – as it became clear that our customers were also challenged with bottlenecks in the authorization process. Our customers embraced this holistic solution but quickly requested the same functionality be cross-application (e.g., Microsoft Dynamics, Oracle EBS, Active Directory, SalesForce).

In addition, we developed tools designed to further streamline and optimize the authorization process: Role Advisor, Conflict Resolver, Role Remover, and Role Splitter. All designed to reduce the authorization workflow process from months to minutes.

The ERP Market’s Evolving Security & Compliance (GRC) Requirements

While we are proud of what we’ve accomplished, we couldn’t help but realize that the ERP community faced security and compliance challenges we could not solve. Primarily, the limitations of native identity governance, access control, and business process controls, which became a requirement once access beyond the firewall became commonplace. In short, remote access demands created risks that the ERP community was simply not prepared for.

Joining Forces with Appsian

With this in mind, we are excited to be joining forces with the global leader of ERP data security, Appsian. Like Xpandion, Appsian is a best-of-breed technology and firmly rooted in ERP. The Appsian Security Platform enables organizations to tightly integrate their identity and access management solutions, employ attribute-based access controls, expand their use of data masking, and provide critical security analytics around ERP data access and usage. In essence, Appsian is an extremely comprehensive ERP data security solution, and their technology is unmatched in the market.

By joining the Appsian family, Xpandion will provide the holistic GRC technology currently missing from the Appsian platform.

The future is bright, and we’re thrilled for what is to come!

For more information about Xpandion, visit www.xpandion.com


Are ERP Security and Compliance Risks Interfering with Your Digital Transformation?

By Michael Cunningham • April 7, 2021

Implementing enterprise resource planning (ERP) systems has always been both mission-critical and notoriously difficult. They must align with business processes, but the organization distributes those processes across multiple departments. Legacy ERP systems, often considered a large one-time investment, lack the flexibility necessary to scale with your business. As your organization began its digital transformation journey, cloud-based ERP seemed to be a solution to many of these problems. However, every benefit comes with a cost. Modernizing legacy ERP systems for security and compliance creates new challenges, particularly with distributed workforces.

Why is Modernizing ERP a Mission-Critical Business Goal?

Whether you wanted to modernize your ERP or not, you likely found yourself rapidly adapting to remote access requirements in 2020. In response to COVID-driven stay-at-home orders, companies needed to accelerate their digital transformation strategies. This move included ERP systems.

However, as you look toward a post-pandemic business model, you might be considering maintaining a hybrid workforce. Thus, modernizing your ERP is a mission-critical business goal for several reasons, including:

  • Ability to access from anywhere
  • Built-in Customer Relationship Management (CRM)
  • Lower capital expenditures with subscription models
  • Reduced total cost of ownership

According to HubSpot’s 2020 ERP Report, 34% of respondents said they were moving away from legacy systems, and 86% selected SaaS deployment models. However, that same report noted that 27% of respondents remaining on-premises cited security breach risk as their reason.

ERP Security and Privacy Controls are Notoriously Difficult to Implement

When undergoing digital transformation, organizations often struggle to secure their ERP systems. Most companies need to take a hybrid approach that connects their legacy on-premise deployment to their new SaaS applications.

Organizations struggle to prioritize and mitigate risks for several reasons. However, three fundamental challenges exist:

  • Data storage arrangements: Inability to control infrastructure increases data leakage and corporate espionage risks
  • Authentication: Continued brute force attacks and credential theft increase data security and privacy risks
  • Access controls: Complex identity and access relationships reduce the ability to control who accesses resources

Traditional on-premise ERP deployments used role-based access controls (RBAC) with static permissions lists. However, the inherently static nature means that these alone fail to protect data, particularly in remote or hybrid work environments.

For example, PeopleSoft’s security model assigns roles to user profiles. The user profile defines the data that the person can use. The permissions list is the set of pages the user can access and actions the user can take.

These controls protect data across on-premises deployments where the applications and users sit inside the organization’s network. Since remote access to on-premise ERP is dynamic, these legacy controls increase security and privacy risks when implemented for modernized ERP projects.

5 Strategies for Setting Security and Privacy Controls for a Hybrid ERP Deployment

Companies adopt digital transformation to leverage speed and agility, enabling them to scale operations. At the same time, they still need to maintain their on-premise systems. To protect information, organizations need dynamic and scalable access controls that align with their systems and business goals.

1. Identify Assets and Assess Risk

For effective access controls, the first step is to identify all data that you store, process, and transmit. Second, you need to assess the data’s criticality and risk level. Finally, you need to identify the users who access information and assess the risk they pose to the organization.

As part of this, you should consider:

  • Standard users
  • Privileged users
  • Users’ payment processing authority level
  • Financial information
  • Personally identifiable information
  • Sensitive corporate information

Once you assess user and data risk, you can create a plan that helps you migrate the information securely. When setting controls, you should limit access according to the principle of least privilege and create fine-grained access privileges.

2. Normalize Data Access Across Integrated Applications

With SaaS applications, organizations no longer need to commit to a single platform. They can pick and choose the applications that best meet their needs, which can mean integrating multiple vendors.

As you build out your application stack, you need to maintain appropriate access controls. This can be difficult when vendors define access rights differently. Many organizations worry that normalizing access data requires an expensive, labor-intensive overhaul of their Identity and Access Management programs.

However, if you focus on visibility instead of connectivity, you can leverage automated tools that help you see into user access. Tracking user access in a single location, despite disparate access definitions, enables you to protect data security and privacy even across different application vendors like SAP and PeopleSoft.

3. Use Context

A primary benefit of hybrid on-premise and cloud ERP systems is the ability for people to work wherever they want. However, that same flexibility drives many of the security and privacy risks companies face.

Adding context to your access permissions is another way to secure data. After setting your role-based controls, you should consider adding context such as time of day, geographic location, and IP address. With these attribute-based access controls (ABAC), you can more granularly define how users interact with data, making it easier to detect anomalies.

4. Enable Step-Up Multi-factor Authentication

ABAC also enables you to use step-up multi-factor authentication (MFA). Step-up authentication is a process where users need to re-authenticate into an ERP application when they attempt a privileged function or transaction. ABAC enables you to trigger step-up MFA when your system detects an abnormal attribute, often one associated with credential theft.

For example, one of your users always logs in from California, USA. If the user tries to access the ERP’s payment module from Ontario, Canada, the system will notice that this is an outlier, an abnormal attribute for this user. The system can require re-authentication, additional proof that the person is who they say they are. If this is a cybercriminal leveraging stolen credentials, then the step-up authentication acts as an additional security and privacy control, preventing unauthorized access.

5. Continuously Monitor Behavior Around Data Access and Usage

Modernizing your ERP security and privacy controls also includes continuously monitoring for anomalous and suspicious activity. Gaining a granular view into data access and use is a way to proactively mitigate risks that can arise in a remote workforce accessing ERP solutions.

Continuously monitoring access can help you gain insight into employee productivity, cybersecurity risks, and insider fraud. Tracking when and how employees use data gives you a way to set baselines for “normal” activity—any deviations from this warrant further investigation.

For example, a user consistently accesses your ERP between 8 am and 5 pm from a location in the United States. If the user suddenly accesses the system at 2 am, the anomalous activity could indicate fraud. Even if you’re using step-up MFA to prevent that activity, you still need to investigate the event. While it may be someone with insomnia, it can also be an employee trying to steal information or money.
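Strategies 3 to 5 above describe one decision flow: compare each access against a per-user baseline of context attributes, step up MFA when an attribute is abnormal or the function is privileged, and still queue the anomaly for investigation. The following Python is an added illustration of that flow written for this page, not Appsian’s or Oracle’s code; the user, baseline, country codes and IP ranges are constructed sample data, and the baseline is hard-coded rather than learned from history.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class Baseline:           # what "normal" looks like for one user
    countries: set        # country codes previously seen for this user
    work_hours: tuple     # (start_hour, end_hour), 24h clock, local time
    networks: list = field(default_factory=list)  # known CIDR ranges, may be empty

@dataclass
class Access:             # one ERP access event as a monitoring pipeline sees it
    user: str
    country: str
    ip: str
    when: datetime
    module: str
    privileged: bool = False   # e.g. a payment run or vendor bank-detail change

def abnormal_attributes(evt, base):
    """Names of the ABAC attributes that deviate from the user's baseline."""
    reasons = []
    if evt.country not in base.countries:
        reasons.append("country")
    start, end = base.work_hours
    if not start <= evt.when.hour < end:
        reasons.append("time")
    if base.networks and not any(ip_address(evt.ip) in ip_network(n) for n in base.networks):
        reasons.append("ip")
    return reasons

def decide(evt, baselines):
    """Step-up MFA on any abnormal attribute or privileged function; an abnormal
    attribute is queued for investigation even if the user then passes MFA."""
    base = baselines.get(evt.user)
    if base is None:      # no history to compare against: challenge and review
        return {"decision": "step_up", "reasons": ["no_baseline"], "alert": True}
    reasons = abnormal_attributes(evt, base)
    decision = "step_up" if reasons or evt.privileged else "allow"
    return {"decision": decision, "reasons": reasons, "alert": bool(reasons)}

# Constructed sample data (documentation IP ranges, fictional user), not real logs.
BASELINES = {"alice": Baseline({"US"}, (8, 17), ["203.0.113.0/24"])}
SAMPLE = [
    Access("alice", "US", "203.0.113.10", datetime(2021, 4, 7, 10, 15), "inventory"),
    Access("alice", "CA", "198.51.100.7", datetime(2021, 4, 7, 10, 30), "payments", True),
    Access("alice", "US", "203.0.113.22", datetime(2021, 4, 8, 2, 5), "financials"),
]
DECISIONS = [decide(e, BASELINES) for e in SAMPLE]
```

The second event reproduces the Ontario payment-module case from strategy 4 (two abnormal attributes, step-up required, alert raised) and the third the 2 am login from strategy 5, which is challenged and flagged for review even though its country and network are normal.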

Appsian Enables ERP Security and Compliance for Your Digital Transformation

Modernizing your legacy ERP application doesn’t mean you have to sacrifice granular control and visibility; you can enforce data security, privacy, and compliance policies with the same granularity a cloud application offers. Taking a proactive approach to ERP security and data privacy during your company’s digital transformation can mitigate risks before they turn into realities.

Appsian has been enhancing on-premise ERP environments for more than ten years, and we’d love the opportunity to learn more about your digital transformation project so we can help you manage your ERP data security and compliance needs. Contact us today.
