
Protecting Remote Users From the Latest Barrage of Social Engineering Attacks

By Piyush Pandey • March 30, 2020

The rapid acceleration from on-location to remote workforce as part of the Coronavirus Pandemic response opened the door to malicious actors accelerating their phishing and social engineering attacks. Cybercriminals prey on user anxiety by embedding malicious files in COVID-19 themed emails. Remote work layered with user anxiety increases credential theft attack success rates, leaving organizations’ mission-critical applications and data at risk.

Start with Identity and Zero Trust

For years, security professionals have said that the perimeter is shifting away from traditional controls like firewalls and toward enforcing user access. The Coronavirus shift toward a fully remote workforce for many organizations heightens the urgency of maintaining access governance controls that protect information.

Many organizations moved from partial remote workforce to fully remote workforce in the span of a week, or in some cases nearly overnight. This means more devices accessing an organization’s systems and software, but many without the required firewall protections or forced security patch updates done on-premises. Any one of those devices, if compromised by malware, can lead to a system-wide attack.

To rapidly accelerate security, organizations need to find a way to move towards a Zero Trust model, one that never trusts and always verifies. This means knowing all the devices, users, applications, and data across the organization, then working towards creating the appropriate controls for each of those categories.

For organizations that have a matured cybersecurity posture, identifying people, hardware, and data may be faster since that information is already contained within risk assessments. To accelerate a Zero Trust strategy, organizations can leverage current identity and access controls and add context such as location, time of day, and application to limit user activity. By doing this, organizations can limit the impact of malware installed as part of a social engineering attack.

Embrace Adaptive Multi-Factor Authentication (MFA)

After setting contextual controls, organizations using adaptive MFA can apply those controls to modules within applications. MFA acts as the key that unlocks access to applications, but even within that access, organizations need to provide additional layers of access protection.

Organizations can use context, such as time of day or location, to trigger inter-application MFA. For example, if a user is trying to access a payroll module within an application from an anomalous location, adaptive MFA uses that context and requires the user to provide additional authentication information to prove their identity. By forcing this additional authentication, the adaptive MFA ensures that the user is who they say they are, rather than implicitly trusting the user.

This additional level of access security prevents malicious actors from leveraging stolen credentials throughout the organization’s Software-as-a-Service (SaaS) application. Cybercriminals may be able to gain entrance to the application itself, but the additional layer of security around sensitive data and applications that comes from using adaptive MFA means that the organization is adding another “gate” that needs to be unlocked, thus protecting the information by restricting abnormal access.

Incorporate Data Masking

Organizations often assume that encryption acts as an unfailing security technology. An incorrect implementation, or an attacker who can break the algorithm, puts the data at risk.

Incorporating data masking by applying contextual controls to what information is visible to a user acts as another layer of defense against stolen credential use. For example, assume a remote worker lives on the west coast of the United States. Incorporating geolocation as part of the user’s access and data visibility would give the user access and visibility into sensitive information as long as the person is in that geographic location. Applying data masking based on geographic location protects sensitive data even if a cyber attacker gains entrance to an application by making the sensitive data “invisible” to them. If a cybercriminal on the east coast of the United States gains entrance to the application with stolen credentials, then the cybercriminal would have access but not visibility to the information.

Many organizations may consider data masking a way to “protect from over-the-shoulder” risk when users are in public locations. However, even with the workforce nearly fully remote as a social distancing strategy, data masking can provide a much-needed additional level of defense.

Appsian Provides Defense in Depth at the Identity Perimeter

As organizations look to protect data from social engineering attacks, they need solutions that help protect the Identity perimeter. Adding additional layers of security at the network level may no longer work as more companies turn to remote work either as a preventative Coronavirus measure or in the longer term, to cut costs. 

Appsian’s suite of solutions enables organizations to accelerate their identity and access defense in depth strategies and secure their mission-critical ERP applications. Appsian delivers the control and visibility that traditional ERP applications like PeopleSoft and SAP (ECC or S4) inherently lack. With our Security Platform, organizations can create contextual access policies and fine-grained data security controls then monitor user access as a way to detect potential credential theft. 

For more information about how Appsian can increase security at your identity perimeter, contact us today or schedule a demo

This article was originally published at TechSpective.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Remote Access: You Can’t Fight the Trend

By Scott Lavery • March 24, 2020

In September of 2001, I was conducting a comprehensive security audit of a major health care insurer. They were dealing with the early days of the HIPAA regulations and needed to assess data and application controls in their environments.

Then 9/11 happened. All air travel was suspended and major city centers such as NYC, Chicago, and Los Angeles removed all but essential personnel from many corporate offices.

The health care insurer, as well as many other organizations, decided to employ a rapidly evolving set of technologies around Virtual Private Networks (VPN), such as Citrix Remote Desktop, to support employees working from home. They had to focus on protecting the network perimeter because most of their applications were not designed with exposure to the outside world in mind.

We called it the “tootsie pop” defense. A hard candy shell (well, at the time anyway) represented by the network perimeter controls and the soft, chewy center were the applications and data storage platforms inside.

It was all they had available, and it worked to varying degrees. VPN technology was new and had yet to be as explored and exploited as it can be today.

Eventually, those remote workforce controls were relaxed, and employees started going back into the office. In fact, it was in the early to mid-2000s when companies like Yahoo and Microsoft began to require employees to be onsite. This was primarily a productivity initiative, but, as VPN use was reduced, it did serve to insulate many of those sensitive applications again.

Flash forward to today.

There are many factors driving the need to increase support of remote access. In our world, mobility is king. If I can watch movies or play games on my phone, why can’t I do my job from the same device? Another key factor is this new normal of social distancing and isolation in the face of the current medical environment.

Companies are sending everyone home. But they still have to maintain some semblance of business continuity.

So, are we better prepared to meet these remote access challenges than we were in 2001?

Absolutely.

Network protections are still a part of the solution. VPN platforms and their associated support for complex encryption can provide that relatively hard candy shell around the organization’s infrastructure.

However, today, in the mobile world we live in, identity is the new perimeter. Requiring users to authenticate at the network can be a costly and maintenance-intensive approach. Especially for organizations that support large and/or external user bases such as students or partners.

The ideal is to provide direct access to the applications they need. But, that’s not a very good idea if we maintain an application infrastructure that is truly a chewy center.

The great thing is that application security controls have evolved since 2001. Controls such as dynamic data masking, targeted multi-factor authentication, and selective access based on use cases such as role, location of access, etc. have allowed us to harden up that chewy center. Another key evolution is in the area of access logging.

The trend towards remote access will only evolve as we recover from the current crisis. I believe organizations will focus on establishing the necessary network and application-level controls to create a “jolly rancher” defense versus “tootsie pop.”

I’m dating myself, so substitute “jolly rancher” with your favorite hard candy.


Five Tips to Make You a Work-From-Home Pro

By Chris Heller • March 20, 2020

The streets are empty, offices are closed, and your favorite bar around the corner is shut down until… well, we don’t know when. COVID-19 has taken us all by surprise and companies are implementing work-from-home policies at a rapid pace. 

Working from home can, at times, feel like a prison. If you’re one of the lucky ones, you have video conferencing and it isn’t overloaded (just yet). Some of us are used to working from home or were already remote before the pandemic – others are working from home for the first time and have never experienced this lack of social interaction before.

Here are a few work-from-home tips to consider: 

1) Stick to your schedule. 

It’s tempting when you first start working from home to sleep-in late. Don’t! Stick to your normal routine. If you normally go into the office from 9 am to 5 pm, be at your computer/iPad/phone/whatever from 9 am to 5 pm. Your body gets used to these habits and it’s important to still have some boundaries between your work life and home life.

2) Create a workspace. 

It feels like I’ve heard every sort of work-from-home space idea there is. Working from the bathtub has to be the most interesting, and equally the most concerning. The same way that our minds get used to a work schedule, we get used to a workspace. If we do work in our bed, our minds may struggle to leave work at “work” when we’re trying to sleep. If we do work on our couch, distractions like turning the TV on for a minute or resting your eyes can become consistent habits. Clear space on your kitchen table or make a standing desk out of your counter, anything to create a secondary location that you can use just for work.

3) Communicate with your team (well). 

If you’ve never worked from home, you likely had the ability to walk down the hall or simply turn your head to ask a question. I saw the message “I wonder how many meetings become emails now” all over social media last week. Utilize all of your tools, not just email. If your company has Microsoft Teams/Slack for messaging, use it to stay in touch and send your updates. If you have video conferencing, have your meeting with the cameras on just to have that in-person feeling. 

For those that work from home, it’s important to communicate not only with your coworkers, but your boss as well. Let them know what you’re working on and how you’re utilizing your time. If your boss has never worked from home either, they may be concerned that your work could suffer. Keep them informed with how your progress is and what you need from them, just like you should be doing in your office. 

4) Take care of your appearance. 

Growing up I played hockey and every gameday we would dress up and say “look good, feel good, play good.” We didn’t always win, but there’s something about feeling your best that puts you in the right frame of mind. I don’t mean to say you should dress in a suit to work from your home office, but at least come presentable to your “office.” If you’re doing a video call, opening your email, or just sitting at your desk you want to set yourself up for success. Prepare for your day just like you would any other day. 

5) Take breaks. 

When you work in an office, breaks are built into your day whether we know it or not. My good/bad habit when working from home is that when I sit down at my desk, I don’t get up for hours at a time. I’m glued to my screen with no distractions. At work, you get up to grab a drink and have a conversation with your deskmate on the way. Maybe you’re in a “cool office” and your office plays a game of ping pong once a day. Whatever your “break” is in the office, you need one when working from your home office too.

Try walking to get your mail, go outside for five minutes and just breathe in the fresh air, or really anything else that gets you up from your chair (or if you’re lucky, away from your standing desk). It doesn’t have to (and shouldn’t) be long, but make sure you still are moving some.

Hopefully these 5 tips help you become a work-from-home pro during this COVID-19 pandemic. Stay safe and be sure to keep checking the CDC’s guidelines, found here.



Remote Access to PeopleSoft a Requirement? Here Are (3) Success Stories to Consider

By Scott Lavery • March 18, 2020

With the workforce disruption caused by Coronavirus (COVID-19), enabling remote access to ERP applications like Oracle PeopleSoft has become a business requirement. As a result, organizations that fear disruptions to business continuity are rushing to scope additional security solutions. Many are turning to the early adopters of remote PeopleSoft access to better understand the gaps in PeopleSoft’s security model, the implications of exposure to the internet, and the mitigation steps required to maintain security.

Hackensack Meridian Health (HMH) identified authentication vulnerabilities in PeopleSoft’s username and password security model:

This resulted in the scoping of a Single Sign-On and Multi-Factor Authentication (MFA) project. Both solutions required a Security Assertion Markup Language (SAML) integration with HMH’s identity provider, Duo Security. The project enabled hospital staff to quickly access business-critical functions, including medical supply ordering, scheduling, and billing. All of this had a positive impact on HMH’s ability to take care of their patients. The project resulted in HMH winning Oracle Innovator Awards in 2018 and 2019.

Cornell University wanted to enhance the logging capability for PeopleSoft Campus Solutions:

Their goal was to record user activity during various transactions to improve security and incident response. Cornell University proceeded to scope solutions that would enhance visibility without hindering system performance. Once a third-party logging solution was installed, Cornell University was able to allow access to remote students, employees, and staff while maintaining granular visibility. This proved critical when subsequent security incidents required rapid investigation.

The State of North Dakota identified the need to enable remote access to employees state-wide:

IT leaders sought to equip PeopleSoft Human Capital Management (HCM) and Financials with advanced features to dynamically limit data exposure and increase visibility of user activity. After deploying a third-party solution for dynamic data masking and location-based security, the State of North Dakota was able to accurately align the risk level of user access with the exposure of sensitive data, providing a clear path to enable secure remote access for users.

With COVID-19 creating a myriad of questions and concerns for business leaders, PeopleSoft customers are encouraged to approach remote access projects carefully.

Let us know if we can help enable your journey. Contact us today!


Maintaining Business Continuity During Coronavirus (COVID-19): Securing Critical ERP Functions For Remote Access

By Piyush Pandey • March 16, 2020

As organizations prepare to protect their workforce from Coronavirus (COVID-19), they need to balance best health practices with best security practices. More companies are establishing remote work policies to create a social distance that decreases the spread of the virus. While this acts as a deterrent for further infection, remote work inherently increases the data security and privacy problems organizations already face. This is mostly due to the increasing attack surface that comes with remote access to critical business applications. Organizations are responding to this new threat by scoping strategies to limit access, create timebound access policies, and establish data visibility controls. If an organization can create a “remote workday” that allows them to secure remote access during the Coronavirus outbreak, then this increased attack surface should be mitigated. But is that nearly enough? 

How Organizations are Responding to CDC, OSHA, and HHS Coronavirus Guidance 

The Centers for Disease Control (CDC) issued Coronavirus Interim Guidance for Businesses and Employers in March 2020, while the Occupational Safety and Health Administration (OSHA) and the Department of Health and Human Services (HHS) issued joint guidance of their own. At their core, both sets of guidance recommend social distancing as a basic infection prevention measure.

Social distancing, or separating people to limit the spread of infection, led many organizations to implement more flexible remote work strategies. OSHA/HHS specifically suggested:

Employers should explore whether they can establish policies and practices, such as flexible worksites (e.g., telecommuting) and flexible work hours (e.g., staggered shifts), to increase the physical distance among employees and between employees and others.  

While this strategy decreases the spread of Coronavirus, it leaves IT and security teams in an unenviable position. Taking applications away from corporate networks/firewalls and exposing them to the internet can lead to many concerns – most of which surround the secure authentication of users. 

Prompting a Move Towards a Zero Trust Model 

Zero Trust acts as a best-practice model when securing user authentication to critical systems. It means treating all users, both internal and external, as potential malicious actors, and not granting high-privilege access to anyone by default. While you may trust your employees, you also need to recognize the risk of credential theft (e.g., phishing) that a remote workforce creates.

For instance, someone working from home may have a home wireless connection that lacks encryption or other security protocols. While a VPN can provide some confidence, not all users may have the VPN on a home laptop or other personal device. After all, the fundamental risk created by remote access comes from personal devices accessing sensitive data. 

Using an adaptive multi-factor authentication (MFA) solution can help control access to sensitive information. For example, organizations using PeopleSoft can use an adaptive MFA solution that takes into account the context of access like location, device, or time of day. This solution becomes more effective when integrated at page, component, and field levels of particularly sensitive transactions and as users move between applications. With contextual controls as part of your remote workforce policy, you gain greater control over access to sensitive information such as payroll data, vendor payment data, or corporate financial information. A secondary benefit is a decrease in user friction, as remote users are only challenged when the context of their access deems it necessary. 

Simulate a “Workday” with Time-bound Controls 

Although organizations normally consider timebound controls part of their emergency access and firefighter access or joiner, mover, and leaver processes, they can also help simulate “workday” appropriate access for a remote workforce.  

As more remote users work from home, organizations should establish timebound access controls that limit access outside of a given “flexible workday.” For example, if your current flexible schedule allows employees to arrive at the office as early as 7 AM and leave as late as 7 PM, then you can establish timebound organizational access based on application criticality to simulate this.  

By disabling access between 7:01 PM and 6:59 AM, you limit the risks associated with credential theft and internal privilege misuse. Limiting access to certain times of the day means that you can worry less about the anomalous 2:00 AM access that might indicate a malicious actor with a stolen credential or a workforce member accessing information inappropriately.  
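The contextual access policy described above and in the earlier Adaptive MFA and Data Masking sections (the 7 AM to 7 PM window, a step-up MFA challenge when a sensitive module is reached from an anomalous location, and hiding sensitive field values when the request comes from outside the user's home region), written out as an added Python example. It is not Appsian's or PeopleSoft's code; the user directory, module names, and field names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List

# Constructed sample directory: the region each user normally works from
# (assumption: in practice the IdP or HR system would supply this).
USER_HOME_REGION: Dict[str, str] = {
    "alice": "US-West",
    "bob": "US-East",
}

# Modules the article treats as sensitive (payroll, vendor payments, financials).
SENSITIVE_MODULES = {"payroll", "vendor_payments", "financials"}

# Fields whose values are masked when the request is outside the user's home
# region: the article's "access but not visibility" outcome.
MASKED_FIELDS = {"salary", "ssn", "direct_deposit"}

# The flexible workday from the text: 7:00 AM through 7:00 PM is allowed,
# so 7:01 PM through 6:59 AM is outside the window.
WORKDAY_START = time(7, 0)
WORKDAY_END = time(19, 0)


@dataclass
class AccessRequest:
    user: str
    module: str
    region: str                  # geolocated region of the request
    local_time: time             # time of day at the organization
    mfa_satisfied: bool = False  # has the user completed a step-up challenge?


@dataclass
class Decision:
    allowed: bool
    reason: str
    require_mfa: bool = False
    masked_fields: List[str] = field(default_factory=list)


def make_request(user: str, module: str, region: str, hour: int,
                 minute: int = 0, mfa_satisfied: bool = False) -> AccessRequest:
    """Convenience constructor so callers do not need datetime.time directly."""
    return AccessRequest(user, module, region, time(hour, minute), mfa_satisfied)


def within_workday(t: time) -> bool:
    """True if t falls inside the 7:00 AM to 7:00 PM window (inclusive)."""
    return WORKDAY_START <= t <= WORKDAY_END


def evaluate(req: AccessRequest) -> Decision:
    """Apply the time-bound, adaptive-MFA and masking policies, in that order."""
    # 1. Time-bound control: deny everything outside the simulated workday.
    if not within_workday(req.local_time):
        return Decision(False, "outside flexible workday window")

    home = USER_HOME_REGION.get(req.user)
    if home is None:
        return Decision(False, "unknown user")
    anomalous_location = req.region != home

    # 2. Adaptive MFA: a sensitive module reached from an anomalous location
    #    triggers a step-up challenge; access proceeds only once it is satisfied.
    if req.module in SENSITIVE_MODULES and anomalous_location and not req.mfa_satisfied:
        return Decision(False, "step-up MFA required", require_mfa=True)

    # 3. Data masking: grant access but hide sensitive field values when the
    #    request comes from outside the user's home region.
    masked = sorted(MASKED_FIELDS) if anomalous_location else []
    return Decision(True, "granted", masked_fields=masked)


def render_record(record: Dict[str, str], decision: Decision) -> Dict[str, str]:
    """Return a copy of record with the decision's masked fields replaced by '***'."""
    return {k: ("***" if k in decision.masked_fields else v) for k, v in record.items()}


if __name__ == "__main__":
    record = {"name": "A. Example", "salary": "90000", "ssn": "000-00-0000"}
    # Constructed: alice, whose home region is US-West, reaches payroll from US-East.
    decision = evaluate(make_request("alice", "payroll", "US-East", 14))
    print(decision)
    decision = evaluate(make_request("alice", "payroll", "US-East", 14, mfa_satisfied=True))
    print(render_record(record, decision))
```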

Continuously Monitor User Access to Sensitive Information 

While most organizations monitor user access requests or user behavior, creating specific dashboards as part of Coronavirus remote workforce preparedness provides an additional layer of security. From a security standpoint, the biggest risk with remote workers is maintaining visibility into activity around sensitive data. Organizations need a way to view and monitor data access in real-time. Some of the key variables that should be tracked are geographic location of access, device used, and access volume on specific data fields (salary, social security, direct deposit, etc.).

Lastly, you may want to consider monitoring failed authentication trends and triangulating them with geographic location. This data can quickly identify brute force attacks that may not be apparent at the application level – but may only be showing up as anomalies and errors taking place with your identity provider. 
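Detection logic for the failed-authentication trend described above, as an added Python example (not Appsian's or any identity provider's code): it parses constructed IdP-style log lines, keeps a sliding window of failures per geolocated source region, and raises one alert when a region accumulates a threshold of failures, reporting how many distinct accounts were hit. The log format, window and threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed identity-provider style log lines (assumed format, not from any
# real product). Each line is one authentication attempt tagged with the
# geolocated source region. The EU-Central burst is the pattern to surface.
SAMPLE_LOG = """\
2020-03-16T02:14:07Z user=alice result=FAIL src_region=EU-Central
2020-03-16T02:14:09Z user=alice result=FAIL src_region=EU-Central
2020-03-16T02:14:12Z user=bob result=FAIL src_region=EU-Central
2020-03-16T02:14:15Z user=carol result=FAIL src_region=EU-Central
2020-03-16T02:14:20Z user=dave result=FAIL src_region=EU-Central
2020-03-16T02:14:25Z user=alice result=FAIL src_region=EU-Central
2020-03-16T09:05:00Z user=alice result=FAIL src_region=US-West
2020-03-16T09:05:30Z user=alice result=OK src_region=US-West
2020-03-16T09:40:00Z user=bob result=FAIL src_region=US-East
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) src_region=(?P<region>\S+)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, user, result, region), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("user"), m.group("result"), m.group("region")


def detect_failed_auth_bursts(
    log_text: str,
    window: timedelta = timedelta(minutes=5),
    threshold: int = 5,
) -> List[Dict[str, object]]:
    """Alert once per region when failures inside `window` reach `threshold`.

    Failures are bucketed by source region rather than by user, so a burst
    spread across several accounts still shows up even though each account
    sees only one or two failures. Lines are assumed to be in chronological
    order, as an IdP export normally is.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[Dict[str, object]] = []

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        ts, user, result, region = parsed
        if result != "FAIL":
            continue

        bucket = recent[region]
        bucket.append((ts, user))
        # Drop failures that have aged out of the sliding window.
        while bucket and ts - bucket[0][0] > window:
            bucket.popleft()

        if len(bucket) >= threshold and region not in alerted:
            alerted.add(region)
            alerts.append({
                "region": region,
                "failures": len(bucket),
                "distinct_users": len({u for _, u in bucket}),
                "first_seen": bucket[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_auth_bursts(SAMPLE_LOG):
        print(alert)
```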

Protecting Workforce Health While Maintaining Data Health  

As organizations face the distinct possibility of the Coronavirus requiring nearly all workforce members to do their jobs remotely, balancing data health and employee health becomes a concern. Fortunately, today’s advanced technologies provide a variety of solutions.  

The Coronavirus may be acting as a catalyst for organizations to change their approach to managing user access to sensitive information. Unfortunately, many companies that once required employees to work on-premise when they manage sensitive data are having to reconsider policies and scramble to maintain business continuity. 

How Appsian Can Enable Secure Telecommuting 

Appsian delivers the control and visibility that traditional ERP applications like PeopleSoft and SAP (ECC or S/4HANA) inherently lack. As access becomes increasingly mobile, having the ability to dynamically control access and gain deep visibility into user behavior is increasingly necessary. The Appsian Security Platform combines a sophisticated suite of solutions designed to enhance user authentication, apply contextual access policies, fine-grained data security controls and provide granular logging with real-time analytics. 

For more information about how Appsian can help accelerate your remote workforce access strategy, contact us today or schedule a demo


Five Tips for Enabling Secure Mobile Access to PeopleSoft

By Scott Lavery • March 11, 2020

Enabling mobile access to PeopleSoft is a primary objective for many organizations. Naturally, there are security concerns when making transactions available on the internet. Here are (5) Best Practices you should consider.

1) Identity and Access Management Must Be Enhanced

A username/password security model is not enough to effectively restrict unauthorized access. PeopleSoft passwords are inherently weak, easy to crack, and some users may have multiple passwords.

2) Align Authentication with an Identity Provider (IdP)

This is typically accomplished with an enterprise Single Sign-On that is natively integrated with an IdP. For PeopleSoft, your IdP is the best authentication database because it is centrally provisioned and governed by your corporate password mandates.

3) Always Utilize Multi-Factor Authentication

Multi-factor authentication (MFA) is an effective method for verifying identity. While having this functionality at login should be a standard part of a security posture, it is recommended that an adaptive MFA be utilized.

Adaptive MFA ensures that contextual attributes (e.g., device, network, location) are the determining factor for issuing MFA challenges. This helps properly align levels of risk with access policies. Context of access varies in a mobile environment, and your level of control should do the same.

4) Prevent the Unauthorized Exfiltration of Data

Data leakage is the #1 cause of breaches. Data exfiltration becomes a greater risk when access is remote – mostly because devices are no longer regulated. Limiting the running of reports and queries when access is remote will help ensure data is not exfiltrated on an unauthorized device.

In addition, implementing data masking on sensitive fields will help limit the exposure of sensitive data.

5) Enhance Your Visibility into Data Access

Simply put, if you are not logging access and usage data – then you’re at risk. Having visibility into user behavior is critical in order to detect and remediate a security threat.

Also, routine audits are critical for understanding what is happening inside your applications and if further steps need to be taken.

How Appsian Can Enable PeopleSoft for Mobile Access

Appsian delivers a sophisticated platform designed to give you complete control and visibility over your ERP data. We do this by strengthening your ability to: Authenticate Users, Manage Privileged Access, Limit Data Exposure, View User Activity, and Detect and Respond to Threats.

Appsian has enabled more than 250 PeopleSoft customers worldwide to securely expand access to PeopleSoft. Let us show you how we can maximize your investment in PeopleSoft!

Request Your Demonstration Today!


Responding to Coronavirus (COVID-19): How to Enable PeopleSoft for Secure Telecommuting

By Scott Lavery • March 9, 2020

With companies like Microsoft, Amazon, and Twitter encouraging workers to stay home, many wonder if this is the beginning of a “work-from-home revolution” with no end in sight. More organizations around the country are adopting remote work policies each day – with Congress being the latest addition. In fact, today, The House Administration Committee will launch a center to coordinate computers and phones into a telecommuting system.

As organizations rush to adjust to this new work culture, they must consider PeopleSoft from (2) perspectives: maintaining secure user authentication and maintaining data security. After all, telecommuting means perimeter firewalls and corporate networks are not leveraged as originally intended.

Is PeopleSoft only available on your network? Now what?!?

With many organizations opting not to expose PeopleSoft self-service transactions to the internet, a workforce that’s now required to telecommute would bring business to a screeching halt. This can be devastating to operations when you consider the myriad of financial, HCM, and essential student/faculty/staff (for Campus Solutions customers) transactions taking place each day.

Halting transactions isn’t an option, so Appsian recommends PeopleSoft customers consider these areas as they transition to a telecommuting work culture:

How are you authenticating user identity?

Are you leveraging your corporate Identity Provider to authenticate PeopleSoft users? If not, understand that PeopleSoft usernames and passwords are a major liability and hackers can crack them with ease. Also, brute force attacks are much more effective when the strength of passwords is not regulated by your IdP.

Are you using a single authentication step?

Is the username/password model your sole authentication strategy? Do you have the ability to force MFA challenges, especially if users are accessing from an unknown network or device? Implementing an MFA for PeopleSoft is not just recommended, but essential for preventing unauthorized access. Plus, it greatly mitigates the damage of phishing attacks.

What is your breach remediation strategy?

Logging and analyzing user behavior is critical for maintaining network security, but are you able to identify malicious behavior inside your PeopleSoft applications? If mobile access is enabled, the result is an extended threat surface. It is recommended to enhance how you log user activity.

Bottom line is we recommend you evaluate your strategies now and determine the best path for maintaining business continuity. There are key authentication challenges to consider and the experts at Appsian are here to discuss your initiatives.


2020’s Top ERP Security Challenges: It’s All About the Data!

By Scott Lavery • December 19, 2019

As we enter the new year, the criticality of securing sensitive data will continue to mold and transform the structure of security strategies across enterprises, resulting in a heightened focus on access controls, visibility solutions, and (generally) data-centric ERP investments. With numerous data privacy regulations on the horizon, the cost of data breaches will be more catastrophic for businesses. In 2020, enterprises must invest in proactive strategies that combat the dynamic threats targeting an organization’s most sensitive data.

Enterprises can expect the trend of increased data breaches in ERP systems to continue to rise in 2020

Since ERP was first designed as an application product, ERP systems have been incapable of evolving alongside an organization’s maturing IT environment – and are unable to integrate with advanced security initiatives. It is, and will remain, very challenging to keep ERP systems up-to-date, and due to the business criticality of these applications, enterprises are wary of switching them out entirely.

In order to secure ERP systems in 2020, business owners must realize the criticality of their businesses’ usability of ERP apps. It is the business owner who is more familiar with the users, and as Gartner concluded, ‘it is the user – not the provider – who fails to manage the controls used to protect an organization’s data.’ With the growing number of connected applications running across the company, such as payment and HR apps, business owners need to evolve their ERP systems and go beyond firewalls.

In 2020, there will be a CIO responsibility shift from “systems technology experts” to “data experts”, as security increasingly becomes more of a data-level function

As enterprises become increasingly aware that the security of sensitive ERP data is a high priority, especially with the rise of data privacy regulations such as CCPA, there will be a rise in Chief Data Officer roles as well as a shift in the role of the CIO from a focus on systems to a focus on data. This shift will bring many challenges, though, as the majority of CIOs do not specialize in the systems aspect of ERP. Yet the rise in data-centric compliance initiatives, as well as the deployment of fundamental security tools such as multi-factor authentication and SSO across the enterprise, will ease the transition from a systems-centric CIO to a data-centric CIO.

Additionally, from an organizational perspective, we can expect more CIOs and CISOs at the board level as organizations continue to mature, invest further in security, and understand the varying operational budgets.

In the coming year, we can expect more enterprises to adopt privileged access management (PAM) as a key IT security project, along with effective access controls, due to heightened third-party risk

PAM is the first, fundamental level of data protection, privacy and compliance where logging and auditing are concerned, and with more and more data privacy regulations on the horizon, PAM will become a key IT security project in the coming year. Additionally, given that the majority (83%) of organizations engaging third parties to provide business services have identified risks, organizations must hold all third parties to greater liability and bind them contractually to data-handling obligations in the event of a breach in 2020.

Users will increasingly demand ERP access beyond their corporate networks; core transactions will need to face the open internet

As organizations continue to push (and demand) that employees be more productive, employees will in turn insist that their ERP transactions be available from any location, at any time. To maintain high levels of security, ERP transactions have traditionally been available only behind corporate firewalls. However, this model immediately causes user push-back, especially as more organizations rely on mobile workforces to scale and keep business running in the coming years. When enterprises insist that employees execute ERP transactions only when they have access to a corporate network, users will inevitably avoid it, which puts increased strain on an organization across functions.

Therefore, in 2020, we can expect more organizations to invest in solutions that focus on enhancing access controls and logging. More organizations will come to understand that expanding access is a table-stakes initiative as productivity requirements shift and demand that users be as mobile as possible.

What are your ERP security and compliance goals for 2020?

The security experts at Appsian would love to help ease the journey toward a fully secure and compliant ERP system. Email us at [email protected] to learn how we do it!


Why Dynamic MFA is the Key to Strict ERP Security, Without Causing User Friction

By Scott Lavery • November 14, 2019

Cats & dogs, oil & water…

Apparently, these groups don’t get along. You can definitely add Security Admins and Business Users to that list. The reasons are (sort of) obvious, but only once you point them out. Simply put, one group restricts access and the other group demands it. I understand this is an over-simplification: at the end of the day, if user or corporate data is compromised, everyone gets upset. From a tactical standpoint, however, these two groups are trying to accomplish their goals simultaneously and inevitably get in each other’s way.

The friction between business users and security policies typically occurs during the authentication process, for example when a user is asked to enter login credentials or go through an MFA challenge. While this may seem innocuous, friction builds over time, and if a user does not see the benefit of the extra authentication step(s), they are likely to abandon whatever business transaction they are trying to complete. And abandonment certainly does not promote productivity!

…and herein lies the true conflict between security and productivity

Securing data that resides in ERP applications has all the makings of a classic conflict between security and business user productivity. All the security focus is on login-screen authentication, and traditional, on-premises ERP applications (SAP, PeopleSoft, Oracle EBS) are filled with sensitive data with limited ways to implement fine-grained controls. The result is that Security Admins have no choice but to be overly strict with their security policies (e.g. requiring MFA at each login), causing users to push back and possibly abandon critical business transactions.

This is where Appsian comes in… enabling dynamic MFA

Appsian enables organizations to implement adaptive, data-centric ERP security policies. If fine-grained control is what you want to accomplish, Appsian gives you the ability to align specific security policies to specific data elements and transactions. Being specific mitigates user friction, and here is why…

Not all sessions/transactions are risky

Question: Should you have to pass an MFA challenge if you’re working on your company-issued computer and logged on to your corporate network? What is the likelihood the context of that access is fraudulent?

Users appreciate when risk level aligns with security measures

Users don’t like their data compromised either, and when they are executing transactions that are deemed ‘high risk’ (e.g. changing direct deposit, updating benefits, updating a W-4), a user should expect stepped-up security challenges.

When security aligns to the context of access – security and business policies live in harmony!

It’s corny, but it’s true. By aligning security to specific data elements and transactions, business processes and security policies become aligned and everyone gets what they want. Users are only challenged when necessary, and Security Admins can feel their policies are properly focused.

Users can be fully productive and feel confident their data is safe and secure. True love!
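One way to encode the "align the challenge to the context of access" policy the post describes, as an added Python example that is not Appsian's code: the transaction tiers, the session attributes (`managed_device`, `corporate_network`, `known_location`) and the scoring threshold are all constructed assumptions, while the high-risk transactions are the post's own examples.

```python
from dataclasses import dataclass
from enum import IntEnum

class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# Assumed sensitivity tiers. The HIGH entries are the post's own examples of
# transactions that should always trigger a stepped-up challenge.
TRANSACTION_RISK = {
    "view_paystub": Risk.LOW,
    "update_address": Risk.MEDIUM,
    "change_direct_deposit": Risk.HIGH,
    "update_benefits": Risk.HIGH,
    "update_w4": Risk.HIGH,
}

@dataclass(frozen=True)
class AccessContext:
    """Session attributes the policy engine is assumed to receive."""
    managed_device: bool     # company-issued, enrolled endpoint
    corporate_network: bool  # on-premises or VPN address space
    known_location: bool     # geolocation previously seen for this user

@dataclass(frozen=True)
class Decision:
    step_up: bool
    reason: str  # kept so every decision can be audit-logged

def context_risk(ctx: AccessContext) -> Risk:
    """A company computer on the corporate network is the post's low-risk case."""
    if ctx.managed_device and ctx.corporate_network:
        return Risk.LOW
    if ctx.managed_device or ctx.corporate_network or ctx.known_location:
        return Risk.MEDIUM
    return Risk.HIGH

def evaluate(ctx: AccessContext, transaction: str) -> Decision:
    """Challenge only when transaction sensitivity and access context warrant it."""
    tx_risk = TRANSACTION_RISK.get(transaction)
    if tx_risk is None:  # fail closed: an unclassified transaction is treated as sensitive
        return Decision(True, f"unclassified transaction {transaction!r}")
    if tx_risk is Risk.HIGH:  # high-risk transactions are always challenged
        return Decision(True, "high-risk transaction always requires step-up")
    ctx_risk = context_risk(ctx)
    if tx_risk + ctx_risk >= 4:  # MEDIUM tx off the trusted context, or LOW tx from untrusted
        return Decision(True, f"{tx_risk.name} transaction from {ctx_risk.name}-risk context")
    return Decision(False, "trusted context and low-sensitivity transaction")
```

The `reason` field is what makes the policy auditable: a logging and review process can show why each challenge was or was not issued.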

Want to learn more about implementing dynamic MFA for ERP systems? Then Let’s Talk!
