
California Consumer Privacy Act (CCPA) – Do You Have an Action Plan for your ERP?

By Scott Lavery • October 24, 2019

CCPA – A Quick Review

CCPA takes effect on January 1, 2020. The spirit of CCPA revolves around consumers taking back control of their personal information – pushing data privacy to the forefront. Under the regulation, California residents have the right to know what personal information (PII) a business has collected about them. Consumers also have the right to say ‘No’ to the sale of their information and to request deletion of the personal information a business holds about them. Once CCPA is in effect, consumers also gain a private right of action against businesses whose failure to maintain reasonable security leads to a breach of their personal information.

CCPA also carries a 12-month look-back period: a consumer’s request to know covers the 12 months preceding the request, so from day one (January 1, 2020) organizations must be able to account for how they collected, used, stored, and shared personal information throughout 2019.

Consequences of Non-Compliance

In the case of non-compliance, organizations run the risk of hefty fines. CCPA provides for civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation – and because penalties are assessed per violation, a systemic failure adds up quickly.

Preparing your ERP for CCPA in (2) Steps

To ensure compliance and avoid high penalties, organizations need additional mechanisms in place. Here are a couple of tactical strategies organizations should consider to prepare their ERP systems for the 1/1/2020 deadline:

1.   Enhance Visibility into User Activity

CCPA requires organizations to be able to disclose how personal information is obtained, used, stored, and shared with third parties. Note the term: used. To achieve detailed visibility into data usage, organizations need a robust, real-time logging strategy. Logging the context of each access (date and time, user ID, IP address, device, location of access, and which records and fields were viewed) is crucial for understanding how data is actually being used within your organization.

Traditional ERP systems like PeopleSoft, SAP ECC and Oracle EBS do not provide this level of granularity out of the box: native logs record sign-on, sign-off and system events, not who viewed which data field. It is recommended that logging enhancement tools be scoped, as actionable insight into who viewed what data field(s) is currently a blind spot inside these systems.

Logging data can be fed into a SIEM to surface trends and anomalies – making audit practices more efficient and giving incident responders a record to work from.

2.   Prevent Unnecessary Data Exposure for High Privilege Users

Today, CIOs all over the country are leading efforts to define what constitutes PII, identify where it resides and write policies to restrict access to it. When it comes to ERP systems, the static rules that govern access and data exposure are limiting – especially when it comes to masking or redacting individual data fields.

User-centric vs. data-centric

Use Case: Should PII like a user’s Social Security number be visible even to high-privilege users? Is there a genuine business-process reason for that value (or any other personal information: marital status, home address, health insurance details, etc.) to be accessible to anyone other than the individual the PII belongs to?

These scenarios are difficult to manage in ERP systems because roles and privileges are user-centric, not data-centric. A user-centric role says that a person (or, more commonly, a group) can view something under any circumstances. A data-centric policy says that the nature of the data defines who can see it, and how. People (and roles) may come and go, but the data remains the centerpiece of the policy.

Having the ability to mask any data field via a data-centric policy is the best way to ensure that PII is exposed only in the narrow set of circumstances that truly require it. After all, the principle of least privilege dictates that a user should access only what is necessary for the task at hand. Having data exposure defined by static user roles (and not by the data itself) will inevitably lead to compliance problems.
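The following is an added example (not Appsian’s or PeopleSoft’s code) that puts the user-centric and data-centric models side by side. The field names, the roles and the sample employee record are hypothetical; the point is the shape of the policy: in the data-centric view the classification of the field decides what is released, and a high-privilege role changes nothing for owner-only fields.

```python
"""User-centric vs. data-centric exposure of PII fields.

Added example (not Appsian's or PeopleSoft's code). Field names, roles and the
sample record are hypothetical; the policy shape is the point.
"""

# Data-centric policy: keyed on what the field IS, not on who is asking.
#   owner_only -> full value only for the data subject; every other viewer,
#                 however privileged, receives the mask
#   business   -> visible to the data subject and to the listed business roles
FIELD_POLICY = {
    "ssn":            ("owner_only", "last4"),
    "home_address":   ("owner_only", "redact"),
    "marital_status": ("owner_only", "redact"),
    "health_plan":    ("owner_only", "redact"),
    "employee_id":    ("business", None),
    "department":     ("business", None),
    "job_title":      ("business", None),
}
BUSINESS_ROLES = {"hr", "manager", "payroll"}        # assumed

# Constructed sample record; "emergency_contact" is deliberately left unclassified.
SAMPLE_RECORD = {
    "employee_id": "E1001",
    "ssn": "123-45-6789",
    "home_address": "1 Main St, Dallas TX",
    "marital_status": "married",
    "health_plan": "PPO-Gold",
    "department": "Finance",
    "job_title": "Analyst",
    "emergency_contact": "555-0100",
}


def user_centric_view(record: dict, roles: set) -> dict:
    """Traditional ERP behaviour: membership in a privileged role exposes every
    field of every record, under any circumstances."""
    if roles & {"hr", "sysadmin"}:
        return dict(record)
    return {k: record[k] for k in ("employee_id", "department")}


def mask(value: str, how: str) -> str:
    if how == "last4":
        digits = "".join(ch for ch in value if ch.isdigit())
        return "***-**-" + digits[-4:]
    if how == "redact":
        return "[REDACTED]"
    return value


def data_centric_view(record: dict, viewer_id: str, roles: set) -> dict:
    """The data decides. Roles only widen access to business fields; owner_only
    fields are masked for everyone except the data subject, so a sysadmin sees
    exactly what a random colleague sees."""
    is_owner = record["employee_id"] == viewer_id
    out = {}
    for name, value in record.items():
        if name not in FIELD_POLICY:
            out[name] = "[UNCLASSIFIED]"       # fail closed until the field is classified
            continue
        klass, how = FIELD_POLICY[name]
        if klass == "owner_only":
            out[name] = value if is_owner else mask(value, how)
        else:
            out[name] = value if (is_owner or roles & BUSINESS_ROLES) else "[REDACTED]"
    return out


if __name__ == "__main__":
    print("sysadmin, user-centric :", user_centric_view(SAMPLE_RECORD, {"sysadmin"}))
    print("sysadmin, data-centric :", data_centric_view(SAMPLE_RECORD, "ADMIN01", {"sysadmin"}))
    print("owner, data-centric    :", data_centric_view(SAMPLE_RECORD, "E1001", set()))
```

The unclassified field is the case worth noticing: a field nobody has classified yet is withheld rather than released, so the PII inventory exercise described above has to be finished before a field becomes visible, instead of leaking by default until someone notices.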

Conclusion

Once an organization has located and defined its PII, the true compliance effort begins. The (2) steps above provide a framework for approaching tactical ERP data compliance strategies. And Appsian can help!

CCPA and GDPR are the beginning of a series of compliance mandates expected to follow; several U.S. states are drawing up their own data privacy laws. Visibility into ERP data access is no longer optional but a necessity. Contact us to learn how you can fast-track your compliance preparation by enhancing your visibility and applying a data-centric ERP compliance framework.

Example CCPA Analytics Dashboard (powered by Appsian)
Use Cases Highlighted: PII access volume (by User ID) and Sensitive data access volume (by IP)

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

64% of SAP & Oracle ERP Customers have reported a Breach (in last 24 months)

By Scott Lavery • October 15, 2019

The numbers are out, and it’s more apparent than ever – your ERP system is most likely at risk. A recent IDC survey sponsored by Onapsis found that 64% of organizations relying on SAP and Oracle ERP applications reported a breach of those systems in the last 24 months.

The numbers are concerning and reveal one common theme – “out-of-the-box” ERP security controls (and audit mechanisms) do not provide adequate controls and visibility to protect PeopleSoft/SAP ERP data. Organizations should assume that it is only a matter of time before they are breached.

So, why are ERP breaches becoming more common? Where do existing, “out-of-the-box” security mechanisms fall short?

Lack of Insight into User Activity

What is a traffic reporter’s best friend? A camera. Why? Because traffic is composed of a multitude of vehicles moving in unison – until they are not! If a stall or backup happens, traffic reporters rely on highway cameras to understand the origin of the incident – and to estimate how long the delay will be for everyone else.

Keeping with the traffic theme… the level of visibility in legacy ERP systems resembles that of a tunnel (with only 2 cameras) – you watch the cars go in and you watch them come out – but what happens in the tunnel? You simply don’t know!

This level of visibility was once acceptable, but the rise in phishing tactics and the introduction of new data privacy mandates (ex. GDPR and CCPA) have put an emphasis on understanding precise data access and usage.  Only knowing when a credential logs in – and then logs out (without understanding what happens “inside the tunnel”) has become a significant liability.

Is it possible that bad actors know they are not being watched? Yes, and the numbers (presented by Onapsis) reflect this new reality.

Slow Detection of Breaches (Time is $$$!)

The longer it takes to track down a breach, the riskier (and more expensive) it gets. According to IBM’s 2019 Cost of a Data Breach study, companies take an average of 206 days to identify a breach, and containment takes another 73 days on average.

What difference does early detection make? – $1.23 million. The study observed that companies whose breach lifecycle (identification plus containment) was under 200 days spent more than $1 million less on the total cost of the breach. Time indeed is money!

Surprisingly, many organizations have yet to adopt a way to detect an ERP system intrusion quickly.

Infrequent Audits

Frequent audits can help reduce the risk of a security incident and prompt immediate action (should an incident arise). But are companies performing enough audits? In the survey, “78% of respondents audit their ERP apps every 90 days or more.” Given the implications of a breach (unexpected downtime, compliance risk, and diminished brand confidence), organizations must perform regular audits.

Conclusion

The IDC survey raises important questions about breaches and security. ERP system breaches are on the rise, and organizations have (2) choices – either accept a breach as inevitable, OR seek solutions that integrate modern data security strategies into their legacy ERP systems.

Contact us to learn how granular security solutions can be integrated in your existing systems! Now is the time to be proactive!


Why Contextual Access Controls are Essential for On-Premise ERP Applications

By Scott Lavery • October 11, 2019

Gartner describes context-aware security as the use of supplemental information to improve security decisions at the time they are made. “Context” meaning the location of access, time, device type, URL, etc. In today’s “always connected” environment, where access to business systems is expected to be ubiquitous – contextual variables have become the key driver behind uncovering suspicious activity that would have otherwise gone unnoticed. 

Mobile “Context” Has Expanded the Scope of Access

While mobile ERP access means added flexibility – this flexibility comes with a higher risk of exposure. It’s important to understand that the ever-changing “context of access” is where the risk of unwanted data exposure ultimately lies.

Context can take many shapes – for example: accessing from a Starbucks on an unknown network, accessing from a foreign country while on a business trip, or accessing from the phone you just left in the back of the Uber on your way to the airport (yes, guilty). In a mobile world, the context of access changes by the minute – and this creates significant risk, because you don’t want your high-privilege users accessing sensitive company data from places where their session could be compromised.

Sadly, traditional ERP systems are not equipped to handle that variable risk. Why? Because ERP roles and permissions are static – meaning that if you’re a high-privilege user in your office, you’re a high-privilege user at Starbucks, in a foreign country, and on that forgotten phone that could be scooped up by the next Uber rider.

Unintentional Data Leakage is a Threat in Mobile Environments

Even the most well-meaning insiders (employees) can leak data accidentally. For example, mobile access means the use of personal devices for work (this is inevitable). Many personal devices are shared among family members and have automatic cloud backup enabled. Without anyone realizing it, sensitive data accessed from a personal device can be swept into a cloud backup – and now that data resides in personal storage, permanently outside the organization’s visibility.

Why Contextual Access Controls are Necessary for ERP Systems Today

Many assume the greatest data risks are network-centric – and that assumption isn’t wrong. The biggest, most headline-grabbing data breaches have typically been large-scale incidents where millions of records were exposed. Organizations have implemented sophisticated firewalls and network access controls to keep themselves out of the headlines, but data risks are becoming increasingly ‘user-centric’ – phishing and spear-phishing being the most pervasive.

Phishing and spear-phishing have proven most effective on users who are working outside the office – for example: quickly checking email between offsite meetings, working from home late at night (or early in the morning), or any other scenario where a user’s surroundings provide just enough distraction to fall for a phishing email.

This raises the question – if enabling mobile access increases risk, shouldn’t organizations integrate controls that dynamically enforce policies when risk is deemed “high”? After all, your browser warns you when you access a website over an insecure connection.

The addition of contextual controls allows organizations to align their business policies with their security policies – until the introduction of Appsian’s Security Platform these functions had been siloed, only interacting during threat remediation.

Conclusion

The idea of implementing contextual access controls is certainly not new. Cloud Access Security Brokers have given organizations greater control and visibility over their cloud applications – however, traditional on-premises ERP applications have been left out of these strategies. ANY organization looking to expand access and expose ERP transactions to the open internet must adopt contextual access policies to combat the threats that mobile access creates. Contact us to learn how you can implement a contextual access policy in your organization.


Zero Trust Security: What it is and Where to Begin

By Scott Lavery • September 26, 2019

What is Zero Trust Security?

Zero Trust security is based on the principle of ‘never trust, always verify’. First articulated by Forrester Research, a Zero Trust approach requires every user and device to be authenticated and authorized before access is granted, irrespective of the location or device used.

It’s easy to understand why Zero Trust is becoming increasingly popular. Organizations are adopting flexible policies like BYOD, remote access is becoming the norm, and attempts to breach data are getting more sophisticated by the day. In a landscape where identity has become the new perimeter, organizations must accept that authentication has evolved beyond remembering a username and password.

Main Features of Zero Trust Security:

Verify Every User/Device

The Zero Trust model assumes that malicious actors can (and do) exist inside an organization, in addition to hackers looking to breach systems from outside. Hence, no device or user is trusted by default.

Principle of Least Privilege (POLP)

The POLP requires that a user be given only the minimum set of privileges needed to perform their task. This way, an organization minimizes the risk from two primary data threats – privilege abuse and credential compromise.

Privilege abuse is the second most common data threat in an organization. Typically, it is the result of inadequate access controls: users are granted “more-than-necessary” access rights, and the organization fails to monitor the activity of those accounts.

Meanwhile, credential compromise is cited as the root cause of 74% of data breaches. A hacker gains access to a user account through a brute-force attack or phishing, and can then steal data.

Additional Security Steps

One of the main principles of the Zero Trust model is to add authentication steps that limit the chance of a successful credential-based attack.

Today, organizations are increasingly adopting stepped-up authentication layers (beyond ID/password) before granting access. For instance, the 2019 Duo Trusted Access Report states that over the last four years (2015 to 2019), customers have increasingly used biometrics as a second authentication factor to access applications.

Leverage Context When Granting Access to Data

Securing data is as crucial as controlling access to enterprise applications. A Zero Trust policy grants data access on a contextual basis, taking into account factors such as the location of access, the device used, and the time of the request.

Zero Trust: Where to Begin?

Monitor User Activity  

Organizations need to monitor and record user activity continuously. With detailed records, security professionals are better equipped to detect threats.

Granular, real-time logging solutions can help achieve this objective. Logging what data is being accessed and capturing the contextual parameters of access (ex. user IDs, the device of access, location, IP address, and more) can help make the response to a security incident faster and more accurate.

Such a solution helps achieve two goals – mitigating the risk of a data breach, and establishing a compliance strategy built around specific access use cases rather than static, role-based permissions.
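As an added example (not Appsian’s code) of the logging strategy described here and in step 1 of the CCPA post above, the block below parses field-level access log lines, builds the two aggregates shown on that post’s dashboard caption (PII access volume by user ID and by IP), flags users reading PII across many distinct people, and normalises events for a SIEM. The line format (a timestamp followed by key=value pairs, one line per field read), the PII classification and the threshold are assumptions, and the sample log is constructed.

```python
"""Field-level PII access log: parse, aggregate, flag.

Added example, not Appsian's code. The line format (one line per field read,
space-separated key=value pairs after a timestamp), the PII classification and
the threshold are assumptions; the sample log is constructed.
"""
import json
from collections import Counter, defaultdict

PII_FIELDS = {"SSN", "HOME_ADDRESS", "DOB", "BANK_ACCT"}        # assumed classification
REQUIRED_KEYS = {"user", "ip", "field", "subject", "action"}

# Constructed sample log. The last line is deliberately malformed.
SAMPLE_LOG = """\
2019-10-24T09:12:03Z user=jsmith ip=10.1.4.22 device=desktop geo=US-TX page=HR_PERSONAL_DATA field=SSN subject=E1001 action=VIEW
2019-10-24T09:12:04Z user=jsmith ip=10.1.4.22 device=desktop geo=US-TX page=HR_PERSONAL_DATA field=DEPARTMENT subject=E1001 action=VIEW
2019-10-24T09:30:11Z user=hradmin ip=203.0.113.7 device=mobile geo=US-CA page=HR_PERSONAL_DATA field=SSN subject=E2001 action=VIEW
2019-10-24T09:30:12Z user=hradmin ip=203.0.113.7 device=mobile geo=US-CA page=HR_PERSONAL_DATA field=SSN subject=E2002 action=VIEW
2019-10-24T09:30:14Z user=hradmin ip=203.0.113.7 device=mobile geo=US-CA page=HR_PERSONAL_DATA field=HOME_ADDRESS subject=E2003 action=VIEW
2019-10-24T09:30:15Z user=hradmin ip=203.0.113.7 device=mobile geo=US-CA page=HR_PERSONAL_DATA field=SSN subject=E2004 action=VIEW
2019-10-24T14:02:40Z user=hradmin ip=10.1.4.30 device=desktop geo=US-TX page=HR_PERSONAL_DATA field=DOB subject=E2005 action=VIEW
2019-10-24T14:05:09Z user=ops1 ip=10.1.4.31 device=desktop geo=US-TX page=DEPT_SUMMARY field=DEPARTMENT subject=E3001 action=VIEW
this line is not a valid event and must be counted, not silently dropped
"""


def parse_line(line: str):
    """Return an event dict, or None if the line is not a well-formed event."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None                     # not key=value: whole line is malformed
        event[key] = value
    return event if REQUIRED_KEYS.issubset(event) else None


def parse_log(text: str):
    """Parse every line; return (events, malformed_count). The count matters:
    a gap in the access record is itself a compliance finding."""
    events, malformed = [], 0
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            malformed += 1
        else:
            events.append(event)
    return events, malformed


def pii_events(events):
    return [e for e in events if e["field"] in PII_FIELDS]


def pii_volume_by_user(events) -> dict:
    """Dashboard panel: PII field reads per user ID."""
    return dict(Counter(e["user"] for e in pii_events(events)))


def pii_volume_by_ip(events) -> dict:
    """Dashboard panel: PII field reads per source IP."""
    return dict(Counter(e["ip"] for e in pii_events(events)))


def flag_bulk_readers(events, max_subjects: int = 3) -> dict:
    """Users who read PII belonging to more than max_subjects distinct people.
    A self-service user touches one subject (themselves); an account browsing
    record after record looks very different, whatever its role says."""
    subjects = defaultdict(set)
    for e in pii_events(events):
        subjects[e["user"]].add(e["subject"])
    return {u: len(s) for u, s in subjects.items() if len(s) > max_subjects}


def to_siem_json(events) -> list:
    """One flat JSON document per event, tagged with a pii flag, ready to ship."""
    return [json.dumps({**e, "pii": e["field"] in PII_FIELDS}, sort_keys=True) for e in events]


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print("events:", len(evs), "malformed:", bad)
    print("PII volume by user:", pii_volume_by_user(evs))
    print("PII volume by IP  :", pii_volume_by_ip(evs))
    print("bulk readers      :", flag_bulk_readers(evs))
```

The bulk-reader check is the part a static role model cannot express: hradmin is entitled to every one of those reads individually, yet five different people’s PII from a mobile device in one minute is exactly the pattern an investigator wants surfaced, and the malformed-line count tells the auditor how much of the record is missing.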

Contextual Access

Contextual access uses supplemental information to improve data security decisions – typically the time of access, location, device used, and similar factors. A contextual policy grants or limits access based on these parameters. For instance, if an employee tries to access sensitive company data from outside the corporate network, access may be denied because of the untrusted network – even though the employee holds the required privileges.

An effective contextual access policy ensures users are granted their privileges only at the right place and at the right time.

Multi-Factor Authentication (MFA)

Credential theft is becoming increasingly common. According to one report, more than 80% of hacking-related data breaches involve stolen passwords. Hence, traditional ‘password-only’ authentication is no longer adequate.

Organizations are gradually moving to Multi-Factor Authentication (MFA) – a more reliable way to secure access. MFA combines two or more of the following:

  • Something that the user is (biometrics) 
  • Something that the user knows (password)  
  • Something that the user has (a one-time password – OTP – generated by or delivered to a device the user holds, or a hardware security token).

Micro Segmentation

Securing a corporate network can be challenging, especially given the wide range of users and access points. To make this manageable, organizations divide the network into smaller segments. Segmentation limits data access to a defined set of users within a segment, with a set of access rules governing each segment. Generally, users within a segment are allowed only the minimum privileges required to perform their tasks.

In case of a security incident, micro-segmentation ensures the damage is contained to a small part of the network and cannot spread laterally beyond it.

Conclusion

Zero Trust was founded on the principle that any user or device can be compromised. However, an absolute zero level of trust is also not practical. To operate efficiently, organizations have to strike a balance, granting and restricting access selectively. Leveraging context as the dynamic variable is recommended.

A Zero Trust security system is not just about implementing individual security technologies – it involves a systematic approach to data security. Contact us to get started on your Zero Trust security preparation. 


Evaluating a PeopleSoft Single Sign-On (SSO) Solution: 6 Questions to Ask your Vendor

By Scott Lavery • September 6, 2019

What is Single Sign On in PeopleSoft?

PeopleSoft, an ERP application from Oracle, lacks native Security Assertion Markup Language (SAML) support. This makes it challenging for IT teams to bring PeopleSoft under the umbrella of applications users can access via the enterprise Single Sign-On (SSO) solution. However, SSO can be enabled in PeopleSoft with the help of a third-party integrator like Appsian. The SAML integration allows PeopleSoft customers to fully leverage SSO solutions like Okta, Azure AD, Ping Identity, and more to deliver ease of access.

Single Sign-On (SSO) solutions have emerged as the gold standard in identity management. As poor password practices continue to prevail, the effectiveness of ‘username and password’ as the main authentication model has deteriorated.

Password management can be a nightmare for IT, reducing department productivity and increasing service costs. SSO solutions allow administrators to centralize identity management, with end users relying on a single set of credentials to access every enterprise application.

Establishing an SSO for PeopleSoft 

PeopleSoft applications are a vital part of an organization’s enterprise architecture, and unfortunately, integrating PeopleSoft into an enterprise SSO can present challenges. This has led administrators to look to the market for help – and as you evaluate an SSO solution for PeopleSoft, you should ALWAYS ask these 6 questions; the answers will be the difference between project success and failure:

How does your product interact with PeopleSoft?   

To implement an SSO solution, organizations first need to integrate all applications with a centralized identity provider. Most popular identity providers, such as Microsoft Azure Active Directory and Okta, use SAML – the open federation standard that allows identity providers (IdPs) to communicate with enterprise applications (service providers).

Many off-the-shelf SSO vendors claim to support PeopleSoft. However, they gloss over the fact that PeopleSoft applications do not natively support SAML. With a conventional SSO solution, PeopleSoft applications are likely to remain isolated from the rest of the organization’s business applications. Organizations must ensure that their SSO provider addresses the SAML gap upfront, or it can lead to a ripple of implementation problems (ex. inflated budget, timelines, complexity, etc.).

Is there a need for customizations?   

For PeopleSoft specifically, most SSO providers have to build an extensive framework of customizations. Customizations demand extra resources and prolong the implementation timeline – increasing project risk. Even then, custom SSO solutions can be insecure, fragile, lack functionality for some transactions, and be prone to problems that are difficult to troubleshoot. Moreover, building and maintaining a customized framework requires both coding and PeopleTools expertise – a rare skill combination. Alternatively, PeopleSoft customers can seek a configurable SSO based on logic workflows built outside of PeopleCode.

Are there additional hardware/server requirements?   

In many cases, organizations are required to purchase additional hardware to support the customizations that broker communication between PeopleSoft and their identity provider. Procuring new infrastructure (reverse proxy servers) is not ideal and can result in unexpected budget overruns.

Does the solution support deep embedded links? 

One of the primary benefits of an SSO solution is allowing users to reach a transaction directly through deep links (embedded links). These links, when sent to a user, take them to a specific transaction using the previously authenticated SSO session – saving time and increasing user satisfaction and productivity. However, most off-the-shelf SSO providers don’t support this functionality for PeopleSoft. With increasing remote access on mobile devices, deep-link navigation matters for usability and engagement. For instance, a user can go straight to the intended transaction by following a link (sent via email, text, etc.) even if they first have to authenticate an SSO session on a device they don’t use frequently.

How does the solution impact PeopleTools Lifecycle Management? 

PeopleSoft’s native functionality continuously evolves with every image released via the PeopleSoft Update Manager (PUM). These updates can include changes to the authentication model, which means a customized solution would demand rework with each update. The constant upkeep drains customer resources and time, and widens the scope for errors and subsequent troubleshooting.

What if we decide to switch an ID provider? 

One of the most important considerations when choosing an SSO solution is how easily it adapts if and when you decide to switch IdPs. Ideally, organizations should look for a configurable SSO instead of a coded (customized) one: when an organization switches to a new identity provider, a custom solution would require rebuilding the whole integration framework. A custom SSO can therefore prove tedious and time-consuming, unlike a configurable SSO that allows a seamless switch.

Appsian’s PeopleSoft SSO Connector  

Designed to create a simple, extensible, and easy-to-maintain approach to implementing modern authentication, Appsian’s PeopleSoft SSO Connector is the only turnkey solution for SAML compatibility in PeopleSoft – enabling customers to:

  • Leverage existing investment in SSO solutions with PSFT 
  • Authenticate PSFT sessions via SAML-based Identity Providers 
  • Access PeopleSoft via deep link navigation  
  • Support multiple IdPs concurrently 
  • Deploy SSO for PeopleSoft in as little as 7 days 
  • Implement without additional hardware or custom coding 

To learn more, Request a Demo with a PeopleSoft security expert or write to us at [email protected] 


How to Make ERP Compliance Audits Cheaper and Faster

By Scott Lavery • August 20, 2019

Organizations face growing challenges in meeting the data privacy compliance requirements of mandates like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which takes effect in 2020. Apart from these, several U.S. state-specific regulations are expected to go into effect in the coming months.

The impact of these regulations is significant. Organizations must now keep track of where and how they obtain personally identifiable information (PII), from the moment they collect it through the entire retention period. They are also required to maintain records of processing, consent forms and many other documents. All of this is increasing the time needed to complete an audit – while new mandates simultaneously shrink the time allotted to complete it. This regulatory environment is pressuring organizations to find new strategies for managing and reporting on PII access and usage. Needless to say, PII once gathered with precision and coveted as a valuable asset has become a liability with a distinct holding cost.

Are companies truly equipped to handle Data Privacy Compliance requirements?

The answer is, no. Recently, many companies have come under fire for data breaches.

Marriott faces a proposed fine of $123 million (£99 million) from the UK Information Commissioner’s Office for its 2018 data breach, and British Airways faces a proposed $230 million (£183 million) GDPR fine for weak data security that resulted in a breach. While the BA figure amounts to roughly 1.5% of its annual turnover, GDPR fines can reach 4% of an organization’s global annual turnover.

How to Manage ERP Audits when the Deck is Stacked Against You  

Traditional, on-premise ERP systems were not built with logging capabilities aligned to understanding PII usage. Logs were meant to troubleshoot, find system errors and ensure applications were running properly. The PII inside the system was not a factor, and understanding its access and usage was irrelevant.

Now that organizations are forced to perform audits more frequently and more precisely, using ERP systems that require triangulating multiple reports just to get a basic understanding of usage, the overall cost of an audit has skyrocketed.

ERP Compliance Audits Can Actually be Cheaper and Faster than Once Believed

With this new data regulatory landscape in mind, organizations must look to enhance their audit capabilities by turning their attention to logging strategies dedicated to data usage (not just system performance.)

Appsian’s Security Platform for PeopleSoft and SAP takes data access into account, by adding granular logging capabilities that track user behavior and data access and then aggregates trends into easy-to-consume analytics dashboards. All designed to provide the same snapshot into usage that once took weeks to aggregate manually with traditional logging capabilities – but with Appsian, can now take a matter of minutes.

With Appsian, your ERP audit strategies can scale to match the time and resource allocation demanded by new and upcoming data privacy mandates. And because these strategies can be integrated into traditional ERP systems that may at one time have been viewed as an audit liability, the life of your legacy ERP system can be extended – maximizing your ROI rather than forcing an expensive and resource-draining rip-and-replace project.

To learn more about Appsian and how our Security Platform can help your organization prepare for data compliance audits, Contact Us.


BYOD & Allowing Mobile ERP Access: Evaluating Potential Risks

By Scott Lavery • August 8, 2019

Organizations are rapidly shifting to workplaces without boundaries – teams are globally dispersed and companies are adopting work-from-home and BYOD (Bring Your Own Device) policies. This desired flexibility has become table stakes for organizations looking to recruit and retain top talent.

Because employees are now accessing company data outside the company’s secure network, traditional measures to secure data (ex. firewalls, perimeter network security, etc.) are no longer adequate on their own. According to a survey conducted by Black Hat, 73% of respondents said that conventional perimeter security firewalls and anti-virus are now obsolete.

As such, the role of the CISO has become more complex. They now face the task of securing data on networks and devices outside their traditional scope of control.

BYOD & PeopleSoft Fluid UI

The PeopleSoft Fluid user interface was introduced as Oracle’s strategic initiative to deliver a modern, mobile user experience. Once enabled, users can access PeopleSoft applications on a smartphone, tablet or desktop. However, enhanced mobility and usability have ushered in new data security concerns, as users access self-service applications away from their corporate networks.

Expanding access to sensitive data beyond the secure network increases the risk of a data breach – and hackers are well-aware. Hackers are researching and targeting key stakeholders, knowing that a username and password is all they need to gain access to data.

With this in mind, below are some of the threats associated with implementing BYOD policies:

Unauthorized Access

The downside of a BYOD policy is that access is no longer controlled or managed centrally by an administrator. When access is ultimately controlled by the mobile device itself, the theft or compromise of that device increases risk dramatically. In the case of device theft (ex. a phone or laptop stolen from a coffee shop or vehicle), the organization has little defense if the ERP password is saved in the device’s password manager – and you know it always is!

Solution:

Organizations can minimize the risk of unauthorized access by implementing multi-factor authentication. A single device no longer becomes the gateway to an application: MFA draws on three categories of factors – something you know (typically a username and password), something you have (a phone that can receive app-based or SMS confirmation requests, for example) and something you are (the rapidly evolving arena of biometrics) – and requires at least two of them before allowing access.
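The block below is an added example (not Appsian’s or PeopleSoft’s code) of the two-factor sign-on described here and in the MFA section of the Zero Trust post above: a password (something you know) checked against a salted PBKDF2 hash, plus a time-based one-time password (something you have, RFC 6238). The in-memory user record, the PBKDF2 round count and the clock-skew window are illustrative choices; RFC_SECRET is the RFC 6238 test-vector key, used so the generated codes can be checked against the published vectors.

```python
"""Two factors for an ERP sign-on: a password (something you know) plus a
time-based one-time password (something you have, RFC 6238).

Added example, not Appsian's or PeopleSoft's code. The user store is an
in-memory dataclass and the PBKDF2 parameters, step size and skew window are
illustrative choices. RFC_SECRET is the RFC 6238 test-vector key, used so the
generated codes can be checked against the published vectors.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test key (SHA-1)
PBKDF2_ROUNDS = 200_000                # illustrative
STEP_SECONDS = 30
SKEW_WINDOW = 1                        # accept +/- one step for clock drift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    last_counter: int = -1             # highest time-step already accepted


def enroll(password: str, totp_secret: bytes) -> UserRecord:
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return UserRecord(salt, pw_hash, totp_secret)


def check_password(user: UserRecord, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user.pw_hash)


def check_totp(user: UserRecord, code: str, unix_time: int) -> bool:
    """Accept the current step or one on either side, but never a step at or
    below the last accepted one: a code phished a few seconds ago and replayed
    inside its 30-second validity window is rejected."""
    now = unix_time // STEP_SECONDS
    for counter in range(now - SKEW_WINDOW, now + SKEW_WINDOW + 1):
        if counter <= user.last_counter:
            continue
        if hmac.compare_digest(hotp(user.totp_secret, counter), code):
            user.last_counter = counter
            return True
    return False


def login(user: UserRecord, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. The OTP is only checked after the password so a
    wrong password cannot burn the user's current code."""
    return check_password(user, password) and check_totp(user, code, unix_time)


if __name__ == "__main__":
    u = enroll("correct horse battery staple", RFC_SECRET)
    print(totp(RFC_SECRET, 59))                                                 # RFC vector 94287082, last 6 digits
    print(login(u, "correct horse battery staple", totp(RFC_SECRET, 59), 59))  # first use
    print(login(u, "correct horse battery staple", totp(RFC_SECRET, 59), 59))  # replay of the same code
```

Two details matter in practice. The replay guard (last_counter) is what separates a real second factor from a decorative one, because a phished TOTP code is only useful to the attacker if it can be submitted before the user does. And the same verifier shape works for push or SMS codes delivered to a phone, with the caveat that SMS is exposed to SIM-swap and interception in a way an authenticator app or hardware token is not.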

Accidental Data Leakage:

Carelessness and negligence by users are some of the leading causes of accidental data leakage. The BYOD trend can potentially multiply these risks, as users are continually using their devices to send and receive information over email, text, IM, and other means. Data becomes more vulnerable to hackers when shared over a non-secure network.

Collaboration tools with mobile apps, such as Slack, are becoming common in the workplace, so communication among employees is more frequent, more rapid and generally more casual than traditional email correspondence. That casualness can lead employees to share sensitive information across an unknown network, creating opportunities for data to leak out inadvertently.

Corporate email solutions can scan for credit card numbers, social security numbers and other data formats that can be indicative of sensitive information – however, these mobile collaboration tools lack the same capability.

In addition, devices purchased for personal use (a personal laptop or desktop, for example) and used on occasion for work tasks often have automatic cloud back-up enabled, so a downloaded report can leave the originating device and land in a consumer storage or content management service outside the organization’s control. Those personal cloud accounts are a common target for attackers, so a sensitive report getting into the wrong hands can have damaging results.

Solution:

Enabling contextual access controls lets an organization differentiate a user’s privileges when they are working away from the corporate network. With this approach, users are granted limited access to sensitive transactions based on their location, device or network context as well as their privileges: a sensitive update can be blocked or stepped up to MFA off-network, and sensitive fields can be masked on read-only pages. As a best practice, applying the principle of ‘least privilege’ alongside these contextual rules limits the risk of users accidentally leaking data.
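The following is an added example of such a contextual policy check (not code from the original post, and not Appsian’s product logic). It assumes a corporate network of 10.0.0.0/8 plus a VPN pool of 172.16.0.0/12, and illustrative transaction and role names; the record it masks is constructed. It shows the decision order a practitioner would want: least privilege (role) first, then network context, then a step-up or masking rule depending on whether the transaction reads or changes data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set

# Assumptions (not from the original post): corporate and VPN address ranges,
# and the transaction/role names below, are illustrative placeholders.
CORPORATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]

# Per transaction: the role it requires, whether it reads or changes data
# ("public" means not sensitive), and the fields to mask when viewed off-network.
TRANSACTIONS = {
    "view_paycheck":         {"role": "employee", "kind": "view",   "masked": {"ssn", "bank_account"}},
    "update_direct_deposit": {"role": "employee", "kind": "update", "masked": set()},
    "view_employee_ssn":     {"role": "hr_admin", "kind": "view",   "masked": {"ssn"}},
    "view_news":             {"role": "employee", "kind": "public", "masked": set()},
}


@dataclass
class Request:
    user: str
    roles: Set[str]
    source_ip: str
    mfa_verified: bool
    transaction: str


@dataclass
class Decision:
    allow: bool
    reason: str
    masked_fields: Set[str] = field(default_factory=set)


def on_corporate_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def mask(value: str, keep_last: int = 4) -> str:
    """Keep only the trailing characters: 123-45-6789 -> ***-**-6789."""
    head = "".join("*" if c.isalnum() else c for c in value[:-keep_last])
    return head + value[-keep_last:]


def decide(req: Request) -> Decision:
    txn = TRANSACTIONS.get(req.transaction)
    if txn is None:
        return Decision(False, "unknown transaction: default deny")
    # Least privilege first: the role check applies regardless of context.
    if txn["role"] not in req.roles:
        return Decision(False, f"role {txn['role']} required")
    if txn["kind"] == "public" or on_corporate_network(req.source_ip):
        return Decision(True, "on corporate network or non-sensitive transaction")
    # From here on: a sensitive transaction from an unknown network (BYOD, home, hotel).
    if txn["kind"] == "update":
        if req.mfa_verified:
            return Decision(True, "off-network update allowed after MFA step-up")
        return Decision(False, "off-network update requires MFA step-up")
    # Sensitive read off-network: allowed, but identifiers are masked unless MFA passed.
    if req.mfa_verified:
        return Decision(True, "off-network view, MFA verified")
    return Decision(True, "off-network view without MFA: sensitive fields masked",
                    masked_fields=set(txn["masked"]))


def render(record: Dict[str, str], decision: Decision) -> Dict[str, str]:
    """Apply the decision's masking to a record before it leaves the server."""
    return {k: (mask(v) if k in decision.masked_fields else v) for k, v in record.items()}


if __name__ == "__main__":
    # Constructed sample: the same user hitting the same page from two networks.
    record = {"name": "Alice", "ssn": "123-45-6789", "bank_account": "000123456789"}
    for ip in ("10.1.2.3", "203.0.113.7"):
        d = decide(Request("alice", {"employee"}, ip, False, "view_paycheck"))
        print(ip, d.reason, render(record, d))
    print(decide(Request("alice", {"employee"}, "203.0.113.7", False, "update_direct_deposit")))
```

Masking happens in `render`, on the server, rather than in the page, so a client on an untrusted device never receives the full value it is not entitled to see.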

Summary

Enabling BYOD has inherent benefits – employees are happier and more productive, and an organization can extend the reach of its business practices – but a BYOD strategy should be adopted with caution.

It is important to understand that ERP applications like PeopleSoft and SAP were designed long before BYOD practices existed and do not have the native controls to keep up with the evolving security risks that accompany BYOD strategies.

If you’re interested in learning more about enhancing your ERP data security posture in the wake of expanded access and BYOD, you can Contact Us and we’d be happy to walk you through how you can fill these security gaps.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Data Security Penalties Get Real….Real Expensive

By Scott Lavery • August 5, 2019

How companies approach data security controls is changing. Segregation of Access (SoAx) is now just as critical as Segregation of Duties (SoD). Who sees sensitive data is just as important as who changes it.

And just to make sure organizations take access controls seriously, regulations such as GDPR are inflicting major penalties for breaches of private data. And soon, it won’t just be about breaches, it’ll also be about fines being levied for data security audit failures.

When GDPR was enacted, there was a lot of confusion around the penalties that would be associated with the exposure of sensitive data. Many companies took a wait-and-see approach instead of enacting data protection measures, especially around legacy applications such as ERP systems, where the keys to a company’s kingdom are typically stored.

Why?

A couple of reasons. Most companies don’t even have a handle on where their sensitive data is stored. And most companies don’t focus on regulatory controls until the penalties are real.

GDPR penalties are real. The penalties associated with many of the state-driven data privacy regulations are real. And now we have some guinea pig companies that show just how real they are.

GDPR took effect in May of 2018. It took more than a year before the UK Information Commissioner’s Office (ICO) nailed a company for a breach of sensitive data.

In 2019, British Airways was hit with a proposed fine of $230m for the exposure of sensitive information. Less than a week later, a second culprit was reported. The ICO has proposed a $124m fine to be assessed to the Marriott hotel chain related to the exposure of sensitive data in over 339 million guest records.

But that’s a European regulation that doesn’t apply to us.

We hear that a lot. So, let’s talk about some of the recent US-based breaches and their associated penalties.

Yahoo’s breaches, which began in 2013, drew a $35m SEC fine in 2018 (for failing to disclose them to investors) on top of the $50m it paid in a class action suit over the exposure of customer data.

Health insurer Anthem’s 2015 breach of over 79 million customer records cost it a $16m settlement for HIPAA violations, in addition to the $115m it paid to settle a national class action suit.

In 2017, Target settled with state attorneys general for roughly $18m over its 2013 breach of customer information.

Uber, in 2018, paid $148m over a 2016 breach of driver and rider records: an unusually large amount for the time, driven up by the company’s efforts to cover up the breach.

The key takeaway is that, while some of those US fines are relatively low compared to the GDPR penalties, that is changing. GDPR fines can be calculated as a percentage of an organization’s global annual revenue, and the California Consumer Privacy Act and other state initiatives impose penalties per violation, which add up quickly when a breach touches millions of consumers.

All of a sudden, that $18m that Target paid could become hundreds of millions of dollars.

Still want to take a wait and see approach?

Contact us to see how Appsian can help you address your data security controls.


PeopleSoft RECONNECT 19 Recap: Fluid Remains the HOTTEST Topic

By Scott Lavery • August 2, 2019

As the premier deep-dive PeopleSoft-focused event of the year, PeopleSoft Reconnect (presented by Quest Oracle User Group) has always touted itself as “created for PeopleSoft users… by PeopleSoft users.” This year’s conference (held in Rosemont, Illinois) did not disappoint.

Appsian was proud to be a conference sponsor and content contributor: our PeopleSoft User Experience experts presented sessions on Improving PeopleSoft Security and Creating a Modern User Experience Across All PeopleSoft Versions. The sessions were well attended, with an estimated 75% of conference attendees present. Many of the questions concerned security and meeting user experience expectations as organizations continue to upgrade to PeopleSoft 9.2 and adopt Fluid UI, both in service of staying on Oracle support and maximizing their current ERP investment.

According to Scott Hirni, Director of User Experience Strategy and Solutions at Appsian (who has previously worked with PeopleSoft for 18+ years), “Fluid adoption and on-going enablement was among the top concerns for attendees.” While Fluid adoption is a top project in the PeopleSoft community, it was clear that not all PeopleSoft customers are able to leverage Fluid to its full potential.

Here are a few observations:

  • 75% of organizations we spoke to at RECONNECT haven’t attempted to roll out Fluid – despite being on version 9.2
  • 25% have started, but have required ongoing guidance
  • Most attendees expressed that they were in the process of identifying the key business drivers for implementing Fluid
  • Many questions arose about what to do with existing customizations while implementing Fluid

Inspired by Scott’s presentation at RECONNECT 19, here’s a quick look at the roadmap for customers looking to roll out Fluid.

  • Identify business drivers i.e. key functional areas that need optimization and would benefit from a Fluid implementation project
  • Review the list of already delivered Fluid screens and Classic retirement dates to prioritize rollout accordingly
  • Assess the version prerequisites for carrying your existing PeopleSoft customizations forward
  • Prepare for UX changes and user adoption challenges that come with the new UI

The bottom line is, Appsian absolutely recommends upgrading to 9.2 and adopting Fluid as the best way to fully leverage your PeopleSoft investment. Staying current with Oracle maintenance and embracing the many advantages that come with a 9.2/Fluid adoption are critical, but we certainly understand that large-scale projects come with uncertainty and questions. With that in mind, Appsian has developed a strategic UX transformation plan that helps PeopleSoft customers analyze their business needs and assess how Fluid UI can help achieve their efficiency goals.

Not sure where to start? Leverage Appsian’s FREE PeopleSoft Fluid Assessment that includes:

· Complimentary Onsite Workshop

· Strategic Analysis/Transaction/Use Case Mapping

· Fluid Rollout Plan

· Business/Institutional Alignment

To claim your FREE Fluid assessment you can also write to us at [email protected]
