
Material Weakness Series Part 2: Ineffective Data Field Level Controls

By David Vincent • October 22, 2021

In the first article of our material weakness series, we addressed what a material weakness is and how an ineffective access control weakness can be resolved. This article will look at another critical control weakness that can occur at the data field level. 

What are Data Field Level Controls? 

Field-level security settings, or field permissions, control whether a user can see, edit, or delete the value of a particular field on an object. These are the ERP data security capabilities that allow organizations to protect sensitive fields, such as a candidate’s social security number, without having to hide the entire candidate object. However, when these field-level controls are not configured correctly, users may be able to see sensitive personally identifiable information that compliance regulations like CCPA and GDPR require to be safeguarded.

How to Resolve Data Field Control Weaknesses 

Protecting data at the field level is crucial from a data integrity and data privacy point of view. Here are six steps you can take to enhance field-level controls within your ERP applications: 

  1. Implement a Zero Trust security model that enforces the principle of never trust, always validate.
  2. Use Multi-Factor Authentication (MFA) effectively and enforce it at multiple layers (login, critical transactions, and critical data fields) so that each layer adds its own protection.
  3. Implement layered security, also known as defense in depth (DiD): overlapping layers of controls that together provide the three control capabilities needed to secure assets: prevention, detection, and response. No individual security control is guaranteed to stop 100% of cyber threats, but layered security mitigates a wide variety of threats while providing redundancy or compensating controls in the event of a control failure.
  4. Transition from the static security of Role-Based Access Control (RBAC) models to a dynamic model such as Attribute-Based Access Control (ABAC), which enforces policy requirements within the access controls at the transaction and data level.
  5. Design dynamic security control capabilities that improve the ability to identify, detect, prevent, and respond to anomalies and threats.
  6. Perform periodic control assessments to validate the effectiveness of the existing controls.

Protecting Data Fields with Appsian Security 

The Appsian Security Platform has been designed specifically to address security and governance challenges that companies face within their ERP ecosystem. Appsian offers a range of solutions that enable you to implement Zero Trust security. From multifactor authentication at the login level to masking of sensitive data fields with the ability to reveal data only after authentication, Appsian provides complete control over data access and data exposure that goes beyond the initial access.  

Appsian’s attribute-based access control also ensures that authorizations are not absolute. It considers the context of access when allowing or restricting data access even at the field level. For example, the click-to-view feature provides access to data while also maintaining a log of what sensitive data was accessed when and by whom. The Appsian Security Platform takes a layered approach to security within your ERP ecosystem to enable field-level controls that prevent, restrict, and monitor access and modification of any field data. 

Take a first-hand look at how Appsian can enable field-level controls in your ERP applications without disrupting business operations. Schedule a demo with our ERP experts.  

 

Next in the Series: Ineffective Transaction Level Controls 

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Material Weakness Series Part 1: Ineffective Access Controls

By David Vincent • October 20, 2021

This is the first article of a multi-part series featuring material weaknesses. Each piece will focus on one critical internal control weakness and provide solutions on how to resolve the weakness with granular security controls. 

The purpose of an independent audit of a company’s financial reports, called a Financial Statement Audit, is for the independent auditor to form an opinion on whether current and potential investors can rely upon the accuracy and completeness of the company’s financial statements. During this audit, the auditors evaluate the design and operating effectiveness of the internal controls intended to manage the risks relevant to maintaining the accuracy and completeness of the financial reports. The auditor may identify deficiencies in the company’s internal control over financial reporting, which are ranked from lowest to highest impact as Control Deficiency, Significant Deficiency, or Material Weakness.

What is a Material Weakness? 

According to the PCAOB, a material weakness is “a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.” Companies with material weaknesses are required to report them in their public SEC filings in the period in which they were identified. There are multiple types of internal control weaknesses that could lead to a material weakness.  

Access Control Weakness 

Segregation of duties (SoD) violations are among the most common access control issues in ERP applications that lead an auditor to report a material-level control weakness. The principle of SoD is to divide critical duties among more than one person. For example, a single person should not have the ability to both create and approve vendors, nor to both create and approve payments. Holding these four access rights together could easily enable fraudulent activity.

Resolving SoD Security Violations with Appsian 

Avoiding SoD violations within your ERP application starts with an effective user-provisioning process that enables organizations to proactively analyze role assignments and verify that no SoD violation exists before authorizing the access assignment. Unfortunately, most organizations use manual user-provisioning processes that are tedious and error-prone.

Appsian automates your user-provisioning, de-provisioning, and access recertification process and enables real-time detection and prevention of SoD violations. The Appsian Security Platform also continuously monitors user behavior and authorization usage. This allows organizations to de-provision unused authorizations and flag sudden deviations in user activity, thereby reducing the overall risk and enhancing threat detection. 
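The pre-provisioning check described above, as an added example that is not Appsian’s code: a conflict matrix built from the article’s own vendor and payment pairs, role definitions that are assumptions, and a check that simulates a requested role assignment and reports every SoD pair the resulting duty set would violate.

```python
"""SoD pre-provisioning check (added example, not Appsian's code).

A conflict matrix lists pairs of duties that must not be held by one person.
Roles map to duties. Before a role assignment is authorized, the checker
computes the user's resulting duty set and reports every violated pair.
The role definitions and the sample request are constructed for illustration.
"""
from itertools import combinations

# Conflicting duty pairs taken from the article: one person should not both
# create and approve vendors, nor both create and approve payments.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "vendor.approve"}),
    frozenset({"payment.create", "payment.approve"}),
}

# Hypothetical role definitions (role name -> duties the role grants).
ROLE_DUTIES = {
    "AP_CLERK": {"vendor.create", "payment.create"},
    "AP_SUPERVISOR": {"vendor.approve", "payment.approve"},
    "AP_VIEWER": {"vendor.view", "payment.view"},
}


def duties_for(roles):
    """Union of duties granted by a set of roles; unknown roles grant nothing."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def sod_violations(roles):
    """Return the sorted list of conflicting duty pairs present in `roles`."""
    duties = duties_for(roles)
    found = []
    for a, b in combinations(sorted(duties), 2):
        if frozenset({a, b}) in SOD_CONFLICTS:
            found.append((a, b))
    return found


def check_assignment(current_roles, new_role):
    """Simulate adding `new_role` and decide whether provisioning may proceed.

    Returns (decision, violations). Conflicts that already existed before the
    change are reported too, so the approver sees the complete picture.
    """
    proposed = set(current_roles) | {new_role}
    violations = sod_violations(proposed)
    decision = "approve" if not violations else "block"
    return decision, violations


if __name__ == "__main__":
    # Constructed request: a clerk who already creates vendors and payments
    # asks for the supervisor role that approves both.
    print(check_assignment({"AP_CLERK"}, "AP_SUPERVISOR"))
    # A read-only role introduces no conflict and can be approved.
    print(check_assignment({"AP_CLERK"}, "AP_VIEWER"))
```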

  • Define Scope of Process: choose what and whom to review (activities, authorizations, roles, employees, and systems).
  • Commence Review: a list of authorizations is sent for approval and then routed to the next level of approvers.
  • Complete Review: upon reaching a well-grounded decision, the next level of approvers can confirm with a single click.
  • Seal the Process: upon completing the process, the results are sent to the security managers to implement the changes.


Some of the other leading practices offered by Appsian to prevent SoD violations include:
 

Policy-Based Access Control
With policy-based access, organizations can go beyond roles to implement controls based on contextual attributes. A policy-based access control security model improves your policy enforcement capability at the SoD level.  

Identity & Access Management (IAM)
Authorization, being an integral part of IAM, allows you to increase the effectiveness of your user-access management lifecycle process. By implementing dynamic MFA at the login, page, and data field level, you can ensure sensitive data and transaction changes are logged and protected. 

Identity Governance & Administration (IGA)
With real-time user monitoring, you can remove unnecessary authorizations while gaining governance and oversight of all user access to increase your ability to detect and prevent SoD violations. 
 

The Appsian Security Platform gives you complete visibility and control of your ERP applications from the inside to resolve critical material control weaknesses. See the Appsian Security Platform in action by scheduling a demo. 


[Video Interview] David Vincent Talks to Security Guy TV About Improvements in ERP Security, Risk, and Compliance

By Michael Cunningham • September 30, 2021

Appsian Security’s Vice President of Product Strategy and Customer Experience, David Vincent, recently appeared on Security Guy TV to talk about ERP Security, Risk and Compliance and what organizations can do to further protect their data & business transactions.

Appsian.com with David Vincent at #GSX #GSC2021, Orlando on SecurityGuyTV.com from Security Guy TV.

Interview topics include: 

  • A brief overview of Appsian Security 
  • The challenges that corporate compliance officers face. At the top of their list is keeping up with an ever-changing regulatory environment.  
  • How system authentication has improved  
  • General improvements in ERP security 
  • How ERP security, risk & compliance “Policy Management” has improved 
  • The control frameworks that organizations are using to implement more effective ERP security, risk, and compliance programs

To learn more about how Appsian Security can help you manage and reach your ERP security, risk, and compliance objectives around your various application environments, contact us for a demo today. 


6 Warning Signs Of Potential Insider Threat Activity And How To Detect Them

By Esha Panda • September 29, 2021

Data breaches caused by ransomware attacks, phishing scams, and state-sponsored hacker groups tend to grab the headlines. However, the reality is that insider threat activity causes 60% of these breaches. Moreover, while these threats are becoming more frequent – up 47% over the latest two-year period – and costlier to organizations, it still takes organizations more than two months (an average of 77 days) to discover and contain the average insider threat incident. And the longer an insider incident lingers, the more costly it becomes.

Why Insider Threat Activity is Difficult to Discover

A primary reason for the lengthy discovery time is that it is difficult to distinguish between regular user activity and the kind of user behavior indicating an insider attack. Complicating discovery further is that the insider in question usually has authorized access to the ERP system and knows how to bypass controls and violate security policies.

How can a company become more proactive at detecting insider threat activity rather than waiting (up to 77 days) to discover that an incident occurred? One solution is to continuously monitor user activity around data access and usage inside the ERP.

What are Potential Insider Threat Indicators?

When companies monitor for outlier and abnormal behavior patterns, they are more likely to detect possible malicious activities or compromised accounts, reducing the discovery and containment time and costs. Here are six user behaviors to monitor that could indicate potential insider threat activity.

1. Making Unauthorized Changes To Master Data
The exponential growth in data volume and usage in companies has led to sensitive master data being stored across multiple silos. Any changes to master data, such as changes to payroll or adjusting a PO amount beyond limits, are worth paying attention to as possible indicators of insider threat activity. It is critical to know precisely who is accessing master data and how frequently.

2. Unusual Login Times And Off-Peak Activities

Watch out for users trying to log in outside of their regular working hours without proper authorization or a valid need to access the network at odd hours or from an unknown IP address. Of course, there could be a legitimate reason for this access, but this behavior is worth investigating. For example, does the employee genuinely need to access payroll information outside of office hours?

3. Repeated Failed Attempts At Logging Into Critical Applications

Organizations typically have a fixed set of users and roles that have access to sensitive data. Repeated failed attempts to access data or complete transactions could be a warning sign that an insider is trying to reach privileged information (e.g., PII or other employees’ compensation data).

4. Erratic Behavior Of Privileged Accounts

Privileged users in companies have elevated access to sensitive data and transactions. Watch out for these users accessing particularly sensitive fields, including compensation data and executive payroll, and how frequently. These behaviors are usually a violation of a company’s security policies and protocols and can indicate behavior with malicious intent.

5. Questionable Query Running and Data Downloads

A key indicator of insider threat activity is running queries and downloading sensitive data to unauthorized devices. Companies should monitor query runs and attempts to download sensitive data onto unauthorized devices, from suspicious locations, or outside business hours. Additionally, when employees use unapproved workarounds to transfer potentially sensitive information to cloud storage accounts for easy access, that data is left unsecured and exposed to hackers.

6. Unnecessary or Excessive Vendor Creation and PO Approvals

Employees who use their credentials to create an unusual number of new vendors, purchase orders, requisitions, and so on are likely engaging in fraudulent activity that leads to data or financial theft. In addition, without proper internal controls in place, employees can use their credentials to violate segregation of duties for financial gain.
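As an added example (not Appsian’s code or part of the original post), the six indicators above expressed as detection rules and run over a few constructed ERP audit log lines; the log format, corporate network range, business hours, privileged user roster and thresholds are all assumptions.

```python
"""Insider threat indicator scan over ERP audit log lines.

Added example, not Appsian's code. The pipe-delimited log format, reference
data and thresholds are constructed; a real deployment would map the same
rules onto the ERP's own audit tables.
"""
from collections import Counter, defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed reference data.
CORPORATE_NETS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # local time, Mon-Fri
PRIVILEGED_USERS = {"sapadmin"}
SENSITIVE_FIELDS = {"COMPENSATION", "EXEC_PAYROLL", "SSN", "BANK_ACCT"}
FAILED_LOGIN_THRESHOLD = 3                  # indicator 3
VENDOR_CREATE_THRESHOLD = 3                 # indicator 6, per user per day

# Constructed audit lines: timestamp|user|event|detail|source_ip
SAMPLE_LOG = """\
2021-09-28T09:12:01|jdoe|LOGIN_OK|-|10.1.4.22
2021-09-28T23:47:10|jdoe|LOGIN_OK|-|203.0.113.9
2021-09-28T23:49:33|jdoe|DOWNLOAD|PAYROLL_EXPORT|203.0.113.9
2021-09-28T10:02:11|mlee|LOGIN_FAIL|-|10.1.4.30
2021-09-28T10:02:19|mlee|LOGIN_FAIL|-|10.1.4.30
2021-09-28T10:02:27|mlee|LOGIN_FAIL|-|10.1.4.30
2021-09-28T10:03:00|mlee|LOGIN_FAIL|-|10.1.4.30
2021-09-28T11:15:42|sapadmin|FIELD_READ|EXEC_PAYROLL|10.1.9.5
2021-09-28T14:00:00|pkim|VENDOR_CREATE|V-1001|10.1.7.8
2021-09-28T14:05:00|pkim|VENDOR_CREATE|V-1002|10.1.7.8
2021-09-28T14:09:00|pkim|VENDOR_CREATE|V-1003|10.1.7.8
2021-09-28T14:12:00|pkim|VENDOR_CREATE|V-1004|10.1.7.8
2021-09-28T15:30:00|pkim|FIELD_READ|PO_AMOUNT|10.1.7.8
"""


def parse(line):
    """Split one audit line into a typed record."""
    ts, user, event, detail, ip = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "detail": detail, "ip": ip_address(ip)}


def off_hours(ts):
    """True on weekends or outside BUSINESS_HOURS (indicator 2)."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def from_unknown_network(ip):
    """True when the source address is outside every corporate range."""
    return not any(ip in net for net in CORPORATE_NETS)


def scan(log_text):
    """Return a list of (user, indicator, evidence) findings."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    findings = []
    failed = Counter()                 # user -> failed logins
    vendors = defaultdict(Counter)     # user -> day -> vendors created

    for e in events:
        user, ev = e["user"], e["event"]
        suspicious_context = off_hours(e["ts"]) or from_unknown_network(e["ip"])
        if ev == "LOGIN_OK" and suspicious_context:
            findings.append((user, "off_hours_or_unknown_ip_login", str(e["ip"])))
        elif ev == "LOGIN_FAIL":
            failed[user] += 1
        elif ev == "FIELD_READ" and e["detail"] in SENSITIVE_FIELDS and user in PRIVILEGED_USERS:
            findings.append((user, "privileged_sensitive_field_access", e["detail"]))   # indicator 4
        elif ev == "DOWNLOAD" and suspicious_context:
            findings.append((user, "suspicious_download", e["detail"]))                # indicator 5
        elif ev == "VENDOR_CREATE":
            vendors[user][e["ts"].date()] += 1                                         # indicators 1 and 6

    for user, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append((user, "repeated_failed_logins", str(n)))
    for user, days in vendors.items():
        for day, n in days.items():
            if n > VENDOR_CREATE_THRESHOLD:
                findings.append((user, "excessive_vendor_creation", f"{n} on {day}"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The unflagged lines (an in-hours login from the corporate range, a read of a non-sensitive field) show why each rule combines an event type with a context check rather than alerting on the event alone.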

Detect and Prevent Insider Threats with Data-Centric Security

An essential first step to tackling insider threats is closely monitoring user behavior around data access and usage. With continuous monitoring, security and compliance leaders can drill into specific activity and know exactly the context of data access and usage: who is doing what, where, and why. With that level of in-depth, contextual information, any red flag incidents can undergo a rapid response plan.

The next step is to prevent insider threat activity by adopting a layered, data-centric security model that includes:

  • Enhanced access controls with dynamic authorization policies
  • Expanded use of data masking to all fields considered personally identifiable
  • Step-up Multi-Factor Authentication to prevent unauthorized access

We have helped several organizations detect and defend against insider threats by applying continuous data access and usage monitoring at a granular level combined with a data-centric security approach. Contact us to chat with an Appsian Security expert today.

Related Reading: These behaviors usually align with one of these five categories of insider threats.


Preventing Risk from Privileged User Accounts: SAP, Oracle EBS & PeopleSoft

By David Vincent • September 24, 2021

Organizations that use ERP applications like SAP, PeopleSoft, Oracle EBS, etc., manage thousands of users. Most of these users have limited roles that only allow them to perform their job-related tasks. But there exists a subset of users/accounts who are granted a wide spectrum of authorizations because their role entails managing the application itself: privileged users.

From an operations point of view, these roles are essential for the day-to-day functioning of the application to support the business. However, from a security perspective, the level of access and authorization granted to these privileged user accounts increases the overall risk exponentially. In fact, Forrester estimates that 80% of data breaches have a connection to compromised privileged credentials, such as passwords, tokens, keys, and certificates.

Who are Privileged Users?

Privileged users are users who are assigned roles and authorizations to perform functions that go beyond regular business transactions. These users include database administrators, network engineers, application developers, or third-party consultants. Their user accounts possess enhanced permissions that allow them to access sensitive data or modify key system functions. Also referred to as Superusers, some of the overarching privileges extended to them include:

  • Full authorization to read, write and execute
  • Creation or installation of files or software
  • Modification of files and settings
  • Deletion of users and data

Security Implications of Privileged User Accounts

Privileged users have a high level of access, which means they will always be a target for attackers. If these accounts are compromised, the attackers gain the same level of access.

Once inside, attackers can move from system to system without leaving any digital footprint, making them harder to detect and stop. In addition, the attackers could gain access to an organization’s sensitive and confidential data, including company trade secrets.

If misused, either because of an error or with malicious intent, privileged user accounts can also inflict grave damage to a system or organization. Companies may have adequate security to prevent external threats, but privileged users are already inside the system. They can create backdoors, delete or modify data, override security settings, and more without detection.

According to the IBM 2020 Cost of Insider Threat Report, the average cost of an insider threat almost triples, from $3M to $8.7M, if the incident involves an imposter or thief who steals credentials, and the costliest type of credential theft involves the theft of privileged users’ credentials.

Mitigating Privileged User Risk

Privileged users are granted greater access rights for a reason. They maintain and update applications that are critical for business operations. They are also responsible for a range of functions that require access to multiple servers, modules, and/or databases. This access also significantly increases the organization’s overall risk. However, this “privilege” can be counterbalanced with security measures that do not overly restrict them from performing their tasks.

Enforce Least Privilege Access

Many ERP applications provide role-based access controls and role-based authorizations. This means any user who logs in with valid credentials is granted all roles and authorizations assigned to that account. Thus, when a privileged user’s credentials are compromised, the attacker essentially becomes a privileged user giving them unchecked access.

However, by implementing attribute-based access controls (ABAC) through a dynamic policy engine, access can be allowed based on contextual attributes like location, time range, days, security clearance level, IP address, and more. For example, restricting privileged users to access only via your secure network ensures attackers cannot log in through an unknown network – significantly mitigating your risk while alerting you to failed access attempts.
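As an added example (not Appsian’s code), the contextual policy described here and in step 4 of the field-level controls article, written as a small ordered-rule engine: a request carries the subject’s roles and clearance plus context attributes (time, source IP, whether step-up MFA was completed), and the engine answers allow, mask, step_up or deny for a given field, logging every decision on a sensitive field. The field tiers, role names, network range, business hours and sample requests are assumptions.

```python
"""Attribute-based field-level access decisions (added example, not Appsian's).

A request combines subject attributes (roles, clearance), the target field and
context attributes (time, source IP, recent step-up MFA). Ordered rules yield
one of "allow", "mask", "step_up" (re-authenticate first) or "deny", and every
decision on a sensitive field is appended to an audit list so that access stays
attributable: who, which field, when, from where. All reference data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

CORPORATE_NETS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # Mon-Fri, local time

# Constructed sensitivity tiers: 0 public, 1 PII, 2 critical (payment data).
FIELD_TIER = {"NAME": 0, "SSN": 1, "COMPENSATION": 1, "BANK_ACCT": 2}


@dataclass
class Request:
    user: str
    roles: frozenset
    clearance: int        # 0..2, asserted by the identity provider
    field_name: str
    ts: datetime
    ip: str
    mfa_recent: bool      # step-up MFA already completed in this session
    action: str = "read"


def make_request(user, roles, clearance, field_name, ts_iso, ip, mfa_recent, action="read"):
    """Build a Request from plain values (ISO-8601 timestamp string)."""
    return Request(user, frozenset(roles), clearance, field_name,
                   datetime.fromisoformat(ts_iso), ip, mfa_recent, action)


def on_corporate_network(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def in_business_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() < 5 and start <= ts.time() < end


def decide(req):
    """Ordered rules; the first match wins. Returns (effect, reason)."""
    tier = FIELD_TIER.get(req.field_name, 2)     # unknown fields treated as critical

    # Rule 1: privileged roles may act only from the corporate network,
    # the restriction the text above describes for privileged users.
    if "ADMIN" in req.roles and not on_corporate_network(req.ip):
        return "deny", "privileged access from unknown network"
    # Rule 2: a subject whose clearance is below the field tier sees it masked.
    if req.clearance < tier:
        return "mask", "clearance below field tier"
    # Rule 3: writes to critical fields always require step-up MFA.
    if req.action == "write" and tier >= 2 and not req.mfa_recent:
        return "step_up", "write to critical field"
    # Rule 4: sensitive reads outside business hours require step-up MFA.
    if tier >= 1 and not in_business_hours(req.ts) and not req.mfa_recent:
        return "step_up", "sensitive field outside business hours"
    return "allow", "policy satisfied"


def evaluate_and_log(req, audit):
    """Decide, then record who touched which sensitive field, when, from where."""
    effect, reason = decide(req)
    if FIELD_TIER.get(req.field_name, 2) >= 1:
        audit.append({"ts": req.ts.isoformat(), "user": req.user, "field": req.field_name,
                      "action": req.action, "ip": req.ip, "effect": effect, "reason": reason})
    return effect


if __name__ == "__main__":
    log = []
    # Constructed requests: an HR clerk in and out of hours, and an admin
    # first from an unknown network, then writing a critical field on-site.
    for r in (make_request("hr1", {"HR"}, 1, "SSN", "2021-09-28T10:00:00", "10.2.3.4", False),
              make_request("hr1", {"HR"}, 1, "SSN", "2021-09-28T22:00:00", "10.2.3.4", False),
              make_request("adm", {"ADMIN"}, 2, "BANK_ACCT", "2021-09-28T10:00:00", "203.0.113.5", True),
              make_request("adm", {"ADMIN"}, 2, "BANK_ACCT", "2021-09-28T10:00:00", "10.9.9.9", False, "write")):
        print(r.user, r.field_name, evaluate_and_log(r, log))
    print(len(log), "audit records")
```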

Enforce Segregation of Duties (SoD)

Privileged user roles and authorizations should be regularly audited to ensure that users hold only the authorizations needed to perform their jobs. If a privileged user has not used a particular role within a specific timeframe, organizations should consider removing those privileges from the user; since the user has not exercised those functions, removing them is unlikely to disrupt their work.

Even in cases where special privileges have been granted to perform specific tasks, a time limit should be set after which access is automatically revoked. These steps ensure that privileged users only have the necessary access at any given time and limit the organization’s overall risk.

Implement Step-Up MFA For Privileged Users

While your organization may have MFA at the login level, deploying step-up authentication for sensitive transactions at the page and data field level ensures that access to data and transactions is allowed only after the user has re-authenticated themselves.

Adding additional layers of authentication not only improves your security posture but also creates logs that can be monitored for suspicious activities. For example, a privileged user who is authorizing payment transactions can be easily identified during an audit since the user does not belong to the payroll or procurement team.

Behavior-based Profiling

Monitoring administrator accounts can help identify when one is compromised. However, large organizations may have hundreds of privileged users, and manual monitoring is virtually impossible. This is why Appsian Security’s unique algorithm combines multiple data sources to create a joint profile for each employee, including privileged users. The solution uses this business profile as the basis for optimization and as the behavior baseline.

This profile is subsequently used to analyze irregular behavior, unused activities and authorizations, recommended authorizations for roles, and unoptimized license types. Privileged users who deviate from their normal usage can then be monitored easily. For example, an anomaly is flagged when an SAP administrator who has never accessed the customer database before tries to access it. Even though the user is authorized to access the database, the deviation in behavior can indicate compromised credentials and gives security teams an impetus to check the user’s activity.

The IBM 2020 Cost of Insider Threat Report states that 29 percent of all credential thefts involve the theft of privileged users’ credentials. This shows that privileged users are primary targets for attackers because of their access privileges. Appsian Security mitigates the risk of highly privileged credentials and sessions being exploited by bad actors by enabling you to implement multiple security measures: attribute-based access controls, step-up authentication for sensitive transactions, segregation of duties, and behavior-based profiling.

Schedule a demo with our security experts to find out how privileged user risk can be mitigated across your ERP ecosystem.


[Customer Story] How Appsian Helped OU Secure their PeopleSoft Data by Integrating Duo Security (for Dynamic MFA)

By Esha Panda • September 23, 2021

Since 2008, the University of Oklahoma Health Sciences Center (OUHSC) has successfully used the Appsian Security dynamic MFA solution to secure the ERP data on its instance of PeopleSoft. OUHSC initially selected Appsian Security because of its ability to directly integrate its multi-factor authentication (MFA) solution with PeopleSoft without added customizations, hardware, or complexity. 

What Challenges Made OU Enable Dynamic Access Controls?  

OU’s main campus in Norman had its own PeopleSoft system, which was separate from the OU Health Sciences Center’s system. Recently, the University decided to consolidate the Financials and Human Capital systems, along with the information technology of the University’s three campuses, including uniting the separate instances of PeopleSoft into a single one.

In 2020, the University began the consolidation project. In addition to requiring secure access to the HRMS pillar for the nearly 15,000 faculty and staff members on the unified instance of PeopleSoft, the University wanted to leverage dynamic access controls to enforce MFA at login and inside the application at the field, page, and component levels. 

As a unified system, OU wanted to:

  • Reduce unwanted exposure of sensitive data 
  • Improve visibility into user activity across applications  
  • Limit access to sensitive transactions  

Oklahoma University Enhanced PeopleSoft Data Security With Dynamic MFA 

Appsian Security’s native integration with PeopleSoft allowed OU to successfully deploy its MFA solution for the HRMS pillar. The University uses MFA at login for both off-campus (remote) and on-campus users. The combined platform for all three campuses applies dynamic access controls to grant access to sensitive information and gate high-value transactions, such as direct deposit, based on contextual attributes like device, geolocation, time, and more. Additionally, OU uses Appsian Security to monitor and log highly privileged user activity within PeopleSoft. The system captures all user activity at the field, page, and component levels.

The University completed its system upgrades and merger and is now live using the Appsian Security Platform in all three of its PeopleSoft pillars, namely Financials, Human Capital, and Campus Solutions. 

Appsian Security Platform As A Key Enabler For End-To-End PeopleSoft Data Security & Compliance  

Appsian’s PeopleSoft customer base includes multiple colleges and universities like Oklahoma University looking for a single platform to strengthen Identity and Access Management, Data Security, and Compliance, including: 

  • Native SAML/ADFS Compatibility And PeopleSoft MFA Integration: Integrating single sign-on and multi-factor authentication natively with PeopleSoft and your identity provider improves security and convenience. Integrated MFA also enables step-up authentication, so users can be forced to re-authenticate when accessing highly sensitive transactions. 
  • Contextual Access Control For Greater Security: Reduce the attack surface with a dynamic rules engine that applies the contextual variables of a user’s access and defines privileges in real-time. Implement least privilege to limit access to modules/transactions, dynamically mask sensitive data, enforce step-up MFA, and more. 
  • Real-Time Analytics For Improved Response Times: Enhanced PeopleSoft logging capabilities capture all user activity at the field, page, and component levels and combine them with contextual user data. Real-time visualized dashboards allow you to quickly spot suspicious activity and drill down to root out issues. 

Contact Appsian’s PeopleSoft experts today to learn how the Appsian Security Platform can help you establish a dynamic MFA solution and a strong ERP data security posture. 

Customer Profile: 

Founded in 1890, the University of Oklahoma is a public research university located in Norman, Oklahoma, just 20 minutes south of Oklahoma City. With three campuses in Oklahoma, OU also offers study abroad opportunities at several locations and OU campuses overseas. The OU Health Sciences Center serves approximately 4,000 students in more than 70 undergraduate and graduate degree programs on Oklahoma City and Tulsa campuses. 

Related Reading: OU Case Study 

 


How Enhanced Logging Enables Better Breach Investigation, Remediation, and Security

By Shiv Sujir • September 23, 2021

Every time a major data breach makes the headlines, the company in question almost always struggles to answer the most important questions: Why did it take so long to detect the breach, and what exactly did the attackers steal? Even though companies maintain transaction logs, investigators need to sift through log entries that could run into the millions to find out what was accessed, by whom, and when. This hampers investigation and remediation and calls the company’s data security practices into question.

Connecting the Dots with Multiple Log Files is a Challenge

When asked how the U.S. government missed the SolarWinds and Microsoft Exchange Server hacking for so long, National Security Agency Director Gen. Paul Nakasone said, “It’s not the fact that we can’t connect the dots — we can’t see all the dots.” This is a very significant statement and highlights a serious problem with breach detection and remediation.

Many companies use legacy applications like PeopleSoft or legacy versions of SAP for their business operations. They store vast amounts of sensitive and confidential data that is essential to facilitate day-to-day transactions. However, once the user gains access, these applications offer limited monitoring and logging capabilities – creating blind spots that allow intruders to stay undetected for months.

According to the 2020 IBM Cost of a Data Breach Report, it takes 280 days, more than nine months, to identify and contain a breach. Even with robust monitoring and logging capabilities in place, the volume of raw log information generated makes it virtually impossible to extract meaningful insights in time to make a difference.

In fact, it is routine for incident detection teams to end up sorting through more false positives than genuinely malicious activity. Given the volume of log data, it is rare for security teams to spot potentially malicious behavior in time to take preventive measures. And should a breach occur, investigation and forensics teams are confronted with a mountain of log entries that must be analyzed to estimate the damage.

How Logging and Detection can be Enhanced

Logging and monitoring are important security measures that enable both prevention and detection of threats. Logging allows you to understand user behavior, trace malicious activity, and react to incidents enabling faster detection. In the event of a breach, logs allow forensic investigators to reconstruct events, determine the extent of data exposure, and take effective steps to remediate the problems that led to the breach. Here are some of the ways companies can enhance their logging capabilities to detect and prevent threats.

Granular Activity Logging

Most applications offer some degree of monitoring and logging, but security teams need to decide if the recorded log data is granular enough. In many cases, applications provide limited visibility into user activity once access has been granted. Transaction details like what data was accessed, by whom, from where/what device, and why are crucial to determining context and risk. These details enable faster detection and allow administrators to run reports and perform audits.

Access Checkpoints

Users perform multiple transactions and access a variety of data every day, including PII and confidential data. Using dynamic data masking and creating checkpoints like Click-to-View and Step-Up MFA to access specific data fields within your ERP ecosystem ensures that data isn’t needlessly exposed and access to sensitive data is always logged. This also creates an audit trail that aids investigation and remediation efforts.

Real-Time Monitoring

Monitoring and logging are essentially two sides of the same coin for the simple reason that you cannot monitor what you’re not logging. A real-time monitoring and analytics tool that draws insights from the vast volume of logs that are generated every day enables security teams to get detailed information on transactions and data access, failed login attempts, and potential brute force attacks. Such tools also provide administrators and auditors with detailed reports and visually rich dashboards that show trends in behavior and usage.

As attacks increase in frequency and sophistication, companies and government departments are trying to find ways to detect attackers faster and initiate remediation to prevent future attacks. The 2020 SolarWinds attack was a stark reminder of the extent of damage hackers can cause. It even prompted the U.S. President to issue an Executive Order which asks federal departments to strengthen their cybersecurity defenses and improve investigative and remediation capabilities.

While logging is vital for breach investigations and remediation, it can also be used as a tool for proactive and preventative security. By enhancing logging and monitoring capabilities, companies can not only bring down the dwell time but also derive insights that enable active detection and reduce potential security incidents.

Monitoring and Logging with Appsian

Appsian Security enables you to enhance your logging capabilities by capturing granular transaction details within your ERP applications. Controlled by a configurable rules engine, Appsian lets you add click-to-view features to log exposure of specific data fields and enforce step-up authentication for sensitive transactions. Appsian360, a visibility and analytics solution, provides the most powerful, real-time view into your ERP data access and usage while maintaining complete visibility of sensitive business transactions.

Schedule a demo with our ERP security experts to get a first-hand look at our enhanced logging and monitoring solutions.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Unpacking China’s New Data Security Law and Privacy Legal Framework

By Michael Cunningham • September 9, 2021

If you’re a multinational enterprise (MNE) that does business in or with China, you’re likely aware of the Data Security Law (DSL) that went into effect on September 1, 2021. The DSL adds to an increasingly comprehensive legal framework for information and data security in China. The law also imposes extensive data processing requirements and imposes potentially severe penalties for violations. 

This article attempts to share a high-level overview of the DSL and put into context the overall state of data governance in China. First, a disclaimer: This article isn’t legal advice. Instead, it is a high-level look at a new set of data governance and regulations that affect our customers. We do recommend that you seek guidance from your legal department and other relevant experts.

A Brief Recap of China’s Recent Data Security Initiatives

The recent legal moves by China over the past few years address the country’s growing concerns over the amount of data collected by firms and whether that information is at risk of misuse and attack, particularly by foreign nations. On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which took effect earlier this month (September). The DSL, together with the 2017 Cybersecurity Law and the just-passed Personal Information Protection Law (PIPL), will form an increasingly comprehensive legal framework for information and data security in China. 

Data Security Law Highlights

The primary purpose of the DSL is to regulate “data activities,” safeguard data security, promote data development and usage, and protect individuals and entities’ legitimate rights and interests. Additionally, the DSL focuses on safeguarding China’s state sovereignty, state security, and development interests. 

Extraterritorial Jurisdiction

The DSL provides broad extraterritorial jurisdiction. According to Article 2, the law governs data activities conducted within China as well as those outside the country that may “harm the national security or public interests of the PRC, or the legitimate rights of Chinese citizens or entities.”

Defining and Classifying Data 

The DSL requires all companies in China to classify the data they handle into several categories and governs how that data is stored and transferred to other parties. The classification system will control data according to the data’s importance (i.e., “important data”) to China’s economy, national security, and public and private interests. 

The DSL further introduces a separate regulatory framework for “core state data,” broadly defined as data involving national security, lifelines of the national economy, importance to people’s livelihood, and significant public interests. Core data are subject to stricter processing regulations. 

Currently, the data classification system details are not specified in the DSL but are expected to be rolled out in the future.

Data Security Compliance Obligations

The DSL imposes general obligations on companies and individuals who carry out any data activities, including: 

  • Establishing comprehensive data security management systems, organizing data security education, and implementing necessary measures to ensure data security 
  • Strengthening risk monitoring, taking corrective actions when data security flaws or “loopholes” are discovered, and notifying users and authorities of security incidents 
  • Conducting regular risk evaluations of the data activities for “important data” processors and reporting results to relevant authorities.

The more sensitive the data a company handles, the more rigorous the data security obligations. For example, in addition to obeying strict processing restrictions for “national core” data, entities that process “important data” must: 

  • assign a data security officer, 
  • create a data security management department, 
  • conduct regular evaluations to monitor potential risks, and 
  • report results to appropriate government agencies.

Cross-Border Data Transfer Requirements

There are many details about cross-border data transfers that we won’t cover in this article. But, basically, the DSL doesn’t allow the transfer of any data from China to any foreign law enforcement agencies or judicial bodies without approval from the appropriate Chinese government authorities, creating complications for companies legally required to submit data to foreign authorities. 

For example, companies established in China that offer goods or services in the European Union (EU) are subject to the EU General Data Protection Regulation (GDPR), which allows EU supervisory officials to request data when exercising their enforcement powers. However, China requires that companies receive government approval before transferring data in response to GDPR enforcement requests. 

Again, the DSL currently provides no specific guidance to companies on this requirement. 

Penalties for Noncompliance

Penalties for failure to comply with DSL requirements include demands for rectification, warnings, monetary fines, forfeiture of illegal gains, revocation of business licenses, and/or orders to close down businesses. Noncompliance with the DSL that rises to the level of a criminal or administrative offense may also be prosecuted under China’s Criminal Law or be subject to administrative penalties. In addition, the DSL allows parties to recover damages through civil litigation in court.

What’s Next? Here’s How Appsian Security Can Help

MNEs currently conducting business in and with China are likely already used to stringent information and data security controls and may have existing internal policies for information technology, data management, and privacy already in place. Even so, those companies will benefit from additional reviews of their data processing policies and activities for potential non-compliance risks.

Additionally, it’s a good time to talk with Appsian Security to learn how the Appsian Security Platform (ASP) can help you comply with China’s DSL, along with other global compliance regulations like GDPR. ASP gives you complete control and visibility over your business data using a comprehensive platform that combines data security, identity and access management, and governance, risk, and compliance (GRC). 

Contact us today for a demonstration.

SAP Access Management: Automating and Centralizing the Identity Lifecycle

By David Vincent • September 2, 2021

If you do an internet search for the most common cause of data breaches, you’re going to get a variety of answers: ransomware, phishing attacks, stolen credentials, insider activity, etc. While these types of cyberattacks lead to data breaches, there is one simple truth ERP customers can never overlook: data breaches are caused by unauthorized access. Of course, not all unauthorized access is malicious. It can also be accidental due to poor access management (also called identity lifecycle management). 

Clearly, the best practice is using the principle of least privilege to grant access to the applications, transactions, and data that a person needs to carry out their jobs. While data security and privacy are the primary elements of a successful access management process, the overall identity lifecycle management process should be automated, centralized, and provide IT teams and business units with audit-ready information. This information is critical for providing reasonable assurances that their SAP access management process is compliant and operating effectively.

Poor Access Management Exposes SAP Data to Risk

The process of SAP access management shouldn’t exist in a vacuum or a silo. Unfortunately, many organizations struggle with manual and decentralized identity lifecycle management. This leads to a variety of situations where unauthorized access leaves valuable ERP data exposed to risk:

  • Unused new accounts with default passwords
  • Employees collect new authorizations as they move around the business without removing unnecessary ones
  • New employee authorizations causing SoD issues and sensitive access issues
  • Employees leaving the company while their user IDs remain valid
  • And many more
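The situations listed above can be found by reconciling the HR roster against the ERP user list. This is an added example, not the page's or Appsian's code: a hypothetical `review_accounts` check run over a constructed roster, role extract and SoD rule set (the role names, user records and department-to-role map are made up for the sample, not SAP's).

```python
from datetime import date

# Constructed sample data (hypothetical format, not an SAP extract).
HR_ROSTER = {  # employee id -> HR status and current department
    "alice": {"status": "active", "dept": "finance"},
    "bob": {"status": "terminated", "dept": "sales"},
    "carol": {"status": "active", "dept": "sales"},
}
DEPT_ROLES = {  # roles each department is expected to hold
    "finance": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
    "sales": {"SALES_QUOTES"},
}
SOD_CONFLICTS = [frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"})]
ERP_USERS = [
    {"id": "alice", "valid": True, "default_pw": False, "created": date(2019, 1, 2),
     "last_login": date(2021, 8, 30), "roles": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}},
    {"id": "bob", "valid": True, "default_pw": False, "created": date(2018, 5, 1),
     "last_login": date(2021, 6, 1), "roles": {"SALES_QUOTES"}},
    {"id": "carol", "valid": True, "default_pw": False, "created": date(2020, 3, 3),
     "last_login": date(2021, 8, 29), "roles": {"SALES_QUOTES", "AP_INVOICE_ENTRY"}},
    {"id": "dave", "valid": True, "default_pw": True, "created": date(2021, 4, 1),
     "last_login": None, "roles": set()},
]
REVIEW_DATE = date(2021, 9, 1)  # constructed "today" for the sample


def review_accounts(hr, users, dept_roles, sod_conflicts, today, unused_days=90):
    """Return (user id, finding) pairs for the access-management gaps listed above."""
    findings = []
    for u in users:
        person = hr.get(u["id"])
        # Leaver (or someone HR has never heard of) whose user ID is still valid
        if u["valid"] and (person is None or person["status"] != "active"):
            findings.append((u["id"], "leaver or unknown employee with a valid user ID"))
        # Account created long ago, never logged in, still on its default password
        if (u["default_pw"] and u["last_login"] is None
                and (today - u["created"]).days > unused_days):
            findings.append((u["id"], "unused account still on its default password"))
        # Role combinations the SoD policy forbids
        for pair in sod_conflicts:
            if pair <= u["roles"]:
                findings.append((u["id"], "SoD conflict: " + " + ".join(sorted(pair))))
        # Authorizations collected in a previous department and never removed
        if person and person["status"] == "active":
            extra = u["roles"] - dept_roles.get(person["dept"], set())
            for role in sorted(extra):
                findings.append((u["id"], f"role {role} outside current department"))
    return findings
```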

The identity lifecycle requires a process for controlling user access to critical information within an organization. The IT Infrastructure Library (ITIL) has a framework of best practices for access management: Requesting access, verification, providing rights, monitoring identity status, logging and tracking access, and removing or restricting access rights. But one department isn’t more responsible for the access management process than another, as outlined in this diagram:

ITIL Access Management Process

While business leaders are the first line of defense and are responsible for owning and managing their risks, those business unit leaders and the IT departments are jointly responsible for assigning and monitoring user privileges in ERP systems. Unfortunately, existing access management processes are manual, siloed, and error-prone. For instance, HR might request access by emailing IT or using a self-service portal to create a request. IT might use a provisioning solution that’s included out-of-the-box with their ERP system. But this approach is still mostly manual and exists in silos, requiring each unit to rely on the others for updates.

This less-than-optimal approach leaves organizations exposed to security and compliance issues. Increasingly, organizations are under regulatory pressure to prove they are protecting access to corporate resources. As a result, organizations can no longer rely on manual and error-prone processes to assign and track user privileges.

Audit-Ready Access Management

A poorly managed identity lifecycle process not only leads to security gaps but also visibility and compliance gaps.

As you can see from this illustration, all departments involved with access management will be audited to prove that their internal processes’ operating effectiveness sufficiently manages access risks, data security risks, and data privacy risks.

Audited SAP Access Management Processes

What’s missing for many organizations is an access management solution that centralizes and automates these tasks and enables granular access control and auditing of this process.

Automating and Centralizing Access Management with the Appsian Security Platform

Taking control of SAP access management from the start is key to enforcing data security, maintaining internal and external compliance, and adhering to various regulations. With ProfileTailor GRC from Appsian Security, you can easily organize, understand, and control the identity lifecycle process across your ERP landscape. Enabled by artificial intelligence, machine learning, and predictive analytics, it continuously identifies potential risks and provides optimized suggestions to streamline access management, including:

  • Recommending the best alternatives when activities need to be removed from a user.
  • Recommending the optimal segregation of roles to sub-roles according to business needs and actual usage. It automatically locks and removes the old authorization role from users who had it before the split.
  • Solving SoD violations by replacing a user’s current roles without losing access to the activities actually needed.
  • Choosing the optimal authorization role to grant users that enables them to perform additional activities without violating SoD policies.

Contact the SAP experts at Appsian Security for a demonstration on how you can prevent unauthorized user access at the transaction and master data level.
