
Advancing SAP Security and Risk Management with Least Privilege 2.0

By Ryan Quinonez • April 2, 2021

The ERP security landscape is drastically evolving and traditionally on-premise applications such as SAP ECC and S/4HANA are falling behind. Dynamic risks posed by remote access, changing compliance requirements, and the rising number of user-centric threats have highlighted a gap in controls. The ways users access SAP has changed, and because of this, it’s time to reevaluate your security model and how the concept of Least Privilege is being enforced.

The Traditional Approach to Least Privilege in SAP is Insufficient

The Principle of Least Privilege aims to minimize risk by limiting the number of privileges given to a user based on what privileges are job-related or necessary to complete a task—reducing the opportunities for improper uses of privilege to occur.

In SAP, this has traditionally guided role design from a functional perspective. For example, an HR Manager role may have privileges such as maintaining HR master data, processing payroll, or modifying pay rates – but should not have access to transactions outside their line of work (ex. creating, maintaining PO’s).

The approach was sufficient when user access was limited to a physical office, during normal business hours, and on a secure network. However, we all know this has changed. Remote work and cloud-hosted applications have expanded the scope of access, and with it, shifted the risk landscape. Context such as the what, when, where, and how a user interacts with SAP must be considered in addition to functional access rights.

Unfortunately, this leads us to the Achilles heel in SAP security: static, role-based access controls (RBAC). Risk is dynamic. RBAC is not. Without the ability to consider contextual factors beyond a user’s role and privileges, organizations are actually constraining their ability to enforce PoLP.

This gap leads to a variety of risks, including data exfiltration, fraud & theft, policy violations, and compliance risks. It’s time for companies to take their SAP security to the next level. It’s time for Least Privilege 2.0.

Appsian’s Approach to Least Privilege 2.0

As noted earlier, a key to minimizing SAP risk exposure is context. To integrate context into controls, SAP customers can leverage attribute-based access controls (ABAC) and business rules that extend SAP’s existing authorization model.

With the Appsian Security Platform, organizations can enable security policies that align controls with real-world scenarios by considering the context. Dynamic authorizations at both the data and transaction level can be implemented to fine-tune your security measures and align exposure to your organization’s risk appetite.

Least Privilege 2.0 means going beyond static roles and privileges, allowing companies to achieve:

  • Dynamic access controls to understand if a transaction should be performed remotely and incorporating attributes such as user, resource, action, and environment characteristics to limit access to and within SAP data.
  • Risk-aware process controls to ensure that established business policies are enforced and prevent violations from happening in the first place
  • Fine-grained data protection to determine if a user really needs access to a particular set of sensitive data and capture granular insights to uncover user activities and transaction details.

This supplemental attribute-based authorization layer enables rapid, wide-reaching changes without the need to redesign individual roles. For example, organizations can now dynamically protect data with:

Policy-Based Data Masking
Limit the exposure of PII and other high-risk information with dynamically enforced data masking throughout SAP. Policy dictates at runtime whether a user has full access to data within a transaction, limited access via full/partial mask on sensitive fields, or is blocked entirely.

Data Exfiltration Controls
Stop data leakage from both privileged accounts and normal end-users by ensuring data can only leave SAP in secure environments. Access to transactions that export data to downloadable files can be blocked in high-risk scenarios.

Let Appsian Show You How to Address Risk in SAP with Least Privilege 2.0

As business processes in SAP evolve and grow more complex, your organization’s capability to mitigate access risks must also evolve. Appsian can help you leverage Least Privilege 2.0 to extend your SAP security controls to address gaps in coverage and minimize your accepted risk. Get in touch with the experts at Appsian today to schedule a demo and learn how we can help.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Key Strategies for Improving ERP Data Privacy and Compliance

By Michael Cunningham • March 30, 2021

With 2020 nearly three months behind us and the rollout of COVID-19 vaccines picking up speed, organizations are looking hopefully to 2021 and beyond. Optimism aside, a hard truth about 2021 is that remote work and ERP access are here to stay. Organizations must put a mission-critical emphasis on ERP data privacy, security, and access governance policies. Here are some key strategies to consider as you strive to improve your ERP data privacy and compliance in 2021 and beyond.

ERP Data Privacy Starts with Knowing Your Data

The obvious first step to any kind of ERP data privacy is knowing exactly what data you have. Think of it this way: you can’t protect what you don’t know. This data inventory, if you will, should align with the basic data privacy guidelines set out by regulations like GDPR, CCPA, SOX, and a growing number of others. Companies should understand what sort of personal data is collected, how that data is accessed, where and how it is stored, what it is used for, whether it is shared with another organization or group, and how long it is kept before being disposed of.

Apply Dynamic Access Governance Policies for ERP Data Access

Now that you’ve identified and categorized your data, it’s time to establish who has access to it, when they can access it, from where, on what device, and how often. The problem is that legacy ERP applications like SAP (ECC and S/4HANA), Oracle PeopleSoft, and Oracle EBS use static role-based access controls (RBAC) to govern access. These roles have reached their limitations in a dynamic workplace because static roles do not leverage contextual attributes.

To create a more dynamic and robust cybersecurity and data privacy program, you can enable dynamic access controls (often called ABAC) to support your RBAC controls by incorporating additional contexts, such as geolocation, time of day, and transaction type. Combining ABAC and RBAC, you can establish rules that grant access to ERP applications and transactions only if the person meets certain contextual criteria. When defining risk through the lens of the context of a user’s access, dynamically enforcing governance is a crucial data privacy objective and investment.

Leverage Dynamic Controls to Enforce Policies

Once dynamic governance policies are in place, organizations can enforce those policies by leveraging dynamic technology. Specifically, here’s how Appsian can help you gain control and visibility of data access and usage without sacrificing productivity.

Avoid Unnecessary Data Exposure with Dynamic Data Masking
An essential requirement of data privacy is ensuring that users accessing ERP applications, either in an authorized or unauthorized manner, do not have needless access to valuable data through various pages, reports, or queries. Appsian can reduce the exposure of sensitive data with dynamic data masking for sensitive fields. You can also leverage click-to-view functionality to protect against unnecessary exposure while logging intentional access to sensitive information.

Add Stepped-Up Multi-Factor Authentication at the Transaction Level
Adding multi-factor authentication at the transaction level, as well as at the perimeter, ensures that users are not only authorized to access and view the data but also to perform the actual transaction, based on their current context of access. This should be applied to highly sensitive transactions like editing a direct deposit account number, accessing compensation data, or running a report containing employee PII.

Strengthen Data Loss Prevention
Data exfiltration, whether malicious or accidental, typically originates from employees’ legitimate access to ERP applications and can be hard to prevent or detect with existing security capabilities. Using context-aware data loss prevention policies, Appsian can prevent users from executing transactions that download ERP data in high-risk scenarios, such as after business hours or from untrusted locations, networks, or devices.

Enhance Visibility into ERP Data Access and Usage

Compliance mandates such as GDPR, CCPA, SOX, and others require organizations to maintain data access and usage details. Unfortunately, user behavior can be a mystery when relying on native ERP logging features to understand the “what, who, where, why, and how” around data access and usage. It’s a manual, time-consuming task. But not anymore.

Appsian360 provides granular, real-time visibility into user activity logging and analytics, delivering actionable insights to automate compliance audits. It allows organizations to continuously monitor data access and usage and proactively alerts security teams to anomalous activity, allowing them to quickly respond with full forensic information.

See for Yourself How Appsian Can Help Improve Your ERP Data Privacy & Compliance

Appsian can help companies ensure that their ERP data privacy, security, and access governance policies are aligned with today’s regulations and scalable to comply with future mandates. Contact us for a demonstration today.


How Appsian Reduces Risk in SAP Procurement Transactions

By Michael Cunningham • March 24, 2021

The sheer breadth and complexity of the procurement process can make maintaining effective internal controls difficult. Organizations must implement business process controls to ensure that employees only have access to SAP procurement transactions appropriate to their role and that the activity within these transactions falls in line with their established business policies. Having tightly aligned controls that prevent policy violations in the first place is critical to reducing the level of accepted risk in procurement business processes.

And this brings us to a key challenge in SAP procurement processes. Relying solely on SAP’s static role-based access controls (RBAC) has its limitations. Without the ability to consider factors beyond a user’s role and privileges, preventive controls may be impractical in certain scenarios, forcing reliance on detection and remediation in hindsight.

Enforce SAP Procurement Transaction Policies with Dynamic Access Controls

With the dynamic nature of procurement processes, extending your business process controls strategy to include data-centric and context-aware functionality can significantly reduce your risk exposure. Organizations using SAP ECC and SAP S/4HANA can strengthen policy enforcement by leveraging dynamic, attribute-based access controls (ABAC). Appsian extends SAP’s existing security model by enabling a fine-grain approach that shrinks the gap between business goals and security controls.

Let’s look at some specific use cases across SAP procurement transactions to demonstrate how Appsian can reduce SAP business process risks in today’s dynamic access environment.

Dynamically Controlling Purchase Order Creation

Purchase order creation is an important procurement transaction that should be controlled by an assigned threshold level and approval limits. Appsian allows you to easily manage risks associated with the purchase order process by extending dynamic controls into SAP based on factors such as PO dollar amount, location, time of day, and more.

For example, let’s look at a couple of employees:

Employee   Total PO Threshold   Create POs when Remote?
George     Up to $5,000         No
Gracie     Up to $25,000        Yes, between 8 am and 5 pm

You can allow George to create POs only up to $5,000 in value; he is also blocked from creating POs from outside the corporate network. Gracie has the company’s approval to create POs up to $25,000 and can do so when working remotely, as long as it is during normal business hours of 8:00 am to 5:00 pm.
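The George/Gracie table is a small attribute-based policy: the decision depends on the user, the PO amount, the source network and the local time. The following is an added example (not Appsian’s code or SAP’s authorization model) of how such a policy can be evaluated deny-by-default and how each decision is written to an audit record carrying the attributes it used. The action name `CREATE_PO`, the corporate address ranges and the policy table are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed sample: address ranges treated as "inside the corporate network".
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class AccessContext:
    """Attributes of one access attempt: user, action, resource value, environment."""
    user: str
    action: str        # hypothetical action name, e.g. "CREATE_PO"
    po_amount: float   # total value of the PO being created
    source_ip: str     # where the request originated
    local_time: time   # wall-clock time at the user's location


@dataclass(frozen=True)
class PoPolicy:
    """Per-user PO creation limits, modelled on the George/Gracie table."""
    max_amount: float
    remote_allowed: bool
    remote_window: Optional[Tuple[time, time]] = None  # checked only for remote access


# Constructed policy table; a real deployment would load this from the ABAC rule store.
POLICIES: Dict[str, PoPolicy] = {
    "george": PoPolicy(max_amount=5_000, remote_allowed=False),
    "gracie": PoPolicy(max_amount=25_000, remote_allowed=True,
                       remote_window=(time(8, 0), time(17, 0))),
}


def is_on_corporate_network(ip: str, networks=CORPORATE_NETWORKS) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def evaluate_po_creation(ctx: AccessContext, policies=POLICIES) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default: unknown users or actions are blocked."""
    if ctx.action != "CREATE_PO":
        return False, "policy only covers CREATE_PO"
    policy = policies.get(ctx.user)
    if policy is None:
        return False, "no PO policy assigned to user"
    if ctx.po_amount > policy.max_amount:
        return False, f"PO amount {ctx.po_amount:.2f} exceeds threshold {policy.max_amount:.2f}"
    if not is_on_corporate_network(ctx.source_ip):
        if not policy.remote_allowed:
            return False, "remote PO creation not permitted for this user"
        if policy.remote_window is not None:
            start, end = policy.remote_window
            if not (start <= ctx.local_time <= end):
                return False, "remote PO creation outside permitted hours"
    return True, "allowed"


def decision_record(ctx: AccessContext, allowed: bool, reason: str) -> Dict[str, object]:
    """Audit record carrying every attribute the decision used, for the SIEM or audit log."""
    return {
        "user": ctx.user, "action": ctx.action, "po_amount": ctx.po_amount,
        "source_ip": ctx.source_ip, "local_time": ctx.local_time.isoformat(),
        "decision": "ALLOW" if allowed else "DENY", "reason": reason,
    }


def check_po_request(user: str, amount: float, source_ip: str, hour: int, minute: int = 0) -> bool:
    """Convenience wrapper: evaluate one CREATE_PO request and return only the verdict."""
    ctx = AccessContext(user, "CREATE_PO", amount, source_ip, time(hour, minute))
    return evaluate_po_creation(ctx)[0]


if __name__ == "__main__":
    # Gracie, $20,000, from a public address, at 19:30: remote is allowed but the window is not met.
    ctx = AccessContext("gracie", "CREATE_PO", 20_000, "203.0.113.7", time(19, 30))
    allowed, reason = evaluate_po_creation(ctx)
    print(decision_record(ctx, allowed, reason))
```

The checks are ordered so the cheapest, most decisive attribute (amount) is tested first, and the remote-hours window is consulted only once the request is known to come from outside the corporate ranges; the audit record keeps the denying reason so that later review does not have to reconstruct why a request was refused.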

Dynamically Enforce Segregation of Duties

During the procurement business process, there is a need to control the PO’s life cycle using Segregation of Duties (SoD). That means the same person can’t perform PO creation and GR (Goods Receipt) posting followed by IR (Invoice Receipt) posting.

Segregation of Duties policies that rely on static role-based rules can create unwanted business risk because they lack visibility into attributes that define actual conflicts of interest. This gap also carries over into SoD audit logs, resulting in excessive false positives when SoD exceptions have been made.

Appsian allows you to stop unauthorized user activity in real-time using a data-centric approach to enforce SoD controls. Our preventive SoD controls correlate user, data, and transaction attributes, along with identified SoD conflicts, to block conflicting transactions at runtime – even if they have the role-based privileges to perform the transaction.

This approach can add flexibility to procurement processes by allowing users with SoD exceptions to perform conflicting transactions that do not pose actual SoD violations while preventing those that do. The preventive SoD controls can also act as a safeguard to stop any SoD violations that may originate from privilege creep, such as a user changing roles without prompt deprovisioning of old privileges.
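The distinction above, between holding conflicting privileges and actually performing conflicting steps on the same document, is what a runtime SoD check has to capture. The following is an added example (not Appsian’s product code) of a document-centric SoD engine: it records who performed each step on a given PO, blocks the same person from taking a conflicting step on that PO, and keeps a data-level audit trail with the amount so blocked events can be ranked by materiality. The step names, the conflict pairs and the PO numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Pairs of procurement steps that must not be performed by one person on the same PO.
# Constructed from the PO creation -> GR posting -> IR posting split described above.
CONFLICTING_STEPS: Set[FrozenSet[str]] = {
    frozenset({"PO_CREATE", "GR_POST"}),
    frozenset({"PO_CREATE", "IR_POST"}),
    frozenset({"GR_POST", "IR_POST"}),
}


@dataclass
class SodEngine:
    # po_number -> {step: user who performed it}
    history: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # Data-level audit trail: every decision with the details an auditor would otherwise dig for.
    audit: List[Dict[str, object]] = field(default_factory=list)

    def attempt(self, user: str, step: str, po_number: str, amount: float) -> Tuple[bool, str]:
        """Evaluate one transaction at runtime against what already happened on this PO."""
        performed = self.history.setdefault(po_number, {})
        # Steps this same user already performed on this PO that conflict with the requested one.
        conflicts = sorted(
            prior for prior, who in performed.items()
            if who == user and frozenset({prior, step}) in CONFLICTING_STEPS
        )
        if conflicts:
            decision, reason = "BLOCK", f"{user} already performed {conflicts[0]} on {po_number}"
        elif step in performed:
            decision, reason = "BLOCK", f"{step} already posted on {po_number} by {performed[step]}"
        else:
            performed[step] = user
            decision, reason = "ALLOW", "no conflicting prior step by this user"
        self.audit.append({"user": user, "step": step, "po": po_number,
                           "amount": amount, "decision": decision, "reason": reason})
        return decision == "ALLOW", reason

    def violations(self, min_amount: float = 0.0) -> List[Dict[str, object]]:
        """Blocked attempts at or above a materiality threshold, for prioritised review."""
        return [e for e in self.audit
                if e["decision"] == "BLOCK" and float(e["amount"]) >= min_amount]


if __name__ == "__main__":
    engine = SodEngine()
    # Constructed scenario: alice creates a PO, then tries to post the goods receipt herself.
    print(engine.attempt("alice", "PO_CREATE", "4500000001", 12_000.0))
    print(engine.attempt("alice", "GR_POST", "4500000001", 12_000.0))
    print(engine.attempt("bob", "GR_POST", "4500000001", 12_000.0))
    print(engine.violations(min_amount=1_000.0))
```

Because the engine keys on the document rather than on the role, a user who holds both PO creation and GR posting privileges is not blocked from posting a receipt on a PO somebody else created; only a real conflict on the same PO is refused, which is the false-positive reduction the text describes.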

Limit Access to Sensitive Data by Masking with Conditions

Because the SAP procurement process touches different departments, it’s important to ensure that users do not have access to data or transactions outside of their roles and responsibilities. From protected PII to privileged financial information – this data carries risks that organizations must address.

Alas, there are no masking capabilities available out of the box in SAP. As a result, privileged users can access sensitive data fields even when access is unnecessary. This kind of unchecked data exposure leaves a massive threat surface that is vulnerable to exploitation and leakage.

Appsian’s Dynamic Data Masking provides SAP customers with fine-grained control over which sensitive data fields they can mask for specified users in the context of any situation. For example, you can decide to mask PII, account names, account numbers, etc., if access comes from an unmanaged device, unknown IP range, or outside typical working hours. Likewise, you can easily mask sensitive data in transactions where exposure is unnecessary for a certain role to do the task at hand.

Appsian: The Dynamic Approach to Reducing SAP Procurement Risks

Managing SAP procurement transactions falls within the broader category of reducing SAP business process risks. It’s a persistent challenge facing organizations of all sizes.

Contact the experts at Appsian today to learn how we can help you face this challenge head-on with our dynamic approach to managing your SAP business process controls.


How Appsian Improves SAP Segregation of Duties Violations Management

By Ryan Quinonez • March 22, 2021

From stopping fraud, theft, and errors to preventing SOX compliance violations, SAP Segregation of Duties (SoD) plays a lead role in minimizing business risk. Organizations must continuously iterate their internal controls to ensure their SoD strategy is effective; however, we all know this is easier said than done. 

What are SoD Violations?

A Segregation of Duties or SoD violation occurs when a user has more control over a particular workflow than needed. For example, if a user can both approve new vendors and release purchase orders, it creates a conflict of interest that could, potentially, lead to fraud. The primary goal of implementing SoD is to, first, prevent users from gaining authorizations that create conflict and, second, to detect existing user authorizations that are in violation of organisational policies and/or compliance regulations.

Finite Resources & Manual Processes Can Only Address So Much

With existing capabilities, audit preparation and reporting are manually intensive processes that deliver an outdated snapshot of risk. Time and effort are wasted investigating immaterial events (i.e., false-positives, non-financial activity) because audit logs miss relevant details. Furthermore, manual analysis can be prone to errors, unscalable, and increasingly costly.

Due to resource-intensive audit processes, most organizations can only review a fraction of their SoD audit findings. This limited sample scope, typically between 3-8%, leaves the vast majority of risk unaddressed. While the sample may indicate control effectiveness, significant material risks may go undetected, and confidence will be curbed. 

Leveraging Technology to Reduce Your SAP SoD Risk Exposure

Existing SAP SoD audit logs will show transaction activity but lack the data-level granularity to identify and filter out false-positive SoD violations. Manual investigation and correlation must be performed to do this – adding overhead, slowing the reporting process, and making it more difficult to prove compliance. 

The bottleneck stems from technology and dictates unscalable processes. One approach to overcome this challenge is to adopt data-centric logging, which provides relevant details beyond roles and transactions – enabling customers to automate the majority of manual investigation and correlation efforts. From here, organizations can shift their valuable human resources towards remedial activities to further reduce SoD risks. 

How Appsian Improves SAP Segregation of Duties Violations Management

Delivering data-centric logs paired with contextual information, Appsian360 provides visibility into SoD violations with far greater detail than what is possible with existing transaction-level audit logs. This additional information enables customers to eliminate false-positives automatically, view actual SoD violations, and prioritize events based on relevant details (e.g., dollar amount, time/location performed, etc.).

Leverage data-centric visibility to streamline SAP Segregation of Duties:

  • Uncover 100% of SoD violations with data-centric continuous controls monitoring.
  • Capture actionable details that would previously require manual investigation.
  • Gain an always current view of SoD risks with continuous audit capabilities.
  • Prioritize investigation & remediation activity by eliminating wasted effort on immaterial events.
  • Simplify proving compliance with granular visibility and contextual information that is missing from existing audit logs.

Get a Demo of Appsian360 and See for Yourself

As the burden of SAP SoD compliance grows, organizations must look towards technology to help automate tedious manual processes and strengthen internal controls. At Appsian, we’ve built our solutions with this need in mind, delivering a platform that enables SAP customers to do more with less. Contact us today for a demo, and let’s explore how we can help your organization streamline SAP segregation of duties. 


Implementing Dynamic SAP Data Masking in ECC & S/4HANA Using Appsian

By Scott Lavery • March 18, 2021

2020 brought about a reckoning for organizations that were slow to adopt strong data privacy and data loss prevention strategies. As users went remote, the networks and devices used to access SAP financial data became a liability – and organizations were sent scrambling for solutions to their newfound dynamic access demands.

Why is data masking used?

Data masking is a security measure used to shuffle, obscure, or encrypt data so that it cannot be accessed or deciphered without the requisite authorization. Masking of sensitive data like SSN, bank account information, healthcare records, and financial information in ERP systems like SAP allows enterprises to reduce unnecessary exposure of data while enhancing data security and reducing their overall risk. Data masking also helps private and public companies align with compliance regulations like GDPR, PCI DSS, Sarbanes Oxley, etc., which mandate the protection of all personal data from unauthorized access and theft.

Out-of-the-Box SAP Data Protection is Not Enough

In order to prevent data exfiltration and general over-exposure of enterprise data, the use of SAP data masking has grown in popularity. Unfortunately, customers have no out-of-the-box solutions for SAP data masking. In fact, the entire SAP security model hinges on static, role-based controls that offer little to actually protect the data inside the transactions that the access controls are designed to govern. In many cases, a user who has access to a transaction has access to a wide range of data within that transaction that simply isn’t necessary – providing opportunities for misuse.

To make matters more complicated, if an organization were to undergo a large-scale SAP data masking project, the sheer amount of custom development would prove to be a significant hurdle and nearly impossible to scale effectively.

Appsian Offers a Centralized, Scalable Alternative

To offer SAP ERP customers a scalable data masking solution, the Appsian Security Platform (ASP) features dynamic data masking capabilities that enable fine-grained control over which sensitive data fields customers can mask for any specified user and in the context of any situation. By implementing a full or partial mask to a data record, ASP minimizes the risk of a data breach and fulfills encryption and anonymization mandates imposed or implied by regulatory bodies. 

Unlike most off-the-shelf masking solutions, Appsian uses a single ruleset to define and mask data across the entire application:

  • Centralize SAP data masking enforcement with a single ruleset
  • Deploy dynamic policies that account for risk contexts such as location, IP address, time, data sensitivity, and more 
  • Protect sensitive data in production and non-production environments
  • Implement masking without requiring additional customizations to SAP
  • Filter out sensitive data at the presentation layer, resulting in no additional maintenance requirements for updates

Why Appsian is the Essential Dynamic SAP Data Masking Solution

Simply put, when you are trying to protect data without overly-restricting access, then there is no alternative to leveraging a dynamic SAP data masking solution. Because the context of access plays such a critical role in defining risk, being able to apply full or partial masks based on context is the only real way to balance data protection and productivity. 

In addition, Appsian uses a “one to many” approach for creating policy-based data masking rules. This enables customers to quickly scale SAP data masking without extensive development effort at implementation or reconfiguration efforts for policy updates. 

Example Use Cases for Dynamic SAP Data Masking

  1. Mask PII of Customers in SAP CRM Based on their residency
    GDPR Compliance – Ex: Mask PII Data if Customers’ Address is in the EU
  2. Mask & Lock Bank Account Fields After Hours
    Fraud & Theft – Ex: Insider Changing Data at Night Before Pay-Run 
  3. Obscure Data Fields in Transactions that are Unnecessary for a Role 
    Data Minimization – Ex: Customer Support Seeing Financial Spend, Pricing Info
  4. Prevent Remote Access of Unpublished Financial Information
    Risk Mitigation – Ex: Mask Data when Access Occurs After Hours or Remote
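The four use cases above share one shape: a rule names the fields it covers, whether the mask is full or partial, and a runtime condition on the access context and the record itself. The following is an added example (not Appsian’s product code) of a single ruleset applied at the presentation layer that covers the residency, after-hours, role and remote-access cases together; the role names, the EU country subset, the business-hours window and the sample customer record are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List, Tuple

# Constructed, illustrative subset of EU member-state codes for the residency rule.
EU_COUNTRIES = {"DE", "FR", "IE", "NL", "ES", "IT"}
BUSINESS_HOURS = (time(8, 0), time(17, 0))   # assumed local working hours
FULL_MASK = "********"


@dataclass(frozen=True)
class AccessContext:
    user: str
    role: str          # hypothetical role names, e.g. "CUSTOMER_SUPPORT", "AP_CLERK"
    remote: bool       # request came from outside the corporate network
    local_time: time


@dataclass(frozen=True)
class MaskRule:
    name: str
    fields: Tuple[str, ...]
    mode: str                                        # "full" or "partial"
    applies: Callable[[AccessContext, Dict], bool]   # evaluated at runtime per record


def after_hours(ctx: AccessContext) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ctx.local_time <= end)


def partial_mask(value: object, keep_last: int = 4) -> str:
    """Keep only the trailing characters, e.g. the last four of an account number."""
    s = str(value)
    if len(s) <= keep_last:
        return "*" * len(s)
    return "*" * (len(s) - keep_last) + s[-keep_last:]


# One ruleset for the whole application, modelled on use cases 1-4 above.
RULES: List[MaskRule] = [
    MaskRule("gdpr-eu-residency", ("name", "date_of_birth", "national_id"), "full",
             lambda ctx, rec: rec.get("country") in EU_COUNTRIES),
    MaskRule("bank-account-after-hours-or-remote", ("bank_account",), "partial",
             lambda ctx, rec: after_hours(ctx) or ctx.remote),
    MaskRule("support-no-financials", ("annual_spend", "pricing_tier"), "full",
             lambda ctx, rec: ctx.role == "CUSTOMER_SUPPORT"),
]


def apply_masking(record: Dict, ctx: AccessContext, rules=RULES) -> Tuple[Dict, List[str]]:
    """Return the record as this user should see it, plus the names of the rules that fired."""
    out = dict(record)
    fired: List[str] = []
    for rule in rules:
        if not rule.applies(ctx, record):
            continue
        fired.append(rule.name)
        for f in rule.fields:
            if f not in out or out[f] == FULL_MASK:
                continue                      # a full mask already applied always wins
            out[f] = FULL_MASK if rule.mode == "full" else partial_mask(record[f])
    return out, fired


# Constructed sample customer record (no real person or account).
SAMPLE_RECORD = {
    "customer_id": "C-1001", "name": "Example Person", "country": "DE",
    "date_of_birth": "1980-01-01", "national_id": "X1234567",
    "bank_account": "DE89370400440532013000", "annual_spend": 125000.0, "pricing_tier": "GOLD",
}


def view_record(role: str, remote: bool, hour: int, record: Dict = SAMPLE_RECORD) -> Tuple[Dict, List[str]]:
    """Convenience wrapper: what a user in `role` sees for `record` at the given hour."""
    ctx = AccessContext(user="demo", role=role, remote=remote, local_time=time(hour, 0))
    return apply_masking(record, ctx)


if __name__ == "__main__":
    masked, fired = view_record("CUSTOMER_SUPPORT", remote=True, hour=14)
    print(fired)
    print(masked)
```

Rules are evaluated against the unmasked record so that conditions (such as residency) see real values, while the returned copy is what reaches the screen; the list of fired rule names is what you would log alongside the access so that an audit can later show which policy reduced a given user’s view.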

Get a Demo of Appsian’s Dynamic SAP Data Masking and See for Yourself!

As business processes become more complicated, your ability to protect data must evolve as well. Fortunately, Appsian offers the fastest, most cost-effective approach for SAP data masking. Contact us today and get a demo! And find out how you can be applying dynamic data masking rules within only 4-6 weeks!


It’s Time to Include Data in the ERP Security Conversation

By Scott Lavery • March 11, 2021

ERP security had traditionally focused on vulnerability testing for ERP applications, whether hosted on-premise or in the cloud. Given the sensitive nature of ERP transactions, frequently checking applications, databases, and servers for vulnerabilities through routine assessments had long been considered best practice. It makes sense that application vulnerabilities are considered a top threat vector because ERP applications were long touted for their highly customizable nature. Customizable because every organization’s business requirements are different – which means security settings and access controls need to be highly customizable. 

All of this customization was in-service to governing user access to the application – a real “outside looking in” approach. But if you’re constantly looking “out” for threats, how do you protect against the ones that are already “in?”

Is Traditional ERP Security Actually Protecting Data?

While you might be checking for conflicts in your configuration settings, ensuring you’re up-to-date on vendor patches, and executing manual audits every once in a while, you should ask yourself, “am I actually protecting my ERP data?” Sure, preventing intrusions is passively protecting ERP data. But at the end of the day, if you spend your time hardening the walls of your fortress, you’re really only protecting the perimeter of your fortress – not what’s inside. Cybercriminals have identified this disconnect and now spend their time exploiting user credentials to infiltrate systems to steal and manipulate data. Cybercriminals have adjusted. Now it’s time organizations do the same with their ERP applications, and ultimately – their ERP data. 

The Information Security Conversation is Going Below the Network & Application Layer

Information security professionals have long been adept at protecting enterprise data and not just network and application perimeters. The abundance of cloud applications has allowed access controls and visibility to go to the next level. Concepts like zero trust and least privilege all require information security policies that are not reliant on arbitrary roles and privileges but on inspecting who a user is, where they are coming from, on what device, and any other attribute. Just because they are allowed access to a network or application does not grant them privileges to data.

If this is where the information security conversation is going, why is ERP security still focused on the perimeter? Shouldn’t the focus be on ERP data security?

How to Shift the Conversation to ERP Data Security

Many would say that ERP security remains a perimeter conversation because such a large part of the ERP market uses on-premise applications. This dates back to the inception of ERP when the appeal was mostly around customizing your business transactions to your processes. This would be accurate – but as business became more complex, organizations became more entwined with their legacy applications. However, that doesn’t mean that on-premise applications (and ERP applications only hosted in the cloud) must remain isolated from a unified “ERP Data Security” conversation. 

Here Are a Few Recommendations for Beginning an ERP Data Security Conversation:

  • Integrated Identity & Access Management (IAM) – Integrating enterprise solutions meant for identity and access management (ex. SSO & MFA) provides a perfect opportunity to govern access to data versus only governing access to an application. An integration would enable policies to be written that deploy authentication measures based on what someone is attempting to access. This is also referred to as “step-up authentication” or zero trust. Of course, an integration layer is required, which is exactly why Appsian developed the necessary integration connections that organizations can use to natively integrate their IAM solutions with their legacy ERP applications (i.e., Oracle PeopleSoft & E-Business Suite).
  • Attribute-Based Access Controls (ABAC) – Traditional ERP governance revolves around role-based access controls. Pre-defined and sometimes over-simplified buckets that dictate what users can and can’t do. Role-based access controls (RBAC) are artifacts of traditional ERP security strategies that have been identified as problematic and flawed when data protection is the objective. This is not to say that RBAC doesn’t have its place but as a sole governance measure? Absolutely not. Many would say that the rapid move to remote work following COVID-19 was the death blow to RBAC because so much of its effectiveness hinges on network and application security layers. Both of which enter a grey area when sensitive financial transactions and data can be accessed remotely.

To help organizations manage, and more importantly, mitigate the risk of remote access to financial applications like SAP ECC, S/4HANA, & E-Business Suite, Appsian has developed Attribute-Based Access Controls that organizations can use to grant, modify, or restrict access to data. Governance policies can be dynamically enforced based on the context of user access – or attributes of user access.

  • Data Level Visibility is Critical – ERP applications are no stranger to activity logging. However, current logging is primarily in-service to troubleshooting system issues and receiving basic insight on authentication and page access. This is why auditing an ERP application requires manual pulling and triangulation of reports from multiple sources. It’s an obstacle most have to accept, and because of this, they only audit sporadically.

To gain visibility and insight into how data is being accessed and used, Appsian developed Appsian360. Appsian360 represents a powerful combination of comprehensive user activity logging and analytics – all designed to detect and alert to anomalous behavior. Whether it’s access from a foreign country, the same user frequently downloading certain reports, or specific PO or account numbers receiving frequent access, Appsian360 is designed to give ERP customers the data level visibility needed to automate critical security, compliance, and audit functions.

Appsian Helps Enable ERP Data Security

Just because your organization is using a legacy ERP application does not mean that you cannot employ the same granular levels of control and visibility as a cloud application. Appsian has been enhancing on-premise ERP environments for over 10 years, and we’d love the opportunity to learn more about your ERP data security objectives. Contact us today!


How Remote Work Has Accelerated ERP Data Privacy Challenges

By Michael Cunningham • February 26, 2021

If 2020 was the year of hastily enabling secure remote access to ERP applications, then 2021 will be the year when organizations realize that remote ERP access is here to stay – and long-term data privacy, security, and access governance strategies will be mission-critical. Securing ERP data has always been important in principle, but the mass migration to requiring remote access (in perpetuity) has kicked off a heightened emphasis on the topic.

Among the many lessons of the pandemic is that 2020 was the “coming of age” for ERP data privacy and the challenges it created. Many organizations were forced to learn the hard way that sensitive ERP data (business data and PII) is a top target for malicious activity and among the most difficult assets for organizations to secure, especially data in legacy business applications.

Let’s look back at the Year of the Pandemic and examine some of the data privacy events and trends we observed that will serve as guideposts for making ERP data privacy a mission-critical priority in 2021.   

Variations in Access Present Greater Data Privacy Challenges

It’s clear that working remotely is here to stay. A Gartner HR survey reveals that 41% of employees are likely to work remotely at least some of the time post-pandemic. Tech giants like Facebook, Salesforce, Twitter, and more, announced that they would continue to offer remote work and possibly move to entirely remote models permanently.  

A key challenge uncovered when the pandemic forced a rapid transition to remote workforces was that most organizations had data privacy and governance policies that didn’t account for variations in user access, especially those using legacy ERP applications like SAP (ECC & S/4HANA), PeopleSoft, and Oracle EBS. After all, these applications were originally designed so users could get easy access to data inside the firewall. They were never designed for a dynamic access environment.

The fact of the matter is the roles and privileges that governed access to these systems depended on managed devices, corporate firewalls, and in many cases – 9:00 to 5:00 access demands. Remove those variables and enable access from anywhere, on any device, and at any time – and those strict privacy and governance policies were replaced by “wild west” levels of access risk. 

Instead of needing to be in a specific physical location, users can access an organization’s sensitive data from anywhere. The physical and network controls that protected IT infrastructures and data privacy no longer provide the same level of confidence. Changing how companies do work requires them to change how they secure data and re-evaluate their data privacy and access governance strategies.  

When it Comes to ERP Data Privacy – Identity is the New Perimeter 

With organizations continuing to support remote access to ERP applications, they need to design policies and practices that define how data is accessed, viewed, and used – as well as the technology they’ll need to implement and enforce those policies.   

A key investment is adding dynamic capabilities to already established identity and access management (IAM) solutions: in other words, minimizing risk by granting access dynamically based on the context of a user’s access.

Applying dynamic IAM and access governance preserves traditional role-based controls while accounting for the variations in a user’s access that may indicate risk.

Examples include:

  • Integrating MFA on a sensitive transaction or data field and requiring the user to re-authenticate
  • Requiring MFA if a user is accessing from an unmanaged device (also known as zero-trust authentication)
  • Reducing the access privileges of super users if their access is coming from an unknown IP range (applying the principle of least privilege)
  • Applying dynamic data masking that masks all PII, account numbers, etc., if access is coming from an unmanaged device, an unknown IP range, or outside typical working hours.

The sooner organizations realize that their perimeter is only as strong as their ability to manage user access – the better off they’ll be!
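As an added example (not Appsian’s code, and not tied to any SAP or PeopleSoft API), the rules in the list above can be written as a small context-aware policy evaluator: the same attributes the list names (device state, source IP, time of day, transaction sensitivity) drive a step-up MFA requirement, a reduction of super-user roles, and field-level masking. The IP ranges, working hours, transaction names, role names, PII fields, and sample records are constructed assumptions for this example.

```python
"""Context-aware (attribute-based) access decision for an ERP transaction.

Added example, not Appsian's code. Every constant below is a constructed
assumption standing in for what a real deployment would read from its
identity provider, network inventory, and role catalogue.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

KNOWN_IP_RANGES = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]  # assumed corporate ranges
WORK_HOURS = range(8, 18)                                                    # 08:00-17:59, assumed baseline
SENSITIVE_TRANSACTIONS = {"EDIT_DIRECT_DEPOSIT", "VIEW_COMPENSATION", "RUN_PII_REPORT"}  # constructed names
PII_FIELDS = {"ssn", "bank_account", "salary"}                               # constructed field names
SUPER_USER_ROLES = {"SAP_ALL", "HR_ADMIN"}                                   # constructed role names


@dataclass
class AccessContext:
    """The who / what / where / when / how of one access attempt."""
    user: str
    roles: set
    transaction: str
    source_ip: str
    managed_device: bool
    when: datetime


@dataclass
class Decision:
    require_mfa: bool = False
    effective_roles: set = field(default_factory=set)
    masked_fields: set = field(default_factory=set)
    reasons: list = field(default_factory=list)


def ip_is_known(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_IP_RANGES)


def evaluate(ctx: AccessContext) -> Decision:
    """Apply the four contextual rules and return the adjusted privileges."""
    d = Decision(effective_roles=set(ctx.roles))
    known_ip = ip_is_known(ctx.source_ip)
    in_hours = ctx.when.hour in WORK_HOURS

    # Rule 1: step-up MFA on a sensitive transaction, whatever the context.
    if ctx.transaction in SENSITIVE_TRANSACTIONS:
        d.require_mfa = True
        d.reasons.append("sensitive transaction")

    # Rule 2: step-up MFA when the device is not managed.
    if not ctx.managed_device:
        d.require_mfa = True
        d.reasons.append("unmanaged device")

    # Rule 3: strip super-user roles when the source IP is outside known ranges.
    if not known_ip:
        removed = d.effective_roles & SUPER_USER_ROLES
        if removed:
            d.effective_roles -= removed
            d.reasons.append("unknown IP range: removed " + ", ".join(sorted(removed)))

    # Rule 4: mask PII when device, network, or time of day is outside the baseline.
    if not ctx.managed_device or not known_ip or not in_hours:
        d.masked_fields = set(PII_FIELDS)
        d.reasons.append("context outside baseline: masking PII")
    return d


def mask_record(record: dict, masked_fields: set) -> dict:
    """Partial masking: keep the last four characters, replace the rest with '*'."""
    out = {}
    for key, value in record.items():
        text = str(value)
        if key in masked_fields:
            keep = text[-4:] if len(text) > 4 else ""
            text = "*" * (len(text) - len(keep)) + keep
        out[key] = text
    return out


if __name__ == "__main__":
    remote = AccessContext("bob", {"SAP_ALL", "HR_USER"}, "EDIT_DIRECT_DEPOSIT",
                           "198.51.100.7", False, datetime(2021, 3, 1, 22, 0))
    decision = evaluate(remote)
    print(decision)
    print(mask_record({"name": "Bob", "ssn": "123-45-6789", "salary": 85000}, decision.masked_fields))
```

The evaluator never grants anything the user’s static roles do not already contain; it only adds an authentication step, removes roles, or masks fields, which is what keeps it consistent with least privilege rather than replacing the role model.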

Data Privacy Regulations Mixed with Remote Access Will Only Make Compliance More Challenging 

Today’s ever-changing data privacy landscape is a reminder that organizations should always be diligent about what kinds of data they are collecting, how it’s being stored, and most importantly – have the visibility to understand exactly how that data is being accessed. For example, is access suddenly coming from a hostile foreign country, or are certain data records/reports being accessed at a higher-than-normal frequency? Ask yourself, just because someone can access sensitive data, does it mean they should?

Successful organizations will invest in technologies that monitor user behavior around data access and usage, capturing contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information that is paramount for compliance reporting and effectively responding to audit findings. 

Hodgepodge of State-Level Data Privacy Regulations Sow Confusion 

Up to now, the standard-bearer for data privacy regulations in the United States was California’s CCPA. In 2021, the number of state-level data privacy regulations is likely to increase, which is bound to further complicate matters by creating multiple compliance requirements.  

Virginia is poised to become the second state to enact a data privacy bill, while lawmakers in Washington state, New York, Oklahoma, and Utah are currently weighing proposals. Meanwhile, Californians voted to approve the California Privacy Rights Act (CPRA), a series of changes made to the existing California Consumer Privacy Act (CCPA). 

This hodgepodge of domestic data privacy regulations should motivate organizations to get data privacy, security, and access governance strategies in place, ensure documentation, and prepare for both financial penalties and civil actions. If 2020 was any indication (GDPR fines rose by nearly 40%), companies are likely to see more frequent and more significant fines for non-compliance in 2021. 

Having Weak ERP Data Privacy Policies Will Become Expensive 

COVID raised the awareness of ERP data privacy as companies struggled last year to continue with normal business operations in a remote environment. These struggles forced many leaders to establish privacy and compliance frameworks and implement the technology to support them. However, this is just the beginning.  

With 2020 being a record year for data breaches – along with an ever-growing list of data privacy regulations that carry monetary fines for non-compliance – the writing is on the wall. Organizations will not be able to call themselves victims if their decades of accumulated PII and business data get exploited or breached. The monetary consequences that come from these incidents can have catastrophic effects—both against your bottom line and reputation.

Contact Appsian to learn how we can help you align your legacy ERP applications with today’s data privacy and compliance demands. Effectively scale your efforts for future mandates.


[Podcast] Potential ERP Data Security and Compliance Risks for Legacy Applications

By Michael Cunningham • February 2, 2021

Appsian’s Executive Director for Security Solutions, Greg Wendt, appears in the latest episode of Brilliance Security Magazine Podcast. The focus of the conversation between Greg and host Steven Bowcut is legacy ERP data security and compliance. Their wide-ranging conversation also includes some of the potential security risks associated with legacy applications, what companies can do to protect sensitive data in a post-COVID world, and thoughts on the possibility of a federal data privacy law.  


Episode Highlights  

Legacy ERP applications were initially designed to give users easy access to data and business processes. They were never designed to meet the demands of today’s remote access requirements, let alone provide the security necessary to protect ERP data from internal or external threats. 

While there is no silver bullet for comprehensive ERP data security and compliance, Greg recommends that organizations deploy a multi-layered security model to determine who should access what data and when.  

ERP data security and compliance are going to have an interesting couple of years. Currently, there isn’t a federal data privacy law. A couple of states implemented their own, with California’s CCPA being the most notable, and more than a dozen other states have laws on the docket. The last thing we need is 50 different state data privacy laws. Greg’s “prediction” is that we’ll soon have a federal law, which will drastically affect some of the compliance requirements.  

To learn more about how a multi-layered security approach can protect your ERP data from internal and external threats, contact the security experts at Appsian today. 


Modernize PeopleSoft Security with Defense in Depth

By Scott Lavery • January 4, 2021

As work-from-home continues indefinitely into 2021 and the reality of this increased risk becomes clearer, organizations should prioritize modernizing their existing business applications, especially legacy ERP applications like PeopleSoft, because native user authentication, governance, data privacy, and visibility features can leave an organization open to a myriad of risks. This has led organizations to scope a defense in depth strategy.

When you hear the term defense in depth, you typically think about traditional information security measures like network security controls, antivirus protection, database monitoring, and more. IT and security teams realized that multiple layers of security are necessary across the enterprise because cybercriminals will find vulnerabilities somewhere. Sadly, some of the most costly vulnerabilities for organizations using PeopleSoft ERP applications have proven to be the users themselves (employees, 3rd party vendors, students, etc.). It’s no secret that making these applications available on the open internet has introduced risk, so we frequently get the question, “How can I apply defense in depth to my PeopleSoft users?”

Step 1: Integrate your Identity & Access Management

This means integrating your single sign-on and multi-factor authentication natively with PeopleSoft and your identity provider. Proxy servers and PeopleSoft customizations pose their own risks and complexity, which is why using a native SAML handler (like Appsian) is a best practice. It minimizes the possibility of corruption, and a configurable solution will scale much more effectively.

Integration of multi-factor authentication also enables stepped-up authentication, so users can be forced to re-authenticate once they have already passed the login screen. This should be applied to highly sensitive transactions like editing a direct deposit account number, accessing compensation data, or running a report containing employee PII.

Step 2: Apply Dynamic Authorization in Accordance with the Principle of Least Privilege

Controlling data access for high-privilege PeopleSoft users can be challenging because native authorization is basically “all or nothing.” Limiting access to superfluous data, or limiting access based on location, device, and similar factors, is simply not an option, which leaves the door open to enormous risk. We have discussed time and time again that the context of access often defines risk, and this is never more true than when users can access the system remotely.

Using a dynamic rules engine, Appsian can take the contextual variables of a user’s access and define privileges in real time, thereby mitigating risk. Don’t think a user needs access to compensation data from an unmanaged device or a certain location? Want to limit the access granted to users or 3rd party vendors at certain hours of the day? Then dynamic authorization is the solution for managing that risk.

Step 3: Mask Sensitive Data Fields (Partial, Full, or Click-to-View)

This is data privacy 101, and as regulations like GDPR and CCPA become the norm (with wider federal guidelines likely coming soon), masking sensitive data is table stakes. After all, with PeopleSoft systems housing a wide range of PII, much of which belongs to past or prospective users (not just current employees), there is a treasure trove of personal data that comes with a far greater holding cost than you might realize. Masking data at the UI level at least ensures that those accessing the applications either in an authorized or unauthorized manner do not have needless access to valuable data through various pages, reports, or queries.

Step 4: Monitor Data Access & Usage

Monitoring the data users are accessing is not possible in PeopleSoft without enhanced logging and analytics capabilities. The value of greater visibility cannot be overstated, and a direct view of how data is accessed is one of the most valuable pieces of defense in depth. After all, in a sea of everyday, authorized activity – how likely are you to detect the subtle hints of unauthorized activity? Phishing and privilege misuse are the main enemies of any data loss prevention strategy. The best way to detect and respond to unauthorized activity is through an analytics platform specifically designed for ERP applications, like Appsian360.
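As an added example (not Appsian360 or PeopleSoft code), here is the kind of detection this step describes, and that the Appsian360 paragraph earlier on the page lists: access from an unexpected country, one user pulling the same report unusually often, and one record drawing unusually many reads. The key=value log format, the user names, IPs, object IDs, country baseline, and thresholds are all constructed for this example; a real deployment would read these from its own audit log and tune the thresholds to its baseline.

```python
"""Three anomaly checks over constructed ERP access-log lines.

Added example, not Appsian360 or PeopleSoft code. The log format and every
value in SAMPLE_LOG are constructed; the thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime

ALLOWED_COUNTRIES = {"US", "CA"}   # assumed corporate baseline
REPORT_DOWNLOAD_LIMIT = 3          # same user, same report, per day (assumption)
RECORD_ACCESS_LIMIT = 4            # reads of one record, per day (assumption)

# Constructed sample log: one event per line, timestamp then key=value pairs.
SAMPLE_LOG = """\
2021-02-10T09:12:03Z user=jdoe ip=10.1.4.22 country=US action=view object=PO-4471
2021-02-10T09:15:41Z user=jdoe ip=10.1.4.22 country=US action=report_download object=PAY_REGISTER
2021-02-10T09:30:02Z user=msmith ip=10.1.7.9 country=US action=view object=PO-4471
2021-02-10T11:02:17Z user=jdoe ip=10.1.4.22 country=US action=report_download object=PAY_REGISTER
2021-02-10T13:45:55Z user=jdoe ip=10.1.4.22 country=US action=report_download object=PAY_REGISTER
2021-02-10T14:10:08Z user=jdoe ip=10.1.4.22 country=US action=report_download object=PAY_REGISTER
2021-02-10T15:22:30Z user=tlee ip=10.2.0.5 country=US action=view object=PO-4471
2021-02-10T16:01:12Z user=tlee ip=10.2.0.5 country=US action=view object=PO-4471
2021-02-10T16:05:49Z user=tlee ip=10.2.0.5 country=US action=view object=PO-4471
2021-02-10T23:58:40Z user=rgarcia ip=198.51.100.23 country=RU action=view object=EMP-00982
"""


def parse_line(line: str) -> dict:
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a parsed datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return (alert_type, subject, detail) tuples for the three checks."""
    alerts = []
    downloads = Counter()     # (user, report, day) -> count
    record_reads = Counter()  # (object, day) -> count

    for ev in events:
        day = ev["ts"].date()
        # Check 1: access from a country outside the baseline.
        if ev["country"] not in ALLOWED_COUNTRIES:
            alerts.append(("foreign_access", ev["user"], ev["country"]))
        if ev["action"] == "report_download":
            downloads[(ev["user"], ev["object"], day)] += 1
        elif ev["action"] == "view":
            record_reads[(ev["object"], day)] += 1

    # Check 2: one user downloading the same report more often than the limit.
    for (user, report, _day), n in downloads.items():
        if n > REPORT_DOWNLOAD_LIMIT:
            alerts.append(("frequent_report_download", user, report))

    # Check 3: one PO / account / employee record read more often than the limit.
    for (obj, _day), n in record_reads.items():
        if n > RECORD_ACCESS_LIMIT:
            alerts.append(("frequent_record_access", obj, n))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Counting per day keeps a single long-running session from accumulating forever, and keying record reads by object rather than by user is what catches the case the text describes, where several users each look at the same PO or account a few times.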

Step 5: Contact Appsian

To learn more about how you can apply Defense in Depth to PeopleSoft, contact us at info@appsian.com.

Figure 1: Prevent external and internal threats with defense in depth from Appsian.

