ktsdesign - Fotolia
ERP data is often described as a company's "crown jewels" because it contains a trove of valuable information. Customer data, inventory, budgets, payroll and sales orders are all types of data that ERP systems hold and transact.
Yet for all that value, ERP data security is an often unsung topic and ERP systems can be vulnerable to security threats. That's especially the case for organizations moving from on-premises systems to cloud-based systems.
In the first of a two-part series, Greg Wendt, executive director of security for Appsian in Dallas, discusses what organizations need to consider about ERP data security as the cloud becomes more prevalent.
Appsian provides ERP security services primarily for SAP and Oracle PeopleSoft systems, including access control, compliance and audit, and threat protection.
What are a few of the main ERP data security issues that organizations face today?
Greg Wendt: Historically, ERP implementations have been on-premises and they've been some of the later [systems] to shift into cloud-based environments, but this is changing. What we are seeing more of is that some organizations are [moving ERP systems to] either a cloud hyperscaler like an AWS, a vendor-specific cloud or a hosting provider. But across the board, we are seeing that the security departments inside these organizations are definitely concerned as to what's happening with this and who has access to the data once this occurs. Typically, when ERP shifts to the cloud, most of the development instances have a full copy of production, so they have the same sensitive data as production does. A lot of these organizations are attempting to change that, so they don't have that level of information in all of these different systems.
What are some of the concerns that people have about moving to the cloud?
Wendt: Let's say you go into a hosted environment where the vendor not only runs the hardware and the software for you, but also administers the application. The vendor is actually logging into your application, and it has powerful accounts that can get into your application set. So you have to ask: What is the vendor accessing? What is it seeing?
Some organizations are very apprehensive to move to the cloud because of those security concerns. They don't want all of that private, sensitive data in an area where they might not have full control over it. So we're seeing a shift to controls around the data, whether it's multi-factor authentication or data masking, especially for those accounts that are based on who may be accessing what type of data or if it's private, personal information type of data. What we've seen is a layering in of a lot of those controls especially throughout the development stack, not just the production implementation, because of that full realm of private data sitting throughout the development stack.
Are there other reasons why organizations might be reluctant to move ERP systems to the cloud?
Wendt: These are often mission-critical systems, so you have to talk about disaster recovery and what happens if your network gets cut or severed. At an organization that I worked with in the past, we had a lot of construction going on around it and we had our up-to-the-internet cut three different times within a year. They cut the fiber lines, which aren't exactly quick and easy to fix. So you could be down for 24 to 48 hours. If you're on-premises, you still have access to all of those systems. But if it's in the cloud, you don't because you can't get there.
Is there anything particular about ERP systems that makes them more vulnerable?
Wendt: ERPs have become more of a challenge because they're not necessarily as clear-cut to define and find out who has access to what information. A lot of ERPs are now built to where they're metadata-driven applications, so you have to understand that metadata to really understand what a user is accessing. For example, when you look at PeopleSoft, to understand what a field is at the database level, you have to look at how that is defined and how it's built within the PeopleTool layer of the ERP system. Because of the complexity of ERPs, whether it's PeopleSoft or SAP, it does make it more challenging to understand what people are doing.
What are some measures organizations can take to improve ERP data security?
Wendt: Definitely from an implementation of security level, it needs to be contextual-based security inside of the application. If you think of the ways you utilize your applications, maybe based upon how you're accessing that application, you have to have data that's either masked or you have to do stepped up multi-factor authentication. You can also control access to that particular transaction based upon where the user is coming from. These are very contextual, attribute-based controls that are layered into the application and that gives the control back to the organization. Because typically once you go to an internet-enabled application, many of these ERP applications are just user ID and password authenticated, so they're vulnerable once a hacker gets a hold of those credentials. This is why the phishing attacks are so successful, because they get access to that system and all the roles and transactions that that user has access to. That's where you want to enforce least-privileged access when they're coming in from an untrusted location. That's where you come into extra layers of protection and decide through those attributes what somebody should really be able to do, see or edit.