Page 43 - Cyber Defense Magazine RSA Edition for 2021
ERP applications have historically had a reputation for being complex systems that bring equal parts value
and challenge: value, because they can be uniquely tailored to an organization's business processes, and
challenge, because the complexity of those business processes typically leaves organizations exposed
to a myriad of data security risks. ERP applications house the most sensitive PII, financial, accounting,
and proprietary data an organization may have. That puts ERP data in the unique position of being
routinely accessed by many users within the organization (in an authorized manner) while being highly
coveted by bad actors.
In short, ERP data is the "crown jewels" of an organization.
The sensitive nature of these crown jewels makes them an attractive target for a variety of security threats,
such as phishing attacks, payroll diversion, zero-day exploits, brute-force attacks, and abuse by malicious insiders.
To thwart these advanced threats, businesses invest in NGFW, IDS/IPS, VPN, and SIEM solutions.
Unfortunately, most of these solutions monitor and control north-south traffic but have no visibility into
what is happening within the applications – leaving significant visibility gaps. Plus, access governance is
dictated by broad-bucketed, static roles that leave many opportunities for risk, as the context of user
access (different locations, devices, connection points, etc.) changes with various contextual scenarios.
These variations are the origins of risk.
This means that control and visibility gaps are widening as business processes become more complex,
and user access to ERP applications becomes more ubiquitous. These gaps are only exacerbated by
legacy ERP applications like PeopleSoft, Oracle EBS, and SAP ECC that were not designed to combat
modern threats. In fact, they were designed to replace manual, paper processes and were designed to
provide as much access to data and transactions as possible – in service to enabling productivity.
For many organizations, legacy ERP applications have been deployed on-premises and continuously
customized for decades. That customizability is a highly desirable characteristic, but it also means
there are few widely adopted best practices for securing the application/user
interface layer. Each organization handles data security differently, and the sophistication of the
strategies can vary widely. Throw in the 2020 shift to remote workforces, and present-day ERP data
security strategies are far from adequate for protecting the crown jewels.
Moreover, the ERP security threat landscape is dynamic, consisting of application vulnerabilities and bad
actors compromising data. To keep up with security maintenance, organizations must update applications
and operating systems and apply security patches – creating an extremely cumbersome process. These
initiatives require cross-functional collaboration across IT, information security, and HRIS teams, and any
configuration errors can lead to ERP downtime, costing thousands of dollars every hour. Cyber-criminals
can leverage these pitfalls and typically can impersonate an authorized user to stay undetected and
exfiltrate sensitive data. And sadly, organizations can take over two months to contain an insider threat,
as indicated in the latest Ponemon reports.