Managing Third-Party Risks with Continuous Controls Monitoring

By David Vincent • August 10, 2021

Third-Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your operations, your data, and your finances by Third-Party Service Providers (TPSP). Most companies rely on a network of third-party vendors, suppliers, and service providers to support their business. As an integral part of the overall business operations, third-party entities end up storing, collecting, uploading, and accessing data as needed.

However, adding TPSP users to your ERP applications also increases the risk of data exposure and the possibility of breaches. Though most businesses have access controls in place and undertake periodic audits to assess and mitigate this risk, TPSPs are still one of the major causes of data breaches, and typical static access controls are not enough. According to Gartner’s Continuous Adaptive Risk & Trust Assessment (CARTA) model, organizations need to move away from the initial one-time, yes/no risk-based decision at the main gate to their systems (managed by a static authentication and authorization process) to a continuous, real-time, adaptive risk and trust analysis of user anomalies with context-aware information across the platform. (Context-aware security is the use of situational information, such as identity, geolocation, time of day, or type of endpoint device, found in Attribute-Based Access Control (ABAC) models.)

Additionally, with roles and authorizations constantly changing across your ERP applications, keeping track of changes manually at the transaction, process, and application level is virtually impossible, and with the hundreds or even thousands of TPSPs you may have, it’s difficult to monitor user activities with traditional role-based access management solutions to quickly detect and stop threats. This is where ABAC and Continuous Controls Monitoring (CCM) are making huge strides to change the overall approach to continuously identifying, detecting, protecting, and responding.

The Third-Party Risk Landscape

Before diving into the need for CCM, it is crucial to understand the gravity of the security situation when it comes to third-party access. Digital relationships with third-party providers have become a necessity today. Collaboration with third-party vendors increases opportunities for business growth, capturing market share, and cost reduction, but the flipside is an increase in security breaches.

A 2018 Opus & Ponemon Institute survey of more than 1,000 CISOs revealed that 61% of U.S. companies had experienced a data breach caused by one of their third-party providers – up 12% since 2016. Furthermore, 22% of respondents admitted they didn’t know if they had a third-party data breach during the past 12 months, and more than three-quarters of companies think third-party security breaches are increasing.

On average, organizations spend more than $10M responding to third-party security breaches each year. However, information security is not the only area impacted. Third-party relationships can introduce strategic, financial, operational, contractual, credit, compliance, business continuity, and reputational risks.

Research conducted by Gartner in 2019 found that third-party risk was identified as a top threat by compliance leaders, and 71% of organizations report their third-party network contains more third parties than it did three years ago. Furthermore, the same percentage reports their third-party network will grow even bigger in the next three years.

What is Continuous Controls Monitoring?

Gartner defines continuous controls monitoring (CCM) as “a set of technologies to reduce business losses through continuous monitoring and reducing the cost of audits through continuous auditing of the controls in financial and other transactional applications.”

In simpler terms, CCM is shifting from the traditional audit and assessment approach of randomly sampling a portion of the data over regular intervals to monitoring 100% of the transactions and controls continuously 24/7, 365 days a year.

A core objective of CCM is to ensure that those controls operate as designed and that transactions are processed appropriately. If done right, CCM not only increases the reliability of the controls but also improves the management oversight, policy enforcement, and operational efficiency for critical financial processes, often producing hard-dollar savings.

How Continuous Controls Monitoring Reduces Third-Party Risk

The risk posed by providing access to third-party vendors makes it imperative for businesses to ensure that third-party access to applications and data is controlled and audited. Unfortunately, despite having access control mechanisms in place, third-party data breaches have been on the rise. One of the key reasons for this is the lack of effective monitoring of user anomalies. Roles and authorizations are never static. As new vendors are added, granted varying degrees of authorizations, and terminated from the system, there is a need to continuously monitor access controls and user behavior associated with critical data.

Current auditing practices are primarily manual and time-consuming, with auditors only looking at a sample of the data logs. As a result, a significant part of the process and transaction-level data is still going entirely under the radar. By implementing tools and technologies that enable Continuous Controls Monitoring (CCM) at the access, transaction, and master data level, businesses can automate the risk and control assessment and monitoring process needed to observe control effectiveness for audit, risk, & compliance management programs.

Enabling Continuous Controls Monitoring with Appsian Security

The list of third-party vendors your business is working with is only going to grow over time. In addition to managing the security risk, companies must also comply with regulations like GDPR, SOX, CCPA, etc., which adds additional burden and cost. CCM technologies offered by Appsian help provide real-time, context-based monitoring within your ERP applications at the access, transaction, and data level to enable you to be audit-ready.

Appsian 360 helps you detect and respond to fraud, theft, and errors by employees and third parties by capturing granular data at multiple levels. Through a visually rich dashboard, you will be able to identify data access and usage trends at the business process, transaction, and data level that reflect suspicious activity by any third-party vendors. In addition, the continuous monitoring and detailed log data eliminate much of the manual work required for performing audits and ensures that you remain compliant with new data privacy regulations.

Appsian’s Identity and Access Management (IAM) simplifies and elevates user access management in dynamic multi-vendor ERP environments. It enforces the zero-trust principle, enables context-based, real-time, dynamic risk and trust analysis of user anomalies, and configures preventative controls at the business process, transaction, and field levels. Finally, it allows policy enforcement through the use of the ABAC security model.

ProfileTailor GRC enables you to automate user provisioning to ensure effective role assignments to third-party vendors. The solution allows auditors and security managers to perform periodic user access reviews and recertification to maintain compliance and security within your ERP applications. With ProfileTailor GRC, a single SoD ruleset can be enforced across multiple ERP applications simultaneously, ensuring third-party vendors across your organization have controlled authorizations. In addition, the real-time monitoring in ProfileTailor GRC is an AI- and machine-learning-powered capability that conducts an impact analysis to alert you to violations as they happen while providing mitigating controls to prevent future violations.
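To make concrete what “monitoring 100% of the transactions” against a single SoD ruleset looks like, here is an added Python example; it is not ProfileTailor GRC or Appsian code. Every transaction in the stream is evaluated as it arrives against a constructed SoD ruleset (a user must not both set up a vendor and approve payments to it) and constructed per-user approval limits, and the monitor keeps the per-user, per-vendor history that a sampled, after-the-fact audit would miss. The transaction fields, rules, limits and sample stream are all assumptions.

```python
"""Continuous control monitoring over every transaction, not a sample.

Added example, not ProfileTailor GRC or Appsian code. The SoD ruleset,
approval limits and the transaction stream below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    user: str
    action: str        # create_vendor | change_vendor_bank | approve_payment
    vendor_id: str
    amount: float = 0.0


# Constructed SoD ruleset: one user must never perform both actions of a
# pair against the same vendor (the classic "create a vendor, then pay it").
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("change_vendor_bank", "approve_payment"),
]

# Constructed per-user approval limits; a missing user has no approval authority.
APPROVAL_LIMIT = {"alice": 50_000.0, "bob": 10_000.0}


class ContinuousControlMonitor:
    """Evaluates the controls on each transaction as it arrives and keeps the
    per-user, per-vendor action history the SoD control depends on."""

    def __init__(self):
        self.history = defaultdict(set)   # (user, vendor_id) -> actions seen
        self.violations = []              # (txn_id, description)

    def process(self, txn: Transaction) -> list:
        findings = []
        seen = self.history[(txn.user, txn.vendor_id)]

        # SoD control: the conflicting half of a pair already performed by
        # this user on this vendor, in either order, is a violation.
        for a, b in SOD_CONFLICTS:
            other = b if txn.action == a else a if txn.action == b else None
            if other is not None and other in seen:
                findings.append(
                    f"SoD conflict: {txn.user} performed {other} and "
                    f"{txn.action} on vendor {txn.vendor_id}"
                )

        # Approval-authority control, checked on every approval.
        if txn.action == "approve_payment":
            limit = APPROVAL_LIMIT.get(txn.user)
            if limit is None:
                findings.append(f"{txn.user} has no payment approval authority")
            elif txn.amount > limit:
                findings.append(
                    f"{txn.user} approved {txn.amount:,.2f} above limit {limit:,.2f}"
                )

        seen.add(txn.action)
        self.violations.extend((txn.txn_id, f) for f in findings)
        return findings


def run_stream(txns) -> list:
    """Feed a whole transaction stream through a fresh monitor; return violations."""
    monitor = ContinuousControlMonitor()
    for txn in txns:
        monitor.process(txn)
    return monitor.violations


# Constructed sample stream.
SAMPLE_STREAM = [
    Transaction("T1", "alice", "create_vendor", "V100"),
    Transaction("T2", "bob", "approve_payment", "V100", 8_000.0),     # clean
    Transaction("T3", "alice", "approve_payment", "V100", 12_000.0),  # SoD
    Transaction("T4", "bob", "change_vendor_bank", "V200"),
    Transaction("T5", "bob", "approve_payment", "V200", 15_000.0),    # SoD + limit
    Transaction("T6", "carol", "approve_payment", "V300", 100.0),     # no authority
]

if __name__ == "__main__":
    for txn_id, description in run_stream(SAMPLE_STREAM):
        print(txn_id, description)
```

The important design point is that `process` runs on every transaction, so the violation on T3 is raised the moment the approval happens, with the vendor-creation history already in hand; a periodic sample that happened to pick T2 and T4 would see nothing wrong.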

Connect with our ERP security experts to learn more about how Appsian can enable Continuous Controls Monitoring to mitigate your third-party risk. Schedule a Demo.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

It’s Time to Include Data in the ERP Security Conversation

By Scott Lavery • March 11, 2021

ERP security had traditionally focused on vulnerability testing for ERP applications, whether hosted on-premise or in the cloud. Given the sensitive nature of ERP transactions, frequently checking applications, databases, and servers for vulnerabilities through routine assessments had long been considered best practice. It makes sense that application vulnerabilities are considered a top threat vector because ERP applications were long touted for their highly customizable nature. Customizable because every organization’s business requirements are different – which means security settings and access controls need to be highly customizable. 

All of this customization was in-service to governing user access to the application – a real “outside looking in” approach. But if you’re constantly looking “out” for threats, how do you protect against the ones that are already “in?”

Is Traditional ERP Security Actually Protecting Data?

While you might be checking for conflicts in your configuration settings, ensuring you’re up-to-date on vendor patches, and executing manual audits every once in a while, you should ask yourself, “am I actually protecting my ERP data?” Sure, preventing intrusions is passively protecting ERP data. But at the end of the day, if you spend your time hardening the walls of your fortress, you’re really only protecting the perimeter of your fortress – not what’s inside. Cybercriminals have identified this disconnect and now spend their time exploiting user credentials to infiltrate systems to steal and manipulate data. Cybercriminals have adjusted. Now it’s time organizations do the same with their ERP applications, and ultimately – their ERP data. 

The Information Security Conversation is Going Below the Network & Application Layer

Information security professionals have long been adept at protecting enterprise data and not just network and application perimeters. The abundance of cloud applications has allowed access controls and visibility to go to the next level. Concepts like zero trust and least privilege all require information security policies that are not reliant on arbitrary roles and privileges but on inspecting who a user is, where they are coming from, on what device, and any other attribute. Just because they are allowed access to a network or application does not grant them privileges to data.

If this is where the information security conversation is going, why is ERP security still focused on the perimeter? Shouldn’t the focus be on ERP data security?

How to Shift the Conversation to ERP Data Security

Many would say that ERP security remains a perimeter conversation because such a large part of the ERP market uses on-premise applications. This dates back to the inception of ERP when the appeal was mostly around customizing your business transactions to your processes. This would be accurate – but as business became more complex, organizations became more entwined with their legacy applications. However, that doesn’t mean that on-premise applications (and ERP applications only hosted in the cloud) must remain isolated from a unified “ERP Data Security” conversation. 

Here Are a Few Recommendations for Beginning an ERP Data Security Conversation:

  • Integrated Identity & Access Management (IAM) – Integrating enterprise solutions meant for identity and access management (ex. SSO & MFA) provides a perfect opportunity to govern access to data versus only governing access to an application. An integration would enable policies to be written that deploy authentication measures based on what someone is attempting to access. This is also referred to as “step-up authentication” or zero trust. Of course, an integration layer is required, which is exactly why Appsian developed the necessary integration connections that organizations can use to natively integrate their IAM solutions with their legacy ERP applications (i.e., Oracle PeopleSoft & E-Business Suite).
  • Attribute-Based Access Controls (ABAC) – Traditional ERP governance revolves around role-based access controls. Pre-defined and sometimes over-simplified buckets that dictate what users can and can’t do. Role-based access controls (RBAC) are artifacts of traditional ERP security strategies that have been identified as problematic and flawed when data protection is the objective. This is not to say that RBAC doesn’t have its place but as a sole governance measure? Absolutely not. Many would say that the rapid move to remote work following COVID-19 was the death blow to RBAC because so much of its effectiveness hinges on network and application security layers. Both of which enter a grey area when sensitive financial transactions and data can be accessed remotely.

To help organizations manage, and more importantly, mitigate the risk of remote access to financial applications like SAP ECC, S/4HANA, & E-Business Suite, Appsian has developed Attribute-Based Access Controls that organizations can use to grant, modify, or restrict access to data. Governance policies can be dynamically enforced based on the context of user access – or attributes of user access.

  • Data Level Visibility is Critical – ERP applications are no stranger to activity logging. However, current logging is primarily in-service to troubleshooting system issues and receiving basic insight on authentication and page access. This is why auditing an ERP application requires manual pulling and triangulation of reports from multiple sources. It’s an obstacle most have to accept, and because of this, they only audit sporadically.

To gain visibility and insight into how data is being accessed and used, Appsian developed Appsian360. Appsian360 represents a powerful combination of comprehensive user activity logging and analytics – all designed to detect and alert to anomalous behavior. Whether it’s access from a foreign country, the same user frequently downloading certain reports, or specific PO or account numbers receiving frequent access, Appsian360 is designed to give ERP customers the data level visibility needed to automate critical security, compliance, and audit functions.

Appsian Helps Enable ERP Data Security

Just because your organization is using a legacy ERP application does not mean that you cannot employ the same granular levels of control and visibility as a cloud application. Appsian has been enhancing on-premise ERP environments for over 10 years, and we’d love the opportunity to learn more about your ERP data security objectives. Contact us today!


Securing Business Data in ERP Applications: A Fast Path Guide to Success

By Scott Lavery • December 8, 2020

With 2020 coming to a close, ensuring business applications are equipped to meet the long-term access demands of 2021 is a critical objective. All around the world, information security and financial risk leaders are being tasked with ensuring the security of business data while remote access (on unknown networks and devices) remains the standard for the foreseeable future. Finding solutions that can quickly and easily secure this data – without requiring an exorbitant amount of time and resources – is mission critical.

Data security is proving most challenging for organizations that utilize ERP applications like PeopleSoft, Oracle E-Business Suite, and SAP (ECC/S4HANA). ERP applications like these were designed with ease-of-access to data as the primary objective. They have the biggest hill to climb when it comes to security, privacy, governance, and compliance.

Fortunately, this challenge is why Appsian (and the Appsian Security Platform) exists! We are here so organizations can fully utilize their investment in legacy ERP technology while scaling to meet present and future data security demands. After all, external and internal threats to business data will always continue to evolve.

Right now, thousands of organizations around the world are currently faced with the same challenges and are likely scoping solutions that solve one or two of these challenges. Here is the comprehensive approach that can serve as the playbook for securing legacy ERP data:

Identify Risks From User Access

The most significant risks to data typically originate from:

  • Compromised credentials (for example, stolen from phishing attacks)
  • Unknown networks and devices
  • Capture and visualize data access

These risks can be an acceptable part of an organization’s relationship with its ERP applications, but they don’t have to be. They should be addressed the way any security threat should – and it doesn’t have to result in overly-restricting access and potentially hindering authorized work. Restricting access to sensitive data can be the instinct when these risks are identified because risk mitigation can feel insurmountable. The truth is, mitigating controls can be implemented that fully align data security objectives with the access requirements of the business.

Apply Dynamic Authorization Policies

Dynamic authorization is the foundation of the principle of least privilege (PoLP), which says users should only have access to what they require. Given the access risks outlined above, it should be noted what someone “needs” (or should have) access to likely changes with each new context of access. For example, does high-privilege access require 100% of those capabilities from an unknown network and/or unmanaged device? How about during off-work hours? Many would say “no.” Applying access policies dynamically gives you this control. This strategy alone makes an enormous impact on an organization’s ability to control access to sensitive data and enable data security, privacy, and governance.
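As an added example (not Appsian’s code), the following Python policy evaluator shows the kind of context-aware, attribute-based decision described in this section and in the CARTA/ABAC discussion of the first article: a role gate decides whether an action is permitted at all, and then the attributes of the request (network, device, geolocation, time of day, employee versus third-party account) narrow what a high-privilege role may do from an untrusted context or outside working hours. The role table, network ranges, approved countries, business hours and sample requests are all constructed assumptions.

```python
"""Attribute-based, context-aware authorization for an ERP action.

Added example, not Appsian product code. Role permissions, trusted network
ranges, approved countries, business hours and sample requests are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed: the role gate (traditional RBAC) that must pass first.
ROLE_PERMISSIONS = {
    "payroll_admin": {"view_payroll", "change_direct_deposit"},
    "ap_approver": {"approve_payment"},
    "vendor_support": {"view_vendor_invoices"},
}
# Constructed: actions that a trusted context must accompany.
SENSITIVE_ACTIONS = {"change_direct_deposit", "approve_payment"}
# Constructed: office/VPN ranges, approved countries and working hours.
MANAGED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.100.0/24")]
APPROVED_COUNTRIES = {"US", "IN", "NZ"}
BUSINESS_HOURS = ("07:00", "19:00")   # zero-padded HH:MM compares as text


@dataclass
class AccessContext:
    user: str
    roles: set
    user_type: str        # "employee" or "third_party"
    source_ip: str
    device_managed: bool
    country: str
    local_time: str       # "HH:MM" in the user's local time


@dataclass
class Decision:
    allow: bool
    step_up_required: bool = False
    reasons: list = field(default_factory=list)


def _trusted_context(ctx: AccessContext) -> bool:
    """Managed device, on a managed network, from an approved country."""
    addr = ip_address(ctx.source_ip)
    on_managed_net = any(addr in net for net in MANAGED_NETWORKS)
    return ctx.device_managed and on_managed_net and ctx.country in APPROVED_COUNTRIES


def _off_hours(ctx: AccessContext) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ctx.local_time <= end)


def authorize(ctx: AccessContext, action: str) -> Decision:
    """Role gate first, then attribute-based narrowing of what is allowed."""
    decision = Decision(allow=False)
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in ctx.roles))
    if action not in granted:
        decision.reasons.append("no assigned role grants this action")
        return decision

    trusted = _trusted_context(ctx)
    if action in SENSITIVE_ACTIONS:
        if ctx.user_type == "third_party":
            decision.reasons.append("third-party accounts may not perform sensitive actions")
            return decision
        if not trusted:
            decision.reasons.append("sensitive action denied from untrusted network, device or location")
            return decision
        if _off_hours(ctx):
            # Same capability, but only after step-up (MFA) outside working hours.
            decision.step_up_required = True
            decision.reasons.append("sensitive action outside business hours requires step-up")
    elif not trusted:
        decision.step_up_required = True
        decision.reasons.append("untrusted context requires step-up authentication")

    decision.allow = True
    return decision


if __name__ == "__main__":
    office = AccessContext("jdoe", {"payroll_admin"}, "employee", "10.1.2.3", True, "US", "10:00")
    late = AccessContext("jdoe", {"payroll_admin"}, "employee", "10.1.2.3", True, "US", "22:30")
    cafe = AccessContext("jdoe", {"payroll_admin"}, "employee", "203.0.113.7", False, "US", "10:00")
    for ctx in (office, late, cafe):
        print(ctx.local_time, ctx.source_ip, authorize(ctx, "change_direct_deposit"))
```

The same user with the same role gets three different outcomes for the same action: full access from the office during the day, access only after step-up at night, and a denial from an unmanaged device on an unknown network. That is the “what someone needs access to changes with each new context” point made above, expressed as policy rather than as a static role.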

Integrate Authentication Solutions

It goes without saying that single sign-on and multi-factor authentication have become table stakes IAM solutions. Whether you have employed these for many years or only since the beginning of the COVID-19 crisis, it is clear that their value goes way beyond the convenience of not having to remember passwords. With these solutions in place, the job of securing data is not necessarily over. In fact, taking authentication a step further to align with zero-trust (aka. never trust, always verify) requires native integration of SSO and MFA solutions for four very important reasons:

  • ERP authentication should always align with your enterprise identity and access management strategies
  • Users falsely authenticate out of habit
  • Stepped-up authentication should be required for particularly sensitive activity
  • Using custom code (vs. native integration/configuration) for authentication is NOT a best practice

Capture and Visualize User Behavior

If I told you that most organizations have almost no idea who is accessing sensitive data (at any given time), how and why – would you be surprised? This may be a dirty little secret, but the truth is legacy ERP logging has simply not kept up to meet the demands of security and compliance requirements that must understand data access and usage by users.

What most ERP administrators will tell you is that in order to respond to an audit or investigate an incident, they must pull multiple logs and manually triangulate them. Only then does a foggy picture of what may have happened come into view. The problem is, a foggy picture of anything related to a forensic investigation or helping align with information security policies is simply not good enough.

Further investment is needed to enhance the granularity of native ERP logging, along with analytics and visualization tools in order to add context to the data, aggregate it, and then visualize it so the insights can be actionable. Only then is the logging data that you are already getting out of your ERP truly useful for security and compliance purposes.

Partner with Appsian Security

For over 10 years, Appsian Security has watched organizations struggle with many of the same ERP security and compliance issues, mostly originating from the fact that their applications were not natively designed to do what they need them to do – i.e., secure data. This end result is the natural progression of security and compliance threats evolving while native ERP security features stay the same.

ERP applications are built with static, role-based controls and logging/alerts designed for system troubleshooting. The idea that many of these legacy applications would be exposed to the internet with only a username, password and maybe a VPN standing between malicious actors and your business data is the definition of risky. Some organizations have accepted that risk – but they don’t have to.

Appsian has designed a world-leading security platform that provides holistic, end-to-end data security (along with application security), giving legacy ERP customers complete control and visibility over their ERP data.

We know that every organization is unique, which is why we want you to put our security platform to the test! Request a demonstration today, and let us show you how Appsian can tailor a solution to your organization’s unique requirements.


Using Advanced Analytics to Improve ERP System Performance

By Michael Cunningham • November 6, 2020

Improve ERP System Performance with Real-Time Data Access & Usage Visibility  

Your ERP system is a complex ecosystem with multiple deployments, serving hundreds to thousands of users. All of which are processing batch jobs, completing transactions, and performing daily functions that are the lifeblood for operations. Sitting at the center of this ecosystem is your system administrators, who oversee monitoring and maintaining the ERP system’s overall health and performance.  

Factors Driving up Administration Complexity 

In many ERP deployments, integrations with application and web servers, along with other external systems, are common. Further increasing complexity is that each has its own set of monitoring tools to determine the quality of service it is delivering. This fragmented approach can make it challenging to identify and resolve ERP system performance issues. Now there’s a tool that allows you to focus exclusively on the health of your ERP system: Appsian360.

How Appsian360 Reduces Complexity 

Appsian360 focuses squarely on ERP-specific performance metrics that allow you to quickly isolate and identify performance issues: 

  • Average Page Load Time 
  • Top 10 Components Accessed 
  • Average Page Load Time by Application 
  • Pages Accessed by Device Type 
  • Page Access Count and Average Page Load Time 
  • Top 10 Underperforming Pages 

Appsian360 also captures real-time data access and usage information that provides a clear narrative around how user traffic is affecting system performance. It can also be used to combat security threats or uncover fraud.

Organization-Wide ERP System Performance at a Glance 

Now you have information at your fingertips that allows you to become proactive about system degradation, rather than reactive and relying on users to report the issues to you. Fixing slowness issues ahead of time might also prevent more serious problems like data corruption, which leads to time lost across the whole enterprise.

You can also focus on application performance across office locations and by hardware. For example: 

  • Average Page Load Time by Country 
  • Average Page Load Time by Location (looks like office locations) 
  • Average Page Load Time by IP [Address] 
  • Average Page Load Time by Web Server 
  • Average Page Load Time by App Server 

If your offices are spread across the globe, for example, in America, India, and New Zealand, you can examine the Average Page Load Time by Country. Just by looking at a map, you can see that maybe one of the offices in India is running slow while the other is performing within normal speeds. You can contact the appropriate IT team in that office to investigate. 

Resolving Individual Issues Within Minutes 

Raise your hand if a user has ever contacted you with, “Oh, the system is really slow today.” It’s a common yet frustrating reality for sys admins because it lacks context. Is the performance slow just for that one person or for everybody? Is the performance issue for a single component or an entire application?  

Without Appsian360, your team has few resources to resolve this issue. For example, the resources available to you might include: 

  • The user description of the problem 
  • You can try to replicate what the user was accessing or viewing 
  • You might need to even visit the user’s office location and check the device 
  • Maybe it’s related to a time of day, etc.  
  • Based on this information, you can try to replicate the issue.  
  • Finally, you might have access to database monitoring tools to give you an idea of how individual queries are performing. However, this is a piecemeal approach and lacks insight into the actual ERP system performance as a whole. 

Resolving these system performance issues manually could take hours or days. With Appsian360, you can drill into a particular IP address and get details on a user’s individual access in the system, and you can drill down into the context you need to create actionable insights. For example, you can view the user’s Average Page Load Time by Application. Now you can holistically look at those transaction sets together to see how they’re affecting your system and the users working within the system.

Drilling down a bit further, you can look at the Top 10 Underperforming Pages. Now you’re getting more granular with your detective work to see if a specific page is performing slowly. In a matter of minutes and just a few clicks, a system admin can diagnose a system performance issue and put into place an action plan to resolve the issue.  

The Proactive Approach to ERP System Performance  

The regular duties of an ERP system administrator include making sure that the system is performing to its maximum ability and resolving any issues and problems the users might have. They’re also trying to resolve system performance issues before people complain there is a problem. Because when the ERP system performance deteriorates, productivity suffers, employee morale declines, and the company’s bottom line is negatively impacted. 

Contact us today to learn how Appsian360 can transform your IT team into proactive ERP application administrators and keep your ERP system running at peak performance levels.  


Monitoring High Privileged User Activity in PeopleSoft and SAP Using Appsian360

By Michael Cunningham • August 11, 2020

We are in the midst of a perfect storm of ERP security calamity: the greatest work from home experiment colliding with historic levels of employee churn and unemployment. Hackers are exploiting the situation by launching phishing, spear-phishing, and other social engineering attacks at remote workers to gain access to privileged user accounts and email passwords.   

The increased threat surface and hacker activity mandate that companies deploy a strong security posture at the identity perimeter, using tools such as virtual private networks (VPN) and adaptable multi-factor authentication (MFA). However, limiting security to user access and authentication can leave organizations at risk of malicious activity when, not if, a privileged user account is compromised.   

Unfortunately, today’s legacy on-premise SAP and PeopleSoft systems simply do not provide organizations the granular visibility and context of user access and data usage they need in real-time to make proactive and strategic decisions. This lack of visibility and reliance on static controls to ensure your most critical data isn’t compromised means that many organizations are flying blind.  

Monitoring Privileged User Activity Must Be Part of a Strong Security Posture   

The issue with traditional ERP logging and analytics is that they focus on troubleshooting errors and scanning for broad system vulnerabilities. They were not designed for understanding user behavior, data access, and usage. In addition to ensuring a strict authentication process, companies need to layer in the ability to monitor privileged user activity continuously.

Using a layered-defense approach, organizations can proactively mitigate many of the risks associated with the increased interest in corporate networks and user accounts. A strict authentication process on its own is no longer acceptable. Actively monitoring privileged account activity is a critical way of identifying that an external threat has entered the network, compromised an account, and is ultimately engaged in fraud or theft.   

Granular Privileged User Activity to Monitor  

Organizations can set fine-grained access controls all day long. For example, organizations may be able to apply time-based ABAC for standard users, since the general human resources employee likely works during daytime hours, and you have visibility into which user accessed an application. Unfortunately, if you do not have a granular-level view into precisely what a user accessed, then you are missing a significant part of the data security puzzle.  

I’m sure you can think of a list of all Tier 1, highly sensitive data fields you want to watch closely. A shortlist includes C-suite salary information, social security numbers, bank account information, national ID number, passport number, visa permit number, driver’s license number, etc.   

Continuously monitoring privileged user activity and behavior at the granular level provides valuable visibility into how users engage with data and what they do with their access. For example, application-level logging can’t track or show you if a hacker or malicious insider changes employee direct deposit information to route that week’s payroll run into an offshore account. Only field-level logging can show you how much “over access” users may have or if they are engaged in irregular activity.  

With this information, organizations can review whether a certain activity was necessary and document the findings. By tracking the activity back to the user, the organization proves governance and proactively protects data.  
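An added example (not Appsian360 code) of the field-level detection described above: it parses constructed field-level audit records, ignores self-service changes to one’s own direct deposit, and flags administrative changes to bank fields, changes outside business hours, and one account changing the bank details of several employees within a short window (the payroll-diversion pattern the text mentions). The log format, the user-to-employee mapping, the sensitive field list and the business-hours window are all assumptions.

```python
"""Field-level audit log analysis for payroll bank-detail changes.

Added example, not Appsian360 code. The log format, user/employee mapping,
sensitive field list, business-hours window and sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: fields whose change should always be reviewable.
SENSITIVE_FIELDS = {"ACCOUNT_NBR", "ROUTING_NBR", "BANK_CD"}
# Constructed: the employee record each user account belongs to. A change to
# one's own record is ordinary self-service; anything else is an
# administrative (privileged) change that application-level logs would not
# distinguish from a page view.
USER_EMPLID = {"jsmith": "E1001", "hradmin": "E0042"}
BUSINESS_HOURS = range(6, 20)   # 06:00-19:59 counts as working hours

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")


def parse_line(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' field-level audit record."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = dict(tok.split("=", 1) for tok in m.group("kv").split())
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(lines, burst_window=timedelta(minutes=60), burst_threshold=3) -> list:
    """Return (timestamp, user, rule) alerts for sensitive field changes.

    Rules: admin_bank_change  - a user changed someone else's bank fields
           off_hours          - that change happened outside working hours
           burst              - one user changed bank fields of >= threshold
                                distinct employees within burst_window
    """
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, emplid)] of admin bank changes
    for line in lines:
        rec = parse_line(line)
        if rec.get("field") not in SENSITIVE_FIELDS:
            continue
        user, ts = rec["user"], rec["ts"]
        if rec["emplid"] == USER_EMPLID.get(user):
            continue   # self-service change to the user's own details
        alerts.append((ts, user, "admin_bank_change"))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((ts, user, "off_hours"))
        window = [(t, e) for t, e in recent[user] if ts - t <= burst_window]
        window.append((ts, rec["emplid"]))
        recent[user] = window
        if len({e for _, e in window}) >= burst_threshold:
            alerts.append((ts, user, "burst"))
    return alerts


# Constructed sample records (account numbers already masked by the logger).
SAMPLE_LOG = [
    "2020-08-10T02:05:10Z user=svc_payroll emplid=E3003 record=DIRECT_DEPOSIT field=ACCOUNT_NBR old=****1234 new=****9876 src_ip=198.51.100.20",
    "2020-08-10T02:07:42Z user=svc_payroll emplid=E3004 record=DIRECT_DEPOSIT field=ACCOUNT_NBR old=****4321 new=****9876 src_ip=198.51.100.20",
    "2020-08-10T02:09:03Z user=svc_payroll emplid=E3005 record=DIRECT_DEPOSIT field=ROUTING_NBR old=****0001 new=****0099 src_ip=198.51.100.20",
    "2020-08-10T09:12:01Z user=jsmith emplid=E1001 record=DIRECT_DEPOSIT field=ACCOUNT_NBR old=****1111 new=****2222 src_ip=10.1.4.22",
    "2020-08-10T09:30:00Z user=hradmin emplid=E2002 record=DIRECT_DEPOSIT field=ACCOUNT_NBR old=****5555 new=****6666 src_ip=10.1.4.30",
    "2020-08-10T10:00:00Z user=hradmin emplid=E2002 record=PERSONAL_DATA field=CITY old=Dallas new=Austin src_ip=10.1.4.30",
]

if __name__ == "__main__":
    for ts, user, rule in analyze(SAMPLE_LOG):
        print(ts.isoformat(), user, rule)
```

The daytime administrative change by `hradmin` is still recorded as an alert: it may be perfectly legitimate, but it is exactly the activity the text says should be reviewed and documented. The three `svc_payroll` changes at 02:00 to three different employees, all redirecting to the same new account, are the case that only field-level data can surface.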

Appsian360: Monitor ERP Activity for High Privilege Users  

Using Appsian360 to monitor privileged user activity, you get a 360-degree view of what is happening around your ERP data as well as full visibility into exactly how your ERP data is being accessed – by whom, from where, on what, and why. From there, you can map out a targeted incident response before damages become catastrophic.   

Your organization needs to be in a constant and vigilant state of security when it comes to monitoring privileged user account activity, especially in these times of excessive employee churn and remote access. Unfortunately, doing so in your ERP system is a manual process that needs to be addressed frequently.  

Request a demo of Appsian360 to see for yourself how your organization can actively monitor privileged user activity and mitigate the risks associated with a compromised account or malicious insider. 

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Does ERP Data Security Qualify as an Essential IT Project? Here Are Five Reasons Why It Does.

By Michael Cunningham • May 26, 2020

Stop me if you’ve heard (or spoken) this phrase: “All non-essential projects have been put on hold.”

To be fair, pausing large-scale IT projects (like a cloud ERP migration) in such an uncertain and unpredictable environment makes sense. If the project will take months to implement and it isn’t helping keep the lights on, it isn’t essential. Simple as that! But what is considered “essential” is often a matter of opinion rather than true importance.   

A perfect example is ERP data security. When COVID-19 hit, many organizations began scoping enterprise security solutions like a VPN, which enables remote access. But only in the sense of creating an authentication point – not actually securing data. We touched on this more in a previous blog.

Enabling remote access with a VPN helps keep the lights on, but now that the lights are on (and will hopefully stay on), at what point do you consider the vast amounts of data exposure that have emerged as a NEW risk vector as a direct result of remote access? This is the point where data security becomes essential.

Overlooked but Essential 

ERP data security too often gets thrown into the “non-essential” project pile, with companies considering it an afterthought, regardless of the economic climate. Afterthought might be too harsh – perhaps they consider what they already have in place as “good enough,” essentially making the decision to go into completely unprecedented times with legacy technology. Such thinking will leave your data fully exposed to theft, fraud, and other forms of damage. Alas, if you don’t prepare for the future, then the future is likely to be your downfall. This is why we think NOW is the perfect time to make ERP data security a high-priority – dare we say essential – project. Here are five reasons why.

1: Your ERP Data is Already Exposed 

Just because your virtual front door is locked doesn’t mean there’s nobody in your house. Besides the fact that user credentials (including VPN credentials) are routinely stolen – insider threats are one of the fastest-growing trends in data breaches, accounting for 34% of attacks in 2019, according to Verizon’s 2019 Data Breach Investigations Report. In addition, many insider breaches occur simply by insiders unintentionally misusing data. Without proper data security and monitoring protocols in place, it’s difficult to know if users are leveraging their privilege to access sensitive information for either legitimate or malicious purposes. 

2: Remote Access and Data Security Should Be Synonymous  

A remote workforce is nothing new, but not at the scale caused by the COVID-19 outbreak. The rapid scaling of remote access for critical business functions left many companies relying on conventional (but outdated) security technology, like a VPN, all the while not considering that remote access means an expanded threat surface – and the wider your threat surface, the more exposed your data is to risk. A VPN may leave you feeling like you shrank your threat surface, but you haven’t truly shrunk your level of risk. Today, the most devastating data breaches happen when credentials are stolen and/or insiders leak or expose data. In a remote access environment, credential and insider risks go up dramatically, while a VPN does little to mitigate them.

When allowing remote access to your ERP data, you need to monitor a variety of data points: Where is the user coming from? What data are they trying to access? What device are they using? Is that device being used by the right person? Cybercriminals know these systems are vulnerable and are stepping up attacks.

3: Data Security is Not as Costly as A Data Breach 

According to IBM’s Cost of a Data Breach Report, the average cost of a data breach is $4 million. The average cost of a breach in the U.S. is $8.2 million – more than double the worldwide average.

The risks posed by a data breach extend well beyond the financial; they are operational and compliance-related as well. Then there are the difficult-to-quantify costs, including negative exposure and scrutiny for your brand and senior leadership.

4: Compliance Stakes Have Never Been Higher 

Compliance mandates like SOX, GDPR, CCPA, and others require organizations to maintain details regarding data access, and they place substantial liability on companies that do not take appropriate measures to secure ERP data. Fortunately, organizations can improve compliance by implementing data security tools that respond to insider threats, minimize direct damage caused by a breach, and reduce (or even void) penalties incurred by compromising customer data.

5: ERP Data Security is A Manageable Problem 

An essential project doesn’t mean it’s complicated or burdensome. In fact, this is one of the more manageable problems to solve, as adding data security doesn’t involve much change management – unlike a cloud migration project. The key is to NOT customize the application(s) but to seek solutions that are configurable. Customizations are not a quick fix – they are not scalable and place additional complexity on support down the line. Configurable solutions to these challenges exist – trust us!   

Data Protection Can Help Keep the Lights On 

You could argue that an ERP data security project isn’t going to help keep the lights on; therefore, it isn’t essential. We would say that any project that helps mitigate business and security risks by enhancing your ability to authenticate users, control access to data, and monitor & respond to potential threats, is essential. And if that project can protect you from fines, theft, and fraud due to a data breach in this current work environment? That’s money you can use to keep the lights on.      

Request a demonstration today to learn how Appsian can help you with your essential ERP data security project.  

CarolinaGo Mobile App Single Day Downloads Hit 2,000

By Chris Heller • August 31, 2015

According to Kate Hash, Manager of ITS Communications at UNC Chapel Hill, “Up until Friday, our largest download month had been 600 downloads of the app. On Friday alone, we had 2,000. It is clear that ConnectCarolina is adding a value to the app and that the students are now discovering the app because they want to use ConnectCarolina.”

Check out the full article on dailytarheel.com to learn more about how UNC mobilized and transformed PeopleSoft using PeopleMobile®.

Webinar: Fact or Myth – Protecting your PeopleSoft HCM Data from Cybercrime

By Chris Heller • August 2, 2015

Want to sort cybercrime fact from fiction? Do you think you know the difference? Test your knowledge. In this OHUG-sponsored webinar, GreyHeller will set the record straight about cybersecurity myths using data from its Annual Cybersecurity Survey, the SANS Survey and live audience polling.

This engaging and interactive webinar session will test your internal and external threat knowledge and give you the tools necessary to assess your organization’s PeopleSoft security. All participants will be given a copy of GreyHeller’s Confidential Threat Assessment Matrix, which identifies the internal, external and data threat vectors the bad guys have used to compromise HCM data.

The session will include information on:

  • Data Masking
  • Data Leakage
  • Multi-Factor Authentication
  • Location Based Security
  • Self Service Use
  • High Privilege Access
  • Logging/Analysis & Forensic Investigation

We will conclude with real world case studies of how PeopleSoft customers are protecting their HCM data from cybercrime.

Register Now

PeopleSoft and the Future of ERP

By Chris Heller • June 6, 2015

In this two-part series, GreyHeller founders and former early PeopleSoft Technical Strategists Larry Grey and Chris Heller will discuss ERP trends and how they affect PeopleSoft customers. Part I will discuss Gartner’s recently published 2015 Strategic Road Map for Postmodern ERP and how its opportunities and challenges affect PeopleSoft customers. Part II will be a demo-intensive session showing how GreyHeller customers are meeting these challenges today.

Part I
July 15  •   11am PST

According to Gartner, monolithic ERP solutions are being deconstructed into postmodern ERP, resulting in a more federated, loosely coupled ERP environment with much of the functionality sourced as cloud services or via business process outsourcers. This direction is driven by a need to support strategic, organization-wide functionality that is more flexible, secure, integrated, and modern.

Where does this leave you as a PeopleSoft customer?  Do you need to replace PeopleSoft to achieve the architecture and benefits to drive your organization in the future, or do you have an option to leverage it along with other cloud-based solutions?

This session will answer these questions as well as describe how PeopleSoft can be part of a hybrid approach to utilizing PeopleSoft and the cloud:

  • Where PeopleSoft fits
  • Integration considerations, including data and security
  • User experience modernization
  • Lifecycle Management and compliance
  • Control over functionality and infrastructure

Register Now

Part II
July 29   •   11am PST

This session will discuss how GreyHeller customers are using our technology today to deploy PeopleSoft effectively in their postmodern ERP roadmap. This demo-intensive session will include customer case studies and product demonstrations that illustrate how to flexibly and safely retain your PeopleSoft investment by evolving its role from a monolithic application to a key component of your hybrid ERP architecture.

  • Security:  how to protect your most sensitive data and processes in an ever-evolving cybercrime landscape

  • Identity Management:  how to leverage multiple identity providers for your different constituents — Candidates, Vendors, Employees using solutions such as Facebook, LinkedIn, Azure, and on-premise resources

  • User Experience:  how to provide a seamless solution that is modern, looks consistent across cloud and on-premise components, and is easy to use

  • Flexibility:  how to evolve the functionality you deploy rapidly

  • Lifecycle Management:  how to keep up with new updates (driven by regulatory or business value requirements) while keeping a low TCO

  • Integration:  how to control all of the integrations between each of the components

Register Now
