Safeguarding the crown jewels
Enterprise resource planning applications are central to any application portfolio and should be protected at all costs.
Whether it's called ERP or business systems, there's no denying these applications are growing in importance - and becoming more vulnerable in the process.
In my first Industry Insight in this series, I made the point that as mobile and Web-based applications proliferate and become more important, they are attracting the unwelcome attention of cyber criminals.
However, the impact of the mobility revolution is also having an effect on the ERP systems that used to exist securely within the corporate firewall - as the platform on which business operates, ERP systems have to interact with mobile and Web-based applications, and integrate with the systems of supply chain partners.
Not just a pretty face
In other words, the back-office/front-office distinction is increasingly breaking down in the modern business context. ERP is currently undergoing a transformation that will make it highly integrated with other systems - more intelligent, more collaborative, Web-enabled and even wireless.
The growing adoption of the Internet of things (IOT) is further driving this trend. Technical systems, like SCADA (supervisory control and data acquisition), are becoming sources of useful data as sensors and chips find their way onto machinery, manufacturing systems, vehicles and so on. This data is transmitted back to the corporate systems via the Internet or other networks, where it is mined for information to support better decision-making. In the process, though, the IOT is creating a new gateway into the heart of the corporate ICT ecosystem for hackers to exploit.
As in the traditional app development world, the IT professionals who manage ERP systems have never seen security as a particularly important consideration. Because of these systems' importance, and their growing integration with a highly distributed and open ICT environment, this viewpoint needs to change - and fast.
Based on my own experience in advising clients, an effective ERP security strategy should cover the following factors:
* User identity and authorisation: Identity management needs to be prioritised in order to control access - it is the cornerstone of any security solution. The adoption of governance, risk and compliance principles is helping, but does not address the entire problem. Specifically, access by super-users or administrators is not covered adequately. Auditing of the access by both normal business users and administrators must be integrated into a single solution, and this must be given a high priority - it is not just another system function.
* Multifactor authentication: Passwords have proven to be the weakest link in controlling access; many high-profile hacks rely on compromised credentials. Authentication needs to be strong, which means combining factors of different kinds: the password (something the user knows) plus something the user has (for example, a one-time password generated by a token or app) or something the user is (for example, a fingerprint). The more risk a user represents, the stronger the authentication must be.
* Secure ERP configuration: ERP implementations must ensure any customisation is aligned with internal and external security standards for configuration. However, ERP environments are constantly being altered in line with business needs, so a solution needs to be put in place to monitor configuration settings over time. Manual procedures will not meet the challenge, so a good option is to use a reliable, secure tool for automating configuration management. Such a tool can vet planned configuration changes for compliance with standards, validate configurations quickly and reliably, enforce policy and monitor for drift. Importantly, it also provides transparency of the system configuration for audit and compliance purposes. Secure configuration should include real-time checking of configuration releases for completeness, consistency and changes in critical data. This makes it possible to identify flawed configuration in advance, which in turn helps prevent system downtime, damage to target systems, and the cost and effort required to correct errors.
* Secure ERP customisation: One of the great benefits of ERP systems is their ability to be customised. Thus, while ERP vendors do make some effort to integrate security controls into base code, ERP security is the responsibility of the company that uses and customises the application. The key consideration here is to ensure custom code is safe, compliant and not introducing vulnerabilities. Checks should be performed on the custom code to ensure potential backdoors and weaknesses are closed, and a customised ERP system is well protected.
* Protection of the ERP database: The ultimate target of any hack is data, and ERP data is at its most vulnerable when it is at rest and concentrated in a database. Where possible, these important and at-risk databases should be encrypted. In cases where the database format and structure are integral to the application itself, and thus cannot be altered, tokenisation is an alternative.
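The release checking described under "Secure ERP configuration" above (completeness, consistency, changes in critical data), as an added example that is not from the column. The setting names and the policy are constructed for illustration, not any vendor's real parameters.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Configuration standard a release is checked against (constructed example)."""
    required: set                 # settings every release must define (completeness)
    allowed: dict                 # setting -> permitted values (the standard)
    critical: set                 # settings whose change must be explicitly approved
    consistency: list = field(default_factory=list)  # (when, equals, then, must_be) rules

def validate_release(baseline: dict, proposed: dict, policy: Policy,
                     approved_changes: frozenset = frozenset()) -> list:
    """Return (severity, message) findings; an empty list means the release is clean."""
    findings = []
    # Completeness: every required setting must be present in the release.
    for key in sorted(policy.required - set(proposed)):
        findings.append(("HIGH", f"missing required setting {key}"))
    # Standards: a present setting must hold one of the permitted values.
    for key, permitted in policy.allowed.items():
        if key in proposed and proposed[key] not in permitted:
            findings.append(("HIGH", f"{key}={proposed[key]!r} violates standard "
                                     f"(allowed: {sorted(permitted)})"))
    # Consistency: dependent settings must agree (e.g. remote access needs MFA).
    for when, equals, then, must_be in policy.consistency:
        if proposed.get(when) == equals and proposed.get(then) != must_be:
            findings.append(("MEDIUM", f"{when}={equals!r} requires {then}={must_be!r}, "
                                       f"found {proposed.get(then)!r}"))
    # Critical data: any drift from the baseline needs a vetted approval record.
    for key in sorted(policy.critical):
        if baseline.get(key) != proposed.get(key) and key not in approved_changes:
            findings.append(("HIGH", f"unapproved change to critical setting {key}: "
                                     f"{baseline.get(key)!r} -> {proposed.get(key)!r}"))
    return findings

# Constructed sample data: a baseline snapshot and a proposed release.
POLICY = Policy(
    required={"password_min_length", "login_audit", "admin_audit", "tls_min_version"},
    allowed={"tls_min_version": {"1.2", "1.3"}, "login_audit": {"on"}, "admin_audit": {"on"}},
    critical={"payment_approval_limit", "admin_audit"},
    consistency=[("remote_access", "enabled", "mfa_required", "yes")],
)
BASELINE = {"password_min_length": 12, "login_audit": "on", "admin_audit": "on",
            "tls_min_version": "1.2", "payment_approval_limit": 10000,
            "remote_access": "disabled", "mfa_required": "no"}
PROPOSED = {"password_min_length": 12, "login_audit": "on", "tls_min_version": "1.0",
            "payment_approval_limit": 50000, "remote_access": "enabled", "mfa_required": "no"}

if __name__ == "__main__":
    for severity, message in validate_release(BASELINE, PROPOSED, POLICY):
        print(f"[{severity}] {message}")
```

Run against the sample, the proposed release is rejected on five counts: the dropped administrator audit setting (both missing and a critical change), a TLS version below the standard, remote access enabled without MFA, and an unapproved change to the payment approval limit.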
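The tokenisation alternative described under "Protection of the ERP database" above, as an added example that is not from the column: a vault swaps a sensitive value for a random token of the same length and character class, so the table definition the application depends on is unchanged while the table itself no longer holds the real value. The in-memory vault, the digit-only field and the sample record are constructed assumptions.

```python
import hashlib
import hmac
import secrets

class TokenVault:
    """Maps sensitive values to random tokens of identical length and character class.

    Real values live only in the vault, which in practice is a separately secured,
    access-controlled and audited store; the ERP table holds tokens only.
    """
    def __init__(self, index_key: bytes):
        self._real_by_token = {}   # token -> real value (the only copy of the secret)
        self._token_by_fp = {}     # keyed fingerprint of real value -> token
        self._index_key = index_key

    def _fingerprint(self, value: str) -> str:
        # Keyed hash, so the index cannot be enumerated from known-format values.
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the token for value, creating a fresh random one on first sight."""
        if not value.isdigit():
            raise ValueError("this vault tokenises digit-only fields")
        fp = self._fingerprint(value)
        if fp in self._token_by_fp:            # same input -> same token, so joins still work
            return self._token_by_fp[fp]
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in value)
            if token != value and token not in self._real_by_token:
                break
        self._real_by_token[token] = value
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Look up the real value; only privileged, audited callers should reach this."""
        return self._real_by_token[token]

def tokenize_row(vault: TokenVault, row: dict, sensitive_fields: tuple) -> dict:
    """Return a copy of an ERP row with the sensitive fields replaced by tokens."""
    return {k: (vault.tokenize(v) if k in sensitive_fields else v) for k, v in row.items()}

if __name__ == "__main__":
    # Constructed sample: a vendor master record with a 16-digit account field.
    vault = TokenVault(index_key=secrets.token_bytes(32))
    row = {"vendor_id": 1042, "name": "Example Supplier", "bank_account": "2090551234567890"}
    stored = tokenize_row(vault, row, ("bank_account",))
    print(stored)   # same shape and field length as the original row, no real account number
```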
In my next Industry Insight in this series, I will summarise my top 10 tips for application security.
Godfrey Kutumela has over 16 years' experience in security consulting and engineering, having conducted high-end security consulting engagements, and designed and delivered technical solutions on three continents. Driven by his passion for securing online and mobile applications in this new era of the Internet of things, he made a strategic move to join the newly formed IBM Security Systems Division in 2012. His role at IBM was as leader and evangelist of IBM's application security, security and threat intelligence portfolio for the Middle East and Africa market. Kutumela joined IndigoCube in June 2015 as the leader of the cyber crime and security division. His responsibilities include bringing application security integration practices to the local market and helping organisations protect their critical applications and generated data. He has also served as membership chair for the (ISC)² Gauteng Chapter since May 2015.