Godfrey Kutumela, Head: Security Division, IndigoCube

Enterprise resource planning (ERP) systems are more important than ever—and more vulnerable. Outdated thinking about ERP security is now posing a massive threat to corporate data, and making companies vulnerable to cyber-attacks.

Four areas should be the focus for this new breed of ERP manager to manage risk more effectively:


1. Access control must be prioritised and integrated

Most companies continue to believe that separation of duties and authorisation audits offer sufficient security for their ERP systems. The adoption of Governance, Risk and Compliance principles is helping to address access-control risks, but it does not address the entire problem. In particular, access by super users or system administrators is typically not covered adequately. Auditing of access by both normal business users and administrators must be integrated into a single solution, and this must be given a high priority—it is not just another system function.

2. Authentication must be strong and risk-based

Passwords have been proven to be the weakest link in the access control chain—many high-profile hacks rely on compromised credentials. If you’re counting only on passwords for authentication, you’ve got a problem, period. Many organisations are turning to advanced authentication to help manage access and improve trust among customers and business partners—critical business systems like the ERP must be prioritised for strong and risk-based authentication.

3. ERP systems should be configured for security

ERP implementers must focus on ensuring that any custom configuration is aligned with internal and external security configuration standards, and that the entire ERP landscape is constantly monitored. A key challenge is that ERP environments are constantly changing, leading to configuration drift, and thus manual procedures will not be adequate. A good option is a reliable, automated secure configuration management tool, which can vet planned configuration changes for compliance with standards and provide fast and reliable configuration validation, policy enforcement and monitoring. Importantly, such an option provides transparency of the system configuration for audit and compliance purposes.


4. Custom coding needs to be secure

While ERP vendors do make some efforts to build security controls into standard code, the truth is that ERP systems are always customised to a greater or lesser extent—their customisability is, indeed, critical to their usefulness. This means that each company is ultimately responsible for the code of its enterprise systems, both at implementation and thereafter as the system is changed in light of new business requirements.

The key consideration here is to ensure that custom code is safe and compliant, and does not introduce vulnerabilities. Checks should be performed on the custom code to ensure that potential back doors and weaknesses are closed, and that your customised ERP system is well protected.