Security in an ERP World
Introduction
Every good hacker story ends with the line: “and then he’s got root access to your network and can do whatever he wants.” But the story really doesn’t end there. This is just the beginning of the real damage that the hacker can inflict.
While most information security initiatives focus on perimeter security to keep outsiders from gaining access to the internal network, the potential for real financial loss comes from the risk of outsiders acting as authorized users to generate damaging transactions within business systems.
The continued integration of enterprise resource planning software only increases the risk of both hackers who break through perimeter security and insiders who abuse system privileges to misappropriate assets – namely cash – through acts of fraud.
Security in the e-business, integrated enterprise resource planning (ERP) world requires a new way of thinking about security – not just about the bits and bytes of network traffic, but about business transactions that inflict financial losses from systems-based fraud, abuse and errors.
Market Maturity
The ERP market has matured to a point where heightened competition has brought declining sales. As a result, ERP vendors are committed to bundling new functionality, such as CRM and Web services-based architecture, to provide more value to their customers. Unfortunately, security remains an afterthought.
While external threats from attacks and intrusions continue to rise, the opportunity for insider fraud and systems abuse has increased exponentially with the advent of a single automated system that manages accounts payable, employee benefits and other sensitive information.
Historically, ERP security has focused on internal controls that limit user behavior and privileges, while organizations rely on network perimeter defenses – firewalls, VPNs, intrusion detection, etc. – to keep outsiders from accessing the ERP system. However, increasingly integrated information systems with numerous system users require a new level of transaction-level security.
According to Gartner, “enterprises should consider the overall set of security functions and controls that permeate the entire environment that will be running trusted transactions.” The analyst firm contends that “vulnerabilities can be exploited, mostly by insiders to create business threats at the transaction level.”
And while ERP systems allow enterprises to integrate information systems with trusted partners through supply chain management, the number of authorized users continues to grow. This effectively introduces new entry points to business systems from outside the traditional IT security perimeter. Enterprises must not only trust the actions of employees but also trust partners’ employees and perimeter security.
ERP Security Today
For most enterprises, ERP security starts with user-based controls where authorized users log in with a secure username and password. Enterprises then limit a user’s system access based on their individual, customized authorization level. For example, an accounts payable clerk should not have access to human resources or inventory management modules within the ERP system.
Most ERP systems offer data encryption, which limits someone’s ability to export the database but does not address the need to prevent authorized insiders from accessing modules they are not authorized to use.
Audit logs within an ERP system track individual transactions or changes in the system but provide little detail into the relevance of the transaction. With each transaction documented individually, the audit log does not consider the context of the transaction, such as the events that occurred before or after the transaction. Internal auditors can then sample the audit logs for irregular transactions.
However, about half of all organizations do not configure their ERP system to maintain audit logs because they are concerned about performance degradation and they don’t think they need it. Regrettably, these organizations believe IT security only focuses on the layers of traditional perimeter security. In a compromise between security and performance, enterprises can avoid logging every detail of system activity and focus on meaningful information that’s relevant to the transaction.
For organizations that do utilize audit logs, system administrators can configure customized audit reports that employ simple logic to identify “outliers” – system transactions that fall outside of normal parameters, such as date and time, location of the user logging into the system and checks larger than a predefined setting.
Not only are these reports time-consuming to customize; they also produce hundreds of data points that must be processed manually and are invariably riddled with false positives. Each flagged event requires manual human analysis because the audit report itself cannot determine whether the event is cause for concern.
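The kind of “outlier” report described above, as an added example that is not part of the original article: simple rules applied to each audit-log entry in isolation (time of day, login location, payment size). The log format, the corporate address range and the thresholds are assumptions, and the log lines are constructed sample data. Note that the report can only say which rule fired; it cannot tell a late-working clerk from an intruder, which is exactly the false-positive problem the text points to.

```python
"""
Rule-based audit-report logic: flag ERP audit-log entries that fall outside
simple parameters (time of day, source address, payment amount).
Illustrative example; the log format and thresholds are assumptions, not
any vendor's real format.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit log (not real data).
# Fields: timestamp | user | source_ip | transaction | amount
SAMPLE_LOG = """\
2023-03-01T09:15:00|jdoe|10.0.1.15|PAYMENT|4200.00
2023-03-01T23:40:00|jdoe|10.0.1.15|PAYMENT|950.00
2023-03-02T10:05:00|asmith|203.0.113.7|PAYMENT|1200.00
2023-03-02T11:30:00|asmith|10.0.1.22|PAYMENT|75000.00
2023-03-02T14:00:00|bwu|10.0.1.40|VENDOR_CHANGE|0.00
"""

BUSINESS_START = time(7, 0)          # assumed normal working hours
BUSINESS_END = time(19, 0)
INTERNAL_PREFIXES = ("10.",)         # assumed corporate address space
LARGE_CHECK = 50000.0                # assumed "check larger than" threshold


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    source_ip: str
    transaction: str
    amount: float


def parse_log(text: str) -> list[AuditEvent]:
    """Parse the pipe-separated sample format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, tx, amount = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(ts), user, ip, tx, float(amount)))
    return events


def outlier_reasons(ev: AuditEvent) -> list[str]:
    """Return the list of simple rules this single event violates (empty if none)."""
    reasons = []
    if not (BUSINESS_START <= ev.ts.time() <= BUSINESS_END):
        reasons.append("outside business hours")
    if not ev.source_ip.startswith(INTERNAL_PREFIXES):
        reasons.append("external source address")
    if ev.transaction == "PAYMENT" and ev.amount > LARGE_CHECK:
        reasons.append(f"payment exceeds {LARGE_CHECK:.0f}")
    return reasons


def audit_report(text: str) -> list[tuple[AuditEvent, list[str]]]:
    """Every event that trips at least one rule, with the reasons, in log order."""
    flagged = []
    for ev in parse_log(text):
        reasons = outlier_reasons(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in audit_report(SAMPLE_LOG):
        print(f"{ev.ts.isoformat()} {ev.user:7} {ev.transaction:14} "
              f"{ev.amount:>10.2f}  <- {', '.join(reasons)}")
```

Three of the five sample entries are flagged; each still needs a human to decide whether the 23:40 payment is overtime or abuse, which is the manual work the text describes.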
Security Failures
When you consider that the average business loses 3 percent to 6 percent of annual revenue due to fraud, most agree that the ERP security features listed above are not working. Worse yet, businesses suffer additional losses through duplicate payment errors. The average enterprise submits duplicate payments for 2 percent of its total accounts payable. Of these duplicate payments, 10 percent are never recovered, which leads to total losses equivalent to 0.2 percent of total accounts payable.
The fact remains that applications are still highly vulnerable to external security threats. Weak passwords can be broken with simple dictionary attacks; buffer overflows can be used to corrupt an application until it lets a hacker in the door. However, some of the most damaging hacks come in the form of social engineering, where users are tricked into freely divulging their credentials. And of course, the real danger of external hackers comes once they enter the system as authorized users with the ability to divert payments for their benefit.
Most organizations fail in their ERP security efforts because they implement systems with a plan that leaves controls design and implementation until the end of the process. However, ERP projects are invariably over budget and behind schedule, so strict internal controls are often glossed over to keep costs down and make up time.
Some organizations decide against stringent controls because internal controls can introduce additional overhead by making it hard for employees to do their jobs with process inefficiencies.
The biggest drawback of relying on internal controls for ERP security comes from the costly and time-consuming maintenance of those controls. As employees are promoted, reassigned or terminated, organizations must continually update their business systems with each employee’s correct authorization level. The advent of new business partners, the creation of new business departments or entry into new markets also requires new or modified procedural rules. Maintenance of the ERP system can turn into a never-ending resource drain.
A recent Gartner audit of several SAP systems noted that “because SAP is used to process financial accounting information including purchasing, accounts payable, accounts receivable, general ledger and human resources, security breaches in these areas could lead to unauthorized, undetected access to confidential financial and employee data.” The audit revealed two important points:
- Duties within the purchasing process have not been adequately segregated. As a result, personnel could gain control of the entire purchasing cycle, resulting in errors, irregularities or fraud.
- Many users have been granted inappropriate authorities in the Financial Accounting and Controlling modules.
Continuous Monitoring as the Solution
According to Matthew Kovar at Yankee Group, the ‘inside threat’ causes the greatest real losses in corporations and governments today. “Detecting inappropriate application activity committed by authorized users represents the ‘next frontier’ in information security.”
After recognizing the significant business risks and inadequacies of relying upon the built-in controls of business applications, leading businesses and government organizations are now deploying continuous transaction and incident monitoring to detect, prevent and deter financial loss from systems-based fraud, misuse and errors.
The concept of continuous transaction and incident monitoring goes above simple procedural rules and transaction logs to incorporate advanced analysis to identify irregular transactions and determine if the transaction is indicative of fraud, misuse or error.
The benefits of continuous transaction and incident monitoring are clear. First, this type of transaction monitoring establishes a business environment that deters employees and other insiders from committing business hacks. Continuous transaction and incident monitoring then augments the internal controls. Even if procedural rules are not 100 percent maintained or employees learn to game the system, risk managers are satisfied with a solution that keeps pace with real-time business transactions. Finally, continuous transaction and incident monitoring acts as the ultimate layer of security from outsiders who penetrate the network as authorized users.
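What “incorporating the context of the transaction” looks like in practice, as an added example that is not part of the original article and is not any vendor’s product: instead of judging each audit-log entry on its own, the monitor correlates it with the events around it. The first detector is the purchasing-cycle control from the Gartner audit findings above (one user changes a vendor’s bank details and then approves a payment to that vendor shortly afterwards); the second is the duplicate-payment loss described in the Security Failures section. The event schema, the lookback windows and the events themselves are constructed assumptions.

```python
"""
Context-aware transaction monitoring: correlate each payment with the events
before it rather than scoring it in isolation.  Illustrative example; the
event fields and windows are assumptions, not an ERP vendor's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transaction stream (not real data), already in time order.
EVENTS = [
    {"ts": "2023-03-01T09:00", "user": "bwu",    "type": "VENDOR_BANK_CHANGE", "vendor": "V100"},
    {"ts": "2023-03-01T09:20", "user": "bwu",    "type": "PAYMENT", "vendor": "V100", "invoice": "INV-7",  "amount": 8400.0},
    {"ts": "2023-03-01T10:00", "user": "jdoe",   "type": "PAYMENT", "vendor": "V200", "invoice": "INV-15", "amount": 1200.0},
    {"ts": "2023-03-03T10:00", "user": "asmith", "type": "PAYMENT", "vendor": "V200", "invoice": "INV-15", "amount": 1200.0},
    {"ts": "2023-03-05T15:00", "user": "jdoe",   "type": "VENDOR_BANK_CHANGE", "vendor": "V300"},
    {"ts": "2023-03-20T11:00", "user": "asmith", "type": "PAYMENT", "vendor": "V300", "invoice": "INV-31", "amount": 500.0},
]

CHANGE_THEN_PAY_WINDOW = timedelta(days=7)   # assumed lookback for detector 1
DUPLICATE_WINDOW = timedelta(days=30)        # assumed lookback for detector 2


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def change_then_pay_alerts(events):
    """Detector 1: the same user changes a vendor's bank details and then pays
    that vendor within the window, i.e. the whole purchasing cycle is in one
    pair of hands.  Returns (user, vendor, invoice) tuples."""
    alerts = []
    recent_changes = defaultdict(list)   # vendor -> [(change time, user)]
    for e in events:
        if e["type"] == "VENDOR_BANK_CHANGE":
            recent_changes[e["vendor"]].append((_ts(e), e["user"]))
        elif e["type"] == "PAYMENT":
            for chg_ts, chg_user in recent_changes[e["vendor"]]:
                if chg_user == e["user"] and _ts(e) - chg_ts <= CHANGE_THEN_PAY_WINDOW:
                    alerts.append((e["user"], e["vendor"], e["invoice"]))
    return alerts


def duplicate_payment_alerts(events):
    """Detector 2: a second payment of the same invoice to the same vendor
    within the window.  Returns (vendor, invoice, amount) tuples."""
    alerts = []
    first_seen = {}   # (vendor, invoice) -> time of first payment
    for e in events:
        if e["type"] != "PAYMENT":
            continue
        key = (e["vendor"], e["invoice"])
        if key in first_seen and _ts(e) - first_seen[key] <= DUPLICATE_WINDOW:
            alerts.append((e["vendor"], e["invoice"], e["amount"]))
        elif key not in first_seen:
            first_seen[key] = _ts(e)
    return alerts


def monitor(events):
    """Run both detectors over the stream and return their findings together."""
    return {
        "change_then_pay": change_then_pay_alerts(events),
        "duplicate_payment": duplicate_payment_alerts(events),
    }


if __name__ == "__main__":
    for name, findings in monitor(EVENTS).items():
        print(name, findings)
```

Neither alert could be raised by a per-entry rule of the kind in the earlier audit report: the 8,400 payment and the 1,200 payment are ordinary amounts from internal users during business hours, and only the sequence (bank change, then payment by the same user; the same invoice paid twice) makes them suspicious. The V300 case is not flagged because a different user approved the payment, which is the segregation of duties working as intended.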