Alex - stock.adobe.com
General-purpose security doesn't go far enough for ERP
Organizations need to pay more attention to security as ERP systems move to the cloud, are opened up to other applications and services and face an uptick in cyber attacks.
Security for ERP systems like SAP should be a top priority for organizations, as cyber attackers increasingly turn their attention to these data-rich environments.
However, cybersecurity experts say that ERP security is not always the same as general IT security, and that organizations need to pay attention to vulnerabilities specific to ERP systems.
Attacks on SAP and other ERP systems rose in 2020 and 2021 for several reasons, including, primarily, the migration of systems to the cloud, according to Juan Pablo Perez-Etchegoyen, CTO at Onapsis, a Boston-based firm that provides security services and applications for SAP, Oracle and Salesforce systems.
Then COVID-19 hit and forced most organizations to transition employees to remote work and accelerate the digitization of business processes, which led to more security vulnerabilities in ERP systems.
"We found there's been a significant increase in terms of focusing not only on traditional IT assets, but also on automating and exploiting business applications, specifically SAP," Perez-Etchegoyen said. "Some of the most critical SAP vulnerabilities are being actively exploited in the wild, which means that threat actors are incorporating the new vulnerabilities in their tool sets, and they are exploiting and targeting SAP applications as part of their campaigns, and they are compromising the systems."
ERP security poses a particular problem for organizations because the people who are responsible for IT security often lack expertise in ERP systems, he explained. Chief information security officers (CISOs) are becoming more aware of the need for security services for ERP systems, but administering these systems may be out of their control or they may lack the skills to deal with ERP configuration complexities.
Juan Pablo Perez-Etchegoyen CTO, Onapsis
"There are thousands of configurations in many of these applications, and a lot of those are security relevant," Perez-Etchegoyen said. "So leaving aside security patching for software vulnerabilities, you need to make sure that every single component of these applications is secured. Each technology has its own intricacies in what you need to configure and how to configure it securely."
ERP processes have specific security issues
Security teams within organizations have to be concerned with both general-purpose attacks on IT systems and targeted attacks on ERP systems, according to Bhavani Thuraisingham, a professor of computer science and the executive director of the Cyber Security Research and Education Institute at The University of Texas at Dallas.
Typically, there are two main security concerns for IT departments, she said. One is around malicious attacks and ransomware, and the other is around controlling access to processes and data.
Because ERP systems run specific business processes, organizations have to focus their investigations on how processes are being exploited, a strategy that requires more than general-purpose security measures and ERP expertise, Thuraisingham explained.
"You need people who understand SAP or Oracle databases; you need people who understand the cloud and understand web services," she said. "That's the only way that you can achieve at least some success."
ERP-specific security measures often involve user access control, but according to Perez-Etchegoyen this involves more than user management, as ERP systems have become increasingly complex due to integration with other systems or applications.
"You need to create accounts continuously for different purposes," he said. "You have to make sure that the passwords of default users are properly set, and make sure that you don't have interface users or service accounts that have high privileges with weak passwords."
Cloud security is a shared responsibility
Integrations aren't the only reason for complexity. The growth of e-commerce and the vendor desire to migrate ERP customers to the cloud are also prevalent. SAP, for example, is pushing its large SAP ECC customer base to adopt SAP S/4HANA in the cloud. Others such as Epicor and Infor have also made investments in providing their cloud-averse customers with a path to the cloud, although with less aggressive measures than SAP.
Security isn't the only reason why some organizations remain reluctant to migrate, but a perception that cloud may make mission-critical ERP data less secure persists. However, a move to the cloud does not necessarily make an ERP system less secure.
The most important aspect to understand about moving to the cloud is that security is a shared responsibility between the organization and the cloud provider, Perez-Etchegoyen said. Companies are responsible for their data in the cloud, even if a cloud provider or third-party managed services provider manages overall security and processes.
"The adoption of the cloud really accelerated over the past few years and that involves a lot of the security controls," he said. "Cloud providers are great at automating the security controls, but the majority of the breaches of data that happens in the cloud are not because there wasn't a patch properly implemented, it's because of how the customers adopted the cloud and how they configured it."
Thuraisingham agreed that companies using cloud products should remain vigilant over data security. Data should always be encrypted if it's put in the cloud, she said, but this can be complicated because some processes can't be run on encrypted data.
"You can encrypt the data and put it in the cloud, but to take full advantage of the cloud, you need to do operations in the cloud," Thuraisingham said. "However, there are measures like homomorphic encryption that allow you to process or run operations on the data without decrypting it."
Measures like homomorphic encryption may make the cloud more secure but may not be enough for highly regulated industries or companies having to adhere to privacy regulations like GDPR.
"That's why many organizations, particularly government organizations, have their own cloud, or why companies might not want to have their data on another company's cloud," Thuraisingham said.
Cloud providers can handle security better than customers
Still, companies that decide to use cloud-based ERP systems may find the benefits outweigh the potential drawbacks, said Kyle Rice, CTO at SAP NS2, a subsidiary of SAP that provides software and services to U.S.-based organizations that cannot buy software from foreign-owned companies.
While attacks on cloud companies are highly publicized, overall, companies that move their ERP systems and IT infrastructure to managed services on the cloud are better off than those that don't, Rice said. This is primarily because most companies don't have the expertise to build and maintain the kind of security technology needed to compete in an economy shaped by cloud computing.
"Let's say you're a utility company. Not too long ago, you would run your own internal IT organization, and many still do. But IT is not your business, so it's not like you've got the best IT people and you could be as good at it as an IT company is," Rice said. "You wouldn't ask Microsoft to build and operate your hydroelectric dam, so it's unclear why we were ever comfortable with a utility building and operating their own Microsoft Exchange Server. It just didn't make a whole lot of sense."
Public cloud providers have a big target on their backs, but they employ a lot of resources to keeping the systems secure, according to Rice.
"I guarantee they're doing better work than some random IT shop, because it's their business," he said.
Jim O'Donnell is a TechTarget news writer who covers ERP and other enterprise applications for SearchSAP and SearchERP.