There are no easy solutions when it comes to cybersecurity, but when it comes to ERP security best practices, IT can be easily lulled into complacency. On one hand, companies with stable on-premises solutions may assume criminals aren’t targeting ERP or their organizations’ existing defenses will thwart attackers. On the other hand, companies migrating to the cloud may believe they can simply hand off security concerns to their cloud service providers (CSPs). Neither of these assumptions drives an effective defense.
Analysis:
It’s certain that over the next five years criminals will continue to up their game and further infiltrate critical enterprise data stores, so ERP security strategy should be a priority.
“While cyberattacks continue to be top of mind for executives, many may not fully appreciate how vulnerable their ERP systems are to such attacks,” McKinsey analysts write. “This could become a significant problem as evidence mounts of increasing threats targeting ERP systems. Supply-chain attacks rose by 42 percent in the United States in the first quarter of 2021, impacting up to seven million people. And security threats against industrial control systems (ICS) and operational technology (OT) more than tripled in 2020.”
ERP solutions thrive on data, but so do cyber attackers for whom company databases are akin to haphazardly guarded bank vaults ripe for the picking. “The typical ERP environment is a soft target,” information security consultant Kevin Beaver warns in a TechTarget article. “It includes multiple components, including network hosts, web components, databases, thick clients and mobile apps. These complexities keep IT and information security (infosec) professionals on their toes year-round.”
It’s surely tempting to turn over the security issue to cloud services providers (CSPs), who presumably are better staffed to maintain defenses and have deployed security best practices. But CSPs typically adhere to a shared security model. “The CSP is responsible for security ‘of’ the cloud—think physical facilities, utilities, cables, hardware, etc.,” explains CSO. “The customer is responsible for security ‘in’ the cloud—meaning network controls, identity and access management, application configurations, and data.”
What to watch for
There’s plenty of room for improvement, and efforts are well underway that could bolster security for ERP and mobile ERP solutions over the next few years. These include:
Secure access service edge (SASE)
First articulated by Gartner, SASE converges wide area networking capabilities with network security capabilities in a cloud-delivered model aimed at securing all the elements of enterprise networks, from the data center to home offices. From an ERP perspective, according to SD-WAN Experts, a SASE platform would “prioritize the ERP traffic while applying the necessary acceleration and optimization techniques to improve access. Malware inspection, DLP, and UEBA would be used to detect and prevent potential infections, data loss, and malicious activity. Internet browsing might be given a lower priority but still secured …” using data loss prevention and secure web gateways.
Zero Trust Network Access (ZTNA)
The ZTNA concept precedes and has been embraced within the SASE framework. According to Gartner, ZTNA “is a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities…This removes application assets from public visibility and significantly reduces the surface area for attack.” But that many ERP or CRM type applications present a challenge for ZTNA access because they “do not have internal controls with the ability to segregate functions and features.”
Artificial Intelligence
“A modern ERP foundation provides intelligent automations like machine learning and artificial intelligence (AI) that make it easier to safeguard your systems from attack,” says SAP. But there’s also a threat: “The advancement in AI can also benefit hackers as it enables them to perform highly sophisticated and large-scale cyberattacks,” Kashyap Vyas writes for IT Business Edge. Then there is the perplexing potential of quantum mechanics: “The use of quantum entanglement could lead to massively tougher security controls, meaning customers could more readily and more directly place additional mission critical ERP services in public clouds served by quantum accelerators and toolsets,” Adrian Bridgwater suggests at ERP Today.
Actions to take
There are no easy answers, but there certainly are many interesting developments that could lead to more secure ERP implementations. It’s incumbent on IT and security leaders to stay on top of the latest tools and threats that could impact their enterprises and to make sure they deploy security best practices as they take advantage of new developments.
