Security Aspects of Enterprise Systems
August 30, 2019 | Cyber Security, Discussions, Enterprise Systems, ERP
Introduction
Cybersecurity in general
In its simplest form, cybersecurity is protecting data from being compromised by a third party. This domain is expanding exponentially.
As per the publications of Telstra, one of the leading telecommunication providers, cybersecurity is protecting anything across the network. This may include hardware, software, and data in transit or at rest (“What is cyber security and why is it important?”, 2019).
Technically, cybersecurity is categorized into three major components:
- Confidentiality: data should be readable only by authorized parties
- Integrity: data should not be modified in transit or at rest without proper authorization
- Availability: data should be available to all authorized parties
Cybersecurity and ERP
Enterprise Resource Planning (ERP) is an approach to integrating a business and its processes that has been widely deployed around the globe. It was first initiated in 1990, and massive expansion can be seen in today’s industry.
ERP systems are configurable and can be integrated with a vast number of other information systems. The expansion of the ERP industry has made it possible to automate almost all key business processes. From a data security perspective, ERP deals with the most precious information an organization has, and every node, every network, every data store and even every user is a potential point of compromise. The worst nightmare in the ERP industry is a data breach in the system. If an organization loses its social media account or website, that is recoverable, but a breach of the ERP system can destroy the whole business.
ERP Security approaches
Generally, in the ERP domain, security can be categorized by referring to three different layers of the OSI model:
- Network Layer
- Presentation Layer
- Application Layer
Network Layer Security
This category focuses mainly on data transferred through the network, for instance when a customer communicates with an ERP system or the ERP system itself communicates with a third-party information system.
Traffic interception and modification
These types of vulnerabilities are exploited by what are called man-in-the-middle attacks: a third person or device intercepts the communication channel and listens to the media/data, or sometimes overwrites it with fraudulent data.
Even where encryption and hashing algorithms mitigate the risk, data on the network should never be assumed to be safe.
Vulnerabilities in protocols
If the underlying protocols are vulnerable, the whole ERP system is vulnerable. In the worst cases, beyond data breaches, this can lead to denial of service (DoS) attacks. One famous example is the RFC protocol that SAP used in versions 6.x and 7.x at the TCP/IP layer, which was vulnerable to denial of access for legitimate users.
Presentation Layer Security
This refers to GUI or web access security. In many cases, these types of vulnerabilities are mitigated by using a solution like Citrix.
Further, the security of the operating system is also a major factor. The following can lead to this type of security vulnerability:
- OS software vulnerabilities
- Weak passwords
- Insecure OS settings
Application Layer Security
Apart from the other two major categories, application-layer security is purely in the hands of the ERP experts.
Policies and Administration
In parallel with the implementation of the ERP system, a security policy should be introduced to administrators, stating a set of rules defining which subject may access which object.
Authentication
In general terms, authentication refers to verifying that an entity is what it claims to be.
Authorization
Authorization grants a particular subject the minimum access required on a resource. It assures that particular resources are accessible to particular users.
Separation of Duties
This is supposed to ensure that a particular task can be performed only by certain users or roles.
Time Restriction
System access is granted only for a certain time. After the current session expires, the user must re-authenticate to the system.
Logs
The entire system should keep separate logs, for instance access logs and error logs.
Security of the Database and other application components
It is vital to ensure that all the other components related to the ERP are well secured. More importantly, the database is one of the key components in any ERP system, so it must be proactively ensured that these major components remain secure.
Enhanced Security Implementation of ERP
Role-Based Access Control (RBAC)
Almost all ERP implementations in the current industry are based on the Role-Based Access Control (RBAC) model. The RBAC model consists of the following major components:

Figure: Role-Based Access Control structure
- Permission: the availability of an object to a particular subject; each domain has its own definition of permission.
- Roles: a role is a predefined set of responsibilities.
- Users: a user is a person, as the name says, and a user may be assigned one or more roles.
- Constraints: in a hierarchical structure, a senior-level user can override the permissions of their subordinate users.
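The application-layer controls listed earlier (authorization, separation of duties, time restriction, logs) and the RBAC components above fit together in a few dozen lines. The following is an added example written for this article, not code from any ERP product: a small RBAC model in which senior roles inherit the permissions of junior roles, a static separation-of-duties constraint refuses conflicting role assignments (including conflicts that arise through inheritance), sessions expire after a fixed time, and every decision is written to an audit log. The roles, users and permissions are constructed for the purchasing-workflow illustration and are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

Permission = Tuple[str, str]  # (object, action), e.g. ("invoice", "approve")


@dataclass
class Role:
    name: str
    permissions: Set[Permission] = field(default_factory=set)
    juniors: Set[str] = field(default_factory=set)  # roles this role inherits from


class RBAC:
    """Users hold roles; roles hold permissions; a senior role inherits
    the permissions of its junior roles (the hierarchy constraint above)."""

    def __init__(self, session_ttl: int = 900) -> None:
        self.roles: Dict[str, Role] = {}
        self.user_roles: Dict[str, Set[str]] = {}
        self.sod_pairs: List[Tuple[str, str]] = []  # mutually exclusive roles
        self.sessions: Dict[str, float] = {}        # user -> session expiry time
        self.audit: List[str] = []
        self.session_ttl = session_ttl

    def add_role(self, name: str, permissions: Iterable[Permission] = (),
                 juniors: Iterable[str] = ()) -> None:
        self.roles[name] = Role(name, set(permissions), set(juniors))

    def add_separation_of_duties(self, role_a: str, role_b: str) -> None:
        self.sod_pairs.append((role_a, role_b))

    def effective_roles(self, roles: Iterable[str]) -> Set[str]:
        """Transitive closure of the given roles over the role hierarchy."""
        seen: Set[str] = set()
        stack = list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.roles[r].juniors)
        return seen

    def assign(self, user: str, role: str) -> None:
        """Static separation of duties: refuse an assignment that would give the
        user two mutually exclusive roles, directly or through inheritance."""
        held = self.effective_roles(self.user_roles.get(user, set()) | {role})
        for a, b in self.sod_pairs:
            if a in held and b in held:
                self.audit.append(f"DENY assign {role} to {user}: SoD {a}/{b}")
                raise ValueError(f"{user} cannot hold both {a} and {b}")
        self.user_roles.setdefault(user, set()).add(role)
        self.audit.append(f"ASSIGN {role} to {user}")

    def permissions_of(self, user: str) -> Set[Permission]:
        perms: Set[Permission] = set()
        for r in self.effective_roles(self.user_roles.get(user, set())):
            perms |= self.roles[r].permissions
        return perms

    def login(self, user: str, now: float) -> None:
        # Authentication itself is out of scope; we only record the session
        # expiry that the time-restriction rule enforces in check().
        self.sessions[user] = now + self.session_ttl
        self.audit.append(f"LOGIN {user} at {now}")

    def check(self, user: str, obj: str, action: str, now: float) -> bool:
        """Authorization decision: a live session AND the permission held."""
        expiry = self.sessions.get(user)
        if expiry is None or now >= expiry:
            self.audit.append(f"DENY {user} {action} {obj}: no live session")
            return False
        allowed = (obj, action) in self.permissions_of(user)
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} {user} {action} {obj}")
        return allowed


def build_demo() -> RBAC:
    """Constructed roles for a hypothetical purchasing workflow."""
    rbac = RBAC(session_ttl=900)
    rbac.add_role("clerk", {("invoice", "create"), ("invoice", "read")})
    rbac.add_role("approver", {("invoice", "approve"), ("invoice", "read")})
    rbac.add_role("finance_manager", {("report", "read")}, juniors={"clerk"})
    # Whoever raises an invoice must not be the one who approves it.
    rbac.add_separation_of_duties("clerk", "approver")
    rbac.assign("alice", "clerk")
    rbac.assign("bob", "approver")
    rbac.assign("carol", "finance_manager")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    rbac.login("alice", now=0)
    print(rbac.check("alice", "invoice", "create", now=100))   # True
    print(rbac.check("alice", "invoice", "approve", now=100))  # False
    print(rbac.check("alice", "invoice", "create", now=1000))  # False: session expired
    try:
        rbac.assign("carol", "approver")  # finance_manager inherits clerk: SoD violation
    except ValueError as err:
        print("refused:", err)
    print("\n".join(rbac.audit))
```

The separation-of-duties check runs over the effective (inherited) roles rather than only the directly assigned ones; otherwise a manager who inherits the clerk role could be given the approver role and the control would be silently bypassed.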
Drivers of ERP Security
The layout of ERP implementations is still evolving, and the arrival of new features leads to enormous challenges in the security aspect. Further, customer requirements are always changing; even if an ERP could fully automate all business processes, there would still be a new feature to absorb. She and Thuraisingham predicted several key features of future ERP systems in their research paper (She & Thuraisingham, 2007).
On the other hand, in most cases the primary aspect of security implementation is access control and logging. Implementing and practising access control is the most tedious and resource-consuming procedure for any information system. As an example, the present organization structure is more agile than ever; employee turnover changes responsibilities, which in turn keeps the privilege levels in the system changing. Because of that, administration of the system becomes more resource-consuming. Worse, in most cases the stronger the security measures, the lower the performance of the system, and an even greater downside is the users’ feedback on these security measures.
Either way, it is vital for systems to maintain a balance between security cost and system performance.
Security Policies related to ERP
According to Thuraisingham, ERP security has widely focused on confidentiality (Thuraisingham, 2005), but other types of policies must be introduced in order to mitigate security vulnerabilities:
- Integrity policies: ensure that data can only be changed or modified by authorized users of the system
- Data quality and provenance policies: control the validity of data flows and data accuracy
- Trust policies: data is only available to parties the organization trusts
- Need-to-know policies: define that particular information should be known only to the intended parties
- Need-to-share policies: like need-to-know policies, these define that particular information should be shared with the intended parties
Security of Shared content
Information shared through ERPs is one of the security aspects that recent ERP systems are lacking. To address it, a secure framework with encryption is necessary, but as discussed earlier in this text, a considerable amount of resources needs to be allocated. Practising this with the least performance impact is vital.
Security-related ERP web components
ERP systems at present are more likely to have web features. Generally, almost all components implemented on standalone architectures are now available in web-based infrastructure as well.
When it comes to security-related web components, data travelling in XML format raises major concerns. Although the XML framework has integrated encryption and digital signatures, it still needs to be strengthened.
Well-known issues and resolutions in the ES domain
Lack of Employee Training and Upkeep
The weakest link in any software system is humans. Untrained and uninformed employees who use the ERP system and handle important data are one of the biggest security liabilities. Having an ongoing training schedule should not be overlooked! It’s important to train all your employees about the new system initially, but what really makes a difference is a continuous learning approach. Employees should be briefed about the ERP regularly whenever changes or upgrades are made to the system. Rather than spending all your time and money on technical cybersecurity measures, invest some in educating your staff.
Overlooking Software Updates
Speaking of changes and upgrades to the system, failing to keep up with any and all updates to your ERP is another security problem you’ll definitely want to avoid. Because most software updates take time, companies see them as a waste of precious resources and will often delay making regular updates to their ERP system. Software vendors release updates to address known security vulnerabilities and to fix weak spots in order to keep their customers’ systems more secure, so delaying or failing to keep up with system updates only hurts you more in the long run.
Inadequate Access and Authentication
Like all software systems, single-factor authentication is the standard way to access the data within them. Passwords may seem great; however, they may not be enough anymore. Cracking a password is one of the most common forms of hacking, so having your business’s most important and confidential data accessible through a single password (which can easily be stolen or guessed by cybercriminals) doesn’t make much sense anymore. Switching to a two-factor authentication method is a good way to limit the damage when passwords are hacked or stolen.
Who can access and edit data within your ERP system is another security concern that stems from authentication. Full access rights are usually the default when it comes to software, but it’s important to manage who has access to what data. Access rights and/or permissions depend on the needs and requirements of your business, so definitely keep this in mind when giving your employees information on how to access data within the ERP. Maintain audit logs to track any changes, or add authorizations to keep track of who is looking at what.
Enterprise cloud services are not ready for enterprise security threats
This problem arises while selecting the ERP vendor. An organization often chooses ERP vendors without evaluating the security aspect of their product, which may not be ready from a security standpoint.
Nowadays, most cloud services depend on APIs, which third-party developers use to manage and interact with those services; these APIs control everything from authentication and access to encryption and activity monitoring.
Data breaches or Failure to comply
Breaches involving health information, trade secrets and intellectual property are typically the most devastating. Cybercriminals are responsible for these; they are attracted by the huge amount of data stored on cloud servers.
To protect data in the cloud, enterprises should be able to comply with the General Data Protection Regulation (GDPR).
Full access rights (Confidentiality violation): lack of encryption
Whilst some public cloud providers are starting to give customers more control over their data, information stored in the cloud is often not within an organization’s control. Many enterprises make the mistake of failing to encrypt sensitive data.
The Cloud Security Alliance (CSA) recommends that organizations use a VPN tunnel to protect their data. It protects sensitive enterprise data from ending up in the hands of unknown third-party applications.
Use of unauthorized systems (lack of due diligence)
There are plenty of vendors providing enterprise systems. An unauthorized system is risky for the business, as it may not follow best practice for cloud security controls.
To avoid this, enterprises should review the standards and accreditations gained by cloud providers, such as ISO 9001, DCS, PCI and HIPAA; this process is called due diligence.
DDoS Attack
A Distributed Denial of Service (DDoS) attack stretches the processing time of the system it attacks until legitimate requests cannot be served. For example, a botnet attacks the targeted system with flooded traffic.
This can be countered using DDoS mitigation, a set of techniques or tools for resisting or mitigating the impact of DDoS attacks on networks attached to the internet by protecting the target and relay networks.
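One of the simplest mitigation techniques referred to above is per-source rate limiting at the target. The following is an added example written for this article, not a product's code: a sliding-window limiter is run over a constructed access log (the format "source_ip unix_timestamp path" and the addresses are invented for the demo) and reports how many requests were admitted and which sources exceeded their budget, which is the list an operator would escalate to a blocklist or an upstream scrubbing service.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed access log, not real traffic: 203.0.113.9 floods /login while
# 10.0.0.5 is an ordinary client. Format: "source_ip unix_timestamp path".
SAMPLE_LOG = """\
10.0.0.5 1000 /api/orders
203.0.113.9 1000 /login
203.0.113.9 1000 /login
203.0.113.9 1001 /login
203.0.113.9 1001 /login
203.0.113.9 1002 /login
203.0.113.9 1002 /login
203.0.113.9 1003 /login
203.0.113.9 1003 /login
10.0.0.5 1004 /api/orders
10.0.0.5 1009 /api/orders
203.0.113.9 1012 /login
"""


class SlidingWindowLimiter:
    """Admit at most `max_requests` per source within any `window` seconds."""

    def __init__(self, max_requests: int, window: int) -> None:
        self.max_requests = max_requests
        self.window = window
        self.hits: Dict[str, Deque[int]] = defaultdict(deque)

    def allow(self, source: str, ts: int) -> bool:
        q = self.hits[source]
        # Forget timestamps that have fallen out of the window.
        while q and q[0] <= ts - self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # over budget: drop (or challenge) the request
        q.append(ts)
        return True


def parse_line(line: str) -> Tuple[str, int, str]:
    source, ts, path = line.split()
    return source, int(ts), path


def process_log(lines: Iterable[str],
                limiter: SlidingWindowLimiter) -> Tuple[int, Dict[str, int]]:
    """Returns (requests admitted, {source: requests dropped})."""
    admitted = 0
    dropped: Dict[str, int] = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        source, ts, _path = parse_line(line)
        if limiter.allow(source, ts):
            admitted += 1
        else:
            dropped[source] += 1
    return admitted, dict(dropped)


def flooding_sources(dropped: Dict[str, int], min_dropped: int = 1) -> List[str]:
    """Sources worth escalating (blocklist, upstream scrubbing, an alert)."""
    return sorted(src for src, n in dropped.items() if n >= min_dropped)


if __name__ == "__main__":
    # Budget: 5 requests per source per 10 seconds (constructed threshold).
    admitted, dropped = process_log(SAMPLE_LOG.splitlines(), SlidingWindowLimiter(5, 10))
    print(admitted, dropped)                # 9 {'203.0.113.9': 3}
    print(flooding_sources(dropped))        # ['203.0.113.9']
```

Per-source limiting only helps against the simpler floods; a large botnet spreads its traffic over many sources that each stay under budget, which is why the text also mentions protecting the relay networks upstream of the target.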
Vendor Security
A vendor is also known as a supplier, is an individual or company that sells goods or services to someone else in the economic production chain. Vendors are a part of the supply chain i.e. the network of all the individuals, organizations, resources, activities and technology involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual delivery to the end-user. Parts manufacturers are vendors of parts to other manufacturers that assemble the parts into something sold to wholesalers or retailers. Retailers are vendors of products to consumers. In information technology as well as in other industries, the term is commonly applied to suppliers of goods and services to other companies.
Vendor risk management (VRM), also called vendor security, is a process that deals with the management and planning of third-party products and services. It ensures that the use of third-party products, IT suppliers and service providers does not result in a potential business disruption or in any negative impact on business performance. The process is meant to assist organizations in managing and monitoring the risk exposure resulting from third-party suppliers of IT products and services, and involves a comprehensive plan for identifying and mitigating potential business uncertainties as well as legal liabilities regarding the hiring of third-party vendors of IT products and services.
VRM has become even more important because of the prevalence of outsourcing. Because organizations entrust some of their workflows to third parties, they lose control of those workflows and have to trust the third party to do the job well. Disruptive events like natural disasters, cyber-attacks and data breaches are often outside the organization’s control.
A good VRM strategy may include the following points:
- First and foremost, there must be a contract that outlines the business relationship between the organization and the third party.
- There should be clear guidelines pertaining to access and control of sensitive information, as per the vendor agreement.
- There should be consistent monitoring of the vendor’s performance to ensure that each line of the contract is executed properly.
- The organization must ensure that vendors meet all regulatory compliance requirements within the industry and should create a method to constantly monitor this compliance.
Conclusion
Enterprise systems are widely used in various industries, and these systems themselves are being rapidly developed. Security concerns related to enterprise systems have existed from the beginning, and with the development of technology these concerns have changed and new varieties have been introduced. Initially, enterprise systems were only available on organization premises, but now systems are available anywhere the internet is, hence security concerns are growing exponentially.
Researchers should focus on the following key areas to enhance the security of enterprise systems:
- Policies
- Secured file sharing
- Knowledge sharing
- Secured authentication and authorization methods.
From a vendor’s or client’s point of view, the following practical security aspects should be analyzed.
Updates
Since ERP implementations practise out-of-the-box concepts, most implementations are identical to each other. Usually, plenty of variation from the original core modules can be seen. These sorts of implementations are vulnerable to malfunctioning after updates, since the underlying initial changes might not be compatible with new updates. Vendor updates and patches are mandatory, and more importantly, when selecting a vendor it is vital to consider whether security patches and updates can be applied on the fly.
Training
One of the key factors is facilitating proper training for end-users. Training should cover functional areas as well as security and ethics. Regular training is mandatory to keep end-users up to date.
Compliance
It is vital for an organization to comply with industry standards, for example:
ITIL, CMMI, COBIT, PMBOK, PRINCE2, ISO/IEC 20000, ISO 21500, ISO/IEC 38500, TOGAF.
Policies
Proper security policies are mandatory for any type of organization, and these policies must be kept updated and actively practised in the organization. Some of the common policies in the industry are:
Password policy, need-to-know policy, need-to-share policy (these policies were explained in earlier sections).
System integrations
System integration in ERP can’t be avoided, since the whole concept is integration. When connecting third-party modules, it is recommended to use an escrow or another trusted intermediary service.
References
DDoS mitigation. (2019). Retrieved from https://en.wikipedia.org/wiki/DDoS_mitigation
ERP security. (2019). Retrieved from https://en.wikipedia.org/wiki/ERP_security
Lua, X., Lia, R., Zhengding, M., & Wanga, W. (2011). Mining constraints in role-based access control [Ebook] (2nd ed., pp. 87-88). Nanyang: Elsevier
Pazanjiyel, A. (2019). Enterprise systems security. Presentation, IIBIT Adelaide.
Polyakov, A. (2019). Survey reveals the damage of fraud attacks against SAP system is estimated at $10m. Retrieved from https://www.cso.com.au/article/621185/survey-reveals-damage-fraud-attacks-against-sap-system-estimated-10m/
Quirk, E. (2019). Top ERP Security Problems and How to Avoid Them. Retrieved from https://solutionsreview.com/enterprise-resource-planning/top-erp-security-problems-and-how-to-avoid-them/
She, W., & Thuraisingham, B. (2007). Security for Enterprise Resource Planning Systems (pp. 1-13). Texas: Taylor & Francis Group.
Thuraisingham, B. (2005). Security standards for the semantic web (pp. 257-268). Bedford: Elsevier B.V.
What is cyber security and why is it important? (2019). Retrieved from https://www.telstra.com.au/small-business/platinum-technical-support/articles/what-is-cyber-security-and-why-is-it-important
Wheeler, D. (2015). Secure Programming HOWTO (3rd ed.). Free Software Foundation.
Yeo, S., Kim, S., & Cho, D. (2014). Dynamic Access Control Model for Security Client Services in Smart Grid. Daejeon, South Korea: International Journal of Distributed Sensor Networks.
