Every good hacker story ends with the line: "and then he's got root access to your network and can do whatever he wants." But the story really doesn't end there. This is just the beginning of the real damage that the hacker can inflict.
While most information security initiatives focus on perimeter security to keep outsiders from gaining access to the internal network, the potential for real financial loss comes from the risk of outsiders acting as authorized users to generate damaging transactions within business systems.
The continued integration of enterprise resource planning software only increases the risk of both hackers who break through perimeter security and insiders who abuse system privileges to misappropriate assets - namely cash - through acts of fraud.
Security in the e-business, integrated enterprise resource planning (ERP) world requires a new way of thinking about security - not just about the bits and bytes of network traffic, but about business transactions that inflict financial losses from systems-based fraud, abuse and errors.
The ERP market has matured to a point where heightened competition has brought declining sales. As a result, ERP vendors are committed to bundling new functionality, such as CRM and Web services-based architecture, to provide more value to their customers. Unfortunately, security remains an afterthought.
While external threats from attacks and intrusions continue to rise, the opportunity for insider fraud and systems abuse has increased exponentially with the advent of a single automated system that manages accounts payable, employee benefits and other sensitive information.
Historically, ERP security focused on the internal controls that aim to limit user behavior and privileges while organizations rely on network perimeter defenses - firewalls, VPNs, intrusion detection, etc. - to keep outsiders from accessing the ERP system. However, increasingly integrated information systems with numerous system users require new levels of transaction-level security.
According to Gartner, "enterprises should consider the overall set of security functions and controls that permeate the entire environment that will be running trusted transactions." The analyst firm contends that "vulnerabilities can be exploited, mostly by insiders to create business threats at the transaction level."
And while ERP systems allow enterprises to integrate information systems with trusted partners through supply chain management, the number of authorized users continues to grow. This effectively introduces new entry points to business systems from outside the traditional IT security perimeter. Enterprises must not only trust the actions of employees but also trust partners' employees and perimeter security.
ERP Security Today
For most enterprises, ERP security starts with user-based controls where authorized users log in with a secure username and password. Enterprises then limit a user's system access based on their individual, customized authorization level. For example, an accounts payable clerk should not have access to human resources or inventory management modules within the ERP system
Most ERP systems offer data encryption which limits someone's ability to export the database but does not address the need to protect authorized insiders from accessing unauthorized modules in the system.
Audit logs within an ERP system track individual transactions or changes in the system but provide little detail into the relevance of the transaction. With each transaction documented individually, the audit log does not consider the context of the transaction, such as the events that occurred before or after the transaction. Internal auditors can then sample the audit logs for irregular transactions.