Deltek. The company says it is "the leading global provider of software and solutions for project-based businesses", and that it "delivers software and information solutions that enable superior levels of project intelligence, management and collaboration."
Caleb Merriman is the CISO of Deltek, and he has shared four ways ITSM professionals can double down on the security of their ERP systems.
After all, the various applications integrated in ERP systems collect, store, manage and interpret sensitive data from the many business activities, allowing organisations to improve their efficiency in the long run. "This alone", said Merriman, "means that your IT team should emphasise protecting that data."
Merriman continued: "The technical complexity of ERP systems means that security researchers are constantly finding vulnerabilities in them, and businesses that make them internet-facing and don’t think through or prioritise protecting them create risks that they may not be aware of."
So, what are the four tips that Merriman has shared?
Ensure the application is secure: Even if an organisation is using a commercial application, new vulnerabilities can be discovered over time. All companies, no matter their size, should actively stress-test their applications on a routine basis.
Typically, this means a security team will be necessary to conduct penetration testing, assumed breach testing, and red teaming – a rigorous challenge to test your plans, policies and systems.
Testing like this should be performed at both the application and network layers – using tools such as dynamic application security testing (DAST), static application security testing (SAST), software composition analysis (SCA), or interactive application security testing (IAST) – all tools that a diligent security team should be using!
Manage access control: ERP systems often contain data that is essential to your business and may be sensitive. Exposure of this data could lead to compliance, contractual, or operational risk.
In addition, ERP systems are often essential to daily operations, so any lack of availability to ERP systems or inappropriate alterations to the system or data could cause significant impact to your business.
Organisations should enforce strict “least privilege” access to ERP systems and data and consider role based access, or “RBAC” and zero trust access models for their ERP systems, as first steps.
Simple measures that can be put in place, such as ensuring all remote access to ERP systems require multi-factor authentication, can make all the difference in the long run.
Security teams should also perform regular access reviews and implement robust user provisioning, termination, and transfer procedures.
Use Encryption to protect sensitive data: Use of encryption in ERP systems is essential to protect sensitive data and to address compliance and contractual obligations.
Data should be protected at all times – when in transit and when at rest. Using encryption is especially important for any system integrations.
At-rest data should be encrypted at the storage/volume level and database or field level to protect against more than physical layer access. For encryption work, it’s important to use current strong encryption methods – and appropriate Key Management is essential.
Transfer some of the risk to a SaaS partner: Given the complexity, cost, and risk of providing ERP system security, it is often beneficial to engage third parties to provide additional ERP security.
The speed at which the security landscape is moving, coupled with the challenges of hiring qualified security staff and the cost of keeping security technologies current, often makes it advantageous to work with partners who can provide these capabilities at scale.
While it is unlikely that an organisation will be able to transfer all of its risk to a third party entity, it is often the case that a well-qualified partner could shoulder the majority of the security and compliance risk obligations.