To prevent data loss in any system, first discover where confidential or sensitive data is located and inventory it. It is equally important to understand what processes and which people access and use that data, again recording all your findings. This can be a time-consuming task, particularly on poorly documented systems or those whose architecture sprawls across your own and your partners' systems.
Review the controls in place to ensure sensitive data is protected at rest, in transit and during processing and that only authorized processes and users can access it; by review I mean not only documenting the controls, but also checking that they are doing their intended job.
Once this exercise has been completed, there will likely be a number of areas that need attention, such as redundant accounts, inappropriate access rights, outdated encryption algorithms, inadequate network protection, unpatched software and poorly documented and enforced security policies relating to the ERP system and the data it holds.
All of these issues will need fixing just to bring your legacy system up to an acceptable level. To proactively secure your data and prevent it from leaking from your organization, you will also need to address new technologies and new attack techniques, not around when the system was first designed, that could be used to extract data from it. Your system should certainly be reviewed to ensure it isn't susceptible to any of the OWASP Top Ten critical Web application security flaws, and I recommend subscribing to services such as Threatpost, the Kaspersky Lab security news service that reports on new vulnerabilities and exploits.
If your users access your ERP system via desktops, enforce security policies at the endpoint by monitoring network activity. Focus on the most significant causes of data loss, namely email, Web communications (such as social networking sites), and removable media such as USB drives. As you monitor your system, any suspected incident or policy violation should generate a detailed report. This will enable you to take action to stop the violation and deal with the offender.
There are programs out there that may help you. Symantec Corp.'s Data Loss Prevention, for example, uses content matching to find and protect confidential data on laptops, desktops and servers and track or prevent the movement of that information to unauthorized destinations. If you decide you need to overhaul your ERP system, it may be worth looking at using Approva Corp.'s Controls Intelligence Suite, which can add automated controls for access, configurations and operations into your system.
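The discovery step described at the start of this answer (finding and inventorying sensitive data) and the content matching that DLP products perform can be illustrated with a small scanner that walks exported ERP records, flags card numbers and SSN-shaped values, and masks them in a findings report. This is an added example, not code from the original article or from any vendor product; the record layout, field names and sample values are constructed, and a Luhn check is used so that a random 16-digit order reference is not reported as a card number.

```python
import re
from dataclasses import dataclass

# Constructed sample rows from a hypothetical ERP export: (record id, field, value).
SAMPLE_RECORDS = [
    ("cust-1001", "notes", "Card on file 4111 1111 1111 1111, exp 12/27"),
    ("cust-1002", "notes", "Order ref 4111111111111112 shipped"),  # 16 digits, fails Luhn
    ("emp-0042", "payroll", "SSN 123-45-6789 updated by HR"),
    ("cust-1003", "notes", "Customer prefers email contact"),
]

PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16 digits, optional space/dash separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # US SSN layout


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives from numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    record_id: str
    field: str
    kind: str      # "PAN" or "SSN"
    masked: str    # value as it may appear in a report, never the full secret


def scan_text(text: str):
    """Return (kind, masked value) pairs for every sensitive token found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("PAN", "*" * 12 + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("SSN", "***-**-" + m.group()[-4:]))
    return hits


def scan_records(records):
    """Build the inventory: one Finding per sensitive token per record field."""
    return [Finding(rid, field, kind, masked)
            for rid, field, value in records
            for kind, masked in scan_text(value)]


def summarize(findings):
    """Count findings by kind, the headline number for a data inventory."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts
```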
Sharing data across an organization is no easy task, particularly if you want to share sensitive data. If you were selecting a new system today, your ERP system probably wouldn't be your first choice, so make sure it doesn't become a constraint on your business due to poor security.
This was first published in September 2010