Our management team is concerned about the potential of data leaks from our legacy in-house ERP application. How should I go about validating its security and offering up best practices to prevent data leakage?
An enterprise resource planning (ERP) application is used to consolidate and manage internal and external resources, such as assets and materials, as well as financial and human resources. Its main purpose is to facilitate the flow of information between business functions within the organization and manage any connections to those outside, like vendors and clients. There are various implementations but there is usually some sort of database with either a centralized or distributed modular architecture.
In order to prevent data loss in any system, first discover where any confidential or sensitive data is located and inventory it. It is important to understand what and who accesses and uses it, again recording all your findings. This can be a time-consuming task, particularly on poorly documented systems or those whose architecture sprawls across yours and your partners' systems.
Review the controls in place to ensure sensitive data is protected at rest, in transit and during processing and that only authorized processes and users can access it; by review I mean not only documenting the controls, but also checking that they are doing their intended job.
Once this exercise has been completed, there will likely be a number of areas that need attention, such as redundant accounts, inappropriate access rights, outdated encryption algorithms, inadequate network protection, unpatched software and poorly documented and enforced security policies relating to the ERP system and the data it holds.
All of these issues will need fixing just to bring your legacy system up to an acceptable level. To proactively secure your data and prevent it from leaking from your organization, you will also need to address new technologies and new attack techniques that could be used to extract data from it that weren't around when it was first designed. Your system should certainly be reviewed to ensure it isn't susceptible to any of the OWASP Top Ten critical Web application security flaws, and I recommend subscribing to services such as the Threatpost, the Kaspersky Lab security news service that reports on new vulnerabilities and exploits.
If your users access your ERP system via desktops, enforce security policies at the endpoint by monitoring network activity. Focus on the most significant causes of data loss, namely email, Web communications (such as social networking sites), and removable media such as USB drives. However, as you monitor your system, any suspected incident and policy violation should generate a detailed report. This will enable you to take action to stop the violation and deal with the offender.
There are programs out there that may help you. Symantec Corp.'s Data Loss Prevention, for example, uses content matching to find and protect confidential data on laptops, desktops and servers and track or prevent the movement of that information to unauthorized destinations. If you decide you need to overhaul your ERP system, it may be worth looking at using Approva Corp.'s Controls Intelligence Suite, which can add automated controls for access, configurations and operations into your system.
Sharing data across an organization is no easy task, particularly if you want to share sensitive data. If you were selecting a new system today, your ERP system probably wouldn't be your first choice, so make sure it doesn't become a constraint on your business due to poor security.
Dig Deeper on Data security strategies and governance
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
By performing ongoing risk assessments, organizations can keep their SSH vulnerabilities at a minimum and ensure their remote access foundation is ... Continue Reading