Part 1 – Risk from leaking data of ERP system
The Enterprise Resource Planning (ERP) system is an enterprise's centralized management system; it brings economic efficiency and effective management support to many kinds of enterprises. In practice, enterprises carry many information security risks without being fully aware of them. ERP is the core system that processes and stores the most important and sensitive business data: financial information, human resources records, customer data and so on. An ERP system is normally large and complicated, because it holds a huge volume of data with diverse access paths, many concurrent transactions, and many kinds of users (end users, administrators and others).
In addition, the application, which may be a public web portal, can be compromised and used to attack the ERP database. This makes the system very difficult for an enterprise to control, and it carries many risks such as copyright violations, hacker attacks and data corruption. Businesses face the following security challenges around the ERP system:
- Identifying where sensitive data is located in the system.
- Monitoring access to sensitive data, and quickly detecting and preventing abnormal behavior and unauthorized access by both external attackers and internal users.
- Identifying vulnerabilities, and maintaining and patching the system without interrupting its operation.
Furthermore, financial and banking businesses may have to comply with information security regulations such as PCI DSS, which sets requirements for systems that store and process card data.
This article introduces Imperva's ERP database security solution. It is SAP Certified (SAP being the leading ERP solution provider) and holds interoperability certification with SAP NetWeaver Application Server as well as SAP S/4HANA, helping businesses implement information security measures that address the issues mentioned above.
PRINCIPLES FOR DESIGNING A DATABASE SECURITY SYSTEM
- Define the data object to be protected
To establish a sensitive data protection policy, a business first needs to identify which kinds of sensitive objects exist in the system. Classifying these objects is not easy in a large system with many data processes such as an ERP. Imperva has a research center that analyzes the application architecture and database schemas of enterprise systems such as ERP, CRM and human resources management from leading providers such as SAP, Oracle EBS and PeopleSoft.
Based on this analysis, the solution identifies the key data objects in the system that contain sensitive information, including financial information, credit card information and metadata. It also allows customers to define their own rules and to discover new databases and other sensitive data in the system. Once the data objects are defined, the corresponding monitoring and protection policies are created for them.
- Monitoring data access
It is important to monitor all activity in the database in order to record evidence for forensic investigation and to detect and prevent unauthorized actions. However, this is difficult to do in an ERP system, because turning on full native logging can increase the load on the database server. Besides, native logging does not separate duties from the database administrators, so an administrator can delete or turn off the logs for malicious purposes. The Imperva solution provides continuous logging that is independent of the applications and databases, with detailed records of database access including:
- All access by application users, such as data queries (SELECT) and data manipulation (UPDATE, INSERT, DELETE).
- Privileged user and administrator (DBA) actions, such as GRANT and REVOKE, and changes to databases and schemas (CREATE, DROP, ALTER).
- The application end-user name (for SAP, Oracle EBS, PeopleSoft), recognized and recorded even when all users access the database through the same shared account, together with details such as OS user name, client tool, data objects accessed and so on.
To simplify policy setup, Imperva offers a number of predefined audit policies for SAP, Oracle EBS, PeopleSoft and other systems, from which the administrator can choose the ones they need. The solution likewise provides a variety of reports for SAP, Oracle EBS, PeopleSoft and others, as well as sample policies and reports that meet information security standards such as ISO 27001 and PCI DSS.
- Detect and prevent unauthorized access
Among the thousands or millions of transactions on the system, the Imperva solution is capable of detecting abnormal behavior, unauthorized access and attacks from outside. It provides predefined security policies that detect, alert on and block anomalies; for SAP systems, for example, these include:
- Access by non-SAP accounts (accounts not registered on the system).
- Access to data and data structures by something other than the SAP application.
- Access to data and data structures from a user workstation rather than through the SAP application server.
- Monitoring and tracking of new accounts (third-party, non-SAP) and of privileges granted to accounts.
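As an added example (not Imperva's code or policy engine), the following script shows how the audit categories above (DML, DDL, DCL) and the four SAP policies can be evaluated over database audit records. The SAP schema account, application server hosts and work process name are assumed placeholders, and the audit records are constructed for the demonstration.

```python
from dataclasses import dataclass

# Assumed reference data (placeholders for a real deployment's inventory):
# the SAP schema account, the SAP application server hosts and the SAP
# work process program that should be the only path to the ERP database.
SAP_DB_ACCOUNTS = {"SAPSR3"}
SAP_APP_SERVER_HOSTS = {"sapapp01", "sapapp02"}
SAP_CLIENT_PROGRAMS = {"disp+work"}

# Statement classes matching the audit categories in the text: DML, DDL, DCL.
STATEMENT_CLASSES = {"SELECT": "DML", "INSERT": "DML", "UPDATE": "DML", "DELETE": "DML",
                     "CREATE": "DDL", "DROP": "DDL", "ALTER": "DDL",
                     "GRANT": "DCL", "REVOKE": "DCL"}

@dataclass
class AuditRecord:
    db_account: str    # account used to log in to the database
    os_user: str       # OS user name on the client side
    client_host: str   # host the connection came from
    program: str       # client program name
    sql: str           # statement text

def classify_statement(sql: str) -> str:
    """Group a statement as DML, DDL, DCL or OTHER by its leading keyword."""
    words = sql.split()
    return STATEMENT_CLASSES.get(words[0].upper(), "OTHER") if words else "OTHER"

def evaluate(rec: AuditRecord) -> list:
    """Return the names of the SAP-specific policies a record violates."""
    alerts = []
    if rec.db_account not in SAP_DB_ACCOUNTS:        # account not registered for SAP
        alerts.append("non-sap-account")
    if rec.program not in SAP_CLIENT_PROGRAMS:       # access not by the SAP application
        alerts.append("non-sap-application")
    if rec.client_host not in SAP_APP_SERVER_HOSTS:  # workstation bypassing the app server
        alerts.append("workstation-access")
    if classify_statement(rec.sql) == "DCL":         # privilege granted or revoked
        alerts.append("privilege-change")
    return alerts

# Constructed sample records: one normal SAP query, one direct query from a
# finance workstation, one privilege grant by an unregistered account.
SAMPLE_RECORDS = [
    AuditRecord("SAPSR3", "sapadm", "sapapp01", "disp+work", "SELECT kunnr FROM SAPSR3.KNA1 WHERE kunnr = :1"),
    AuditRecord("SAPSR3", "jsmith", "pc-finance-17", "sqlplus", "SELECT * FROM SAPSR3.BSEG"),
    AuditRecord("CONTRACTOR1", "ext", "pc-ext-03", "dbeaver", "GRANT SELECT ANY TABLE TO CONTRACTOR1"),
]

def run_policies(records=SAMPLE_RECORDS) -> dict:
    # Map 'db_account@client_host' to the alerts raised for each record.
    return {f"{r.db_account}@{r.client_host}": evaluate(r) for r in records}
```

In a real deployment the reference sets would be populated from the SAP landscape inventory, and the records would come from the independent audit stream rather than from native database logs that a DBA could disable.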
Part 2: Proposed Solutions
Song Phuong – FPT IS