Marketing Communications Manager at ERP Maestro.
Top 5 Access Control Trends for 2019
Today’s enterprises are well aware of the consequences of security breaches. In previous years, we’ve seen data compromised at Home Depot, Target, Anthem, and other large companies. Yet 2018 was full of data breaches that compromised the personal information of millions of users and severely damaged the reputations of many companies, including Marriott Starwood hotels, T-Mobile, Saks, Lord & Taylor, and Facebook. With some of these breaches barely behind us, we’re anticipating an increase in both internal and external security measures in the year ahead. From an internal perspective, we expect a rise in the following top 5 access control safeguards to prevent the wrong people and entities from accessing internal databases, including SAP ERP systems.
Trend 1: Complete Access Control Reviews
Marriott Starwood hotels received an alert from one of its internal security tools that there had been an unauthorized attempt to access the Starwood guest reservations database. But by then, the damage had been done: there had been unauthorized access to the Starwood database since 2014, and approximately 500 million customers had been affected. Payment information, names, mailing addresses, phone numbers, email addresses, and passport numbers had all been compromised.
In 2019, we’ll see enterprises be more vigilant in conducting full audits of their access controls. They will be reviewing risks by user, role, and business process to isolate risks and mitigate them before they become high-profile breaches, as well as applying policies across accounts en masse by using automation tools.
Trend 2: Individual User Accounts with Role-Based Access
Believe it or not, some companies still use shared logins for ERP systems, and these accounts can both request approval for invoices and approve them. For instance, the new hire, Bob, needs to start inputting data into the system, and the IT department hasn’t yet provisioned his account. So Barb gives him her user name and password because she can’t wait to offload the stack of invoices to someone else. This can result in all kinds of security breach scenarios: Bob writes down Barb’s password on a sticky note, which is then stolen by a third party and used to gain access to the system. Or Bob is fired during his probationary period and uses Barb’s password to “get back at” his employer.
Enterprises are wising up to this problem and investing in automated provisioning, which not only automatically sets up user accounts but creates automated workflows and segregation of duties (SoD). That way, Bob’s account is ready to go on his first day, and he can enter invoices immediately. Barb’s account can only request approval to pay the invoices she enters, not approve them as well.
In addition, companies will be reviewing privileges hidden in accounts, including administration accounts, system/service accounts, containers, devices, and codes. These are often overlooked as organizations focus on users, but they are just as critical for locking down SAP systems and protecting them from unauthorized access.
Trend 3: Comprehensive Security Patching
With SAP systems, patching early and often sounds like an oxymoron. However, a study released in July 2018 found that old security flaws in ERP software are being exploited by hackers, and the U.S. Department of Homeland Security issued an alert. The issues go back at least a decade, but hackers are showing new interest in gaining access via these points of entry that have been overlooked. That’s why one of the top five access control trends of 2019 is patching these vulnerabilities, even if it means temporarily disrupting the production environment. As 2018’s breaches have taught us, no organization is safe, and with the tendency to open up systems to partners or third-party applications, the number of points of entry to ERP systems can be exponentially higher than in years past.
Trend 4: Data Analytics to Identify Potential Threats
In 2019, enterprises will continue to use, and expand their use of, data analytics to monitor and mitigate threats. This will extend beyond detecting threats as they happen and encompass risk simulation tools and what-if scenarios. Companies will continue to use dashboards that monitor access, but they’ll also move toward running possible scenarios to identify potential SoD issues and conflicts. Enterprises will also use role design analysis tools to prevent roles from expanding into grey territory over time and maintain the integrity of role structure within the system.
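The what-if analysis described above, and the request-versus-approve separation from Trend 2, can be sketched as a small rule check. This is an added example, not code from the article's author or any vendor tool; all role names, permission strings, rules and users are hypothetical sample data.

```python
# Added illustration: roles, permissions, rules and users below are constructed
# sample data, not taken from any real SAP or vendor system.
ROLE_PERMS = {
    "AP_CLERK": {"invoice.enter", "invoice.request_approval"},
    "AP_APPROVER": {"invoice.approve"},
    "VENDOR_ADMIN": {"vendor.create", "vendor.change_bank"},
    "PAYMENT_RUN": {"payment.execute"},
}

# An SoD rule is violated when one identity holds a permission from each side.
SOD_RULES = [
    ("request-and-approve", {"invoice.request_approval"}, {"invoice.approve"}),
    ("vendor-and-pay", {"vendor.create", "vendor.change_bank"}, {"payment.execute"}),
]

USER_ROLES = {
    "barb": {"AP_CLERK"},
    "bob": {"AP_CLERK"},
    "shared_ap": {"AP_CLERK", "AP_APPROVER"},  # shared login from Trend 2
}


def conflicts(roles):
    """Names of SoD rules violated by the union of permissions in `roles`."""
    perms = set().union(*(ROLE_PERMS[r] for r in roles))
    return sorted(name for name, a, b in SOD_RULES if perms & a and perms & b)


def audit(user_roles=USER_ROLES):
    """Current-state review: every account that already violates a rule."""
    found = {user: conflicts(roles) for user, roles in user_roles.items()}
    return {user: hits for user, hits in found.items() if hits}


def what_if(user, extra_roles, user_roles=USER_ROLES):
    """Simulation: rules newly violated if `extra_roles` were granted to `user`."""
    before = set(conflicts(user_roles[user]))
    after = set(conflicts(user_roles[user] | set(extra_roles)))
    return sorted(after - before)


if __name__ == "__main__":
    print("existing conflicts:", audit())
    print("grant AP_APPROVER to barb ->", what_if("barb", ["AP_APPROVER"]))
    print("grant VENDOR_ADMIN to bob ->", what_if("bob", ["VENDOR_ADMIN"]))
```

Running `what_if` before a role change is approved surfaces the conflict at request time, while `audit` covers the periodic review of what has already been granted.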
Trend 5: Cloud-based Access Control Tools
With the need for data analytics, automation, and comprehensive access control reviews, it’s no surprise that more enterprises will turn toward cloud-based access control tools. As companies continue to add to their technology stacks, introducing more cloud and mobile tools, Internet of Things (IoT) applications, and more, they will want to protect their systems using cloud-native tools. Large enterprise security vendors are only now starting to acquire smaller companies to boost their own portfolios, indicating that the demand for cloud-based access control tools will continue to grow in 2019.
As 2019 continues to unfold, we’ll surely see more data breaches. However, by paying attention to the trends in access control, including complete reviews of existing policies and accounts, creating individual role-based accounts, patching ERP systems to the latest version, using data analytics, and implementing cloud-based access control, enterprises will have a far better chance of staying one step ahead of potential threats.