Middle East Blogger

Re-evaluating Enterprise Resource Planning Software Security

Home About Contact Privacy Terms Sitemap  




Cool Companies



Salesforce.com User






Re-evaluating ERP Security

New Technology Advances Come With New Vulnerabilities

Enterprise Resource Planning (ERP) applications have gained new productivity features in the last few years, including mobile access for workers in the field and the ability to more easily share information with business partners and vendors. Those are great additions, but there is a catch.

Now that more people have increased access to your ERP systems and customer and business data, have you reverified that your systems are secure from electronic intruders, hackers and others who want to inappropriately acquire your information or harm your business? If you haven't revisited this concern, this may be a good time for you to take a closer look at confirming or tightening the controls to be sure that access is only granted to those who require it. A formal review process is a good place to begin.

Dr. Joy R. Hughes, the CIO and VP of IT at Fairfax, Va.-based George Mason University believes that this is a critical subject for higher education institutions and other businesses to keep front of mind. She's been keeping abreast of ERP information security for several years as part of a post-ERP replacement deployment at her educational institution, and she previously served as the co-chairwoman of a Security Task Force for EDUCAUSE, a Washington-based not for profit group that helps colleges and universities enhance their IT systems.

"Many in higher education have spent a great deal of time and money in hardening our ERP deployments," Hughes advised in a phone interview. That has often come on top of the money spent to bring the ERP applications in because the built-in security controls weren't enough or because they weren't easy to use, she explained.

"Here at George Mason University we added an identity management system to force strong passwords by users where they were not required by the ERP application," Hughes said. "We also force password rotation. We've just done many, many things to harden our ERP system."

The problem, she said, is that since colleges, universities and businesses tend to keep their ERP software for many years, they also need to keep them up to date on their security controls, even if that means doing the work yourself. The need for information security for ERP systems is always increasing, and you have to keep up to stay ahead of the game.

Hughes said that if your company is in an ERP software selection project, you need to have security issues at top of mind as you review vendor products, and be aware how the vendors plan to keep up with information security as new threats emerge. "I think that's very important for the people who are buying these systems now," she advises.

In a presentation on ERP information security for EDUCAUSE, Hughes put together an "ERP Checklist" that included recommendations for critical security items that users should be on the lookout for:

  • Establish managing roles and responsibilities for ERP security inside your company.
  • Require strong policies for passwords, identification protocols and PINs and have rules for how often they must be rotated.
  • Establish rules for data standards and integrity to ensure data quality and security.
  • Establish and maintain process documentation for your security initiatives and be sure the policies are followed.
  • Create and enforce rules for how users can properly and securely export confidential or sensitive data within the ERP application.

One big key for ERP software security is ensuring that your ERP application has easy-to-implement role-based user access controls that can be simply managed by your IT staff. ERP applications usually have role-based tools, Hughes says, but they're not always easy to implement and that can make a complex job even tougher for your IT staff. The way around that difficulty, Hughes says, is to do your homework before you buy an ERP software system.

"Every vendor tells you that they have role-based configuration, but what they probably don't tell you is that they may be very difficult to implement," she comments. "So sit down and try it out," Hughes advises. "Do test runs. Set up some roles and see what happens."

Inside EDUCAUSE, colleges and universities can get first-hand information from other higher education schools that have already reviewed the ERP systems. That kind of information-sharing is helpful to make sure that you purchase an ERP system that gives you the controls and security that you need. "In the higher education community, we have extremely strong collaboration on information security, organized through EDUCAUSE," Hughes states. "I would not make a multi-million dollar ERP decision unless I first consulted with those interest groups and got real-world reviews."

These same concerns and issues surrounding ERP software and security exist for commercial businesses as well. "Universities use the same ERP software systems that the corporate world uses," Hughes notes. "Obviously, if you have a Fortune 100 corporation, you probably have a team of people managing the user roles" for your ERP system. But even that has changed in the last couple years as IT departments have gotten smaller due to layoffs and the global recession. That makes it even more critical today that your ERP security processes be easy to manage by the IT staff that you have now, she warned. "That's when the ease of use becomes extremely important," Hughes cautions.

New software technology releases are a good reminder about what we already know about enterprise software - that it's never just buy, deploy and run. It's always a matter of staying up with changes, fixes and patches. It's bringing in add-ons and process improvements over time. Staying on top of your ERP application and its security vulnerabilities is an always-changing job.


 Middle East Blogger | ERP Systems, CRM Software & Technology Blog