How To Maintain Security In An ERP System
Even though the ERP market has matured considerably, one area often overlooked by ERP vendors is security. Perhaps the reason is that, unlike other new functionality such as a Web-enabled architecture or Customer Relationship Management (CRM), security features do not by themselves sell a system.
Security breaches can originate externally or result from insider fraud. This article looks at external and internal threats to your ERP system and suggests measures to keep it secure.
EXTERNAL THREATS
To combat external threats, ERP systems have traditionally relied on network-based defences such as firewalls and Virtual Private Networks (VPNs). The philosophy behind this approach is to prevent unauthorised outsiders from reaching the corporate information systems at all. However, modern ERP systems are designed to share information with selected trading partners through systems such as supply chain management. ERP implementations must therefore let external users into the company's core systems, so the traditional approach of simply blocking external access is no longer sufficient: partner access has to be authenticated and restricted to the functions each partner actually needs.
INTERNAL THREATS
Prior to ERP, internal security revolved around user access control, whereby a user's access was based on their specific job requirements. For example, an Accounts Payable clerk could access the Accounts Payable system but not the Inventory Management system. User access control centres on individual user IDs and passwords, and on maintaining rules that define which user IDs may access which applications. This approach breaks down in modern ERP systems because they are designed to integrate the various business functions: an Accounts Payable clerk may have a legitimate reason to access the Inventory Management module. Access can therefore no longer be granted or denied at the level of whole applications; it has to be controlled at the level of individual transactions, and the resulting rule set is much harder to review.
SOLUTIONS
Logs - individual transactions are logged and made available to internal auditors and security staff through an audit log report. These logs provide detailed information on each transaction and can be sampled for irregularities. To use audit logs effectively, the ERP system must be configured to keep them, and there is a processing and storage overhead in doing so. Reviewing the logs manually is tedious, so you may need to customise an exception report that highlights transactions which appear unusual, for example payments above a user's approval limit or postings made outside business hours.
Continuous monitoring - this goes one step beyond reviewing system logs after the fact. It applies more sophisticated analysis as transactions occur, in order to identify fraudulent transactions or misuse of the system, for example one user both creating a vendor and approving payments to it. The rules need to be accurate, since false alarms quickly erode trust in the alerts, and they must be continually updated to reflect the current business environment.
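The following added example illustrates both solutions above: an exception report run over audit-log lines, and the same rules applied as each transaction arrives so that a cross-module segregation-of-duties conflict (a user creating a vendor and then approving a payment to it) is flagged the moment it completes. It is illustrative code written for this article, not the code of any ERP product; the pipe-separated log format, the sample entries, the user and vendor identifiers, the approval threshold and the business-hours window are all assumptions.

```python
"""Exception report and continuous monitoring over ERP audit-log lines.

Illustrative example, not a real ERP's audit format. The log layout,
users, vendors, threshold and business hours below are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data).
# Fields: timestamp|user|module|transaction|vendor|amount
SAMPLE_LOG = """\
2024-03-04T09:12:00|jsmith|AP|VENDOR_CREATE|V1001|0.00
2024-03-04T09:15:00|jsmith|AP|INVOICE_POST|V1001|4800.00
2024-03-04T09:16:00|jsmith|AP|PAYMENT_APPROVE|V1001|4800.00
2024-03-04T10:02:00|mlee|AP|INVOICE_POST|V0200|150000.00
2024-03-04T10:30:00|akhan|AP|PAYMENT_APPROVE|V0200|150000.00
2024-03-04T23:40:00|mlee|INV|STOCK_ADJUST|-|0.00
2024-03-05T11:05:00|akhan|INV|STOCK_ISSUE|-|0.00
"""

PAYMENT_THRESHOLD = 100000.00   # assumed single-approval limit
BUSINESS_HOURS = range(7, 20)   # assumed 07:00-19:59 local time
# Assumed segregation-of-duties policy: a user who performs both
# transactions of a pair for the same vendor is flagged.
SOD_CONFLICTS = [("VENDOR_CREATE", "PAYMENT_APPROVE")]


def parse_log(text):
    """Parse pipe-separated audit lines into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, module, txn, vendor, amount = line.split("|")
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "module": module, "txn": txn,
            "vendor": vendor, "amount": float(amount),
        })
    return entries


class TransactionMonitor:
    """Evaluates the rules as each entry arrives (continuous monitoring).

    Keeps the per-(user, vendor) history the segregation-of-duties rule
    needs, so a conflict is reported on the transaction that completes it.
    """

    def __init__(self):
        self.history = defaultdict(set)  # (user, vendor) -> transactions seen

    def ingest(self, e):
        findings = []
        if e["txn"] == "PAYMENT_APPROVE" and e["amount"] > PAYMENT_THRESHOLD:
            findings.append(("LARGE_PAYMENT", e["user"], e["vendor"]))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("AFTER_HOURS", e["user"], e["txn"]))
        key = (e["user"], e["vendor"])
        self.history[key].add(e["txn"])
        for a, b in SOD_CONFLICTS:
            # Fire only when this entry is part of the pair and both halves
            # have now been seen for the same user and vendor.
            if e["txn"] in (a, b) and {a, b} <= self.history[key]:
                findings.append(("SOD_CONFLICT", e["user"], e["vendor"]))
        return findings


def exception_report(entries):
    """Batch exception report: run every entry through the monitor."""
    monitor = TransactionMonitor()
    return [f for e in entries for f in monitor.ingest(e)]


if __name__ == "__main__":
    for rule, user, detail in exception_report(parse_log(SAMPLE_LOG)):
        print(f"{rule:13} user={user:7} {detail}")
```

The batch report and the streaming monitor share one rule set, which is the point: an exception report is the monitor replayed over yesterday's log, and keeping a single implementation means the rules are updated in one place when the business changes. In the sample, the invoice of 150000.00 is not itself flagged; only the approval above the assumed threshold is.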