
A REPORT ON ERP SECURITY ISSUES AND PRIVACY ISSUES

NITHIN SASI

School Of Management Studies CUSAT, Kochi 22 Email: nithin.sdn@gmail.com

Abstract: This paper deals with the various security and privacy issues related to ERP. Advances in technology have led to the development and modification of various business activities. At the same time, the issues regarding privacy and security of ERP have also increased. This paper therefore gives an overview of the security and privacy concerns regarding ERP.

Keywords: ERP, security, privacy

1.0 INTRODUCTION
Enterprise resource planning (ERP) system is a business management system that comprises integrated sets of comprehensive software, which can be used, when successfully implemented, to manage and integrate all the business functions within an organization. These sets usually include a set of mature business applications and tools for financial and cost accounting, sales and distribution, materials management, human resource, production planning and computer integrated manufacturing, supply chain, and customer information. These packages have the ability to facilitate the flow of information between all supply chain processes (internal and external) in an organization. Furthermore, an ERP system can be used as a tool to help improve the performance level of a supply chain network by helping to reduce cycle times. However, it has traditionally been applied in capital-intensive industries such as manufacturing, construction, aerospace and defence. Recently, ERP systems have been expanded beyond manufacturing and introduced to the finance, health care, hotel chain, education, insurance, retail and telecommunications sectors.

Information is one of the most important assets of any organization, so it should be appropriately protected. Information security combines systems, operations and internal controls to ensure the integrity and confidentiality of data and operation procedures in an organization. Availability of the information is also important to the organization. If the integrity of the information is above board and the information is confidential, but it is not available to authorized users, it is of no use.

Enterprise resource planning (ERP) system security must be governed by the same principles as conventional information security. An ERP system controls all the business related information of an organization as well as information relating to customers and suppliers. It is necessary to protect this information from the opposition as well as to ensure that the information within the ERP system conforms to auditing standards such as Sarbanes-Oxley. The security and protection of the information within the ERP system is therefore crucial to the existence of the organization.
The purpose of this article is to provide an ERP security framework that will enable an organization to include security as an integral part of an ERP system and not as an afterthought.

1.1 ENTERPRISE RESOURCE PLANNING


Information in large organizations is often spread across numerous homegrown computer systems, housed in different functions or organizational units. While each of these information islands can ably support a specific business activity, enterprise-wide performance is hampered by the lack of integrated information. Further, the maintenance of these systems can result in substantial costs. For example, many of the older programs cannot properly handle dates beyond the year 2000, and they must be fixed at a steep cost or replaced. While the Y2K bug has been fixed over time (at an estimated cost of $600 billion worldwide), the lack of integration is a pervasive problem. Consider, With the advent of E-Business and the need to leverage multiple sources of information within the enterprise, ERP software has emerged as a major area of interest for many businesses. Back-office enterprise software has its roots in the 1960s and 1970s, as computing power became affordable enough for companies to automate materials planning through MRP and financial processing through payroll and general ledger software. MRP, short for Material Requirements Planning, was developed in the early 1960s at IBM and had become the principal production control paradigm in the U.S. MRP consists of a set of procedures that convert forecasted demand for a manufactured product into a requirements schedule for the components, subassemblies and raw materials comprising that product. MRP is limited to controlling the flow of components and materials, and does not lend itself to more complete production control and coordination. ERP is a software architecture that facilitates the flow of information among the different functions within an enterprise. Similarly, ERP facilitates information sharing across organizational units and geographical locations. It enables decision-makers to have an enterprise-wide view of the information they need in a timely, reliable and consistent fashion.

ERP provides the backbone for an enterprise-wide information system. At the core of this enterprise software is a central database which draws data from and feeds data into modular applications that operate on a common computing platform.

1.2 ERP ADVANTAGES

Installing an ERP system has many advantages, both direct and indirect. The direct advantages include improved efficiency, information integration for better decision-making, faster response time to customer queries, etc. The indirect benefits include better corporate image, improved customer goodwill, customer satisfaction and so on. Some of the benefits are quantitative (tangible) while others are non-quantitative (intangible). Tangible benefits are those measured in monetary terms; intangible benefits cannot be measured in monetary terms but they do have a very significant business impact.

1.2.1 Tangible benefits:
- Improves the productivity of process and personnel
- Lowering the cost of products and services purchased
- Paper and postage cost reductions
- Inventory reduction
- Lead time reduction
- Reduced stock obsolescence
- Faster product / service look-up and ordering, saving time and money
- Automated ordering and payment, lowering payment processing and paper costs

1.2.2 Intangible benefits:
- Increases organizational transparency and responsibility
- Accurate and faster access to data for timely decisions
- Can reach more vendors, producing more competitive bids
- Improved customer response
- Saves enormous time and effort in data entry
- More controls, thereby lowering the risk of mis-utilization of resources
- Facilitates strategic planning
- Uniform reporting according to global standard

2.0 SECURITY ISSUES AND PRIVACY ISSUES

Enterprise Resource Planning (ERP) is an enterprise-wide information system designed to coordinate all the resources, information, and activities needed to complete business processes such as order fulfilment or billing. Many firms rely on ERP systems to implement business processes and integrate financial data across their value chains. This reliance increases the importance of ERP system security in protection of a firm's information assets. In recent years, the audit of ERP security has gained importance and begun receiving an increasing percentage of firms' audit budgets. However, the audit of ERP security remains a complex, lengthy and costly task due to a confluence of factors. ERP systems are inherently complex systems spanning many functional areas and processes along a firm's value chain. They are designed to provide flexible solutions to business problems. The sheer number of possibilities available for configuring an ERP system implies many potential security configurations. However, ERP systems pay little attention to potential conflicts and problems in those security configurations. Deployment and implementation of ERP systems also pay little attention to security implications, as the main purpose is to solve business problems within time and budget. In post-implementation stages, auditors have access to rudimentary ERP tools and capabilities for auditing security configurations. There are also shortages of staff members trained in ERP security.

2.1 Challenges in ERP Security

Complexity of ERP systems:

Complexity of ERP systems leads to security vulnerabilities. ERP systems must be able to process a wide array of business transactions and implement a complex security mechanism that provides granular-level access to users. For example, in SAP R/3, hundreds of authorization objects are used to allow access to various actions in the system. A small or medium-sized organization may have 100 transactions that are commonly used, and each transaction typically requires at least two authorization objects. If the company has 200 end users who fill a total of 20 different roles and responsibilities, there are approximately 800,000 (100*2*20*200) ways to configure security in the ERP, and this scenario excludes other complexity factors, such as multiple transactions sharing the same authorization objects, an authorization object having up to 10 fields that can be assigned to various values, and the possibility of using position-based security. The point of this illustration is that the inherent complexity of an ERP system increases the complexity of security configurations and leads to potential security vulnerabilities. Flaws, errors and Segregation-Of-Duty (SOD) conflicts become more likely.

Consider a scenario in which a security administrator has to grant read-only access to transaction X, which requires him/her to assign 10 authorization objects to the role. At a later point in time, management decides to grant write access to transaction Y, which implies assigning five more authorization objects. One of the objects is common to both transactions and determines the write capability. Although these two changes are seemingly independent, due to the shared authorization object granting write privileges, the unintended consequence is a potential SOD conflict. An ERP system does not automatically check for these kinds of security vulnerabilities. Unless the security administrator is well trained and employs rigorous positive and negative testing, he/she is likely to miss the unintended consequence of allowing write access to both transactions X and Y. As the number of potential configurations and authorization objects increases, it becomes increasingly difficult and costly to analyze the security implications of ERP configurations, such as the unintentional creation of SOD conflicts.

Lack of ERP Tools:

ERP tools for security audit are inadequate. Most of the security tools available in ERP packages are not designed to facilitate efficient and effective audit of ERP security. The main emphasis of ERP tools is on security configuration and maintenance. Recently, there has been an increase in the number of third-party product offerings assisting with ERP security and SOD reviews. However, many users complain that those tools often generate false positives and create more work for auditors.

Customization of ERP Systems:

The customization of ERP systems to firms inhibits the development of standardized security solutions. Every ERP implementation contains some level of customization specific to the firm undertaking the implementation. However, customization makes it difficult to develop a standard approach or methodology for conducting ERP security audits.

Manpower:

There is a shortage of manpower trained in ERP security. Most ERP training programs are designed for implementation efforts. They offer very little on ERP security and audit. Thus, there is a shortage of auditors who are trained in ERP security.

Inadequate attention towards security:


Implementers pay inadequate attention to ERP security during deployment. Many companies do not pay adequate attention to security implications of ERP configurations during the deployment and implementation of ERP systems. Implementation teams are usually tasked with finishing the implementation projects on time and within budget. They do not pay adequate attention to security implications since it increases implementation time and budget. Due to limited emphasis on security implications, ERP security becomes too lax, making post implementation problem identification and remediation very costly.

Conventional Approach:
Most ERP security audits today are performed using a manual approach. There is little automation beyond the use of native tools that come standard with ERP packages. Unfortunately, the bottleneck of the manual approach is the limitation of the native security reporting tools found in most ERP products. These native tools are not designed to facilitate a large-scale audit effort, but rather to help security administrators perform occasional validation of the accuracy of security configuration. They allow reporting on only a single transaction per query, which may be adequate for a security administrator who works full time and handles each transaction request individually; however, it is not as practical for an IT auditor who is expected to perform the audit in a limited period of time and must test a large number of transactions. Although some IT auditors are able to utilize technology to perform this process more efficiently than others, as long as the process is based on the same philosophy of manual extraction followed by analysis, it continues to be an incredibly tedious and time-consuming task. The manual method is also prone to human errors.
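The shared-authorization-object scenario from section 2.1, checked across all roles and rules in one pass instead of one transaction per query, as an added Python example that is not part of the original paper. The transaction names X and Y come from the text; the object names, role names and the SOD rule are constructed for illustration.

```python
"""Bulk SOD check over role grants (added example; all data is constructed)."""

# Constructed sample data. Each (transaction, mode) lists the
# (authorization object, activity) pairs checked before it is allowed.
# OBJ_SHARED is the object common to X and Y that decides write capability.
REQUIRES = {
    ("X", "display"): {("OBJ_X_DOC", "display"), ("OBJ_SHARED", "display")},
    ("X", "change"): {("OBJ_X_DOC", "display"), ("OBJ_SHARED", "change")},
    ("Y", "display"): {("OBJ_Y_DOC", "display"), ("OBJ_SHARED", "display")},
    ("Y", "change"): {("OBJ_Y_DOC", "display"), ("OBJ_SHARED", "change")},
}

# Constructed SOD rule: no single role may hold write access to both X and Y.
SOD_RULES = [(("X", "change"), ("Y", "change"))]

# The role as first built: read-only access to transaction X.
ROLE_BEFORE = frozenset(REQUIRES[("X", "display")])
# Later change request: write access to Y, granted by adding Y's objects.
ROLE_AFTER = ROLE_BEFORE | REQUIRES[("Y", "change")]
# What the change request actually asked for.
INTENDED = {("Y", "display"), ("Y", "change")}


def effective_access(grants):
    """Return every (transaction, mode) whose checks the grants satisfy."""
    return {access for access, needed in REQUIRES.items() if needed <= grants}


def unintended_access(before, after, intended):
    """Negative test: access gained by a role change that nobody requested."""
    gained = effective_access(after) - effective_access(before)
    return gained - set(intended)


def blame(access, before, after):
    """Newly added grants that the given access depends on."""
    return REQUIRES[access] & (after - before)


def sod_conflicts(roles):
    """Check every role against every SOD rule in a single pass."""
    findings = []
    for name, grants in sorted(roles.items()):
        held = effective_access(grants)
        for first, second in SOD_RULES:
            if first in held and second in held:
                findings.append((name, first, second))
    return findings


if __name__ == "__main__":
    for access in sorted(unintended_access(ROLE_BEFORE, ROLE_AFTER, INTENDED)):
        cause = sorted(blame(access, ROLE_BEFORE, ROLE_AFTER))
        print("unintended access:", access, "caused by", cause)
    roles = {"CLERK_V1": ROLE_BEFORE, "CLERK_V2": ROLE_AFTER}
    for role, first, second in sod_conflicts(roles):
        print("SOD conflict in", role, ":", first, "+", second)
```

Run against an export of real role assignments, the same set comparison reports the write access to X that the change request for Y never mentioned, together with the shared object that caused it.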

2.2 APPROACHES TO SECURITY


Security problems exist in every facet of an ERP system. These facets can be classified into three categories: network layer, presentation layer, and application layer, which includes business processes, internal interfaces, and database. When a customer/partner communicates with an ERP system, or the business components located in different places interact with each other, the security problems in these cases are classified into the network security domain. ERP experts will not deal with these cases directly; instead, this function will be provided by purchasing from other vendors who are experts at network security. The presentation layer refers to the graphical user interface, browsers, and PCs. Since the transmission of GUI packets is impossible to restrict, ERP experts cannot secure the system by limiting user access to GUI. The better way to provide security may be to place a CITRIX server between the user and the ERP system.

Physical Security:

Even a cloud application and data must be located somewhere. The physical surroundings of the software and data are an important component of a business continuity plan as well as a software security plan. A physical security breach means that somebody with malicious intent has physical access to the hardware where either your application is running or where your data is stored. If other forms of security are in place, a physical security breach will not result in loss of data. However, if the intruder's intent is to disrupt your service, then a lapse in physical security will be a problem. Part of your business continuity plan should include a solid physical security plan.

Transmission Security:

When data is communicated between the user, the server, and the database, there is a chance that transmissions can be intercepted. An easy way to prevent this involves encrypting all communications between source and destination. However, encryption comes at a cost to performance. If you spend too many processing cycles encrypting and decrypting data, you will have to purchase more expensive hardware or endure delays.

Storage Security:

When ERP data is accessed by users, business logic limits access to users with the proper credentials (see section on application security). But suppose a network administrator has access directly to data in the database. In this case, the data could be viewed without going through the business logic.

Access Security:

Access (or perimeter) security is important for preventing unwanted users from grabbing resources and sending unauthorized queries to your servers. Usually this is accomplished through the use of firewalls that prevent unwanted traffic from communicating with your business applications. Lack of access security could impact your application availability (in the case of a denial of service attack) and provide hackers with a way in to make it easier to steal resources or passwords.

Data Security:

Data security limits access to data objects to specific individuals. Different levels of data security include read-only, edit, insert, and delete. Data security can be set at the application or object level.

Application Security:

Application security encompasses two major areas: the way the application authenticates and manages users, and the way in which application code is managed.

User Authentication:

User authentication usually involves username and password to identify legitimate users. User identity is critical not only for establishing data rights, but also for creating an audit trail of activities for compliance purposes. Modern systems require strong passwords, enforce lock-out from excessive failures, and give administrators the option to require users to change their password at specific time intervals. In addition to these common security measures, administrators may restrict access to the system by IP address to combat hackers that try to guess usernames and passwords from remote locations.

Managing Code and Logic:

All ERP software undergoes revisions and updates. The processes that manage these updates can be included as part of the overall security plan provided by the vendor. For example, when compiling the final code, processes are in place to ensure that rogue code is not inserted into a production build.

Data base security.

2.3 MAJOR AREAS RELATING TO PRIVACY AND SECURITY

Evaluating access control:

All the data in the ERP are in one single database. Theoretically, it is possible with suitable access to see or modify any part of the data relating to financials, materials, human resources or sales. In a centralized system connected through a network, access to the ERP is possible from any part of the network. Like any other application, access to the data has to be secured not only at the application level, but also at the operating system, database and network levels through suitable controls. The IS auditor should carry out a review of the network, OS and RDBMS before evaluating the access controls in the application.

User ID scrutiny and evaluation:

A good first step for auditing access control is to obtain a list of authorized users and their privileges. The IS auditor should also obtain the list of standard roles and the authorizations required for the roles.

Verification and evaluation of configurations relating to business processes:

This is another major area of audit for an ERP system. The process flow in every business activity, and the possible options for carrying out these activities, are decided by the configurations in the system. Such configurations exist literally in every process and module, and the process of evaluating them can be a long and tedious job for the auditor. The best way to do this is to approach it from the business risk perspective and identify the configurations pertaining to those processes. Each of these configurations can be seen on the system by executing certain commands or following a certain path in the menu. An audit program that lists these and the possible values and options of these is a necessary tool, without which it would be difficult to carry out this evaluation.

Change management:

The other factor that can influence security is change management. The way modifications are done to the programs and the configurations, the effective segregation between the development and production environments, and the processes for testing, quality assurance and migration need to be reviewed by the auditor.

Interfaces:

ERPs invariably need to send or receive data from other systems. Interfaces can be simple batch uploads of data or real-time data movement from multiple systems to and from the ERP through an integration middleware platform. An interface has the potential to become a weak point that can compromise security.

3.0 CONCLUSION

Enterprise Resource Planning is the technology that drives the reformation in the realm of economy and impacts people's lifestyle indirectly. The ERP system is now moving towards a system with more coordination/collaboration, higher heterogeneity and integrity, more intelligence, operating on the level of knowledge, and even wireless-enabled. The security issue within ERP has been there for a long time, but most of the solutions are based on the assumption that an ERP system is a closed environment. Given current trends, where the ERP is more likely to be an open system, these solutions are insufficient to provide the security. Although there are many researchers working in this area and some solutions are provided to better suit the open environment, the security mechanism for ERP systems has not yet been brought to the open environment for discussion. Furthermore, these existing security solutions are based on the features of the current ERP system; since ERP reveals more and more new features that may be supported in the future, the security mechanism has to be retrofitted and new security issues have to be identified.

The research should focus on the following areas:
- Policy, model and design of the security architecture
- Securing the exchanged documents
- Securing the management and sharing of knowledge
- Securing web services and service oriented architecture
- User authentication and authorization methods in open environment
- Securing data transfer in wired and wireless communications, especially security issues on low power devices
- Examining the security of the interfaces between different components (e.g., operating system, database system, and logging mechanism) and ensuring that no security loopholes are introduced due to component interactions

