The Log4Shell crisis has raised awareness: companies need to pay more and more attention to ERP security. Today, ERP software is only one part of a highly networked information system that is increasingly being moved to the cloud. At the same time, attacks of all kinds on these structures are increasing.
Increasing security requirements for ERP systems
When it comes to the topic of security, experts point out that the safeguarding of ERP systems is not automatically synonymous with general IT security. Often, specific vulnerabilities of ERP systems need to be considered.
At the same time, these experts assume that attacks on ERP installations will increase sharply, which is due not least to the increasing shift of business software into the cloud.
The Covid-19 pandemic can also be seen as an accelerator. The widespread relocation of many workplaces to the home office has forced many companies to establish new structures that are often vulnerable to cybercrime.
Increasing learning curve of the attackers
Some time ago, attackers focussed on the weak points of the IT infrastructure. Cyber attacks were increasingly automated and the corresponding expertise was made available to the "market" in the form of tools and information.
Increasingly, the possibilities of using ERP and other business software as gateways are now becoming known and widespread. The increasing networking and integration of widely distributed systems of different participants seems to be ideally suited for this. The increasing dialogue capability of the systems is both a curse and a blessing. From a security perspective, it is often more of a curse than a blessing.
Security know-how of the administrators
ERP security, especially for medium-sized companies, is a staff-dependent problem. The people responsible for IT security often do not have the necessary knowledge of ERP systems. In the past, it was enough to take care of sealing off the infrastructure and preventing the emergence of shadow IT in the company. Today, the danger lies increasingly in the business software itself. In order to be able to act, however, detailed knowledge about the functions of the ERP software landscape is required.
At the same time, ERP administrators are often not aware of IT security concerns. Sometimes the respective departments operate completely in parallel. Such structures invite attackers to look for and exploit an emerging gap.
Complex security requirements
The mix of knowledge that must be used in an integrated security strategy is challenging. Know-how is needed regarding ERP databases and their application-specific characteristics. Knowledge about the various possibilities of integrating different applications, through to web and cloud services, is also required.
ERP-specific security measures often include user access control. This involves more than just user administration. The security requirements for ERP systems have become increasingly complex due to the integration with other systems or applications.
The Cloud Security Paradox
However, integration is not the only reason for complexity. The growth of e-commerce and the desire of vendors to migrate ERP customers to the cloud are also drivers of multi-layered structures that are difficult to control.
However, one realisation has become more and more prevalent: the migration of an ERP system to the cloud does not necessarily make such a system less secure; on the contrary, it makes it more secure. Cloud providers are better able to deal with security requirements than their customers. This is especially true when it comes to specialised cloud providers who offer not only a kind of extended hosting but also application know-how as a service.