ERP Risk Management: Don't Rock the Cradle?

ERP Risk Management- don't rock the cradle_.jpg

By Sean Martin, host of At The Edge and An InfoSec Life

I recently had a chance to connect with Alex Horan, Director of Product Management at Onapsis to discuss the risks inherent in ERP systems. The catalyst behind this conversation is driven by research the team at Onapsis routinely performs.

Findings from their research and connections with businesses around the world show that there are certain systems that are deployed for the sole purpose of running the business; systems that are so critical to the business that nobody wants to mess with them. The fear in many cases they find is that any change—large or small—could knock the system offline and cause a disruption to business operations. Or, more importantly, directly impact revenue generation. ERP systems such as Oracle and SAP fall squarely into this category.

The challenge with this mindset of 'don't rock the cradle,' as is described to me Alex during our chat, is that these systems are so critical that the risk should really be identified and tackled head on; business teams need to join forces with infosec teams to look at all aspects of the information security CIA triad - confidentiality, integrity, and availability.

In this episode of At The Edge with Sean Martin, Alex shares some insights coming from the continuous research his team does for these systems, looking at the risks and vulnerabilities associated with versioning, configuration, patch management, logging, and monitoring. Have a listen to learn more about the risks and compensating controls organizations need to be aware of.

Here are the four key tips from Alex - do you have them all in place?

- Know what you are running
- Have solid security practices in place that include these systems
- Patching is just as critical for these systems - in the cloud and on-premises
- Employ logging and monitoring

Listen to the podcast

During Black Hat USA, ITSPmagazine's Sean Martin had a chance to connect with Alex Horan from Onapsis. The two had an informative conversation surrounding the risks associated with critical business systems such as those found in the world of enterprise resource planning (ERP).

The main risk inherent in ERP systems—such as Oracle and SAP—is that they can be deployed, configured, and maintained in either secure state or an insecure state. The goal with the Onapsis research released is to provide visibility into these risks. Alex isn't just talking about risks associated with vulnerabilities and patch management; rather that plus how these systems are configured and monitored.

The biggest challenge, Onapsis finds, is that most organizations don’t look at these systems from a security perspective. Why? Alex notes that it’s usually a case of everyone thinking that everyone else has it covered.

Want to learn more about what these risks entail? Listen in as Alex shares some of the findings from their research and the impact these findings can have to the business.