
How to protect ERP data when access to corporate networks is both ubiquitous and for sale on the dark web

By Piyush Pandey
July 13, 2020

With remote work expanding exponentially, malicious actors are targeting corporate networks more than ever. Remote users accessing corporate networks with (potentially compromised) mobile devices and on home wireless connections increase the potential for a variety of attacks. With a myriad of employees and contractors given ubiquitous access to business data, one thing is clear: identity has become the new security perimeter. Ensuring Enterprise Resource Planning (ERP) data security, privacy and compliance can no longer rely solely on network threat monitoring; it requires a layered identity defense that limits access to and within mission-critical applications. Why? Because malicious access to your network is no longer preventable, but inevitable. Ultimately, the strength of your identity and data security postures will determine your data’s integrity.

  

Increased dark web sales of network access  

Cybercriminals have identified the expanded threat surface from remote access and responded with an increased interest in acquiring large amounts of personally identifiable information (PII), primarily through corporate ERP applications, as this is where the most HCM and financial data is typically stored. According to research by Positive Technologies discussing dark web information sales in 2019, the average price for privileged access to a single local network was approximately $5,000. Globally, malicious actors sold credentials across a variety of industries.

In the US, the top three industries were:  

  • Service (20 percent)  
  • Industrial (18 percent)   
  • Government (14 percent)  

Meanwhile, in Italy, industrial and service companies topped the list. The United Kingdom’s most targeted industries were service, science, education and finance. Brazil saw attacker interest in government and healthcare.   

In short, no industry is safe. All organizations need to focus on securing their most vulnerable access points to prevent financial losses associated with data breaches.   

   

Start with securing your crown jewel ERP systems  

Organizations looking to accelerate their data security maturity can choose to lock down access across their ERP systems for a “quick win.” According to the 2020 Verizon Data Breach Investigations Report, 67 percent of 2019 data breaches arose from credential theft, social engineering attacks, or errors that enabled malicious actors to gain unauthorized access to sensitive data.   

Many organizations apply role-based access controls (RBAC) that align data access privileges to resources based on job functions. However, in a cloud-based ecosystem, RBAC’s static nature creates a productivity barrier. Cloud resources require a more dynamic approach to access that incorporates additional user attributes such as geolocation, device, IP address, or time of day.   

Attribute-based access controls (ABAC) enable organizations to purposefully limit access according to the principle of least privilege. For example, if the organization knows that an employee should be working from Connecticut, ABAC can prevent access to resources, mask highly sensitive data, or prevent a transaction entirely if the user’s location is suddenly California – or a foreign country.  

These granular, data-centric access privileges can help an organization prevent malicious access to important ERP data, proactively mitigating data security, privacy and compliance risks.   

  

Continuously monitor privileged user activity and behavior  

With ABAC, organizations can set fine-grained access controls that mitigate risks. However, cybercriminals who steal privileged credentials may enter the organization’s IT ecosystem and then move around within it unnoticed.

Privileged users, such as system administrators, need superuser access to do their jobs. While ABAC provides some level of control that can limit the data they access, their job functions require them to add users, delete payees and engage in other potentially risky activities across the ERP ecosystem.   

Thus, privileged credentials are highly sought after on the dark web. Once attackers obtain these privileged credentials, they can move within the organization’s cloud infrastructure nearly unfettered. While ABAC provides a baseline for limiting access, organizations need to layer their defenses at the identity perimeter the same way they created layered defenses at the infrastructure perimeter.   

Continuously monitoring activity and behavior provides valuable visibility into how users engage with data and what they do with their access. For example, organizations may be able to apply time-based ABAC for standard users, since the general human resources employee likely works during daytime hours. However, privileged users may need 24-hour access to respond to outages or other IT events.   

Continuously monitoring their access and behavior provides the additional needed layer of defense at the identity perimeter. By monitoring the privileged user’s activities, the organization can “watch the watchers” and gain visibility into potential credential theft. If the account engages in unusual access, the organization can review whether that access was necessary and document the findings. By tracking the activity back to the user, the organization proves governance and proactively protects data.   

   

Creating layered defense at the identity perimeter to strengthen data security   

With organizations seeking to proactively secure data as part of the move to a distributed workforce, they should draw their first line of defense at the identity perimeter. By establishing dynamic, attribute-based controls, companies can more precisely define access to ERP resources. However, limiting access itself may cause productivity issues, especially when users need to contact IT departments to request additional access.   

Data masking, or hiding sensitive information not necessary to the job function, creates an additional security layer. Users are not only limited in their access; masking the data also removes the excess access risk that comes with visibility of unnecessary, sensitive data within the access they are granted. An organization’s payroll manager may not need to see employees’ account information to process the payments. Thus, limiting access and masking data create a double layer of defense.

Finally, by continuously monitoring user activity and behavior, organizations add a third defensive layer. They limit access on a fine-grained level, mask unnecessary sensitive data and ensure that they investigate irregular activity within their ecosystem.   

By creating a three-layered identity defense, organizations can proactively mitigate many of the risks associated with the increased malicious actor interest in corporate networks. 
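The three layers described above (attribute-based limits, masking, and monitoring) can be sketched as a single decision function. This is an added example, not code from the article or from any ERP product; the role names, field names, working hours and the last-four masking rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

SENSITIVE = {"bank_account", "ssn"}             # constructed field names
CLEAR_VIEW = {("hr_admin", "ssn")}              # assumed (role, field) pairs shown unmasked
DAY_START, DAY_END = time(7, 0), time(19, 0)    # assumed working hours

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    privileged: bool
    location: str            # where the session appears to come from
    expected_location: str   # where the user is known to work
    at: time
    field: str               # ERP field being requested

def decide(req, audit):
    """Apply the three layers; return 'deny', 'mask' or 'allow'."""
    off_hours = not (DAY_START <= req.at <= DAY_END)
    moved = req.location != req.expected_location
    # Layer 1: attribute-based limits. Privileged users keep 24-hour access.
    if moved or (off_hours and not req.privileged):
        decision = "deny"
    # Layer 2: mask sensitive fields the role does not need in the clear.
    elif req.field in SENSITIVE and (req.role, req.field) not in CLEAR_VIEW:
        decision = "mask"
    else:
        decision = "allow"
    # Layer 3: record every decision; flag location changes and privileged
    # off-hours activity so the access is reviewed and documented.
    audit.append({"user": req.user, "field": req.field, "decision": decision,
                  "review": moved or (req.privileged and off_hours)})
    return decision

def render(value, decision):
    """Return the value as the user would see it under the decision."""
    if decision == "deny":
        return None
    if decision == "mask":
        return "*" * max(len(value) - 4, 0) + value[-4:]
    return value

if __name__ == "__main__":
    log = []
    payroll = Request("pm01", "payroll_manager", False, "CT", "CT",
                      time(10, 30), "bank_account")
    d = decide(payroll, log)
    print(d, render("000123456789", d), log[-1])
```

The privileged exemption from the time rule is what makes the third layer necessary: an administrator's 02:00 session is allowed, so the only control left on it is the review flag in the audit record.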

KEYWORDS: cyber security Dark Web data breach data security Monitoring Solutions

Piyush Pandey, CEO at Appsian (www.appsian.com) is a technology executive with 18 years of global experience in strategy, sales, mergers & acquisitions, and operations within software companies. Over the last 10 years, he has worked with enterprise software companies including Oracle, Epicor, Concur, Citrix and Microsoft on various transactions. He has held various leadership positions at Procera, Deutsche Bank, Stifel, Wipro Technologies and a wireless startup.
