ERP Security: Defending the Crown Jewels
ERP systems contain an organisation's most sensitive data: financial records, customer information, employee data, and intellectual property. They are high-value targets for attackers and must be defended accordingly.
The security challenge: ERP systems are complex, with extensive functionality and integration points. Each feature and integration is a potential attack vector. Security hardening must be comprehensive without breaking functionality.
---
Defence in Depth
ERP security requires multiple layers:

Network Security
Perimeter:
- Firewalls
- Web application firewalls (WAF)
- DDoS protection
- Intrusion detection/prevention

Internal:
- Network segmentation
- VLAN isolation
- Micro-segmentation
- Traffic monitoring

Application Security
Authentication:
- Strong password policies
- Multi-factor authentication (MFA)
- Single sign-on (SSO)
- Session management

Authorization:
- Role-based access control (RBAC)
- Least privilege principle
- Segregation of duties
- Regular access reviews

Input validation:
- SQL injection prevention
- Cross-site scripting (XSS) prevention
- Input sanitisation
- Output encoding

Data Security
Encryption:
- Data at rest encryption
- Data in transit encryption (TLS)
- Database encryption
- Backup encryption

Data masking:
- Non-production environment masking
- Sensitive data redaction
- Test data management

Endpoint Security
User devices:
- Endpoint protection
- Device management
- Patch management
- Access restrictions
---
Access Control
Identity Management
User provisioning:
- Automated provisioning/deprovisioning
- Joiner/mover/leaver processes
- Identity lifecycle management

Authentication:
- Password policies
- MFA enforcement
- SSO integration
- Session timeout

Authorization
Role design:
- Business function-based roles
- Minimal necessary access
- Clear role documentation
- Regular role review

Segregation of duties:
- Conflict identification
- Compensating controls
- Exception management
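Segregation-of-duties conflict identification and exception management, as an added Python example that is not part of the original article: it derives each user's effective business functions from their roles, flags every conflicting pair, and suppresses a finding only when a documented, unexpired exception naming a compensating control covers that user and pair. The conflict matrix, role names, users and exceptions are constructed placeholders, not any vendor's definitions.

```python
from datetime import date

# Constructed conflict matrix: pairs of business functions one person must
# not hold together. Function names are hypothetical, not any vendor's.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"vendor_create", "invoice_post"}),
    frozenset({"payroll_change", "payroll_run"}),
    frozenset({"journal_post", "journal_approve"}),
}
# Constructed role-to-function mapping (hypothetical ERP roles).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"vendor_create"}, "AP_POSTER": {"invoice_post"},
    "AP_MANAGER": {"payment_approve"}, "GL_ACCOUNTANT": {"journal_post"},
    "GL_CONTROLLER": {"journal_approve"},
    "PAYROLL_ADMIN": {"payroll_change", "payroll_run"},
}

def find_conflicts(roles):
    """Return the SoD pairs triggered by the union of a user's roles, sorted."""
    funcs = set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))
    return sorted(tuple(sorted(p)) for p in SOD_CONFLICTS if p <= funcs)

def sod_review(assignments, exceptions, today):
    """Report unresolved conflicts: {user: [(func_a, func_b, status)]}; a
    conflict is suppressed only by an unexpired exception naming a control."""
    findings = {}
    for user, roles in assignments.items():
        for pair in find_conflicts(roles):
            exc = exceptions.get((user, pair))
            if exc is None:
                status = "no_exception"
            elif not exc.get("control") or exc["expires"] < today:
                status = "exception_invalid"
            else:
                continue  # covered by a documented, current exception
            findings.setdefault(user, []).append(pair + (status,))
    return findings

# Constructed sample: role assignments and the documented exceptions.
ASSIGNMENTS = {"alice": ["AP_CLERK", "AP_POSTER"], "bob": ["AP_CLERK", "AP_MANAGER"],
               "carol": ["GL_ACCOUNTANT"], "dave": ["PAYROLL_ADMIN"]}
EXCEPTIONS = {
    ("bob", ("payment_approve", "vendor_create")): {
        "control": "monthly review of payments to new vendors", "expires": date(2026, 6, 30)},
    ("dave", ("payroll_change", "payroll_run")): {
        "control": "payroll register reconciled by finance", "expires": date(2024, 12, 31)},
}

def demo(today=date(2025, 3, 1)):
    return sod_review(ASSIGNMENTS, EXCEPTIONS, today)
```

Running `demo()` reports alice (conflicting roles, no exception) and dave (exception expired) while bob's conflict is covered until its review date, which is the shape a periodic access review should produce.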
Privileged Access
Administrator accounts:
- Separate admin accounts
- Privileged access management (PAM)
- Session recording
- Just-in-time access
---
Vulnerability Management
Vulnerability Scanning
Regular scanning:
- Infrastructure scanning
- Application scanning
- Database scanning
- Container scanning

Remediation:
- Prioritise by severity
- Define remediation timelines
- Track remediation progress
- Exception process for accepted risks

Patch Management
Process:
- Monitor vendor advisories
- Evaluate patch impact
- Test patches in non-production
- Deploy during maintenance windows
- Verify successful deployment

ANZ timing:
- Consider time zone for vendor support
- Plan for ANZ maintenance windows
---
Security Monitoring
Security Information and Event Management (SIEM)
Log collection:
- Application logs
- System logs
- Access logs
- Security events

Correlation:
- Identify attack patterns
- Detect anomalies
- Alert on security events

Security Operations
Monitoring:
- 24/7 security monitoring
- Incident response capability
- Threat intelligence integration

Response:
- Incident response plan
- Escalation procedures
- Forensic capability
- Recovery procedures
---
ANZ-Specific Considerations
Privacy Regulations
Privacy Act 2020 (NZ):
- Data protection requirements
- Breach notification
- Cross-border data transfer

Privacy Act 1988 (AU):
- Australian Privacy Principles
- Notifiable data breaches
- Data handling requirements

Industry Requirements
Financial services:
- APRA CPS 234 (AU)
- RBNZ guidance (NZ)

Healthcare:
- Health information protection
- Patient data security
---
Monday Morning Action Plan
- Conduct Security Assessment: Identify current security posture and gaps.
- Enable MFA: If not already enabled, implement multi-factor authentication for all users.
- Review Access: Audit user access and remove unnecessary privileges.
- Verify Encryption: Confirm data is encrypted at rest and in transit.
- Test Incident Response: Ensure your security incident response plan works.
---
Conclusion: Security Is Ongoing
ERP security is not a one-time project—it's an ongoing programme. New vulnerabilities emerge, threats evolve, and systems change. Continuous attention to security is essential for protecting business-critical systems and data.