A policy is a deliverable of the governance function, issued by senior executives to set measurable guidelines and expectations for how all security, risk, and compliance activities are to be performed. Policies are often captured in a Microsoft Word document and distributed to the responsible managers, who are expected to understand the policy and comply with it.
The effectiveness of these policies depends on how they are enforced across the various ERP applications deployed in the organization. For a long time, policies were enforced through roles defined within the ERP applications themselves. Application security has since had to become far more dynamic to safeguard systems and data effectively. In addition, many organizations are adopting flexible arrangements such as remote work and Bring Your Own Device (BYOD), which add further challenges to policy enforcement: the same role is now exercised from unmanaged devices and networks the application was never designed to reason about.
As a result, your policy enforcement program needs to be dynamic and adaptive. Organizations must also keep up with ever-changing compliance obligations from sources such as GDPR, CCPA, HIPAA, PCI-DSS, and Sarbanes-Oxley. These regulations demand a much greater degree of agility in configuring and updating access, transaction, and data-field-level controls as policy requirements change. That agility is something the default application security model, role-based access control, cannot effectively provide.
Most ERP applications still use the static role-based access control (RBAC) security model to manage access and authorizations. Gartner therefore recommends moving to an attribute-based access control (ABAC) security model, often called policy-based access control. The reason for the shift from role-based to policy-based security is that ABAC makes it straightforward to express combinations of policy requirements directly in the access, transaction, and data-field-level controls and to update them as requirements change, which is what an adaptive security model needs.
RBAC on its own cannot carry contextual policy requirements (who is acting, from what device and network, on which record, for how much) into the authorization decision, nor down to the transaction and data-field level, the way ABAC can. Under RBAC, enforcing such a policy typically falls to manual processes outside the application. ABAC can automate that enforcement by combining contextual attributes, allowing security teams to build more effective detective and preventive transaction and data controls that keep evaluating the policy continuously, even after the user has logged into the application. This adaptive capability not only strengthens transaction and data security but also lets organizations align security and compliance requirements with "intelligent controls" that adapt to the inherent risk exposure.
Gartner called the RBAC security model static, meaning it offers no adaptive capability, and it is therefore less effective at detecting and preventing threats. ABAC, by contrast, can treat policy requirements as key risk indicators designed into the access, transaction, and data-field-level controls, enabling more effective monitoring, detection, and prevention.
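To make the RBAC-versus-ABAC distinction above concrete, here is a small policy evaluator written for this post as an added example; it is not Pathlock code and not the authorization model of any particular ERP product. The role names, the vendor-payment transaction, the 50,000 approval threshold, the segregation-of-duties rule and the BYOD masking rule are all assumptions made up for the illustration. The static `rbac_decide` check can only answer "does this role hold this permission"; `abac_decide` consumes the role as one attribute alongside resource and environment attributes, can deny a high-value approval from an unmanaged device, block a user from approving a payment they created, and return a field-level obligation (mask bank details) instead of a plain yes/no. Because the decision is a function of the current request, re-running it mid-session after the device or network attributes change is what gives the continuous, post-login evaluation the text describes.

```python
"""Static RBAC check beside an attribute-based (ABAC) policy evaluator.

Added example for this post: the roles, rules and threshold below are
constructed for illustration and do not describe any real product's policy.
"""
from dataclasses import dataclass, field
from typing import Callable

# --- RBAC: a static role -> permission map (assumed roles/permissions) ------
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor_payment:create", "vendor_payment:view"},
    "ap_manager": {"vendor_payment:view", "vendor_payment:approve"},
}


def rbac_decide(roles: set[str], permission: str) -> bool:
    """Classic RBAC: permit if any role carries the permission.

    Device, network, amount or data fields cannot influence this answer."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


# --- ABAC: subject, action, resource and environment attributes -------------
@dataclass
class Request:
    subject: dict       # e.g. {"id": "u7", "roles": {"ap_manager"}, "department": "AP"}
    action: str         # e.g. "vendor_payment:approve"
    resource: dict      # e.g. {"type": "vendor_payment", "amount": 80000, "created_by": "u42"}
    environment: dict   # e.g. {"device_managed": False, "mfa": True, "network": "home"}


@dataclass
class Decision:
    effect: str                                          # "permit" or "deny"
    reasons: list[str] = field(default_factory=list)     # audit trail for monitoring
    masked_fields: set[str] = field(default_factory=set)  # data-field-level obligation


Rule = Callable[[Request, Decision], None]


def base_role_rule(req: Request, dec: Decision) -> None:
    # The role is still useful: ABAC consumes it as one attribute among many.
    if not rbac_decide(req.subject["roles"], req.action):
        dec.effect = "deny"
        dec.reasons.append("role lacks permission")


def sod_rule(req: Request, dec: Decision) -> None:
    # Segregation of duties (assumed rule): whoever created a payment may not approve it.
    if req.action == "vendor_payment:approve" and req.resource.get("created_by") == req.subject["id"]:
        dec.effect = "deny"
        dec.reasons.append("SoD: approver created the payment")


def high_value_rule(req: Request, dec: Decision) -> None:
    # Assumed threshold: approvals above 50,000 need MFA on a managed device.
    if req.action == "vendor_payment:approve" and req.resource.get("amount", 0) > 50_000:
        if not (req.environment.get("mfa") and req.environment.get("device_managed")):
            dec.effect = "deny"
            dec.reasons.append("high-value approval needs MFA on a managed device")


def byod_masking_rule(req: Request, dec: Decision) -> None:
    # Viewing from an unmanaged (BYOD) device is permitted, but sensitive fields are masked.
    if req.action == "vendor_payment:view" and not req.environment.get("device_managed"):
        dec.masked_fields |= {"bank_account", "tax_id"}
        dec.reasons.append("unmanaged device: sensitive fields masked")


POLICY: list[Rule] = [base_role_rule, sod_rule, high_value_rule, byod_masking_rule]


def abac_decide(req: Request, policy: list[Rule] = POLICY) -> Decision:
    """Evaluate every rule against the full request; any rule may deny or add obligations."""
    dec = Decision(effect="permit")
    for rule in policy:
        rule(req, dec)
    if dec.effect == "deny":
        dec.masked_fields = set()   # obligations are moot once access is denied
    return dec


def apply_obligations(record: dict, dec: Decision) -> dict:
    """Return the record with masked fields redacted: the data-field-level control."""
    return {k: ("***" if k in dec.masked_fields else v) for k, v in record.items()}


if __name__ == "__main__":
    # Constructed sample: an AP manager approving a large payment, first from the
    # corporate network on a managed laptop, then re-evaluated from a personal device.
    manager = {"id": "u7", "roles": {"ap_manager"}, "department": "AP"}
    payment = {"type": "vendor_payment", "amount": 80_000, "created_by": "u42"}
    corp = {"device_managed": True, "mfa": True, "network": "corp"}
    byod = {"device_managed": False, "mfa": True, "network": "home"}

    print("RBAC says:", rbac_decide(manager["roles"], "vendor_payment:approve"))
    for env in (corp, byod):
        d = abac_decide(Request(manager, "vendor_payment:approve", payment, env))
        print(env["network"], "approve ->", d.effect, d.reasons)
    view = abac_decide(Request(manager, "vendor_payment:view", payment, byod))
    print(apply_obligations({"vendor": "Acme", "bank_account": "DE89 3704 0044 0532 0130 00"}, view))
```

Running the block shows RBAC returning `True` for the approval regardless of context, while the same approval is permitted from the managed device and denied from the BYOD device; the view request from the BYOD device is permitted with the bank account redacted. In a real deployment the rule list would be loaded from the governed policy set rather than hard-coded, and the `reasons` list is what a monitoring pipeline would consume as the key risk indicators the text refers to.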
Policies are the baseline used to monitor, detect, and correct performance variances. It’s not uncommon for organizations to have hundreds or even thousands of policies relevant to security, risk, and compliance initiatives. As a result, a lack of policy effectiveness negatively impacts the organization’s governance and oversight effectiveness.
Learn how to manage your policies effectively with the Pathlock Platform: Schedule a demo with our ERP experts.