On May 12th, 2021, President Biden signed an Executive Order intended to improve the nation’s cybersecurity posture and strengthen Federal networks. The order followed several high-profile attacks, including SolarWinds and, most recently, Colonial Pipeline, both of which highlighted key deficiencies in the federal government’s ability to detect, respond to, and ultimately communicate about cybersecurity threats.
One of the order’s main focus areas was modernizing and implementing stronger cybersecurity standards. Specifically highlighted was the need to adopt zero trust security models and use multifactor authentication (MFA):
The Executive Order helps move the Federal government to secure cloud services and a zero trust architecture and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.
In short, Zero Trust is a security concept centered on the principle that an organization should not automatically trust anything inside or outside its perimeter; every user, device and connection must be verified before access to its systems is granted. Zero Trust is a topic we at Pathlock have written about many times.
Applications that rely solely on role-based access controls make enforcing Zero Trust difficult, because role-based access controls use a static rule set to govern access, and the privileges they grant do not change with the context of a given access attempt. Whether a user connects from an unknown network, an unrecognized device, an unusual location, or outside business hours, their originally granted privileges remain intact. That static, context-blind grant is exactly the risk Zero Trust is meant to mitigate.
In practice, Zero Trust requires context-aware authentication controls: controls that evaluate contextual variables and apply an additional authentication step before granting access to an application, or to data within it. Even when a user’s role says they are allowed to view or change something, a step-up authentication challenge is required whenever one of those contextual variables indicates elevated risk. The user is never trusted by default; they must re-authenticate whenever the context calls for it, and the role check still has to pass first, since context can only restrict access, never expand it.
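The following is an added example of the decision logic described above, written for this article and not code from Pathlock’s platform or from any ERP vendor. It assumes a hypothetical role table, corporate network ranges, a known-device registry and UTC business hours, all constructed for illustration. It shows the ordering a practitioner would want: the static role check runs first and context can only tighten the result; risk signals on a sensitive transaction force a step-up; and a previous MFA success only counts if it is recent and was bound to the same network and device, so that an attacker who satisfies MFA from one context cannot reuse it from another.

```python
"""Context-aware step-up authentication layered on a static RBAC check.

Added example, not Pathlock's product code and not tied to a specific ERP.
The role table, network ranges, device registry and sample requests are
constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple
import ipaddress


class Decision(Enum):
    DENY = "deny"
    ALLOW = "allow"
    STEP_UP = "step_up"   # allowed only after a fresh, context-bound MFA


# Static RBAC: role -> permitted transactions (constructed).
ROLE_PERMISSIONS = {
    "ap_clerk": {"VIEW_INVOICE", "CREATE_INVOICE"},
    "ap_manager": {"VIEW_INVOICE", "CREATE_INVOICE", "APPROVE_PAYMENT"},
}
# Transactions where any single risk signal forces a step-up.
SENSITIVE = {"APPROVE_PAYMENT", "CHANGE_BANK_DETAILS"}
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]
KNOWN_DEVICES = {"alice": {"dev-laptop-01"}, "bob": {"dev-laptop-02"}}
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 UTC (constructed)
MFA_MAX_AGE = timedelta(minutes=15)    # how long a step-up stays valid


@dataclass
class Request:
    user: str
    role: str
    transaction: str
    source_ip: str
    device_id: Optional[str]
    at: datetime                              # timezone-aware
    mfa_verified_at: Optional[datetime] = None
    mfa_context: Optional[Tuple[str, Optional[str]]] = None  # (ip, device)


def risk_signals(req: Request) -> List[str]:
    """Return the contextual signals that make this request riskier."""
    try:
        ip = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return ["unparseable_ip"]             # fail closed on bad input
    signals = []
    if not any(ip in net for net in CORPORATE_NETS):
        signals.append("off_network")
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        signals.append("unknown_device")
    if req.at.astimezone(timezone.utc).hour not in BUSINESS_HOURS:
        signals.append("outside_hours")
    return signals


def mfa_is_fresh(req: Request) -> bool:
    """A prior MFA counts only if recent and bound to the same ip/device."""
    if req.mfa_verified_at is None or req.mfa_context is None:
        return False
    if req.at - req.mfa_verified_at > MFA_MAX_AGE:
        return False
    return req.mfa_context == (req.source_ip, req.device_id)


def decide(req: Request) -> Tuple[Decision, List[str]]:
    # 1. Static role check first: context never grants what the role lacks.
    if req.transaction not in ROLE_PERMISSIONS.get(req.role, set()):
        return Decision.DENY, ["rbac"]
    # 2. Evaluate context; malformed context is treated as a denial.
    signals = risk_signals(req)
    if "unparseable_ip" in signals:
        return Decision.DENY, signals
    # 3. Step up on any signal for sensitive work, or on two or more signals.
    if signals and (req.transaction in SENSITIVE or len(signals) >= 2):
        return (Decision.ALLOW if mfa_is_fresh(req) else Decision.STEP_UP), signals
    return Decision.ALLOW, signals


def run_samples() -> Dict[str, Decision]:
    """Constructed requests covering the cases discussed in the text."""
    t = datetime(2021, 6, 1, 10, 0, tzinfo=timezone.utc)   # inside hours
    late = datetime(2021, 6, 1, 22, 0, tzinfo=timezone.utc)  # outside hours
    off_net = "203.0.113.5"
    cases = {
        "manager_on_network": Request("alice", "ap_manager", "APPROVE_PAYMENT",
                                      "10.1.2.3", "dev-laptop-01", t),
        "manager_off_network": Request("alice", "ap_manager", "APPROVE_PAYMENT",
                                       off_net, "dev-laptop-01", t),
        "manager_off_network_fresh_mfa": Request(
            "alice", "ap_manager", "APPROVE_PAYMENT", off_net, "dev-laptop-01", t,
            mfa_verified_at=t - timedelta(minutes=5),
            mfa_context=(off_net, "dev-laptop-01")),
        "manager_off_network_mfa_other_device": Request(
            "alice", "ap_manager", "APPROVE_PAYMENT", off_net, None, t,
            mfa_verified_at=t - timedelta(minutes=5),
            mfa_context=(off_net, "dev-laptop-01")),
        "clerk_approving_payment": Request("bob", "ap_clerk", "APPROVE_PAYMENT",
                                           "10.1.2.3", "dev-laptop-02", t),
        "clerk_view_off_network": Request("bob", "ap_clerk", "VIEW_INVOICE",
                                          off_net, "dev-laptop-02", t),
        "clerk_view_off_network_unknown_device_late": Request(
            "bob", "ap_clerk", "VIEW_INVOICE", off_net, None, late),
    }
    return {name: decide(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:45s} {outcome.value}")
```

Note that the clerk who lacks the APPROVE_PAYMENT role is denied outright, regardless of how trustworthy the context looks, while the manager who holds the role is still challenged off-network and must satisfy MFA from that same network and device; a step-up completed earlier on a known device does not carry over to an unknown one.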
ERP applications like PeopleSoft, SAP ECC, and Oracle EBS were designed years, in some cases decades, before Zero Trust was recommended. Their native architecture was not built to accommodate multifactor authentication solutions that can A) be integrated at the field or transaction level of a workflow, or B) trigger MFA dynamically for each unique context of access. In essence, traditional ERP applications create a significant challenge for Zero Trust.
Dynamic MFA integrated inside ERP applications is one of the most common use cases our security platform addresses. For over 10 years, Pathlock has been developing native integrations between Oracle and SAP ERP applications and some of the top MFA providers in the market, including Duo, Bio-Key, RSA, Symantec, SecureAuth, and more.
For a demonstration, please reach out to us today! Pathlock can help you remain aligned with information security best practices across your ecosystem.