Enterprise Resource Planning systems

4 12 2012

Enterprise Resource Planning (ERP) systems integrate core business functions into one system that maintains all of a company's assets and resources. ERP applications are found in many companies, and each system spans the entire company, often integrating with its customers and suppliers to become a single fluid system. With so many touch points on the system, it is important to have procedures governing both the policies and the technology of each ERP system. As an undergraduate student, I had the opportunity to take an ERP systems course. Throughout the class there were labs where the student used a SAP GUI interface to simulate a muffin-making company. Through this simulation, we had to use the ERP system to produce a large batch of muffins from the preliminary stages of acquiring raw materials all the way to the production stages of mixing the ingredients, baking, and distributing. The final labs included the accounting and finance modules of the ERP system as well as a customer-relationship management component. While this lab was fictional, and each student had access to every part of the SAP ERP system, it demonstrated just how connected each part of the system was to every other module in the ERP system and how important a secure system is in an enterprise.

As ERP systems are being implemented and configured, it is important to integrate security features from the start. Security can often be overlooked as companies strive to complete ERP projects on time and on budget. Security features should be factored into the development and deployment of an ERP system from the start to avoid major revisions to the system in the future. “ERP systems must be able to process a wide array of business transaction and implement a complex security mechanism that provides granular-level access to users” (Pandey 1). Having a system that can process large amounts of data across various departments while still being secure from unauthorized users or hackers can prove to be a challenge. Integration of suppliers and customers throughout the supply chain increases the number of authorized user accounts, but it also “introduces new entry points to business systems from outside the traditional IT security perimeter” (VanHolsbeck 1). This forward and backward integration of customers and suppliers on a collaborative ERP system can be a significant vulnerability if adequate measures are not taken to secure it.

An ERP system consists of a three-tier client-server architecture. The first layer is the presentation layer, which consists of a Graphical User Interface (GUI) that allows input to be entered and returns the generated output to the user (She 154). The application layer takes the input entered through the presentation layer and processes it. The database layer manages the data for the entire company and often includes the operating system and hardware components of an ERP system (She 154). In addition to these three tiers, ERP systems also use web-based services to complete tasks. A variety of mark-up languages, including SAML (Security Assertion Markup Language) and XACML (XML Access Control Markup Language), can be used within an ERP system to aid in securing web technologies (She 162). ERP systems are easily customizable to different industries such as manufacturing, finance and banking, healthcare, and retail. With this large amount of customization, companies should be aware of the security issues that come with implementing an ERP system using custom code for transactions, programs, roles, and authorizations (Medvedovskiy 26). Since each ERP system contains a multitude of modules for each functional business area, patching weaknesses within the ERP can be very costly, but it is important for the longevity of the system.

ERP systems are most secure when they follow the Role-Based Access Control model. As personnel within a company move around and change jobs, their job description should determine which areas of the ERP system they have access to and which areas they no longer need to view. By following this access control model as well as the Principle of Least Privilege, companies can mitigate the insider threat by reducing their exposure. Constraints such as time and day restrictions should be in place to limit access for authorized users. If the company works with a decentralized system and there are multiple administrators, the most senior administrator should allow or deny access (She 158).

Having thorough audit logs is another important component of a secure ERP system. With so many transactions across different departments, managers can be concerned about the performance of the system if every transaction is recorded. “In a compromise between security and performance, enterprises can avoid logging every detail of system activity and focus on meaningful information that’s relevant to the transaction” (VanHolsbeck 2). Audit log systems can also be programmed to identify an anomaly and alert an administrator, which helps use resources more efficiently. Since ERP systems also maintain financial accounting information, having effective audit logs is required under the Sarbanes-Oxley legislation of 2002. Along with the audit logs, enterprises should also practice sound internal control monitoring, both to deter malicious insiders and to protect the system (VanHolsbeck 4).

Since each ERP system is company-wide, it is vital to have a strong password policy in place to authorize use, as well as a method to change passwords when necessary. Allowing weak passwords for users on the ERP system could allow outside attackers to gain proprietary knowledge about the business and cause damage. Purchasers of ERP systems should validate that vendors have a means to encrypt passwords that are stored on the system (Hughes 1). Encrypting the ERP system's passwords is another layer of security that can protect the system if it is ever compromised.
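The access-control and audit-log ideas above (role-based permissions sized to the job, revoking the old role when someone changes jobs, time-of-day constraints, and an audit log that an anomaly check runs over) can be shown in a small model. The following Python is an added example written for this post; it is not code from the original essay or from any ERP vendor. The role names, transaction codes, business-hours windows and the users in the demo are all constructed for illustration, and the anomaly rules (repeated denials, off-hours attempts) are one simple choice among many.

```python
"""Toy role-based access control with least privilege, time-of-day
constraints and an audit log that is scanned for anomalies.
All roles, transaction codes and users below are constructed examples."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Each role grants only the transactions that job needs (least privilege).
# Transaction codes are hypothetical; real ERP systems use vendor-specific ones.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "purchasing_clerk": {"PO_CREATE", "PO_VIEW"},
    "warehouse": {"GOODS_RECEIPT", "PO_VIEW"},
    "accountant": {"INVOICE_POST", "PO_VIEW", "GL_VIEW"},
    "auditor": {"GL_VIEW", "AUDITLOG_VIEW"},
}

# Time constraint per role: permitted local hours [start, end), Monday-Friday.
ROLE_HOURS: Dict[str, Tuple[int, int]] = {
    "purchasing_clerk": (8, 18),
    "warehouse": (6, 22),
    "accountant": (8, 18),
    "auditor": (0, 24),
}


@dataclass
class AuditEntry:
    when: datetime
    user: str
    transaction: str
    decision: str  # "ALLOW" or "DENY"
    reason: str


@dataclass
class ErpAccessControl:
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    audit_log: List[AuditEntry] = field(default_factory=list)

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        # When someone changes jobs the old role must go, not just a new one added.
        self.user_roles.get(user, set()).discard(role)

    def authorize(self, user: str, transaction: str, now: datetime) -> bool:
        """Allow only if some current role grants the transaction inside its hours.
        Every decision, allowed or denied, is written to the audit log."""
        reason = "no role grants this transaction"
        for role in sorted(self.user_roles.get(user, set())):
            if transaction not in ROLE_PERMISSIONS[role]:
                continue
            start, end = ROLE_HOURS[role]
            if now.weekday() < 5 and start <= now.hour < end:
                self.audit_log.append(
                    AuditEntry(now, user, transaction, "ALLOW", f"granted by role {role}"))
                return True
            reason = f"role {role} grants it only {start:02d}:00-{end:02d}:00 Mon-Fri"
        self.audit_log.append(AuditEntry(now, user, transaction, "DENY", reason))
        return False


def find_anomalies(log: List[AuditEntry], deny_threshold: int = 3) -> List[str]:
    """Scan the audit log and return alert strings for an administrator.
    Rule 1: a user denied `deny_threshold` or more times (privilege probing).
    Rule 2: a denial that was purely due to time constraints (off-hours attempt)."""
    alerts: List[str] = []
    denies = Counter(e.user for e in log if e.decision == "DENY")
    for user, n in sorted(denies.items()):
        if n >= deny_threshold:
            alerts.append(f"{user}: {n} denied transactions (possible privilege probing)")
    for e in log:
        if e.decision == "DENY" and e.reason.startswith("role "):
            alerts.append(f"{e.user}: off-hours attempt of {e.transaction} "
                          f"at {e.when:%Y-%m-%d %H:%M}")
    return alerts


def demo() -> Tuple[List[AuditEntry], List[str]]:
    """Constructed scenario: a clerk probing beyond her role, and an accountant
    who tries to post after hours and then moves to the audit team."""
    ac = ErpAccessControl()
    ac.assign_role("alice", "purchasing_clerk")
    ac.assign_role("bob", "accountant")
    monday_10 = datetime(2012, 12, 3, 10, 0)  # 3 Dec 2012 is a Monday
    monday_23 = datetime(2012, 12, 3, 23, 0)
    ac.authorize("alice", "PO_CREATE", monday_10)      # ALLOW: her job
    ac.authorize("alice", "INVOICE_POST", monday_10)   # DENY: not her job
    ac.authorize("alice", "GL_VIEW", monday_10)        # DENY
    ac.authorize("alice", "AUDITLOG_VIEW", monday_10)  # DENY
    ac.authorize("bob", "INVOICE_POST", monday_23)     # DENY: outside 08-18
    ac.revoke_role("bob", "accountant")                # bob changes jobs
    ac.assign_role("bob", "auditor")
    ac.authorize("bob", "INVOICE_POST", monday_10)     # DENY: old role is gone
    ac.authorize("bob", "AUDITLOG_VIEW", monday_23)    # ALLOW: auditors work 24h
    return ac.audit_log, find_anomalies(ac.audit_log)


if __name__ == "__main__":
    log, alerts = demo()
    for entry in log:
        print(f"{entry.when:%Y-%m-%d %H:%M} {entry.user:6} {entry.transaction:14} "
              f"{entry.decision:5} {entry.reason}")
    print("ALERTS:", *alerts, sep="\n  ")
```

The point of the model is that authorization and auditing are one mechanism: `authorize` never returns without writing a log entry, so the anomaly scan sees denials as well as successes, and revoking the old role on a job change is what actually enforces least privilege rather than the act of granting the new one.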

Businesses of many different sizes are now using ERP systems as the costs of implementing and maintaining them continue to decrease. Ensuring that all authorized users of an ERP system have secure access, while still achieving a high degree of availability, is an ongoing goal. Information security policies should focus not only on perimeter security relating to networks but also on the in-house ERP systems that manage day-to-day business functions.


Medvedovskiy, Ilya, and Alexander Polyakov. “ERP Security. Myths, Problems, Solution.” Digital Security (2010): 1-75. Digital Security. Web. 6 Nov. 2012. <http://dsecrg.com/files/pub/pdf/ERP%20Security.%20Myths,%20Problems,%20Solutions.pdf>.

Pandey, Santosh K. “Major Challenges in Auditing ERP Security.” IT Harmony, n.d. Web. 3 Nov. 2012. <http://www.icisa.cag.gov.in/Background%20Material/Audit%20of%20ERP%20Systems/Security%20issues%20in%20ERP.pdf>.

She, Wei, and Bhavani Thuraisingham. “Security for Enterprise Resource Planning Systems.” Information Systems Security 163rd ser. 16.152 (2007): 152-63. UTDallas.edu. Information Systems Security. Web. 5 Nov. 2012. <http://www.utdallas.edu/~bxt043000/Publications/Journal-Papers/DAS/J46_Security_for_Enterprise_Resource_Planning_Systems.pdf>.

Van Holsbeck, Mark, and Jeffrey Z. Johnson. “Security in an ERP World.” Net-security.org, 24 May 2004. Web. 5 Nov. 2012. <http://www.net-security.org/article.php?id=691>.
