Friday, 12 February 2021 10:23

Dealing with ERP security vulnerabilities: four tips from Deltek

Caleb Merriman, CISO, Deltek

Securing an ERP system properly must be keeping CISOs awake at night: organisations are hacked on an ongoing basis, ERP systems hold a great deal of sensitive data, and it has never been more important to enforce and test the security of everything in your company.

Deltek describes itself as "the leading global provider of software and solutions for project-based businesses", and says it "delivers software and information solutions that enable superior levels of project intelligence, management and collaboration."

Caleb Merriman is the CISO of Deltek, and he has shared four ways ITSM professionals can double down on the security of their ERP systems.

After all, the various applications integrated in ERP systems collect, store, manage and interpret sensitive data from the many business activities, allowing organisations to improve their efficiency in the long run. "This alone", said Merriman, "means that your IT team should emphasise protecting that data."

Merriman continued: "The technical complexity of ERP systems means that security researchers are constantly finding vulnerabilities in them, and businesses that make them internet-facing and don’t think through or prioritise protecting them create risks that they may not be aware of."

So, what are the four tips that Merriman has shared?

Tip 1:

Ensure the application is secure: Even if an organisation is using a commercial application, new vulnerabilities can be discovered over time. All companies, no matter their size, should actively stress-test their applications on a routine basis.

Typically, this means a security team will be necessary to conduct penetration testing, assumed breach testing, and red teaming – a rigorous challenge to test your plans, policies and systems.

Testing like this should be performed at both the application and network layers – using tools such as dynamic application security testing (DAST), static application security testing (SAST), software composition analysis (SCA), or interactive application security testing (IAST) – all tools that a diligent security team should be using!

Tip 2:

Manage access control: ERP systems often contain data that is essential to your business and may be sensitive. Exposure of this data could lead to compliance, contractual, or operational risk.

In addition, ERP systems are often essential to daily operations, so any lack of availability to ERP systems or inappropriate alterations to the system or data could cause significant impact to your business.

Organisations should enforce strict "least privilege" access to ERP systems and data, and consider role-based access control (RBAC) and zero trust access models for their ERP systems, as first steps.

Simple measures that can be put in place, such as ensuring that all remote access to ERP systems requires multi-factor authentication, can make all the difference in the long run.

Security teams should also perform regular access reviews and implement robust user provisioning, termination, and transfer procedures.
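The access-review step described in this tip can be automated against a user export from the ERP. The following Go program is an added example, not Deltek's code or part of the original article: it runs a least-privilege review over a constructed user export and flags the conditions the tip names, namely privileged roles without MFA, terminated staff whose accounts are still enabled, dormant accounts, and separation-of-duties conflicts. The role names, the 90-day dormancy threshold and the sample accounts are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Account is one row of a constructed ERP user export (not real data).
type Account struct {
	User       string
	Roles      []string
	MFA        bool      // multi-factor authentication enrolled
	Enabled    bool      // account can still log in
	Terminated bool      // HR flag: the person has left the organisation
	LastLogin  time.Time // last successful login
}

// Review policy. Role names and thresholds are assumptions for this example.
var (
	privilegedRoles = map[string]bool{"SYSADMIN": true, "FINANCE_ADMIN": true}
	// Separation-of-duties conflicts: one person holding both roles could
	// create and approve their own transactions.
	sodConflicts = [][2]string{
		{"AP_CLERK", "AP_APPROVER"},
		{"VENDOR_MAINT", "PAYMENT_RELEASE"},
	}
	dormantAfter = 90 * 24 * time.Hour
)

func hasRole(a Account, role string) bool {
	for _, r := range a.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// ReviewAccounts applies the policy to every account and returns one
// finding per violation as "user: description", sorted for stable output.
func ReviewAccounts(accts []Account, now time.Time) []string {
	var findings []string
	for _, a := range accts {
		if a.Terminated && a.Enabled {
			findings = append(findings, a.User+": terminated employee still enabled")
		}
		if !a.Enabled {
			continue // a disabled account cannot exercise its roles
		}
		for _, r := range a.Roles {
			if privilegedRoles[r] && !a.MFA {
				findings = append(findings, fmt.Sprintf("%s: privileged role %s without MFA", a.User, r))
			}
		}
		for _, pair := range sodConflicts {
			if hasRole(a, pair[0]) && hasRole(a, pair[1]) {
				findings = append(findings, fmt.Sprintf("%s: separation-of-duties conflict %s + %s", a.User, pair[0], pair[1]))
			}
		}
		if idle := now.Sub(a.LastLogin); idle > dormantAfter {
			findings = append(findings, fmt.Sprintf("%s: dormant for %d days", a.User, int(idle.Hours()/24)))
		}
	}
	sort.Strings(findings)
	return findings
}

// SampleExport returns constructed accounts with login times relative to now.
func SampleExport(now time.Time) []Account {
	day := 24 * time.Hour
	return []Account{
		{User: "jsmith", Roles: []string{"AP_CLERK"}, MFA: true, Enabled: true, LastLogin: now.Add(-3 * day)},
		{User: "ptan", Roles: []string{"SYSADMIN"}, MFA: false, Enabled: true, LastLogin: now.Add(-1 * day)},
		{User: "mlee", Roles: []string{"AP_CLERK", "AP_APPROVER"}, MFA: true, Enabled: true, LastLogin: now.Add(-10 * day)},
		{User: "rkhan", Roles: []string{"FINANCE_ADMIN"}, MFA: true, Enabled: true, LastLogin: now.Add(-200 * day)},
		{User: "contractor7", Roles: []string{"AP_CLERK"}, MFA: true, Enabled: true, Terminated: true, LastLogin: now.Add(-120 * day)},
	}
}

func main() {
	now := time.Date(2021, 2, 12, 0, 0, 0, 0, time.UTC)
	for _, f := range ReviewAccounts(SampleExport(now), now) {
		fmt.Println(f)
	}
}
```

The review deliberately skips disabled accounts for everything except the terminated-but-enabled check, because a disabled account cannot use its roles; the output is one line per violation so it can be handed to the role owners who must confirm or revoke each entitlement.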

Tip 3:

Use encryption to protect sensitive data: The use of encryption in ERP systems is essential to protect sensitive data and to address compliance and contractual obligations.

Data should be protected at all times – when in transit and when at rest. Using encryption is especially important for any system integrations.

At-rest data should be encrypted at the storage/volume level and at the database or field level, to protect against more than physical-layer access. For encryption work, it is important to use current strong encryption methods, and appropriate key management is essential.
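Field-level encryption with key management, as the tip calls for, is usually done as envelope encryption: each field gets its own data-encryption key (DEK), and the DEK is wrapped by a key-encryption key (KEK) that a KMS or HSM holds and can rotate. The Go program below is an added example, not Deltek's code or part of the original article. It uses AES-256-GCM from the Go standard library, records the KEK id alongside each wrapped DEK so that old rows stay decryptable after a KEK rotation, and binds each ciphertext to its record id and column so that a value copied into another row fails to decrypt. The in-memory KEK, the record ids and the column name are assumptions for the example; in production the KEK would never leave the KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// KEK is a key-encryption key. A real deployment keeps it in a KMS or HSM;
// here it is an in-memory 32-byte key with an id that wrapped DEKs record.
type KEK struct {
	ID  string
	Key []byte
}

// EncryptedField is what is stored in the database column.
type EncryptedField struct {
	KEKID      string // KEK that wrapped the DEK (needed for rotation)
	WrappedDEK string // base64(nonce || AES-256-GCM(KEK, DEK, aad=KEK id))
	Ciphertext string // base64(nonce || AES-256-GCM(DEK, value, aad=record|column))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with a fresh random nonce prepended to the output.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen splits off the nonce and authenticates ciphertext plus aad.
func aeadOpen(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// fieldAAD binds a ciphertext to the row and column it belongs to.
func fieldAAD(recordID, column string) []byte {
	return []byte(recordID + "|" + column)
}

// NewKEK makes a random KEK for the demo; a KMS would generate and hold it.
func NewKEK(id string) (KEK, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return KEK{}, err
	}
	return KEK{ID: id, Key: k}, nil
}

// EncryptField generates a per-field DEK, encrypts the value under it and
// wraps the DEK under the KEK (envelope encryption).
func EncryptField(kek KEK, recordID, column, plaintext string) (EncryptedField, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedField{}, err
	}
	ct, err := aeadSeal(dek, []byte(plaintext), fieldAAD(recordID, column))
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := aeadSeal(kek.Key, dek, []byte(kek.ID))
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{
		KEKID:      kek.ID,
		WrappedDEK: base64.StdEncoding.EncodeToString(wrapped),
		Ciphertext: base64.StdEncoding.EncodeToString(ct),
	}, nil
}

// DecryptField looks up the KEK by id, unwraps the DEK and decrypts the value.
func DecryptField(keks map[string]KEK, recordID, column string, f EncryptedField) (string, error) {
	kek, ok := keks[f.KEKID]
	if !ok {
		return "", fmt.Errorf("unknown KEK id %q", f.KEKID)
	}
	wrapped, err := base64.StdEncoding.DecodeString(f.WrappedDEK)
	if err != nil {
		return "", err
	}
	dek, err := aeadOpen(kek.Key, wrapped, []byte(kek.ID))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	ct, err := base64.StdEncoding.DecodeString(f.Ciphertext)
	if err != nil {
		return "", err
	}
	pt, err := aeadOpen(dek, ct, fieldAAD(recordID, column))
	if err != nil {
		return "", fmt.Errorf("decrypt field: %w", err)
	}
	return string(pt), nil
}

func main() {
	kek, _ := NewKEK("kek-2021-02")
	f, _ := EncryptField(kek, "vendor-1042", "bank_account", "12-345-678")
	pt, err := DecryptField(map[string]KEK{kek.ID: kek}, "vendor-1042", "bank_account", f)
	fmt.Println(pt, err)
}
```

Rotating the KEK then means generating a new KEK with a new id, re-wrapping each stored DEK under it and updating the KEKID column; the field ciphertexts themselves never need to be re-encrypted, which is the point of the envelope layout.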

Tip 4:

Transfer some of the risk to a SaaS partner: Given the complexity, cost, and risk of providing ERP system security, it is often beneficial to engage third parties to provide additional ERP security.

The speed at which the security landscape is moving, coupled with the challenges of hiring qualified security staff and the cost of keeping security technologies current, often makes it advantageous to work with partners who can provide these capabilities at scale.

While it is unlikely that an organisation will be able to transfer all of its risk to a third party entity, it is often the case that a well-qualified partner could shoulder the majority of the security and compliance risk obligations.

Alex Zaharov-Reutt

Alex Zaharov-Reutt, iTWire's Technology Editor, is one of Australia's best-known technology journalists and consumer tech experts. Alex has appeared in his capacity as technology expert on all of Australia's free-to-air and pay TV networks on all the major news and current affairs programs, on commercial and public radio, and on technology, lifestyle and reality TV shows.
