Is ERP a Big Risk to Data Privacy?
How can policy-based access controls together with data privacy solutions help secure ERP in today's changing regulatory landscape?
We recently co-hosted a discussion “Is ERP fast becoming an extreme risk to privacy?” with Mentis Inc. Here is the transcript of that session.
Rajesh is the founder and CEO of Mentis, Inc. He has worked in the ERP world for almost 20 years. In 2002 he restarted the Governance, Risk and Compliance Special Interest Group within the Oracle E-Business Suite community and ran it for several years; Adil then took over, and together they ran it for several more years. Rajesh designed and built the solutions that became the Oracle GRC product line and the information lifecycle product line. He subsequently started Mentis to focus on ERP security at the data layer. As you read the transcript, you'll see how the early association between Rajesh and Adil continued; now, almost 20 years later, they are like "parentheses" around data in ERPs.
Adil is the founder and CEO of SafePaaS (formerly FulcrumWay, a successful boutique consulting firm and Oracle's go-to partner for GRC). Adil still sits on the board of the Oracle GRC SIG and presents monthly webinars and panel discussions with partners from around the world on trends in the ERP and applications risk management space.
Transcript
Adil - Compliance became a big issue about two decades ago here in Texas, where I'm based, when Enron blew up; it was a big employer, and many of our friends and family worked there. It got me thinking about how technology risks can impact the real world: a lot of people lost their jobs. If you've been around this industry, there were five major audit firms back then. Now there are four, the Big Four, we call them. One of them, which was actually the main auditor for Enron, blew up; consequently the SEC shut them down.
A lot of laws and regulations came in. I was reading through this; at the time I was running a public company, and I wanted to get into this space. So it's been a journey of 20 years. Hopefully, some of the things we'll share with you today are things we've all learned working with customers over the last 20 years in the trenches and, before that, in the ERP industry. We're here to share; it's an educational workshop, and we'll share our experiences and give you an opportunity to ask questions. But what's happened in 20 years is that when I bumped into Rajesh at the user group, he was talking a lot about data, privacy and state laws. I was worried about financial risks, and he was worried about data. We overlapped a little bit. But he was really passionate about data, and I was passionate about financial risks. We became, I guess, an odd couple, a couple in business. The market, as we talk 20 years later, has emerged. Compliance is a much bigger issue. I got the opportunity to write a book about compliance, called Governance Risk and Compliance Handbook for Oracle Applications, with, again, some friends who have been in the trenches for 20 years. We both present quite a bit. I believe I can speak for Rajesh: we both love to share what we've learned with everybody else in the industry. Hopefully that does some good for companies that are impacted by compliance. So that's how I'm coming into this today, to really share my experiences and learn from others. Thanks.
Emma - Absolutely. Thank you. So that brings us on to our first question. As you've heard, they've been in the ERP security space for almost two decades. Adil has talked a little bit about the challenges customers faced back then. Rajesh, can you also share some experiences and explain the challenges customers faced securing ERP back then, when you first started, and the challenges they face now?
Rajesh - Yes. The solution that I built, which is now Oracle GRC (please don't blame me for it; I designed it much better than this!), was designed right before SOX compliance became a thing. Once I built that solution, Adil looked at it as a way to create the controls around it. I looked at it as: okay, I've done this, I built this product, now what do I do next? I was looking at this way back in 2004, when I realised that developers have access to way too much data, because customers were copying Oracle E-Business Suite, PeopleSoft, JD Edwards and all those applications. They were making production clones for development and testing purposes, so DBAs and developers had access to way too much data. I wanted to build a solution that would automate the anonymization of that data in these non-production databases. I started that in 2004; it was way early. At that point in time, security officers were more interested in firewalls and making sure that the external threat did not become internal. But it took a few years for people to catch up to the data layer issues around protecting data at the data layer, in addition to protecting at the controls layer. So that's how I ended up starting Mentis. Over a period of time, we've seen the market for that mushroom. Data is not only in non-production instances; it's also in production instances. And in production instances you have access at various levels, not just at the database layer but also through interfaces, through the front end. So we've expanded, and now, if you look at where this has gone, privacy laws all over the world are impacting every aspect of data, even in production. As we go through this set of questions, I think we'll address those as well.
Emma - Adil, do you want to add anything there?
Adil - I think, just to add to what Rajesh said: what were the challenges then versus now? When we first got into that, the first challenge was, "Hey, do you have a password change policy on your ERP system?" There were some basic things people just weren't doing. We were trained as consultants. I had the option to work at Oracle, and it was like, "Hey, you want to keep your users happy? They're all moving off Y2K. You want to get them onto this great new ERP system, which integrates all your businesses together? Give everybody superuser." We used to encourage our customers: "Hey, look, you can get in there to look at journal ledger transactions here, you can go look at the liability account in accounts payable, and now you can see the full flow of your ERP." That was the value proposition of ERP. We were at the front end of promoting that value proposition and making it a reality for our customers. So we gave them a ton of access to everything, which they didn't have in the old days of mainframes because everything was siloed: we had a separate accounting system, a separate inventory system, MRP systems. We were integrating all these business capabilities into a platform, and that was the beauty of ERP, the value proposition, why companies spend billions of dollars in the marketplace to get these systems. But what we didn't realise then, and what we realise now, is the challenge of what we created as a result. Because we gave people a lot of access, as Rajesh picked up on, we weren't thinking about what happens when all these people have all this data. Rajesh, I think I'm stealing one of your stories from 20 years ago: some contractor gets upset and posts the payroll information on the internet, which was up and running, right? You can easily become a target, and that becomes a reputational risk. Those are the kinds of things we're hearing in the marketplace. I was obviously focused more on the financial risks.
From a financial risk standpoint, what we were seeing is that people can go and flip switches on key setups; supplier bank account data can be changed. I can change it to my bank account, just as an example, to commit fraud and then change it back, and Rajesh would never find out as my architect, because when his team logs in they'll say, "Oh, well," and change it to the right bank account. But he wouldn't know that I changed it back. So those are the kinds of challenges our customers were facing then. And now, as you think about this question, what's happening is that you have things like GDPR, CCPA, all these acronyms that have become the lifeline of data protection, and your cyber attacks. So the ERP systems that were really developed and designed to share information are now becoming targets of people with bad intentions to harm companies and businesses, through the various things you read about in the papers.
Rajesh - Yeah, and parallel to everything Adil was talking about, at the data layer something similar was happening. Initially, we gave access to everything to everybody. As a developer, I could get access to production if I needed to run an update statement to fix a problem in the database. People would share sysadmin and APPS passwords easily at the data layer. A lot of SQL Servers just had the SA account with no password. So we were there. Then slowly Sarbanes-Oxley was coming in, and the news stories were not as interesting as the ones happening now. Now you look at the news stories: Facebook lost 930,000 accounts, JPMorgan Chase lost 53 million accounts. The data theft itself is now inundating the news. That's all at the data layer. So the financial controls cause immediate financial problems, but the data problems, when you have data breaches, cause a bunch of problems. One, there are studies that say 32% of your customers will not do business with you again, and a 7% market capitalization drop when there is news about a data breach. So these are all real issues that are also happening at the data layer. The battle was that we were giving away APPS passwords easily. Then suddenly we grew up and figured out that we just cannot give developers update access to production data, or production-like data in non-production. And then we said, oh, we'll just give them SELECT ANY TABLE. But all the privacy regulations now are worried about people having select access to data too. So that's the shift that has happened over 20 years: we were not worried about anything, then we started worrying about people having update and delete access, and now we're worried about people having access to any data.
Emma - Let's move on to our next question. With all these privacy regulations, GDPR, SOX, etc., how can these ERP systems, which are so complex, succeed when it comes to data security?
Rajesh - Let me answer that from the data layer, and then you can add to it from the financial controls layer. Let's take an Ivy League university in the US: a very different business from an oil and gas business in Texas, which is very different from a bank in the UK, which is very different from a healthcare company in Singapore. What is common is that they all use the same ERP platform. So the application is supposed to be the same, and what the application can do is supposed to be the same, but the data they capture and store might be different. What also affects it is that Europe has GDPR, South Africa has POPI, Canada has PIPEDA, there is a Data Protection Directive in Singapore, and the US does not have a federal law but there are state laws like CPRA in California. They all first document what type of data is sensitive, and these all vary. 127 countries across the world have some form of privacy regulation or other, and they have a lot of commonalities on what data is sensitive, the low-hanging fruit: names, addresses, date of birth, social security numbers and these types of national identifiers, credit card numbers, bank account numbers. This is all low-hanging fruit; everybody talks about them. Adil, you might remember that I used to joke that sometime in the future shoe size was going to be sensitive data. That has actually happened now. GDPR talks about shoe size, height, weight; all of these are attributing elements to finding a person. Just a simple way of looking at it: most of an organisation will be within a height range, but if you employ Shaquille O'Neal, suddenly you have an outlier. From a privacy standpoint, that one outlier will help people reverse and figure out whose data you're talking about. So they looked at all of those types of identifying information that could be either a direct identifier or an indirect identifier.
And now the applications are the same, the geographies are different, the privacy laws are different, but the need to protect the data stays the same. So somehow solutions have to be deployed that are able to understand what geography the customer is in. Then you also have industry-specific regulations like HIPAA, so you have to overlay those, and then consider what data stores and what applications you have, and then come up with a matrix of what data needs to be protected, where it needs to be protected, whom it needs to be protected from, and who needs to be protected. So that's how it's impacting organisations across the globe: you might be using the same system, but you might have to do different things to protect that data.
Adil - Absolutely. I think the key there, which is very important for us to learn from this session, is that one size does not fit all. That's so true, because even from a financial controls perspective, when we first got into this business it was all about: hey, if anything impacts your financial statement and you've got a configuration in your ERP system, mark that up as a risk. So we had thousands and thousands of risks, and companies just got tired of it. They said, "We can't operate our business. Everything is a risk, of course, but we still have to satisfy customers, build products and ship them across the globe." So I think that's very true, what you said: these ERP systems are supposed to be very configurable. That's why they became so popular; not only do they integrate our business processes, but they also made it very flexible, so banks and oil and gas companies and Ivy League universities are all using them in different ways and for different purposes to streamline their own processes. So that's the benefit of having an ERP. But today's session is all about: okay, what are the risks that we created? One of the things from a data security perspective that our customers are worried about today is that they're operating these global processes, and they're subject to different regulations where they operate. But because these ERP systems store the data in a common repository, a database, using the same data model, it makes it very difficult for our customers to determine who can see what data. An example is a customer that recently went live with SafePaaS in Europe, in the UK specifically, that operates in many countries. They have different data protection laws, they have compliance laws, and they're also listed on stock exchanges. It's a good example of where they are modernising their ERP system; they bought a cloud system.
There can be data residency requirements, and they do operate in some, let's just say, high-risk countries, where they have to protect the identity of their own staff, back to the example of shoe size. So here we see a convergence of data security with financial controls, because for their auditors to be able to ensure that the controls are operating effectively, they need to know the information about the key data, the master data elements, and how they're processed: customer credit limits, supplier bank account changes, employee benefit updates, all those sensitive data issues across the world. These are examples of scenarios that our customers are facing because of the multi-mandate issue. The way we're helping our customers, and we hope you get something out of today's session on how to do things better, is to really break that down into control objectives. Your control objectives define how you implement the control. So instead of having thousands of risks that are impossible to monitor, the approach that our customers are taking, and the guidance from the audit firms and the regulators on financial risk, is to take a risk-based approach: look at the impact and likelihood and make decisions based on that. Because if you take the opposite approach, which was how we entered this market, foolishly, 20 years ago, you can really slow down the business and in some cases shut it down. If I didn't have to worry about customers and suppliers and I just shut all that down, I would have perfect data protection, but I can't do that because I've got to sell and I've got to buy. So that's where the challenges are, and those ERP systems that were really wide open, built for that monolithic, free-for-all access, are now being challenged. The way we're addressing that challenge is through a lot of monitoring of key data access, data distribution, data residency, those kinds of things.
Emma - I just wanted to interrupt here and ask Rajesh a question. A typical ERP system is very complex; they have really complex architectures. How can we ensure data relations are maintained in such complex architectures through the use of data security solutions?
Rajesh - Most enterprise applications are complex. Typically, it's large enterprises that have these really complex systems, that can afford ERP systems and implement them and keep them up. They have lots of data, they have lots of applications, they have connected applications. Even outside the ERP, the data landscape for most organisations that can afford an ERP is extraordinarily complex. They have multiple data stores, they have cloud access, they have cloud data, they have SQL Server, they have Oracle, they have mainframes, they have Snowflake. They've got multiple data platforms. So even outside the ERP, it is a much bigger problem for organisations. The way to go about all of that is to first document and classify your data across all of your systems: know exactly where your sensitive data is, how it is being accessed, who has access to it and what they are doing with that access. First, make that intelligence layer. Then you can create appropriate rules for protecting the data. I think later on Adil will talk about policy-based access controls. So those policies come into play; attribute-based access control comes into play. So the documentation of that is critical. Once we understand where the data is, if not the usage of the data, then we can do many things to protect it. There are enough technologies in the world, including Mentis, that can help you protect that and keep that referential integrity, keep those complex data landscapes intact, and make sure you don't have any issues with your vendor support contracts by not changing data structures. There are many ways to address that. It's been done for a few years now, so there is some good news at the end of it.
Emma - Excellent insight there. Okay, based on customer feedback: we've been talking about access and solving data security issues together. What's the biggest challenge that your customers currently face, based on feedback from customers you've been working with recently?
Rajesh - I'll go first. Very interesting point you made about your customer that is in Europe and has operations in multiple geographies. They represent the most complex of issues, because in my examples a university in the US is very different from a healthcare organisation in Singapore, but they have, in a way, narrow-focus compliance objectives. When you have complex organisations that are in multiple geographies, they are actually multiplying those complexities geometrically, and it becomes very difficult to comply. So what we are seeing is, even if you have just to comply with GDPR, or CPRA, or PDPA in Singapore, or POPI, or whatever it is, most of them are now talking about data subject rights; they provide a few rights to the subjects, or the citizens, of those geographies. So if you are a US company, for example, and you have some information about European Union citizens, then you have to comply with GDPR because you hold that data. Some of the state legislation in the US actually gives some ways out, because it says if you're not selling the data, you don't have to comply. So the first thing organisations are dealing with is figuring out what data, and what privacy law, to comply with. Then how do you take that and apply it to these complex ERP systems? One of the biggest problems that everybody who's not yet seen this challenge is about to see over the coming year or couple of years is the data subject access right to erasure. So, let's say you are a US retail giant, like Macy's, for example. Macy's does a lot of work with seasonal workers around Halloween and around Thanksgiving and Christmas time; they bring in a lot of seasonal workers to help with the rush and help with sales. So many people have worked there. I would say if you look at the human resources system, only 20% of their actual employee base will be permanent employees.
The other 80% generally are seasonal workers. So let's take, for example, a celebrity who wasn't a celebrity then. In your human resources system you store information about where they live, their social security number, their date of birth, their mother's name, their mother's maiden name, other addresses; all this information is stored there. The minute you give them the right to ask you for erasure, how are you, as Macy's, going to delete that data from an ERP system without compromising the entire integrity of that application? When you start deleting operational data, if you start deleting employee data, what happens to all the paychecks? What happens to all the performance ratings? What happens to all the salaries that are then loaded onto your general ledger and your other subledgers? How does that system even work? So this is going to be the challenge that you're going to face in the upcoming months. I will give you another anecdote that both Adil and I will connect on. Sarbanes-Oxley passed, and then it became live in 2004. It took a few years before enforcement happened; until then people were just doing spreadsheets, trying to understand all of the issues. Two or three years later is when actual enforcement started and people started using solutions like SafePaaS to monitor those controls and to prevent those controls from being changed. Same way, GDPR passed in 2018. So three years later, 2021, a little delayed because of the pandemic, we are now seeing enforcement start in Europe, and we're starting to see enforcement in other geographies. So this is what's upcoming: if you have operations in multiple geographies, get ready for the right to erasure in ERP systems.
Adil - I think you've covered most of the topic. I'll just add to the customer challenges and feedback that we see around ERP challenges; I sort of covered that with our customer being in many countries and trying to solve different mandates. But the part I did want to talk about today, from what our customers are solving using technologies that I see in the market, including ours, is moving to what's called a preventive control method. In the old days we did a lot of detective work. We would find problems, go running to the CIO or CFO and say, "Hey, look, we found all these problems, now you've got to go fix them." They would just roll their eyes and say, "I don't have time to fix 10,000 things; why don't you guys just go find a little hole and do it, or outsource it, or do something." It was a very difficult conversation to have, because all you're doing is reporting a lot of problems. What we're seeing now, as this question asked about access security issues, is that customers want to move to more preventive controls. That's building on what you said about the early days: people just go in and try to figure out what the control is that we need to have on this data. As they get more mature about it, they say, "Okay, gosh, we've figured out we're doing the same thing over and over, fixing it and it breaks again; let's figure out a preventive approach." So I think that's some of the things customers are asking us to help solve today.
Emma - Okay, let's move on to the next question. What are the shortcomings of ERP systems when we talk about employee rights versus data integrity, the right to be forgotten versus the right to know, that kind of thing?
Rajesh - The reason this question is asked with employees is that GDPR provides some rights to citizens of the European Union, as does PDPA in Singapore and other regulations. Generally, customers do not know how much information is stored about them, but your employees know. If you look at the early parts of the right to know and the right to data requests, these are data subject access rights, and the requests about them are data subject access requests. The majority of the early DSARs were all from employees, because employees kind of knew that you've got a lot of data about them. Think about your bank. Let's say you bank with Citibank. You will probably think that they've got your information in their KYC, know-your-customer, database, and they will have it in their core banking platform, but you probably won't have an idea of how widespread information about you is at the bank. But as an employee, you'll at least know that they have a human resource system, so they have some payroll system, they've got some systems and they're storing that data about you. So that's why this question is more about employers. When an employee then says, "Okay, I'm invoking my right to know what data you store about me," all ERPs basically don't have the ability to document where a person's identity information is. It is stored not only in the standard tables but sometimes in custom tables; sometimes people will go with some other code and load it into some other undocumented tables. It's a very tricky exercise; even before data integrity, even fulfilling the request is a problem. But then the data integrity problem comes in. So if Rihanna goes to Macy's and says, "I worked there in the summer of 2002, so I want you to delete my data now that I'm a citizen of California and I've got the right," in any system like PeopleSoft or Oracle EBS or JD Edwards or SAP, you just cannot delete employee data.
Because that would mean deleting any piece of information that is connected to it in a referential table, and you just can't do it. You cannot delete that: it's massive data, it's connected data everywhere, your systems will all fail. And you've posted information to the general ledger, so the general ledger balances won't foot. So that is not even possible. These ERPs were not built with deleting data at a later date in mind; they were only built to hide that data. We also have other issues. An employee might say, "Okay, go ahead and delete my data. You got my last W-2 in January of 2021, so today I'm asking you to delete my data, because you have no business keeping my data." That's not possible. You've got audit requirements; you've got to keep that data for eight years, even though you have data subject access rights. So what do you comply with? Do you comply with the data subject access request, or do you comply with audit requirements? And if it is a student and you're a US university, they have to maintain that data for 99 years, basically forever. These are some of the shortcomings that ERP systems engineered in the '90s are not able to address easily in today's day and age.
Emma - Wow, great insight there. How does this translate into Access Rights Certification Adil?
Adil - We wrote the paper last year that was published in the Oracle User Group magazine. We went through the principles are some of which were talking about in the previous question around, right to be forgotten, and so forth. So when you think about access rights demand, translate your demand into access rights, and certification. That's one of the things that we're seeing a big tick up among our IT general controls population. So I'd what we call it ITGC, they're different methodologies that companies adopted, which are taken from the versions we have COBIT, and so forth under those principles. The guidance that we've seen from European Union, for example. What customers are asking us to do is a periodic certification of user rights. There's debate within that too. What access rights should be included in the scope of that certification? Our initial thought was a few years ago that, okay, if they can do damage to the financial statements, so they can create a journal entry or move cash from one account to the other that's a big risk. So let's get them to certify that. But recently, when we're talking to customers, what they're telling us no, that's not good enough, as Rajesh said, you know, somebody can view shoe size, just to pick a silly example. You know, we care about that. So it's kind of evolving, if I use that word requirement for our customers, is creating scope creep for them, it is creating burden on them. And I don't have a really good answer where it's going to ultimately end up because rules are changing. But we'd like to be able to do is give the flexibility to our customers to be able to scope as these rights are getting written and rewritten, and mandates are changing. But the methodology and the approach is pretty solid. What essentially, our customers are doing on a periodic basis, some are doing it quarterly, or they're going to do it semi-annually. 
They take a dump of all their user rights that they have in their applications, and in some cases database as well. They basically identify the managers that have to then review those rights and say, “hey, this person, do they really need that for their current job”, because at the enterprise customer, there's a lot of changes happening throughout the year. COVID has made it even harder because of people working remotely and so forth, some people are in the office, others not. So there's been some elevated access granted to people to do their jobs again. So certification of the rights is difficult. In fact, what also concerns me is that when people are overworked and this is not their day job. They are simply blindly just certifying to things that are maybe not accurate. So we'll try to make that progress. Think about how to make that more useful. Do some kind of reconciliation. So we're seeing a lot of, for example, IDM systems becoming popular among our customers, where the rights are basically hosted with the IDM system, whether using Okta, Azure or something like that. Oracle IDM, I guess. We see that customers are relying on those systems to ensure that all the rights are inventoried there then using, tools like SafePaaS to take all those privileges and suck them into a platform and then send it out for certification. So that's sort of the emerging solution that we see. It's not a perfect world, even though we have a pretty good process down, because the scope of rights is changing as debatable customers are constantly thinking about what is what is the right, you know, there's a concept of data processor versus data controller under GDPR. So the thinking about where do we fit in? How do we implement these rights? You need a lot of flexibility and agility today to be able to do certifications, how I would put it. What do you think Rajesh? Do you want to add something to that?
Rajesh - Oh, that was that was very clear. The only thing that I would request is when we send out this recording for this session, we should also probably send the link to that paper that you mentioned, I think it'd be very helpful.
Emma - Sure, absolutely. We can do that. Now, we've touched on different regulations and the fact that they're constantly changing. So how do ERP systems deal with this?
Rajesh - Yeah, these systems are too complex, they're monolithic. They're not agile, to borrow a term that is more popular now than it was in the early 2000s. So, again, what data was sensitive was very different 12 years ago, was very different 20 years ago, and what data is sensitive today is different from that. And you can also expect more areas to come into being sensitive in the next few years. There's a reason for that. In the past, we have had customers think, if you just change somebody's social security number, the data's protected. That world is gone. Now, there was an article by somebody from Harvard, Latanya Sweeney; she did a study and she compared all of the information from the US Census from 1978. She took just three elements that do not directly identify a person: she took the gender, she took the date of birth, and she took the zip code. She was able to reverse engineer 67% of the US population in the 1978 census. The population was lower, but the combination of indirect identifiers that can together isolate a person, that is important, and we have to keep those things in mind. And these ERPs, these are not built for the type of regulations that are coming in; they're coming in a fury. Again, so far, three states have passed something. California passed CCPA and two other states are passing it. West Virginia just failed it, but then they will try it again. These regulations keep coming up and regulations keep changing. Some regulations are different. But the ERP is still exactly the same. So it's hard for these ERPs to automatically be ready for these types of regulations. That's what vendors like SafePaaS and Mentis will help you do, because we keep on top of those types of regulations. And then we keep on top of the way ERPs are going, to help them address it. Because you need third parties with expertise to help with them.
The ERPs themselves want changes, but it's very hard for them to change. Built over several years, they have a large installed base; it's just not easy to change those types of applications that impact so many people. What do you think?
Adil - You know, I think you covered it very broadly. I just want to maybe add some examples, again, just to make it possible for people who are listening to this to get some value out of what they have today in ERP. So I would say that, you know, most ERPs have the same concept, which is to integrate data across the enterprise, and therefore it's a common challenge whether you're using PeopleSoft, Oracle E-Business, a lot on-premise, or the newer ERP. I'm working with a customer recently in Oklahoma that has recently taken their on-premise business and moved to the Oracle Cloud. They are using some data, they are implementing some of their data protection policies using the newer capabilities, without getting into bits and bytes. I mean, in the Oracle E-Business world, they have the profile options to separate out responsibilities, and now they have data groups which are more flexible, so you can control the data rights a little bit better. However, the challenge is that they're still not agile. So you set one thing up, and then someone comes up with “Hey, but that's not covering my state or my residency.” So you still have to go back and build out these highly customised, hundreds of different data protection rules within the ERP system, which takes up a lot of resources that companies don't have today. So while they're doing their best efforts, without having some automated way to monitor that, it's a big challenge for the customers even in the newer, more modern cloud platforms.
Emma - You mentioned data protection access controls; what about policy-based access controls? You know, it's a term that I've seen, or I'm seeing more and more. So how can that help?
Adil - The awakening for me was, I was a big fan of RBAC when it came out. I've written some papers on role-based access control back when I was at Oracle, and working, implementing RBAC for customers, I really bought into the idea that if we just got the roles right, with role-based access controls life would be much better because, well, the roles are done. So people will be granted those roles, and the roles have to start with clean roles. I mean, you solve the root cause problem. But what I didn't realise, and many of my colleagues that are in the space didn't realise, is that roles change as the companies change, the processes change. So all that effort really didn't produce the results, because customers merged, they had new technology, new business processes. They wanted to buy things in China and sell them in the US, but whenever all that happened, I mean, you basically ended up with different problems. We realised that we were just not really solving the problem, because whether it was technology, the business itself or the external factors, the roles were not constant. So that was the assumption we were working under with RBAC. So the alternative that has emerged for our customers, and what we're spending a lot of time on at SafePaaS, is to make it more policy-based, as opposed to RBAC; still start with good roles where possible, we still have customers that use our roles management tools to really start with a good inventory for certification. But that's not sufficient. That doesn't give you enough coverage. I'll give you a very basic example my customers are coming to me with. They're saying, “Okay, I've got my roles, I built a Roles Management System, a global role system, and I’m provisioning them. And then I have my ERP system. And my auditor comes in, and they look at my roles and what's been requested in the ticketing system, let's say ServiceNow, or SailPoint, whatever. Then I'm looking at what's actually in the ERP.
And then I can’t reconcile, because some people are going directly into ERP, some people are coming through email request because they're a senior executive; they're starting, the new CFO is coming in, they're not going to go log a ticket. So I've got this hodgepodge of provisioning happening. And some people are told, “Hey, give John what Mary had.” So they're just kind of, they're normal human beings, not a bunch of controls, IT freaks. So they just do as normal humans do. They say, well, give Mary what John had, when Mary starts and takes over. So what that does is it creates a lot of complexity. We can’t eyeball the infrastructure, it’s huge today; you can't just eyeball 1000 privileges and say, “Oh, yeah, give Mary three fewer privileges, because John was doing this other job.” So you have this big mess. What we're doing is helping our customers augment their roles management strategy with policy-based access. This is the fastest growing demand that we see in our customer base today; they're saying, “Yeah, what we can do with policy-based,” as I mentioned the term preventive controls earlier, we can actually prevent people getting access, whether the role has not changed in 10 years, or it's changed yesterday, because we're coming at it from a policy perspective and we take a fine-grained approach to that. So that says the data policies and this data, so we don't want everybody to get supplier bank account access. They can look up maybe supplier name and address, but they can't get to it. Or, if we're talking from an employee perspective, we don't want certain fields to be visible to certain people in the organisation. So you've got the role, but you also have a policy. So whoever requests that, the policy drives the provisioning. And so we're building for our customers, deploying these provisioning capabilities that were just not thought about in the ERP system.
The ERP system, back in the Oracle days, as Rajesh, you were saying, you know, you could log in, give everybody sysadmin and log in and give yourself any other access you want. We have come a long way from those days. But still, the problem without putting in some sort of policy-based access controls is that you're as good as your last rule update. And if the role changed, you're back to an inefficient control, basically an ineffective control.
Rajesh - And then attribute-based access control is like, remember, I was talking about parentheses, how Adil comes at the problem from one side, I come in from the other side, and together we protect it. Now, anybody that's worked with ERPs knows that they are really complex applications. Oracle EBS is famous for having things like descriptive flexfields, and for those that are not comfortable with Oracle EBS, think about key-value pairs. So the old model was thinking about how do I protect this particular table or this particular column from this employee, but things are now changing to, I need to protect this cell value from this employee at this time from this location. Because of these cross-border data requirements, the data residency requirements that Adil mentioned, where some geographies do not want you to show their data to people from other geographies. Switzerland is a big example. India has passed some laws like that. So now the controls are happening at the data layer, not necessarily at the application layer, but the data layer where data is being presented; you have to be cognizant of the fact that for any cell you need to have special rules for it at a special time. So, if I'm in Switzerland, I can look at Swiss bank data of customers. But if I leave that, so at that particular point in time I was provided access to that cell. So now if I go to Jersey, then I cannot see Swiss data, but I can see Jersey and US data. If I go to Singapore, I cannot see Switzerland, Jersey or Guernsey, but I can see all US, right, or Singapore data. So those types of location-based access, based on who the user is, determine which cells they even look at. So that's basically what attribute-based access controls are. So at the data layer, it's actually going way deeper, to actual cells and when and where you're accessing the data from.
Emma - Okay, absolutely. So let's go back to the fact that we all know that, you know, ERPs are very complex and securing them is very complex; customers have spent years and years and years customising them. So how can organisations maintain security and compliance, yet be flexible and agile to address future regulations and legislation?
Rajesh - So this is just a job for a specialist, that's the simplest way that I would put it. ERPs are built for a special purpose, and they are extraordinarily good at it. And then you need vendors like SafePaaS and Mentis, who are very, very good at what we do, to enable the security of these types of systems. We are looking at data threats, we are looking at evolving regulations, we are looking at the evolving landscape of data and the evolving landscape of regulation, and we're building solutions for them. So, it is always better, especially if you're in a simple application, you’re probably doing it yourself; you could probably do privacy yourself, you can do security yourself. Fantastic. But once you have complex applications, like ERP, that are huge, and very, very, very difficult to even understand the ramifications of things, you need specialists who work on this to actually make your investments in your ERP safer, and also protect your bottom line by staying away from breaches and staying away from non-compliance.
Adil - Yeah, no, I think that's such an important point, that it's not possible for a company to just hire hundreds of people to just secure an ERP system; it doesn't make any business sense. But the risk is there. So how do you deal with it? It's difficult to do it on your own unless you just have, I mean, very few companies, like the US government, have the ability, because they have an unlimited budget to tax us. They could do it. But I think the problem is that you need people with such specialisation. Just, you know, between you and me, Rajesh, we specialise in different areas, but I call you when I'm hearing about a customer that really wants to protect something. So one of the Big 4 audit firms called me the other day, they were talking about protecting specific things at a specific customer. And I said, look, I'm not gonna be able to do that; I have a specialist, Mentis software, that I’ve worked with for 20 years, you need to call them, right. So that's kind of where I come from, is that we have become more specialised in this industry, around data and security, like other industries have done for many years, healthcare, whatever. So we've become more specialised, and we know a lot about a small space, and then we're building this, what I call best practice. I know it's an overused cliché, but we're talking to hundreds of customers on our platforms, because now we're all on this cloud and everything, we can do more metadata analysis than we could 10 years ago. So we're seeing, for example, on the SafePaaS platform, what are the top 10 risks across 100 customers that use Oracle, that keep popping up? What are the findings that auditors make? So we can bring that knowledge today that we couldn't do ourselves. I mean, we had deliverables and methodologies and stuff in our heads. But now we can give you more numerical answers to what's the cost and the risk compared to your peers on the platform.
So those kinds of things are where I think we can think about the future of regulations. We have some leading, thought-leading companies on our platform that are dealing with things in Europe that, you know, the US is not quite there yet; in some cases, the US is ahead. So we're seeing this on five continents. As we're learning across these different regulations and mandates, and best practices are developing, we're able to share with you as specialists. So certainly, we're building our technology and constantly improving it so it's more agile. And frankly, we're more nimble. So for a company like Oracle or SAP to go and redesign their ERP system is at least a 10-year process. So, if there's a regulation they want to even implement in their ERP, it'll take them 10 years to get there. So the answer customers have come to is to pick out specialists like us that are nimble, that can provide the solution today to detect the problem and prevent it. That's where I think you can benefit from not only all the knowledge on our platforms and metadata that we can share with you, but also the technology that we can quickly innovate in our development shops, within literally days, for example. At SafePaaS last year, we put out 350 updates on our platform in one year; this year's going to be probably 400 plus, at the current pace. So we do a lot of updates. I know you and I were talking one on one the other day, I mean, you guys are doing more of that. You’ve been doing it a lot longer than we have. But I think that's something where we're able to innovate a lot faster because we have less red tape. And, you know, we just get up every morning thinking about this stuff.
Emma - We did mention auditors. How can auditors navigate this challenge?
Adil - Yeah, I spend a lot of time on this, because one of our missions is to transform audit. Going back to my introductory comments about how I got into this business, it was my friends and family that got impacted by Enron. So I would say that's something that is very close to me; I want to make it possible. The basic problem that we're trying to solve is that companies are spending what, half a trillion or more, just with the top five audit firms in the world, and there's still $2 trillion plus of fraud happening. So clearly, the problem has not been solved. So I'm trying to figure out how we can play our little part and help with this challenge around data. What I find is, you know, auditors basically like to be able to look at a control design, and then look at the operations and see if that control is operating effectively. That's essentially what audit is. You have some document that says people with access to suppliers should not be paying those suppliers, and that’s a basic segregation of duties policy, and then they go into an ERP system, and they say, “Oh, well, 50 people are doing that,” and they write you up. So that's a simple example of an access policy that our customers are dealing with. Now what's happening with auditors, and we're just, you know, we're looking to help our customers and our audit partners, is now they're being asked. So they come from a finance background; most auditors come from an accounting background like mine, we can analyse the financial statement inside out. But when it comes to all these things that Rajesh talks about, now our financial statements and our audits are dependent on these data elements. And now we're being told that not only do we want you to audit with the audit objective of financial statements, but also for the risks we have in our business through these potentially unlimited liabilities, essentially, that are mandated by the European regulators, American regulators, etc.
around the world; we want you to protect our businesses, and give us an opinion as auditors that this will not happen and that we have good controls in place. That's what the market is looking for. So that's where you need these new methods and new technology to enable it. I think it starts with training. You know, a lot of auditors have not been trained in data protection; I'm not trained in it. So when I need some help, I will call Rajesh and say, what do you guys think about discovering this basic data that exists in these tables? And how can we protect our customer? You need specialists, and you need education. I think training like these kinds of sessions is a good start. But what you really need is to sit down with folks, specialists like Rajesh; he will show you things that blow my mind away, and auditors need that training that they don't have today, frankly.