Series 1 EpiSode 5: ERP Security with Mark Wonsil

In this EpiSode:

We tackle ERP Security! How do you secure the crown jewels in a world filled with thieves when every user has a key to the vault?

We go over a neat feature in SQL called Dynamic Data Masking, and then we delve into a lively discussion with @Mark_Wonsil from PTI Engineered Plastics about security, the cloud and how to protect yourself.

Resources:

Also Available in the following platforms:

Thanks to everyone who made this episode possible:

Hosts: @josecgomez , @bderuvo
Producer: @Banderson
Video Editor: @jgiese.wci
Music by: @Chris_Conn
Sampled Music for Outro Track by: The Passion HiFi
Graphic Design / Concept by: @hkeric.wci
Guest: @Mark_Wonsil

We hope you all enjoy the episode and let us know below your thoughts. If you have any questions you’d like answered by either us, or someone at Epicor in a future episode please send us a PM or an email directly to podcasts@epiusers.help and we will do everything we can to get you an answer.

We are looking for suggestions on additional guests we can have on the podcast so please send suggestions for that too.

Stay tuned for the next episode dropping on October 20th!!! :trumpet:

10 Likes
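The Dynamic Data Masking feature mentioned in the episode summary, shown as an added SQL Server example. This is not code from the episode or from Epicor; the `demo` schema, the `Customer` and `CustomerExport` tables, the sample row and the `ReportReader` user are all assumptions made for the illustration. Beyond the basic mask definitions it also shows how to inventory masked columns and two ways masking can disappoint you in practice.

```sql
-- Added illustration of SQL Server Dynamic Data Masking (DDM); not Epicor's
-- schema. Schema, table, column names and the ReportReader user are assumed.
CREATE SCHEMA demo;
GO

CREATE TABLE demo.Customer
(
    CustID      int           IDENTITY(1,1) PRIMARY KEY,
    Name        nvarchar(100) NOT NULL,
    -- Mask rules live on the column definition; the stored data stays in clear.
    Email       nvarchar(256) MASKED WITH (FUNCTION = 'email()') NULL,
    TaxID       varchar(11)   MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NULL,
    CreditLimit decimal(12,2) MASKED WITH (FUNCTION = 'random(1, 9999)') NULL,
    Phone       varchar(20)   MASKED WITH (FUNCTION = 'default()') NULL
);

-- Unmasked landing table, standing in for an export or a reporting copy.
CREATE TABLE demo.CustomerExport
(
    Name        nvarchar(100),
    Email       nvarchar(256),
    TaxID       varchar(11),
    CreditLimit decimal(12,2),
    Phone       varchar(20)
);
GO

-- Constructed sample row (fictitious values).
INSERT INTO demo.Customer (Name, Email, TaxID, CreditLimit, Phone)
VALUES (N'Acme Tooling', 'ap@acme.example', '123-45-6789', 50000.00, '616-555-0100');
GO

-- A mask can be added to an existing column (e.g. a UD field) without rewriting data.
ALTER TABLE demo.Customer
    ALTER COLUMN Name ADD MASKED WITH (FUNCTION = 'partial(1,"****",0)');
GO

-- Inventory of masked columns: the answer to "who decided what gets masked".
SELECT  OBJECT_SCHEMA_NAME(c.object_id) AS SchemaName,
        OBJECT_NAME(c.object_id)        AS TableName,
        c.name                          AS ColumnName,
        c.masking_function
FROM    sys.masked_columns AS c
WHERE   c.is_masked = 1;
GO

-- A reporting principal with SELECT/INSERT but without UNMASK.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON demo.Customer TO ReportReader;
GRANT SELECT, INSERT ON demo.CustomerExport TO ReportReader;
GO

EXECUTE AS USER = 'ReportReader';

-- Masked output: the mask is applied to the result set at query time.
SELECT Name, Email, TaxID, CreditLimit, Phone FROM demo.Customer;

-- Caveat 1: DDM masks what is returned, not what is compared. A predicate on a
-- masked column still matches, so a reader can confirm or brute-force a value.
SELECT Name FROM demo.Customer WHERE TaxID = '123-45-6789';

-- Caveat 2: a job that reads masked rows and writes them elsewhere persists the
-- masked values. This is the "masking ends up in the data" failure mode.
INSERT INTO demo.CustomerExport (Name, Email, TaxID, CreditLimit, Phone)
SELECT Name, Email, TaxID, CreditLimit, Phone FROM demo.Customer;

REVERT;
GO

-- As dbo the copy now holds masked strings, not the customer's real data.
SELECT * FROM demo.CustomerExport;

-- Only principals that genuinely need cleartext get UNMASK. Members of db_owner
-- are exempt from masking entirely, so keep application accounts out of that role.
GRANT UNMASK TO ReportReader;
GO
```

Run it in SSMS or sqlcmd against a scratch database. For the `ReportReader` select, `email()` yields the documented `aXXX@XXXX.com` form, `default()` on a string yields `xxxx`, and `partial(0,"XXX-XX-",4)` keeps only the last four characters of the tax ID. The two caveats are the ones worth carrying into an Epicor discussion: DDM is a presentation control, not an access control, and any integration, BAQ export or ETL running under a non-UNMASK account will faithfully copy masked values into whatever it writes.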

Nice work guys.
I guess I came away from that call with about the same opinion of Epicor security as I went into it with, which is there is room for improvement. Epicor is moving in the right direction but they are playing catch up with their competitors. A unified and clear security vision is needed from them and it needs to be communicated effectively.

There are many layers even inside the application that could be unified (I’m looking at you, menu security vs. process security). Outside the application, there is security of the machines and network that needs consideration, regardless of whether it’s on the LAN or on the WAN. Multi-factor authentication should be the default for your network, your machines, your services, and the applications inside it. When MFA is not feasible, it should be identified and remediated to offset the risk, not ignored.

Epicor should provide native and easy to use functionality for identifying PII, PHI, or really any sensitive data and a tokenization solution to offload it from the standard database and mask it in the client after it’s retrieved. This stuff isn’t going away and it’s getting more eyes on it all the time.
Next time you apply for cybersecurity insurance, I guarantee you they’ll ask about your MFA for network and applications. How your data is being secured at rest, in transit, etc. How about securely deleting your data when its lifecycle is over? How about built-in functionality for a development environment that can de-identify production data? Even access audits are janky as hell in Epicor (for me, again I don’t speak to your situation). Who can access and change financial data, the auditor asks? Wellll, it depends. Bad answer! And that’s just a financial audit.

Epicor designed their security with configuration in mind. Most companies probably are not going to put as much thought into it as they should, thus leaving gaping security holes in their implementation. Pre-defined roles and access should be shipped with the product, and customization of the roles should be an option for those who need it.

I think @Mark_Wonsil said it best when asked whose job security is: it’s everyone’s. Everyone from the end user to the developer to the CTO has a role to play, and the layered approach of everyone doing what they should be doing will go a long way in preventing a breach and containing it if one does happen.

6 Likes

Oh, we could spend a lot of time talking about this. I would like to see a better integration with the various identity providers so all authentication AND authorization are in one place. We should be able to create authorizations (part.view, apinvoice.create, apinvoice.post, etc.) and combine them into custom roles. From here, we can do our SOX checking to make sure there are clear separation of duties. These authorizations would map to the Security table (which holds all security: Menu, BO, Field, Service, etc.), and the custom roles would map to Groups.

We could then do more Zero Trust strategies by providing least privilege and grant access as needed for a limited amount of time and also include extra verification through MFA for certain operations.

7 Likes
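The authorization-and-role model sketched in the post above, with the SOX separation-of-duties check it would enable, as an added SQL example. This is not Epicor's schema or code: the table names, the authorization strings (`part.view`, `apinvoice.create`, `apinvoice.post`, `vendor.create`), the roles and the users are constructed for the illustration. It goes slightly beyond the post by also checking roles themselves, so a conflict cannot be introduced by editing a role rather than by assigning two roles.

```sql
-- Added illustration of an authorization/role model with a separation-of-duties
-- (SoD) check. Not Epicor's schema; all names and data below are assumed.
CREATE TABLE dbo.AppAuthorization
(
    AuthID   int         NOT NULL PRIMARY KEY,
    AuthName varchar(64) NOT NULL UNIQUE          -- e.g. 'apinvoice.post'
);
CREATE TABLE dbo.AppRole
(
    RoleID   int         NOT NULL PRIMARY KEY,
    RoleName varchar(64) NOT NULL UNIQUE          -- would map to an IdP group
);
CREATE TABLE dbo.RoleAuthorization
(
    RoleID int NOT NULL REFERENCES dbo.AppRole(RoleID),
    AuthID int NOT NULL REFERENCES dbo.AppAuthorization(AuthID),
    PRIMARY KEY (RoleID, AuthID)
);
CREATE TABLE dbo.UserRole
(
    UserName varchar(64) NOT NULL,                -- IdP subject
    RoleID   int         NOT NULL REFERENCES dbo.AppRole(RoleID),
    PRIMARY KEY (UserName, RoleID)
);
-- Pairs of authorizations one person must never hold at the same time.
CREATE TABLE dbo.SodConflict
(
    AuthA  varchar(64)  NOT NULL REFERENCES dbo.AppAuthorization(AuthName),
    AuthB  varchar(64)  NOT NULL REFERENCES dbo.AppAuthorization(AuthName),
    Reason varchar(200) NOT NULL,
    PRIMARY KEY (AuthA, AuthB)
);

-- Constructed sample data.
INSERT INTO dbo.AppAuthorization VALUES
    (1, 'part.view'), (2, 'apinvoice.create'), (3, 'apinvoice.post'), (4, 'vendor.create');
INSERT INTO dbo.AppRole VALUES
    (10, 'APClerk'), (20, 'APManager'), (30, 'Purchasing'), (40, 'APAll');
INSERT INTO dbo.RoleAuthorization VALUES
    (10, 1), (10, 2),          -- APClerk: view parts, enter invoices
    (20, 1), (20, 3),          -- APManager: view parts, post invoices
    (30, 1), (30, 4),          -- Purchasing: view parts, create vendors
    (40, 2), (40, 3);          -- APAll: enter AND post, a conflict baked into one role
INSERT INTO dbo.UserRole VALUES
    ('alice', 10), ('bob', 20), ('carol', 10), ('carol', 20), ('dave', 40), ('erin', 30);
INSERT INTO dbo.SodConflict VALUES
    ('apinvoice.create', 'apinvoice.post', 'Same person enters and approves AP invoices'),
    ('vendor.create',    'apinvoice.post', 'Same person creates a vendor and pays it');
GO

-- Detective check: users holding both halves of any conflict pair, through any
-- combination of roles, with the role that grants each half.
WITH Effective AS
(
    SELECT ur.UserName, a.AuthName, r.RoleName
    FROM   dbo.UserRole          AS ur
    JOIN   dbo.AppRole           AS r  ON r.RoleID  = ur.RoleID
    JOIN   dbo.RoleAuthorization AS ra ON ra.RoleID = ur.RoleID
    JOIN   dbo.AppAuthorization  AS a  ON a.AuthID  = ra.AuthID
)
SELECT  e1.UserName,
        c.AuthA, e1.RoleName AS GrantedBy_A,
        c.AuthB, e2.RoleName AS GrantedBy_B,
        c.Reason
FROM    dbo.SodConflict AS c
JOIN    Effective       AS e1 ON e1.AuthName = c.AuthA
JOIN    Effective       AS e2 ON e2.AuthName = c.AuthB
                             AND e2.UserName = e1.UserName
ORDER BY e1.UserName, c.AuthA;
GO

-- Preventive check, to run on every role edit: roles that violate a rule on their own.
SELECT  r.RoleName, c.AuthA, c.AuthB, c.Reason
FROM    dbo.SodConflict       AS c
JOIN    dbo.AppAuthorization  AS aa ON aa.AuthName = c.AuthA
JOIN    dbo.AppAuthorization  AS ab ON ab.AuthName = c.AuthB
JOIN    dbo.RoleAuthorization AS ra ON ra.AuthID  = aa.AuthID
JOIN    dbo.RoleAuthorization AS rb ON rb.AuthID  = ab.AuthID
                                   AND rb.RoleID  = ra.RoleID
JOIN    dbo.AppRole           AS r  ON r.RoleID   = ra.RoleID;
GO
```

With the sample data the detective query flags carol (APClerk plus APManager) and dave (APAll on its own), while alice, bob and erin pass; the preventive query flags only APAll. The value of keeping authorizations as readable strings is that the conflict table is something an auditor can read and sign off on, and the two queries are the evidence, instead of "it depends".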

All the pieces are there to build upon. I love the idea of “authorizations” that are generic enough to understand without needing to look under the hood for all the menu, BO, field, service etc. security components accompanying them.

3 Likes

Security always makes me sweat! This was like sitting through a black-hat conference for Epicor. I certainly don’t feel more secure after having listened.

I like this idea of dynamic data masking. Where does this masking get implemented? We are dedicated cloud tenancy. Does Epicor support implement masking for us? Who is the person that decides what fields to mask, and how much to show? Can we use this feature in Epicor yet? Does the masking happen at the BAQ level or the table level? Is there a working example in a BAQ we can look at? Is anyone using this? Once the masking is implemented, if I don’t have the keys to my “entire” kingdom, who does?

We use MFA for AD, but we don’t have Azure. How can we implement MFA for Epicor? Does MFA protect REST calls?

Thanks for a great episode guys!

1 Like

As Aaron mentioned, the system CAN be secured. It is not systemically insecure.

There is room for improved tooling to make this an easier job: supporting secrets management, using DevOps to bake security into the process of developing and deploying the system and customizations, using APIs instead of direct connection to the database, adding a layer to manage the relationship between groups and the security ID, etc.

Epicor also has masking for character fields, but I’ve learned that sometimes the masking ends up in the data… Ouch. Maybe start with masking for read-only fields? :person_shrugging: There is also an Epicor Idea for adding masking to other datatypes like costs, salaries, birthdates, etc.

AD, by design, is a perimeter-based security strategy. This makes it difficult to do Zero Trust. While you can do MFA, once in the castle… However, on top of MFA you could add Privileged Access Management (PAM) to improve AD security. I know there’s an Epicor Idea to support other Identity Providers besides EpicorID and AzureAD.

2 Likes

I agree on that point… Try listening to This Week in Enterprise Tech when they start talking about Darkreading.com… That will make you feel better!

Haven’t listened to all the podcast yet, but one issue I see is with context menus. If you haven’t paid close attention to your menu security you can inadvertently create holes where the knowledgeable end user can open forms that they are not really supposed to have access to.

Which leads me on to the other gripe: when security IDs are shared across menus. For the unfamiliar admin it can mess with your head a bit when you change the security on one menu item and it inadvertently changes it on another menu item that you did not intend it to. I remember some rather grumpy users losing menu access when I first started doing administration in E9. We live and learn.

Several years ago I had heard there was an obfuscation tool kicking around in the background somewhere, but when I enquired with support I got crickets. It must have been a myth.

Epicor has had SQL Transparent Data Encryption (TDE), that checkbox in the admin console, for a while; sadly, that only protects data at rest.

I am liking the DDM. It would be great to see an addition to the data admin tool to be able to set a flag and regenerate/create the database with masking, as well as an option on UD fields, and the ability to add masking to the extended properties (as a placeholder at least, so the regen knows which fields to mask over and above the Epicor-supplied base masked fields)… Anyway, just some thoughts.

These podcasts are great by the way, thanks again to all involved.

3 Likes

IdP supports MFA, and you can use it to do REST calls as well.

4 Likes

I wish he talked more about the Cloud and not Security.

Because I’m finding on-prem is much cheaper than Cloud… Not my story, but similar to my story with Azure :slight_smile:

3 Likes

I’m happy you listened to the whole thing!

1 Like

Well, cloud doesn’t have to mean cloud of course. It could be on-prem equipment that you manage but virtualize the servers on there and make your own cloud.
One major advantage of SaaS cloud vs. self managed cloud or self managed on prem is the ability to offload some security via contracts and service level agreements instead of making it a full time job or paying a team of people to do it. That is savings right there.
Security is a goofy thing too because it’s critically important yet doesn’t always add value to the business. It’s something we have to do to exist and protect ourselves yet it doesn’t necessarily enhance our business. I’d wager that this is also a growing pain at many companies who, even 5 years ago, relied on perimeter security as their security. Those days are fast approaching ancient history and lots of on-prem applications are going to be left with their pants down.
Cost savings is important for sure, but it’s easier to spend more and offset the security risks that way than to wing it and try to manage all of it in house, in my opinion.

2 Likes

Who’s the “He?”

1 Like

I wasn’t sure if you meant me or Zsolt Varga from the Medium article.

Assuming me, yes, there are certain workloads that may not be cost-effective in the cloud. In the case of Prerender, I can see that using Amazon S3 buckets (or Azure Blob Storage) to store and serve terabytes of prerendered HTML files would be quite expensive indeed! Interesting architectural choice. :thinking:

I wonder if they looked at a CDN to put in front of their S3 buckets? That would have sped up access, cut down outbound traffic, and saved transit costs. I also wonder why they didn’t store the files on their clients’ systems where the robots are crawling anyway? :person_shrugging:

They didn’t mention how many datacenters they used on-prem. Often people say cloud is expensive but they are not getting the equivalent capabilities. Did they have redundant hot sites far enough away? Do they have guards protecting those datacenters 24x7? Operators 24x7? Do they have redundant networking, cooling, and power across all these datacenters? Backups at all locations? SOC capabilities?

Cloud can be very expensive if you run it as one would on-prem. On-prem can get very expensive if you provide all the same capability that you get with the cloud. It’s all about choices.

3 Likes

Most manufacturing plants don’t need that many choices. We keep trying to upsell them as if they are consumer-facing… a tiny tire manufacturer in Ohio keeps getting bombarded with “Cloud is the future”; all they need is a Raspberry Pi :smiley: They don’t care about a co-location in Tokyo.

Yes, I meant you. It would have been nice to have you talk Cloud; I think you know a lot more on that topic and have a big passion for it, and it would be valuable :slight_smile:

1 Like

I’d argue the tiny tire manufacturer in Ohio is much better served with SaaS than on prem for basically every system they need. Let them focus on doing what they do best, which probably isn’t infrastructure and security management.

3 Likes

They probably already have a Managed Services Provider local in their area who acts as their IT helpdesk, fixes printers, swaps monitors… they simply handle all that. A Dell T710 can last you for 10 yrs for $8000. They still run it; I set up the RAID and they have had 0 failures to this day. They also grow slowly; they can predict and acquire 5 yrs ahead.

I’d like to one day sit down and have a deep conversation about this. I don’t believe the manufacturing industry cares about any of it. Especially automotive, they don’t care AT ALL. Period. Been in that industry for 8 yrs and oh my god! The Administrator password is shared in the company like candy. Everybody knows the Admin password was dontforget1!

Some even run Windows 2008 R2 still – you tell them about the security flaws, they simply don’t care; they hold no trade secrets, most are tier 2, 3 suppliers.

Some don’t even connect to the internet and run it all on LAN.

I am not anti-cloud. But sales people think everyone needs it :slight_smile: Mark you need to come to Grand Rapids, hang out with me and @utaylor

3 Likes

I got to hang out with Mark a ton during insights this year, it was nice!

He is welcome any time to a cook out on the west side though!

2 Likes

Of course. I was replying to the article about Prerender and their move away from AWS.

As for most manufacturing plants, I agree with Aaron that most don’t have the IT talent to do infrastructure and security well. We had a Small Business Server years ago at my first Epicor job. Those people still on that system (or had Exchange on-prem) got crushed by Hafnium at the beginning of 2021 because they weren’t applying patches as quickly as they should have.

The truth is, most companies are hybrid like we are here. Some systems are services in the cloud and others are on-prem. Having access to your internal network is something else the MSP has to do, and well. MSPs have huge targets on their backs since infiltrating one gets them multiple companies. Zoho’s ManageEngine is being exploited as we speak.

And YAAS, we need a Michigan Meetup my friend!!!

4 Likes

We DID have a good time. I’m all about the West Side.


3 Likes