On-Premises to SaaS: Identity Management Is Critical for ERP Security
Are you moving Microsoft Dynamics 365 Business Central (or any other ERP) from on-premises to SaaS?
If so, we must discuss Identity Access Management (IAM).
What is IAM?
In a nutshell, IAM is the process of identifying the users who request access to your systems, granting them access, and controlling their level of access. IAM secures sensitive company information based on the user’s role and identity.
Security in Microsoft Azure
Moving your apps to Azure allows you to make use of Microsoft Azure’s security, which typically goes beyond the security capabilities of most organizations, regardless of size. Azure security provides:
- Controlled access to the building
- Controlled access to the servers
- Virus and intrusion detection and removal
- Regular backups
- Geographically dispersed servers
- High-availability and failover capabilities
- And more!
With all the security included when moving to Azure, what could go wrong?
The difference between IAM on-premises vs. IAM SaaS
In theory, there should be little or no difference between how user roles and access privileges are handled on-premises vs. how they are handled in the cloud. However, the reality is that many companies are lax in enforcing security in on-premises environments because they assume logins from within the company come from trusted users, employees, and contractors who pose no threat. They are under the mistaken impression that a valid username and password are all that’s needed to identify the person trying to gain access to the system. Unfortunately, internal fraud poses a genuine risk: In 2022, internal fraud cost companies an estimated $5 trillion globally, and nearly half of those fraud cases were because of a lack of internal controls or an override of existing controls.
The problem of identity management is amplified in a SaaS environment, where login attempts can come from anywhere in the world, not just from within the company. If the only mechanism you have to identify an individual requesting access is the combination of username and password, you are putting your company’s cloud-based systems and data at risk if a user’s credentials are compromised.
IAM techniques and practices
Identity Access Management represents a collection of technologies and procedures that go beyond username and password to validate the identity of the person requesting access before allowing them into the system. Here are several ways to enforce IAM in a SaaS environment:
- Multi-Factor Authentication (MFA) – You’ve probably experienced MFA if you have ever tried to log into an application with your username and password and were then sent a code via text or email to enter before you were granted permission into the system. The username and password were one authentication method, and entering the code received through a different communication channel was another. MFA capabilities are provided free of charge for every Entra ID on Azure.
- Conditional Access – While MFA is a good start, it is not bulletproof. Another technique that helps prevent unauthorized access to your cloud-based apps is conditional access. Administrators can set up a number of rules and filters to detect suspicious activity and prevent unauthorized access. Login attempts can be filtered by time of day, geographic location, IP address, device type, OS, or other criteria. For example, wouldn’t you like to know if someone using the login credentials of a person from your Finance department attempted a login from Russia over the weekend? Perhaps it was a legitimate login attempt, but having a conditional access policy in place would alert your IT staff before granting access. Stopping a suspicious login is better than coming to work Monday morning and finding that all your data was trashed over the weekend.
- Authentication app (passwordless authentication) – Most mobile phones support an authentication app that provides additional security. During login attempts, the user is sent a notification to the authentication app on their mobile device. The user is granted access by providing the required code along with the phone’s security mechanism (password, PIN, fingerprint, facial recognition, etc.).
- Zero Trust – The zero-trust security model assumes that no one should be trusted to access any system, whether the login attempt originated inside or outside the company’s network. This model enforces valid login and access credentials whenever a user requests access to an application.
- The Principle of Least Privilege – When assigning permissions to user roles, the principle of least privilege grants only the minimum amount of system access necessary for that role to perform its job functions. Assigning the least privilege to a user will mitigate the risk if a user’s credentials are compromised.
- Regular access reviews – It is important security hygiene (and a regulatory requirement for some companies) that companies perform periodic reviews of user identities and their access privileges. As users leave, change work assignments, or are promoted, their access privileges should change to reflect their new roles.
- Educate users – Companies should regularly train new and existing employees about the importance of protecting their login credentials and identifying and avoiding hacking attempts.
- Monitor for suspicious activity – Companies should continuously monitor user activities to identify suspicious activity that might represent a security threat and implement an action plan if a threat is detected.
- Consider purchasing Cyber insurance – Cyber insurance can help companies who fall victim to an attack with crisis management, legal services, forensics, and more.
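The Conditional Access item above describes filtering login attempts by time of day, location, IP address, and OS, and alerting IT staff before access is granted. The sketch below is an added illustration of that rule evaluation, not Entra ID's implementation or code from this article; the policy values, field names, decision labels, and sample sign-ins are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Hypothetical policy values, chosen for illustration only.
POLICY = {
    "trusted_networks": [ip_network("203.0.113.0/24")],  # constructed office range
    "allowed_countries": {"US", "CA"},
    "business_days": {0, 1, 2, 3, 4},       # Monday-Friday
    "business_hours_utc": range(12, 24),    # 12:00-23:59 UTC
    "allowed_os": {"Windows", "macOS", "iOS", "Android"},
}

SignIn = namedtuple("SignIn", "user when ip country os mfa_passed")

def evaluate(event, policy=POLICY):
    """Return (decision, reasons): 'allow', 'require_mfa' or 'block'."""
    reasons = []
    addr = ip_address(event.ip)
    if not any(addr in net for net in policy["trusted_networks"]):
        reasons.append("untrusted_network")
    if event.country not in policy["allowed_countries"]:
        reasons.append("unexpected_country")
    when = event.when.astimezone(timezone.utc)
    if (when.weekday() not in policy["business_days"]
            or when.hour not in policy["business_hours_utc"]):
        reasons.append("outside_business_hours")
    if event.os not in policy["allowed_os"]:
        reasons.append("unsupported_os")
    # Location or OS violations block outright; softer signals step up to MFA.
    if {"unexpected_country", "unsupported_os"} & set(reasons):
        return "block", reasons
    if reasons and not event.mfa_passed:
        return "require_mfa", reasons
    return "allow", reasons

def alerts(events, policy=POLICY):
    """Sign-ins IT staff should see before access is granted."""
    results = [(e.user, *evaluate(e, policy)) for e in events]
    return [r for r in results if r[1] != "allow"]

# Constructed sample sign-in events (not real log data).
UTC = timezone.utc
SAMPLE = [
    SignIn("finance.a", datetime(2024, 6, 4, 15, 0, tzinfo=UTC), "203.0.113.10", "US", "Windows", False),
    SignIn("finance.a", datetime(2024, 6, 8, 3, 0, tzinfo=UTC), "198.51.100.7", "RU", "Windows", True),
    SignIn("sales.b", datetime(2024, 6, 4, 15, 0, tzinfo=UTC), "198.51.100.20", "US", "iOS", False),
]
```

Note that the weekend sign-in from an unexpected country is blocked even though MFA succeeded, which is the case the Finance example describes: valid credentials and a passed second factor do not override the location rule.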
How ArcherPoint can help transition you to the cloud
There are many advantages to moving your NAV or Business Central ERP from on-premises to the Cloud.
ArcherPoint offers cybersecurity help for clients who are transitioning to the Cloud. ArcherPoint’s Managed IT services include 24/7 cybersecurity monitoring, cyber insurance qualification assistance, and cloud security assessments.
And be sure to download our eBook for more information on protecting your company from cyberattacks.