SECURING BUSINESS PROCESSES WHEN BUILDING DATABASES IN ERP SYSTEMS

ОБЕСПЕЧЕНИЕ БЕЗОПАСНОСТИ БИЗНЕС-ПРОЦЕССОВ ПРИ ПОСТРОЕНИИ БАЗ ДАННЫХ В ERP-СИСТЕМАХ
Tursynkhan A. Alimzhanova L.
Цитировать:
Tursynkhan A., Alimzhanova L. SECURING BUSINESS PROCESSES WHEN BUILDING DATABASES IN ERP SYSTEMS // Universum: технические науки : электрон. научн. журн. 2021. 12(93). URL: https://7universum.com/ru/tech/archive/item/12822 (дата обращения: 18.12.2024).
Прочитать статью:

 

ABSTRACT

The paper examined the history of the evolution of the database, the problems of information security of recent years and conducted a comparative analysis of information security tools using the example of well-known ERP systems.

АННОТАЦИЯ

В статье рассмотрена история эволюции базы данных, проблемы информационной безопасности последних лет и проведен сравнительный анализ средств защиты информации на примере известных ERP-систем.

 

Keywords: database, database management systems, information security, ERP-systems, RBAC, Critical Patch Updates, Microsoft Dynamics AX, SAP NetWeaver, SAP SE, Oracle E-Business Suite, Oracle Database Server, APS-planning.

Ключевые слова: база данных, системы управления базами данных, информационная безопасность, ERP-системы, RBAC, Critical Patch Updates, Microsoft Dynamics AX, SAP NetWeaver, SAP SE, Oracle E-Business Suite, Oracle Database Server, APS-планирование.

 

I. INTRODUCTION

Operational network databases appeared in the mid-1960s. Operations on operational databases were processed interactively through terminals. Simple index-sequential record organization quickly evolved into a more powerful set-oriented record model. For leading the work of the Data Base Task Group (DBTG), which developed a standard language for describing data and manipulating data, Charles Bachman received the Turing Prize.

At the same time, the concept of database schemes and the concept of data independence were developed in the Kobol database community [1].

The next important stage is associated with the emergence in the early 1970s of a relational data model, thanks to the work of Edgar Codd. Codd's work opened the way to the close connection of applied database technology with mathematics and logic. For his contribution to theory and practice, Edgar F. Codd also received the Turing Prize.

II. EVALUATION OF DATABASE DEVELOPMENT

The term database itself (English database) appeared in the early 1960s and was introduced into use at symposia organized by SDC in 1964 and 1965, although it was understood at first in a rather narrow sense, in the context of artificial intelligence systems. The term came into widespread use in the modern sense only in the 1970s [2].

If it traces the evolution of the database, then with the advent of the earliest means of communication, diplomats and military figures realized the need to develop mechanisms to protect confidential correspondence and ways to identify attempts to falsify it. For example, Julius Caesar is credited with inventing about 50 B.C.E. Caesar's cipher, which was designed to prevent his secret messages from being read by those to whom they were not intended [3]. Although, for the most part, protection was provided by monitoring the very procedure for handling secret correspondence. Confidential messages were marked so that they were protected and transmitted only with proxies under guard, stored in secure premises or strong caskets.

With the development of mail, government organizations began to emerge to intercept, decrypt, read and re-seal letters. So in England, for these purposes in 1653, the Privy Chancellery appeared [4]. In Russia, perlustration has been carried out, at least since the time of Peter I - since 1690, all letters going abroad have been opened in Smolensk. The practice of secretly copying correspondence of almost all foreign diplomats so that the addressee did not have any suspicions acquired a systemic character in the middle of the 18th century - the so-called "black offices" appeared [5]. After the autopsy, it was necessary to carry out cryptanalysis of the message, for which well-known mathematicians of their time were involved in the activities of black offices. The most outstanding results were achieved by Christian Goldbach, who managed to decrypt 61 letters from Prussian and French ministers in six months of work. In some cases, after successful decryption of the letter, its contents were replaced - some semblance of the attack "man in the middle" [6].

At the beginning of the 19th century, in Russia, with the advent of Alexander I, all cryptographic activities were transferred to the Office of the Ministry of Foreign Affairs. Since 1803, the outstanding Russian scientist Pavel Lvovich Shilling has been in the service of this department. One of the most significant achievements of the Chancellery was the decryption of the orders and correspondence of Napoleon I during the Patriotic War of 1812 [7] [8].

 In the mid-19th century, more complex classification systems for classified information appeared, allowing governments to manage information depending on its degree of confidentiality. For example, to some extent, the British government legitimized such a classification in 1889 by publishing the Official Secrets Act.

In the interwar period, encryption systems became increasingly complicated. Special machines began to be used to encrypt and decrypt secret messages, of which the most famous is Enigma, created by German engineers in the 1920s. In 1932, the Bureau of Ciphers of Polish Intelligence mana ged to crack the Enigma cipher by reverse development [9].

The amount of information exchanged between the countries of the anti-Hitler coalition during World War II required formal coordination of national classification systems and control and management procedures. A set of secrecy labels available only to dedicated people was formed to determine who can handle documents and where they should be stored, considering the appearance of increasingly complex safes and repositories. The warring parties developed procedures for the guaranteed destruction of secret documents. Some of the violations of such procedures led to the most significant intellectual achievements in the entire war. For example, the crew of the German submarine U-570 failed to properly destroy many secret documents that went to the British who captured it [10]. A striking example of the use of information security tools is the Enigma mentioned above, a complicated version of which appeared in 1938 and was widely used by the Wehrmacht and other services of the Third Reich. In the UK, a group led by Alan Turing was successfully engaged in cryptanalysis of enemy messages encrypted using Enigma. The Turing Bombe decryption machine they developed provided significant assistance to the anti-Hitler coalition, and sometimes it is credited with a decisive role in the victory of the Allies [10]. In the United States, signalmen from the Navajo Indian tribe, whose language no one outside the United States knew, were recruited to encrypt radio conversations in the Pacific theater of operations [11]. The Japanese could not find the key to this exotic method of information protection. In the USSR, since the 1930s, the so-called RF communication, based on voice modulation of high-frequency signals and their subsequent scrambling, has been used to protect the telephone conversations of the highest government bodies of the country from listening. However, the lack of cryptographic protection allowed a spectrometer to restore messages in the intercepted signal. The second half of the 20th and early 21st centuries were marked by the rapid development of telecommunications, computer hardware, software, and data encryption. The introduction of compact, powerful, and inexpensive computer equipment has made electronic data processing available to small businesses and home users. Very quickly, computers were united by the Internet, which led to the explosive growth of the electronic business. All of this, combined with the emergence of cybercrime and numerous cases of international terrorism, has led to the need for better methods to protect computers and the information they store, process, and transmit. As a result, scientific disciplines have arisen, such as "Computer Security" and "Methods of Information Protection" and many professional organizations that pursue the general goals of ensuring the security and reliability of information systems [12].

If we study various schools and countries in the formation of a database, the Japanese government announced its intention to respond to the growing threats of targeted hacker attacks by creating a centralized APT database (advanced persistent threat database). It is designed to manage information on threats, as well as to quickly exchange these data with national security agencies, as well as with foreign governments.

The project, the cost of which, according to preliminary estimates, is 266 million rubles, will be implemented in cooperation with Japanese government agencies and companies and third-party developers from other countries. At the same time, the management of the database will be entrusted to the information security service of the Ministry of Economy, Trade, and Industry of Japan.

It is worth noting that the country's authorities talk about this initiative in the context of the growth of threats originating from abroad and aimed at various organizations within the state. At the same time, according to Japanese officials, the United States is one of the most interested parties in the project.

The Russian market presents a solution of the DAM class "Garda DB" from the company "Garda Technologiya." It is a hardware and software complex that continuously monitors all requests to databases and web applications in real-time and stores them for a long time. In addition, the system scans and detects DBMS vulnerabilities, such as unlocked accounts, simple passwords, unidentified patches. The incident response occurs instantly in the form of alerts to the e-mail and the SIEM system.

The database protection system is installed passively; that is, it does not affect the performance of the company's network. Intelligent storage enables you to create an archive of queries and responses to databases over any period of time for further retrospective analysis and investigation of incidents. This is the first system of the DAM class, included in the register of domestic software and installed in many large Russian banks [13].

When comparing leaders in database building processes, most modern ERP systems use the RBAC (Role-Based Access Control) model to allow users to perform only strictly defined transactions and access only certain business objects. In the RBAC model, decisions to grant access to the user are made based on the user's functions in the organization [14].

Critical Patch Updates is a comprehensive set of patches that address major security gaps and include enforceable patches, prerequisites for correcting security gaps, or both. As a result, administrators receive a quarterly schedule for the application of patches in the system. The use of a single patch once a quarter is more convenient than the use of many patches that need careful testing and can conflict with each other.

The most famous manufacturers and products in Russia are IBM Infosphere Guardium, Imperva, Embarcadero DS Auditor. These solutions support a wide range of DBMS versions and avoid increasing the load on them. In addition, there are also a number of products from DBMS manufacturers that support their databases, such as Oracle Database Vault, which effectively solve the tasks of monitoring, detecting anomalies, and notifying unauthorized transactions [15].

The basic security provisions of the database take into account that intruders are interested in such types of information as internal operating information, personal data of employees, financial information, information about customers/clients, intellectual property, market research/analysis of competitors, payment information [16]. This information is ultimately stored in corporate repositories and databases of various volumes. All this leads to the need to protect not only communications, operating systems, and other elements of the infrastructure but also data warehouses as another barrier to the path of an attacker. To date, however, work on OBD security has focused on overcoming existing and known vulnerabilities, implementing basic access models, and addressing DBMS-specific issues. Many researchers consider a comprehensive approach to systematizing the safety of different databases in the light of new threats as the purpose of their work. In these works, he explores approaches to ensuring the confidentiality, integrity, and availability of the database, preventing, identifying, and ignoring attacks. Among foreign works covering modern areas of research, one can note [17.18].

Many aspects of daily life have now changed dramatically. The universal "remote" and record digitalization of most industries could not but transform the information security landscape.

On the "remote" employee, information security depends only on himself. According to Positive Technologies, by the end of 2020, the number of attacks that exploit the vulnerabilities of Internet services for work tripled. A popular scenario is the theft of credentials for connecting to enterprise systems and gaining unauthorized access to work conferences. According to forecasts, the number of such attacks will increase.

Throughout 2020, the number of encryption attacks grew - malware that encrypts data, blocks work, and often requires a ransom. From the first to the third quarter, the number of such attacks doubled. Moreover, as a goal, their creators choose, as a rule, not an abstract set of users but specific representatives of large companies who can pay a large ransom and for whom it is vital to continue to work.

Blackmail with stolen private data also gained popularity. Examples of blackmail software: Maze, Sodinokibi, DoppelPaymer, NetWalker, Ako, Nefilim, Clop. This turned into a full-fledged industry: attackers even created their own sites and auctions for the sale of stolen information.

Another variation of such activity is that attackers steal compromising activity data from an online store (for example, about shopping in a sex shop) and offer to pay so that information is not sold to third parties. According to some forecasts, ransomware can even reach cloud repositories.

As a result, many new hacker associations and sites on the shadow Internet will soon appear. The motivation is simple - to jointly attack an attractive goal and earn good money from it. They, as before, will be demanded the restoration of the system and the preservation of stolen information. The threat of the publication of sensitive data is still in honor of attackers.

Today, in the zone of special attention of hackers, service providers, and services. In 2020, there were about 200 attacks on energy and industrial companies, when there were 125 of them a year earlier.

There is also a growing trend of attacks on suppliers. As large companies become increasingly complex targets, software and security developers, IT integrators, and IT contractors are at risk.

High-class IB specialists are needed to protect against a well-planned attack, and not all of these companies can afford them. And this increases the likelihood of success for hackers. Furthermore, stopping production is a desirable goal for attackers, because in this case, the victim is strongly motivated to pay money. For this reason, ransom amounts also increased. In June, Honda and Enel Group became victims of the new Snake encoder, created specifically to stop important processes in industrial control systems [19].

One option to avoid this is to spend time and resources on a detailed study of the vendor's entire supply chain to understand the consequences in the event of a hack.

Large banks have done a good job on the security of their applications: they improved fault tolerance by switching to a microservice architecture and reduced the number of standard web vulnerabilities (XSS, SOUNDi, RCE) [20].

However, the number of logical vulnerabilities has grown, which can ultimately lead to the theft of money, hackers receiving sensitive information, and, as a result, denial of service by the bank. The goal of hackers today is not even a complete compromise of the banking application system but the operation of logical vulnerabilities.

Thus, the authors conducted a comparative analysis between information security methods used by various ERP systems:

Table 1.

Analysis between information security methods used by various ERP system

Product

Developers

Technologies

Scope of application

Opportunities

Cost

1

SAP NetWeaver

SAP SE

Enterprise Portals, Application Development Tools

Defense enterprises, oil and gas companies, metallurgy, energy telecommunications, banking sector.

Integration (ETL) of data from different sources;

Data quality assurance;

Graphical development environment;

Pre-built "data marts" for SAP and non-SAP systems;

Loading the SAP BW DataStore with data from non-SAP systems

Extracting data from external applications;

Quality assurance of analytics.

$350 thousand.

2

Oracle E-Business Suite и Oracle Database Server

Oracle

ERP, DBMS, Application Development Tools

Heavy industry (mainly metallurgy), telecommunications companies, the financial sector, the chemical industry.

1) Oracle erp:

Production Management: Discrete, Design, Process;

Financial Management: General Ledger, Fixed Assets, Transaction Costing, Cash Flow, Accounts Receivable and Payable, Treasury, Global Consolidation System, Tax Accounting;

Logistics Management - Supply, Sales, Warehouses

Human Resources: Personnel, Salary, Personnel Accounting;

Project management;

Operation Management: Equipment Maintenance, Complex Repairs, Maintenance and Modernization, Materials Management, Advanced Material Flow Planning.

2) Oracle CRM (Customer Relationship Management): Marketing; Sales; Contracts; Service; Call-center.

3) Electronic marketplaces (Exchange).

$5 thousand.

3

iScala

Epicor Software Corporation

ERP

Engineering, telecommunications, food processing.

Support for multiple payroll methods within a single installation

Self-service for employees: allows employees to manage data, including filling out time sheets, receiving reports on personal data;

Payroll Budget Management: enables the forecasting and analysis of current and planned ratios and the improvement of budget decision-making;

Compliance with approved regulations: iScala Advanced Payroll is an "active" payroll system,

which itself requires the entry of data and the execution of procedures based on the results of certain business transactions;

$2-5 thousand

4

ERP Galaxy

Galaxy Corporation

ERP

Oil and gas industry, mechanical engineering, chemistry, energy, metallurgy, etc.

Product Data Management

Order management

Volume scheduling

MRP and APS planning

operational management of production;

logistical support;

production logistics;

operational control of production at the shop floor;

product quality control;

Cost Management, Controlling.

14,000 rubles

5

Microsoft Dynamics AX

Microsoft

ERP

Enterprises of the oil industry, food industry, trading companies, metallurgy, distribution, telecommunications industry.

Material and Capacity Requirements Planning

Maintenance of regulatory reference information:

Detailed planning of production tasks;

Resource Management:

Manage the distributed warehouse structure

Inventory Management

Trade agreements

Working with Prospective Orders

Track movements and reservations of goods and items

$3.5K

 

The way to ensure the information security of the network infrastructure is that many modern ERP systems, such as SAP NetWeaver or Oracle e-Business Suite, apply web standards to build the interaction of their components. In this case, HTTPS can be used to protect the traffic.

The effective software for your business offered by ERP products is what will integrate all your business functions into a single centralized structure. Thus, the centralized structure of business management and its data will have a greater effect on its activities and ensure the security of business processes.

 

References:

  1. Gray, J. Data Management: Past, Present, and Future
  2. Haigh T. How Data Got its Base: Information Storage Software in the 1950s and 1960s // IEEE Annals of the History of Computing. — 2009. — #4 October-December
  3. Guy Suetonius Tranquill. Book One//Life of Twelve Caesars = De vita XII caesarvm: [per. Lat. ]/translation by Gasparov M. - M.: Publishing house "Science," 1964. — 374 pages.
  4. Johnson, John. The Evolution of British Sigint : 1653–1939 : [англ.]. — Her Majesty's Stationary Office, 1998. — 58 p.
  5. Izmozik, V. S. "Black Offices": the history of Russian perlustration. XVIII - beginning of the XX century. - M.: New literary review, 2015. — ISBN 978-5-4448-0392-9.
  6. Soboleva, T. A. Introduction//History of encryption in Russia. - M.: OLMA-Press, 2002. - 510 s. - ISBN 5224036348.
  7. Tokareva N. N. On the history of cryptography in Russia//Applied discrete mathematics. — 2012. - December (No. 4 (18)).
  8. Nosov V. A. A short historical essay on the development of cryptography//Moscow University and the development of cryptography in Russia, Moscow State University, October 17-18, 2002: conference materials. — 2002. — Page 20 — 32.
  9. Singh, Simon. Book of ciphers: The secret history of ciphers and their decryption. - M.: Publishing house "AST," 2009. - 448 sec. - ISBN 5-17-038477-7.
  10. Sebag–Montefiore, Hugh. Enigma : The Battle for the Code. — Orion, 2011. — 576 p. — ISBN 9781780221236.
  11. Zhelnikov V. Message language//Cryptography from papyrus to computer. - M.: ABF, 1996. - 335 sec. - ISBN 5-87484-054-0.
  12. Chapter 24 : A History of Internet Security / De Nardis, L. // The History of Information Security : A Comprehensive Handbook / edited by de Leeuw, K. M. M. and Bergstra, J.. — Elsevier, 2007. — ISBN 9780080550589.
  13. Daniel O'Leary. ERP systems: selection, implementation, operation. Modern Enterprise Resource Planning and Management. M.: Vershina,  2004. 272 pages.
  14. Nenashev S.A. Cryptographic information protection in SAP ERP systems//Information Security/Information Security. 2009. №3. C. 24-25.
  15. Petrenko S.A., Kurbatov V.A. Information security policies. M.: DMK Press, 2006. 400 pages.
  16. Business information security. Research on current trends in business information security. 2014. URL: http://media.kaspersky.com/pdf/IT_risk_report_Russia_2014.pdf (case date: 26.02.2016).
  17. Burtescu E. Database security – attacks and control methods. Journ. of Applied Quantitative Methods, 2009, vol. 4, no. 4, pp. 449–454.
  18. Rohilla S., Mittal P.K. Database Security: Threads and Challenges. Intern. Journ. of Advanced Research in Computer Science and Software Engineering, 2013, vol. 3, iss. 5, pp. 810–813.
  19. Egorova G.V., Shlyapkin A.V. Information security of ERP-systems//Information systems and technologies: management and security. 2013. №2. S. 202-211.
  20. Calais V. Implementation of SAP R/3. A guide for managers and engineers. M: IT Company, 2004. 511 pages
Информация об авторах

Student, Al-Farabi Kazakh National University, Kazakhstan, Almaty

студент, Казахский национальный университет им. аль-Фараби, Казахстан, г. Алматы

Candidate of engineering science, associate Professor, Al-Farabi Kazakh National University,  Kazakhstan, Almaty

канд. техн. наук доцент, и.о профессора, Казахский национальный университет им. аль-Фараби, Казахстан, г. Алматы

Журнал зарегистрирован Федеральной службой по надзору в сфере связи, информационных технологий и массовых коммуникаций (Роскомнадзор), регистрационный номер ЭЛ №ФС77-54434 от 17.06.2013
Учредитель журнала - ООО «МЦНО»
Главный редактор - Ахметов Сайранбек Махсутович.
Top