SECURING BUSINESS PROCESSES WHEN BUILDING DATABASES IN ERP SYSTEMS

Tursynkhan A., Alimzhanova L.
Cite as:
Tursynkhan A., Alimzhanova L. SECURING BUSINESS PROCESSES WHEN BUILDING DATABASES IN ERP SYSTEMS // Universum: Technical Sciences: electronic scientific journal. 2021. 12(93). URL: https://7universum.com/ru/tech/archive/item/12822 (accessed: 20.04.2024).
ABSTRACT

The paper reviews the history of the evolution of databases and the information security problems of recent years, and conducts a comparative analysis of information security tools using well-known ERP systems as examples.


Keywords: database, database management systems, information security, ERP-systems, RBAC, Critical Patch Updates, Microsoft Dynamics AX, SAP NetWeaver, SAP SE, Oracle E-Business Suite, Oracle Database Server, APS-planning.


I. INTRODUCTION

Operational network databases appeared in the mid-1960s. Operations on them were processed interactively through terminals. The simple index-sequential record organization quickly evolved into a more powerful set-oriented record model. For leading the work of the Data Base Task Group (DBTG), which developed a standard language for describing and manipulating data, Charles Bachman received the Turing Award.

At the same time, the concept of database schemas and the concept of data independence were developed in the COBOL database community [1].

The next important stage is associated with the emergence of the relational data model in the early 1970s, thanks to the work of Edgar Codd. Codd's work opened the way to a close connection between applied database technology and mathematics and logic. For his contribution to theory and practice, Edgar F. Codd also received the Turing Award.

II. EVOLUTION OF DATABASE DEVELOPMENT

The term database itself appeared in the early 1960s and was introduced into use at symposia organized by SDC in 1964 and 1965, although at first it was understood in a rather narrow sense, in the context of artificial intelligence systems. The term came into widespread use in the modern sense only in the 1970s [2].

If we trace the evolution of the database, then already with the advent of the earliest means of communication, diplomats and military figures realized the need to develop mechanisms to protect confidential correspondence and ways to identify attempts to falsify it. For example, Julius Caesar is credited with inventing, around 50 B.C.E., the Caesar cipher, which was designed to prevent his secret messages from being read by those for whom they were not intended [3]. For the most part, however, protection was provided by controlling the very procedure for handling secret correspondence: confidential messages were marked so that they were protected and transmitted only by trusted persons under guard, and stored in secure premises or strong caskets.

With the development of mail, government organizations began to emerge to intercept, decrypt, read and re-seal letters. In England, the Secret Office appeared for these purposes in 1653 [4]. In Russia, perlustration has been carried out at least since the time of Peter I: since 1690, all letters going abroad were opened in Smolensk. The practice of secretly copying the correspondence of almost all foreign diplomats, so that the addressee had no suspicions, acquired a systematic character in the middle of the 18th century, when the so-called "black offices" appeared [5]. After opening a letter, it was necessary to carry out cryptanalysis of the message, for which well-known mathematicians of their time were involved in the activities of the black offices. The most outstanding results were achieved by Christian Goldbach, who managed to decrypt 61 letters from Prussian and French ministers in six months of work. In some cases, after successful decryption of a letter, its contents were replaced, a kind of "man in the middle" attack [6].

At the beginning of the 19th century, in Russia, with the accession of Alexander I, all cryptographic activities were transferred to the Office of the Ministry of Foreign Affairs. From 1803, the outstanding Russian scientist Pavel Lvovich Schilling was in the service of this department. One of the most significant achievements of the Chancellery was the decryption of the orders and correspondence of Napoleon I during the Patriotic War of 1812 [7] [8].

In the mid-19th century, more complex classification systems for classified information appeared, allowing governments to manage information depending on its degree of confidentiality. For example, the British government to some extent legitimized such a classification in 1889 by publishing the Official Secrets Act.

In the interwar period, encryption systems became increasingly complicated. Special machines began to be used to encrypt and decrypt secret messages, the most famous of which is Enigma, created by German engineers in the 1920s. In 1932, the Cipher Bureau of Polish Intelligence managed to crack the Enigma cipher by reverse engineering [9].

The amount of information exchanged between the countries of the anti-Hitler coalition during World War II required formal coordination of national classification systems and of control and management procedures. A set of secrecy labels available only to authorized people was formed to determine who could handle documents and where they should be stored, considering the appearance of increasingly complex safes and repositories. The warring parties developed procedures for the guaranteed destruction of secret documents. Some violations of such procedures led to the most significant intelligence achievements of the entire war. For example, the crew of the German submarine U-570 failed to properly destroy many secret documents, which went to the British who captured it [10]. A striking example of the use of information security tools is the Enigma mentioned above, a more complicated version of which appeared in 1938 and was widely used by the Wehrmacht and other services of the Third Reich. In the UK, a group led by Alan Turing was successfully engaged in cryptanalysis of enemy messages encrypted with Enigma. The Turing Bombe decryption machine they developed provided significant assistance to the anti-Hitler coalition, and it is sometimes credited with a decisive role in the victory of the Allies [10]. In the United States, signalmen from the Navajo tribe, whose language no one outside the United States knew, were recruited to encrypt radio conversations in the Pacific theater of operations [11]. The Japanese could not find the key to this exotic method of information protection. In the USSR, since the 1930s, the so-called HF (high-frequency) communication, based on voice modulation of high-frequency signals and their subsequent scrambling, has been used to protect the telephone conversations of the highest government bodies of the country from eavesdropping. However, the lack of cryptographic protection allowed messages to be recovered from the intercepted signal with a spectrum analyser.
The second half of the 20th and early 21st centuries were marked by the rapid development of telecommunications, computer hardware, software, and data encryption. The introduction of compact, powerful, and inexpensive computer equipment has made electronic data processing available to small businesses and home users. Very quickly, computers were united by the Internet, which led to the explosive growth of the electronic business. All of this, combined with the emergence of cybercrime and numerous cases of international terrorism, has led to the need for better methods to protect computers and the information they store, process, and transmit. As a result, scientific disciplines have arisen, such as "Computer Security" and "Methods of Information Protection" and many professional organizations that pursue the general goals of ensuring the security and reliability of information systems [12].

Looking at how different countries approach the creation of such databases, the Japanese government announced its intention to respond to the growing threat of targeted hacker attacks by creating a centralized APT (advanced persistent threat) database. It is designed to manage information on threats and to quickly exchange these data with national security agencies as well as with foreign governments.

The project, whose cost is estimated at 266 million rubles, will be implemented in cooperation with Japanese government agencies and companies and with third-party developers from other countries. Management of the database will be entrusted to the information security service of the Ministry of Economy, Trade, and Industry of Japan.

It is worth noting that the country's authorities talk about this initiative in the context of the growth of threats originating from abroad and aimed at various organizations within the state. At the same time, according to Japanese officials, the United States is one of the most interested parties in the project.

The Russian market offers a solution of the DAM (Database Activity Monitoring) class, "Garda DB" from the company "Garda Technologiya." It is a hardware and software complex that continuously monitors all requests to databases and web applications in real time and stores them for a long period. In addition, the system scans for and detects DBMS vulnerabilities such as unlocked accounts, simple passwords, and missing patches. Incident response occurs immediately in the form of alerts sent to e-mail and to the SIEM system.

The database protection system is installed passively, that is, it does not affect the performance of the company's network. Intelligent storage makes it possible to create an archive of database queries and responses over any period of time for later retrospective analysis and incident investigation. This is the first DAM-class system included in the register of domestic software, and it is installed in many large Russian banks [13].

Comparing the leaders in database building processes, most modern ERP systems use the RBAC (Role-Based Access Control) model to allow users to perform only strictly defined transactions and to access only certain business objects. In the RBAC model, decisions to grant access to a user are made based on the user's functions in the organization [14].
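The RBAC decision described above, in working form, as an added example rather than code from any ERP product: a user holds roles that mirror job functions, each role bundles permissions of the form (transaction, business object), and a request is allowed only if some held role carries exactly that pair, with deny as the default. Every role, transaction, object and user name below is constructed for illustration.

```python
"""Role-based access control (RBAC) check of the kind the paper attributes to
modern ERP systems. Added illustration, not code from any ERP product: all
roles, transactions, business objects and user names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Permission:
    """A transaction the user may run and the business object it may touch."""
    transaction: str
    business_object: str


@dataclass(frozen=True)
class Role:
    """Named bundle of permissions describing one organisational function."""
    name: str
    permissions: FrozenSet[Permission]


@dataclass
class User:
    name: str
    roles: List[Role] = field(default_factory=list)


# Constructed role catalogue: each role mirrors one function in the organisation.
ROLE_CATALOGUE: Dict[str, Role] = {
    "accounts_payable_clerk": Role(
        "accounts_payable_clerk",
        frozenset({
            Permission("post_invoice", "accounts_payable"),
            Permission("view_vendor", "vendor_master"),
        }),
    ),
    "treasury_officer": Role(
        "treasury_officer",
        frozenset({
            Permission("release_payment", "accounts_payable"),
            Permission("view_vendor", "vendor_master"),
        }),
    ),
    "warehouse_operator": Role(
        "warehouse_operator",
        frozenset({Permission("post_goods_receipt", "inventory")}),
    ),
}


def assign_role(user: User, role_name: str) -> None:
    """Grant a role from the catalogue only; an unknown role name is rejected,
    so a typo cannot silently create an over-privileged ad hoc role."""
    if role_name not in ROLE_CATALOGUE:
        raise KeyError(f"unknown role: {role_name}")
    role = ROLE_CATALOGUE[role_name]
    if role not in user.roles:
        user.roles.append(role)


def is_authorized(user: User, transaction: str, business_object: str) -> bool:
    """Allow only if some role of the user grants exactly this transaction on
    this business object; anything else is denied (default deny)."""
    wanted = Permission(transaction, business_object)
    return any(wanted in role.permissions for role in user.roles)


def access_decision(user: User, transaction: str, business_object: str) -> dict:
    """Decision record for an audit log or SIEM: who asked for what, which
    roles were held, and whether access was granted."""
    allowed = is_authorized(user, transaction, business_object)
    return {
        "user": user.name,
        "transaction": transaction,
        "business_object": business_object,
        "roles": sorted(role.name for role in user.roles),
        "decision": "ALLOW" if allowed else "DENY",
    }


if __name__ == "__main__":
    clerk = User("a.ivanova")  # constructed user
    assign_role(clerk, "accounts_payable_clerk")
    print(access_decision(clerk, "post_invoice", "accounts_payable"))     # ALLOW
    print(access_decision(clerk, "release_payment", "accounts_payable"))  # DENY
```

The point worth noticing is the last two calls: the clerk can post an invoice but not release the payment for it, because the release transaction lives only in the treasury role. Keeping such pairs in separate roles is what makes the RBAC model enforce the organisation's division of functions rather than merely describe it.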

Critical Patch Updates are a comprehensive set of patches that close major security gaps and include mandatory patches, prerequisites for correcting security gaps, or both. As a result, administrators receive a quarterly schedule for applying patches to the system. Applying a single cumulative patch once a quarter is more convenient than applying many separate patches that need careful testing and can conflict with each other.
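The checks that the DAM-class system described above performs (unlocked accounts, simple passwords, missing patches) and the quarterly patch schedule described in this paragraph can be shown together in one small scanner. This is an added illustration, not code from "Garda DB", Oracle or any other product: the account records, the wordlist of simple passwords, the host name and the patch identifiers (marked PLACEHOLDER) are all constructed, and the bare SHA-256 comparison stands in for the salted, iterated verifier a real DBMS uses, which a real scanner would call instead.

```python
"""DBMS hygiene checks of the kind a DAM product performs: unlocked accounts
with dictionary passwords, and required (e.g. quarterly Critical Patch Update)
patches that have not been applied, emitted as SIEM-style alert lines.
Added illustration, not code from any product. Account records, the wordlist
and the patch identifiers are constructed; real credential stores use salted,
iterated hashes, so a real scanner would use the DBMS's own verifier rather
than this bare SHA-256 comparison."""
import hashlib
from dataclasses import dataclass
from typing import List, Set

# Constructed list of passwords a scanner would treat as "simple".
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "welcome1", "oracle"}


@dataclass
class DbAccount:
    name: str
    locked: bool
    password_sha256: str  # constructed: hex SHA-256 of the account's password


@dataclass
class Finding:
    severity: str  # "HIGH" or "MEDIUM"
    subject: str   # account name or patch identifier
    message: str


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def matches_wordlist(password_hash: str) -> bool:
    """Dictionary check: hash each wordlist entry and compare with the stored hash."""
    return any(sha256_hex(word) == password_hash for word in COMMON_PASSWORDS)


def scan_accounts(accounts: List[DbAccount]) -> List[Finding]:
    """Flag unlocked accounts with a dictionary password at HIGH severity.
    A locked account with such a password is reported at MEDIUM: it becomes
    dangerous the moment someone unlocks it, so it should not be silently ignored."""
    findings: List[Finding] = []
    for acc in accounts:
        if not matches_wordlist(acc.password_sha256):
            continue
        if acc.locked:
            findings.append(Finding("MEDIUM", acc.name, "locked account has a dictionary password"))
        else:
            findings.append(Finding("HIGH", acc.name, "unlocked account has a dictionary password"))
    return findings


def scan_patches(required: Set[str], applied: Set[str]) -> List[Finding]:
    """One finding per required patch that is not present on the system."""
    return [Finding("HIGH", patch, "required patch not applied")
            for patch in sorted(required - applied)]


def siem_event(finding: Finding, host: str) -> str:
    """Flat key="value" line for a SIEM or e-mail alert; quoting keeps a space
    inside a message from being read as a field separator."""
    return (f'product="dam-example" host="{host}" severity="{finding.severity}" '
            f'subject="{finding.subject}" msg="{finding.message}"')


if __name__ == "__main__":
    # Constructed sample data.
    accounts = [
        DbAccount("SVC_ETL", False, sha256_hex("welcome1")),
        DbAccount("REPORT_RO", True, sha256_hex("qwerty")),
        DbAccount("APP_OWNER", False, sha256_hex("Zq8!vR3#kLp0wE")),
    ]
    required = {"CPU-2021Q3-PLACEHOLDER", "CPU-2021Q4-PLACEHOLDER"}
    applied = {"CPU-2021Q3-PLACEHOLDER"}
    for f in scan_accounts(accounts) + scan_patches(required, applied):
        print(siem_event(f, "db01.example"))
```

Run as a script, the block prints three alert lines: SVC_ETL (HIGH), REPORT_RO (MEDIUM) and the missing Q4 patch (HIGH); APP_OWNER produces nothing because its password is not in the wordlist. A scheduled run of checks like these, with the patch set updated each quarter, is the mechanism by which the "quarterly schedule" in the paragraph above turns into something an administrator is actually alerted about.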

The best-known vendors and products in Russia are IBM InfoSphere Guardium, Imperva, and Embarcadero DS Auditor. These solutions support a wide range of DBMS versions and avoid increasing the load on them. In addition, there are a number of products from DBMS vendors that support their own databases, such as Oracle Database Vault, which effectively solve the tasks of monitoring, detecting anomalies, and alerting on unauthorized transactions [15].

The basic security provisions for a database take into account that intruders are interested in such types of information as internal operating information, personal data of employees, financial information, information about customers and clients, intellectual property, market research and analysis of competitors, and payment information [16]. This information is ultimately stored in corporate repositories and databases of various sizes. All of this leads to the need to protect not only communications, operating systems, and other elements of the infrastructure but also data warehouses, as another barrier in the path of an attacker. To date, however, work on DB security has focused on overcoming existing and known vulnerabilities, implementing basic access models, and addressing DBMS-specific issues. Many researchers consider a comprehensive approach to systematizing the security of different databases in the light of new threats to be the purpose of their work. These works explore approaches to ensuring the confidentiality, integrity, and availability of the database and to preventing, detecting, and withstanding attacks. Among foreign works covering modern areas of research, one can note [17, 18].

Many aspects of daily life have now changed dramatically. Universal remote work and the record digitalization of most industries could not but transform the information security landscape.

For a remote employee, information security depends only on the employee. According to Positive Technologies, by the end of 2020 the number of attacks that exploit the vulnerabilities of Internet-facing services used for remote work had tripled. A popular scenario is the theft of credentials for connecting to enterprise systems and gaining unauthorized access to work conferences. According to forecasts, the number of such attacks will increase.

Throughout 2020, the number of ransomware attacks grew - malware that encrypts data, blocks work, and usually demands a ransom. From the first to the third quarter, the number of such attacks doubled. Moreover, as targets their creators choose, as a rule, not an abstract set of users but specific representatives of large companies who can pay a large ransom and for whom it is vital to keep working.

Blackmail with stolen private data also gained popularity. Examples of such extortion malware: Maze, Sodinokibi, DoppelPaymer, NetWalker, Ako, Nefilim, Clop. This turned into a full-fledged industry: attackers even created their own sites and auctions for the sale of stolen information.

Another variation of such activity is that attackers steal compromising data about a customer's activity from an online store (for example, purchases in a sex shop) and demand payment so that the information is not sold to third parties. According to some forecasts, ransomware may even reach cloud storage.

As a result, many new hacker associations and sites on the shadow Internet will soon appear. The motivation is simple: to jointly attack an attractive target and earn good money from it. As before, ransoms will be demanded for restoring the system and keeping stolen information private. The threat of publishing sensitive data remains a favourite lever of attackers.

Today, service providers and online services are in the zone of special attention of hackers. In 2020, there were about 200 attacks on energy and industrial companies, compared with 125 a year earlier.

There is also a growing trend of attacks on suppliers. As large companies become increasingly complex targets, software and security developers, IT integrators, and IT contractors are at risk.

High-class information security specialists are needed to protect against a well-planned attack, and not all of these companies can afford them. This increases the likelihood of success for hackers. Furthermore, stopping production is a desirable goal for attackers, because in this case the victim is strongly motivated to pay. For this reason, ransom amounts have also increased. In June, Honda and Enel Group became victims of the new Snake ransomware, created specifically to stop important processes in industrial control systems [19].

One way to reduce this risk is to spend time and resources on a detailed study of the vendor's entire supply chain, in order to understand the consequences in the event of a compromise.

Large banks have done a good job on the security of their applications: they improved fault tolerance by switching to a microservice architecture and reduced the number of standard web vulnerabilities (XSS, SQLi, RCE) [20].

However, the number of logical vulnerabilities has grown; these can ultimately lead to the theft of money, hackers obtaining sensitive information, and, as a result, denial of service by the bank. The goal of hackers today is not even a complete compromise of the banking application but the exploitation of logical vulnerabilities.

On this basis, the authors conducted a comparative analysis of the information security methods used by various ERP systems:

Table 1. Comparison of information security methods used by various ERP systems

Columns: No.; Product; Developer; Technologies; Scope of application; Capabilities; Cost.

1. SAP NetWeaver
   Developer: SAP SE
   Technologies: Enterprise Portals, Application Development Tools
   Scope of application: defense enterprises, oil and gas companies, metallurgy, energy, telecommunications, banking sector.
   Capabilities: integration (ETL) of data from different sources; data quality assurance; graphical development environment; pre-built "data marts" for SAP and non-SAP systems; loading the SAP BW DataStore with data from non-SAP systems; extracting data from external applications; quality assurance of analytics.
   Cost: $350 thousand.

2. Oracle E-Business Suite and Oracle Database Server
   Developer: Oracle
   Technologies: ERP, DBMS, Application Development Tools
   Scope of application: heavy industry (mainly metallurgy), telecommunications companies, the financial sector, the chemical industry.
   Capabilities:
   1) Oracle ERP: production management (discrete, design, process); financial management (general ledger, fixed assets, transaction costing, cash flow, accounts receivable and payable, treasury, global consolidation system, tax accounting); logistics management (supply, sales, warehouses); human resources (personnel, salary, personnel accounting); project management; operations management (equipment maintenance, complex repairs, maintenance and modernization, materials management, advanced material flow planning).
   2) Oracle CRM (Customer Relationship Management): marketing, sales, contracts, service, call center.
   3) Electronic marketplaces (Exchange).
   Cost: $5 thousand.

3. iScala
   Developer: Epicor Software Corporation
   Technologies: ERP
   Scope of application: engineering, telecommunications, food processing.
   Capabilities: support for multiple payroll methods within a single installation; self-service for employees (employees manage their own data, including filling out time sheets and receiving reports on personal data); payroll budget management (forecasting and analysis of current and planned ratios, improved budget decision-making); compliance with approved regulations (iScala Advanced Payroll is an "active" payroll system which itself requests the entry of data and the execution of procedures based on the results of certain business transactions).
   Cost: $2-5 thousand.

4. ERP Galaxy
   Developer: Galaxy Corporation
   Technologies: ERP
   Scope of application: oil and gas industry, mechanical engineering, chemistry, energy, metallurgy, etc.
   Capabilities: product data management; order management; volume scheduling; MRP and APS planning; operational management of production; logistical support; production logistics; operational control of production at the shop floor; product quality control; cost management and controlling.
   Cost: 14,000 rubles.

5. Microsoft Dynamics AX
   Developer: Microsoft
   Technologies: ERP
   Scope of application: enterprises of the oil industry, food industry, trading companies, metallurgy, distribution, telecommunications industry.
   Capabilities: material and capacity requirements planning; maintenance of regulatory reference information; detailed planning of production tasks; resource management; management of a distributed warehouse structure; inventory management; trade agreements; working with prospective orders; tracking movements and reservations of goods and items.
   Cost: $3.5 thousand.

As for the information security of the network infrastructure, many modern ERP systems, such as SAP NetWeaver or Oracle E-Business Suite, apply web standards to build the interaction between their components. In this case, HTTPS can be used to protect the traffic between them.

The software offered by ERP products integrates all of a company's business functions into a single centralized structure. A centralized structure for managing the business and its data thus has a greater effect on the company's activities and helps ensure the security of its business processes.

References:

  1. Gray J. Data Management: Past, Present, and Future.
  2. Haigh T. How Data Got its Base: Information Storage Software in the 1950s and 1960s // IEEE Annals of the History of Computing. 2009. No. 4, October-December.
  3. Gaius Suetonius Tranquillus. Book One // Lives of the Twelve Caesars = De vita XII caesarum [translated from Latin by M. Gasparov]. Moscow: Nauka, 1964. 374 p.
  4. Johnson J. The Evolution of British Sigint: 1653-1939. Her Majesty's Stationery Office, 1998. 58 p.
  5. Izmozik V. S. "Black Offices": the history of Russian perlustration, 18th to early 20th century. Moscow: New Literary Review, 2015. ISBN 978-5-4448-0392-9.
  6. Soboleva T. A. Introduction // History of encryption in Russia. Moscow: OLMA-Press, 2002. 510 p. ISBN 5224036348.
  7. Tokareva N. N. On the history of cryptography in Russia // Applied Discrete Mathematics. 2012. December, No. 4 (18).
  8. Nosov V. A. A short historical essay on the development of cryptography // Moscow University and the development of cryptography in Russia, Moscow State University, October 17-18, 2002: conference materials. 2002. pp. 20-32.
  9. Singh S. Book of Ciphers: The secret history of ciphers and their decryption. Moscow: AST, 2009. 448 p. ISBN 5-17-038477-7.
  10. Sebag-Montefiore H. Enigma: The Battle for the Code. Orion, 2011. 576 p. ISBN 9781780221236.
  11. Zhelnikov V. Message language // Cryptography from papyrus to computer. Moscow: ABF, 1996. 335 p. ISBN 5-87484-054-0.
  12. De Nardis L. Chapter 24: A History of Internet Security // The History of Information Security: A Comprehensive Handbook / edited by K. M. M. de Leeuw and J. Bergstra. Elsevier, 2007. ISBN 9780080550589.
  13. O'Leary D. ERP systems: selection, implementation, operation. Modern Enterprise Resource Planning and Management. Moscow: Vershina, 2004. 272 p.
  14. Nenashev S. A. Cryptographic information protection in SAP ERP systems // Information Security. 2009. No. 3. pp. 24-25.
  15. Petrenko S. A., Kurbatov V. A. Information security policies. Moscow: DMK Press, 2006. 400 p.
  16. Business information security. Research on current trends in business information security. 2014. URL: http://media.kaspersky.com/pdf/IT_risk_report_Russia_2014.pdf (accessed: 26.02.2016).
  17. Burtescu E. Database security: attacks and control methods // Journal of Applied Quantitative Methods. 2009. Vol. 4, No. 4. pp. 449-454.
  18. Rohilla S., Mittal P. K. Database Security: Threats and Challenges // International Journal of Advanced Research in Computer Science and Software Engineering. 2013. Vol. 3, Iss. 5. pp. 810-813.
  19. Egorova G. V., Shlyapkin A. V. Information security of ERP systems // Information systems and technologies: management and security. 2013. No. 2. pp. 202-211.
  20. Calais V. Implementation of SAP R/3: A guide for managers and engineers. Moscow: IT Company, 2004. 511 p.
Information about the authors

Student, Al-Farabi Kazakh National University, Kazakhstan, Almaty

Candidate of Engineering Sciences, Associate Professor, Acting Professor, Al-Farabi Kazakh National University, Kazakhstan, Almaty
