I have asked a similar question recently but I need a little clarification.
When you have an ERP system that is hosted and supported by the ERP supplier, what is best practice for controlling their access?
I fully appreciate that they need access and this is all part of a SaaS implementation; I just don’t think the supplier should be saying, "We have highly privileged access to your system whenever we want because that’s what you signed up for." Surely access can be controlled in some way to give our company assurance that data is protected from unauthorised access by the supplier whilst not preventing them from being able to effectively support the system.
There are two ways that access can be gained: 1) directly to the database, 2) through the application.
1) As a company we don’t have access to the database, so I can understand they will need access to this in order to provide support. But is access given to 100+ techies in the supplier's business or just a handful of people who are managing our support contract?
My understanding is that direct access to the database isn’t that easy in terms of just having a browse through our data and committing fraudulent transactions.
2) I understand they will need some access, and no doubt highly privileged access, to the application, but realistically does this need to be enabled all the time? If we have an issue but the system is still live and working and we just need some assistance, surely we would have more control if their accounts are disabled by default; then in this scenario we can enable them until their work is complete. However, I’m not sure how this works if the system is down and we can’t access it from our location. If their accounts in the application are disabled, can they still support the system in this type of event?
Like I said, I understand they need access, but I think this needs to be balanced with securing our data from free-for-all access by the supplier whilst still being able to effectively support the system.
From the previous question I know there are specific products that can be used, like DB Vault for Oracle, but I think this is more about accounts and whether these remain enabled or can be disabled, or any other way just to give some control over the access by the supplier.
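The "disabled by default, enabled against a ticket, disabled again when the work is done" pattern from point 2) above, and the "what if the system is down" case, are shown below as an added, product-neutral example; it is not code from the original post or from any ERP vendor. It assumes a simple model: supplier accounts start disabled, an operator enables one for a bounded window tied to a support ticket, a sweeper disables it when the window closes, a separate break-glass path exists for outages and is flagged for review, and every change lands in an append-only audit trail. Account names, ticket ids, actor names and timestamps are constructed for the demonstration.

```python
"""Just-in-time enablement of supplier support accounts (added example).

Assumed model (not tied to any ERP product): supplier accounts are disabled
by default; an operator enables one against a support ticket for a bounded
window; a sweeper disables it when the window closes; break-glass enablement
for outages is allowed but always flagged for review; every change is written
to an append-only audit trail. All names and times below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class SupplierAccount:
    name: str
    enabled: bool = False
    ticket: Optional[str] = None          # support ticket the grant is tied to
    expires_at: Optional[datetime] = None  # hard stop for the grant
    break_glass: bool = False              # set when enabled without a ticket


@dataclass
class AuditEvent:
    at: datetime
    actor: str
    action: str
    account: str
    detail: str = ""


class VendorAccessController:
    MAX_WINDOW = timedelta(hours=8)          # assumed policy cap per grant
    BREAK_GLASS_WINDOW = timedelta(hours=1)  # assumed short outage window

    def __init__(self, account_names):
        self.accounts: Dict[str, SupplierAccount] = {
            n: SupplierAccount(n) for n in account_names
        }
        self.audit: List[AuditEvent] = []

    def _log(self, at, actor, action, account, detail=""):
        self.audit.append(AuditEvent(at, actor, action, account, detail))

    def enable(self, name, ticket, actor, now, window=timedelta(hours=2)):
        """Enable one supplier account for one ticket and a bounded window."""
        acct = self.accounts[name]
        if not ticket:
            raise ValueError("a support ticket reference is required")
        if window <= timedelta(0) or window > self.MAX_WINDOW:
            raise ValueError("window must be positive and within policy cap")
        acct.enabled, acct.ticket, acct.break_glass = True, ticket, False
        acct.expires_at = now + window
        self._log(now, actor, "enable", name,
                  f"ticket={ticket} until={acct.expires_at.isoformat()}")
        return acct.expires_at

    def break_glass(self, name, actor, now, reason):
        """Outage path: no ticket yet, short fixed window, flagged for review."""
        if not reason:
            raise ValueError("a reason is required for break-glass access")
        acct = self.accounts[name]
        acct.enabled, acct.ticket, acct.break_glass = True, None, True
        acct.expires_at = now + self.BREAK_GLASS_WINDOW
        self._log(now, actor, "break_glass", name,
                  f"reason={reason} until={acct.expires_at.isoformat()}")
        return acct.expires_at

    def disable(self, name, actor, now, reason="work complete"):
        """Disable an account; the break-glass flag stays until reviewed."""
        acct = self.accounts[name]
        acct.enabled, acct.ticket, acct.expires_at = False, None, None
        self._log(now, actor, "disable", name, reason)

    def is_active(self, name, now):
        acct = self.accounts[name]
        return acct.enabled and acct.expires_at is not None and now < acct.expires_at

    def sweep(self, now):
        """Disable every account whose window has closed; returns names swept."""
        swept = []
        for acct in self.accounts.values():
            if acct.enabled and acct.expires_at is not None and now >= acct.expires_at:
                self.disable(acct.name, "sweeper", now, reason="window expired")
                swept.append(acct.name)
        return swept

    def active_accounts(self, now):
        return sorted(n for n in self.accounts if self.is_active(n, now))

    def pending_review(self):
        """Accounts that went through break-glass and have not been reviewed."""
        return sorted(n for n, a in self.accounts.items() if a.break_glass)

    def mark_reviewed(self, name, actor, now, ticket):
        """Close the loop: attach the retrospective ticket and clear the flag."""
        self.accounts[name].break_glass = False
        self._log(now, actor, "review", name, f"ticket={ticket}")
```

In use, the sweeper would run on a schedule and the audit list would be shipped to a log store the supplier cannot edit; the point of `pending_review` is that an outage never becomes a silent standing grant.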