Mobile CRM and Epicor Web Access - Security/Best Practice

You still can host it but allow only access by VPN.

This is a HUUUGE factor. Critical infrastructure and military stuff are going to be… hmm. SHOULD be, following a much more cumbersome and secure set of practices. I think people are just trying to point out that there is no free lunch — security costs you.

If I had to make a metaphor of it, Jose is saying driving a modern car that’s been inspected and has the required safety features, seat belt, airbags, the standard stuff is sufficient for most people.

Whereas you are saying “Look at all the accidents every day, its bound to happen to you eventually so you should drive a literal M1 Abram tank around so if a car hits you it won’t stop you at all”

We all agree driving drunk isn’t a moral choice, but there is a lot of room between motorcycles and armored tanks, and every company/person is going to have to make a choice of what level of risk they are willing to take. And be realistic about it.

Evan I think you nailed it. The analogy I would use is more along the lines of, would you put windows on a room where you store $100 in cash? Probably. $10,000, maybe but you would be checking the locks. $100k or $1 mil? Well then you start removing the windows.

Some of us have more to protect than others, or are considered more directly responsible when loss takes place (internal shareholder vs outside consultant for example, one stands to lose a lot of money while the other might just get scolded). If you have little to protect and/or don’t have any skin in the game, well then yeah, put windows everywhere. Windows are much more pleasant and easier to get fresh air and sunlight.

Alternatively, you could think of it as a well constructed window with all the appropriate controls in place might allow you an opportunity to make $$ more so than no window at all.

Eventually you take off enough windows and doors that sure you are secure… but you are no longer in a house you are now in a sealed well and you’ll die of hunger.

LOL well thankfully my servers haven’t asked for any food for the last 10 years. They seem to be very hunger resistant and are tolerating the well in which they reside. I’ll let you know if that changes.

On the other hand, ransomware is shutting down hospitals, pipelines, and manufacturing plants left and right. A well is the only safe place to be right now. Ransomware is a rapidly escalating threat that isn’t easy to solve and isn’t going away. China is specifically targeting manufacturing. Do you think windows are going to hold up well to an army of 1000 member Chinese hacking teams with multimillion dollar budgets buying up all of the zero days from Zerodium?

If you have a well proven efficient DR PLAN then it doesn’t matter and that’s where the Rub is. If you are doing things right you should be able to pretty quickly get back up if you fall down.

Either way like I said there isn’t a right answer for everyone, i just don’t like dealing in absolutes. The internet is a necessary tool for most businesses these days.

Except that it does matter. If China breaks in and steals 10 years worth of engineering drawings so that they can mass produce what you spent 10 years developing, what kind of DR plan do you have for that? That IP is gone forever. Not every company has that kind of IP, but for those that do the deep well is much preferred.

Perimeter security is necessary but it is not sufficient. Edward Snowden was in a cave - a deep well indeed, and very much without windows. The NSA has better network security (and budget) than all of us combined and yet they were still breached. They made the mistake of assuming that all the bad things are outside the network and only good things are inside the network.

This is why NIST released the recommendation for Zero Trust Architectures and why the DOD is adopting this strategy. (<— shorter and excellent read BTW) If you work with DOD assets, I would count on having to show your Zero Trust plan in order to keep that business in a few years from now.

Having a good Zero Trust strategy will not only limit the blast radius of an attack but should also protect IP. We can build a wonderful fortress/deep well but lose IP with a (relatively small) bribe from a Nation State. If a bribe won’t work, kidnapping/extortion might. Keeping all the eggs in one basket isn’t safe either. A man-made or natural disaster could also lose ten years of IP. Data exfiltration is becoming the preferred method of making money by threat actors. They will threaten to post IP, or worse, customer’s IP if a ransom isn’t paid. (And frankly, even if they do get paid, they will probably sell it on an underground market.)

Network segmentation is one of the tenets of Zero Trust. Putting some assets in the cloud makes perfect sense. Why put your email or webserver on the same network as your operational network? Each company has to know their protect surfaces and deal with each appropriately. Sometimes that will be the cloud, a data center, or somewhere else.

“This is not about technology, it’s about strategy”

— DOD CIO, John Sherman

While for many of us this in this thread this is all theoretical, those on the east coast with gas cars literally can not fill up their cars.

Drivers empty US petrol stations in response to fuel pipeline hack: Subscribe to read | Financial Times

Mark has some great points about zero trust architecture, but I’m still all for reducing the number of windows if it means I can still drive to the store to get groceries. This is no longer a theoretical problem, it is hitting hard in the real world. We can no longer treat this topic lightly. Reducing attack surface is an important and meaningful exercise that we all need to consider, alongside Marks zero trust approach.

Sorry if it feels like I’m going on and on about this but I am genuinely concerned for the well-being of our country right now and have fears about how much worse cyber attacks are going to get before it gets better.

I am afraid. I think we all should be. We need fear in order for change to take place.

I am in the process of building the security program at my company and I can certainly empathize. I’ve also learned that security is a spectrum not a destination. Reducing blast radius, reducing surface area, and zero trust are all parts. We are choosing to adopt the NIST cyber security framework for critical infrastructure, which is something I doubt these fuel providers did (and justifying even more the entire reason for the csf for critical infrastructure).
The whole point being, it’s less about reducing windows (anyone else tired of the analogy yet) and more about the strategy around it. There are perfectly valid and secure ways to integrate over the internet. There are also ways to be breached even if you don’t have an exposed web server. With the proper strategy in place for the 5 categories of the NIST csf, one stands a very good chance of building a robust and resilient environment

I am in the midst of the CMMC certification process (built upon the NIST 800-171 framework that I assume you are referring to) to be compliant with DHS contractor and subcontractor requirements. We have a lot of CUI (controlled unclassified information) along with a lot of IP to protect. I realize not everyone is in this situation, but for context that is where I am coming from. Downtime for us is very expensive, as is the potential loss of IP.

Sorry for wearing out the “windows” analogy for you Aaron, but thank you for contributing to this thread.

It seemed like this thread was on the verge of going off the rails and becoming too heated but everyone kept civil and it ended up being a good conversation. Good job everyone

Intellectual discourse is critical for us all!

Thank you all, it has been a great discussion. @Mark_Wonsil and @MikeGross chimed in that they would use an application proxy. @aaronssh uses a very segregated approach to ensure maximum security as his costs of being down and losing proprietary info are extremely high. @josecgomez spoke about the need to utilize the internet and noted the many corporations that are using ssl and IIS to the best of their ability… it would be nice to hear more about 2nd factor authentication with Epicor and if anyone is having success using that with mobile CRM yet. He also mentioned the access scope for API.

I was really hoping that between at @aaronssh 's take on this and maybe some examples of attacks that he has, and @josecgomez ‘s approach (as well as others’ opinions who have opened up websites that integrate with their app server) I could understand “the pros and the cons of each approach and take that which you are comfortable with.”

I just do not see a very “defined” approach. What approaches are there? Is this also too broad of a question, so broad that I am going to get broader responses back? @aaronssh gave a pretty concrete example of his approach, but I haven’t seen any others chime in with how they have approached integrating with CRM or exposing their app server. Can anyone speak to that? Did you just use port 443 and an SSL cert and call it a day or what else is there? What are we fighting against?

I am leaning more towards what @josecgomez said because there are pros and cons to each decision and to speak only in absolutes about security will take some of your technological capabilities off of the table, the same capabilities that could give your company a competitive advantage (think CRM, Ecommerce, etc.), but at the same time could risk increasing the attack vectors and cost you money.

In short, it would be nice to know what the “approaches” are as @josecgomez said in his post. Are there any typical approach paths that someone can speak to or lay out? An external link to someone else’s approaches for web apps would suffice too. Really hoping for a flow chart/architecture chart to visualize these approaches, but hey I am not picky, I like to read too. It would help to understand these approaches if we can define them and then list out the pros and cons. I just don’t have the understanding of cybersecurity to answer these questions and was hoping to find someone who does. Any contacts are much appreciated.

Thank you all again.

We use second factor via Azure AD. We authenticate Epicor with Azure Active Directory and forced second factor on there. So to login to Epicor if you are in our internal network it uses SSO, but if you are coming from anywhere external you need to authenticate against AD and provide your second factor, works great and right out of the box.

AppProxy is great approach that has already been recommended.

We wrote a portal that allows customers to access their data we did it via a Proxy on the DMZ which sits between them us and our network.
That server can only communicate with Epicor via port 443 (our Epicor server is not exposed directly) I covered this in more detail in a prior post… (let me look for it)

here you you

Which is basically similar to what AzureAppProxy does

With Epicor SaaS, it just worked.

@josecgomez - curious as to how did you did this? the appserver looks for AD auth… how did you split it up for internal vs external - different appservers and different config files (or URLs now)?

Nah if you run Azure / ADFS you can respond via DNS differently. External points to plublic endpoint while internal points to internal ADFS.
Think Internal Auths to 10.xx
While External Auth: azure.microsoft.com (or whatever)

If you’ve logged in to the workstation with you azure credentials (via ADFS) then it is smart enough to know you are.

That’s where this little magic happens

Click Login and it just knows who I am.