BPM Security and Privacy: 17 Must do Checks for your BPM Installation (Free Download)
Is your BPM Installation secure enough? Are you making sure that product loopholes are not compromising security? BPM stands for control, ownership, answerability and auditability. Without proper security these could be meaningless. If you feel the list makes you nervous, find a BPM Security expert.
Read through the list and test your BPM Product. Also included are questions you should ask your IT if you are at threat.
1. Access Control – Authentication and Authorization
Perhaps the most important aspect of BPM Security: your install should have an access control. Having just a username and passwords is merely not enough. That will only provide authentication. You need to have proper authorization procedures as well. Many systems have a dependency on LDAP Groups to control who has access to what. If a user can figure out how to get into that LDAP group, he would have access to everything. Your BPM Server should have some way to determine Super user access.
Ask these Questions to your IT:
- How is super user access determined?
- Will we come to know if someone gets super user access?
- Are we dependent on 3rd party system for authentication?
- Is our policy restrictive enough?
2. Password Encryption
Password storage should be encrypted. This includes user passwords as well as passwords to databases, external systems. Systems which use one way Hashes like MD5 are far better than those who store plain text. And beware; often junior developers make the mistake of storing passwords in text files, sometimes even in their class files (if using java). Beware, decompiling a class and getting those passwords out is a child's play.
Ask these questions to your IT
- What all passwords are we storing?
- Are the passwords encrypted?
- If we are on a distributed file system, can that server file system/database be accessed easily?
- Do we have a code review policy for every line of code?
3. Field level Security
Processes are often made with Fields and Data. Are you making sure that data level security is in place? It might come as a surprise to you that several BPM Products do not have field level security available. You can secure entire form but not an individual field. This means a clever hacker who can access the master object which has all data can easily determine (and change) critical fields like Price, Rate, Authorizer.
Ask these questions to your IT:
- Do we have field level security?
- How do we determine who should see what fields?
- Are the developers just hiding the field on front end or they are being blocked right from the backend?
- What data happens to be critical and confidential?