Abstract

Visual analysis of information systems for problems in how security policies have been set up gives the administrator a way to extract useful data from a large volume of redundant and noisy security log information. For the graphical representation, an approach was proposed in which all security-related events in the system are plotted on circles whose radius corresponds to the time scale. Events are colored differently, and the color characterizes them according to certain features defined as initial data. In an ERP system that is being implemented or is already in operation, the following aspects must be implemented to meet the security requirements: user authentication; login authorization; audit and logging of activity; data integrity; confidentiality. To this end, the system offers the following services: password management rules; monitoring of unauthorized access to the system; an appropriate response to unauthorized access. Data is stored in the database (database level), processing is performed on the application server (application level), and direct interaction with the user takes place through the client program (presentation level). The client program has recently been either a GUI client application or an ordinary web browser. Most modern ERP systems use the RBAC (Role-Based Access Control) model to allow users to execute only certain transactions and to access only the corresponding business entities. In the RBAC model, decisions to grant access are made on the basis of the functions the user performs in the organization. Information about the activity of users doing their daily work in the SAP ERP system (creating, processing, editing and saving data) can be obtained by executing the SM20 transaction.
Of particular interest is that all events and errors arising in the system are shown in different colors, which can be used to advantage in visual analysis. For the graphical presentation of information we use an approach proposed in prior work, in which the events of the ERP system security log are displayed on circles whose radius indicates the time scale. Unfortunately, the visualization model proposed by its author does not allow the correctness of the enterprise security policy's application to be fully assessed, since it only provides data on the presence of hazardous elements in the system and not on the reasons they appear. There is therefore an urgent need for additional analysis of the results obtained, with the possibility of then forming options to support decision-making in the security sector. Combining this technique with a number of others that also pair human perception with information technology can, however, bring strong results. Other methods and their rational combination therefore need to be investigated in depth in subsequent papers.
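The radial layout described above, as an added example that is not code from the paper: each event's radius encodes its position on the time scale and its color encodes the event class. The event fields, the color map, and the choice of one angle per user are assumptions made for illustration, and the sample events are constructed, not an SM20 export.

```python
import math
from datetime import datetime

# Constructed sample events (timestamp, user, event class); not SM20 output.
EVENTS = [
    ("2024-01-15 08:00:00", "ALICE", "logon_ok"),
    ("2024-01-15 08:30:00", "BOB", "logon_failed"),
    ("2024-01-15 09:00:00", "BOB", "logon_failed"),
    ("2024-01-15 10:00:00", "CAROL", "transaction_start"),
]
# Assumed color per event class; unknown classes fall back to gray.
COLORS = {"logon_ok": "green", "logon_failed": "red",
          "transaction_start": "blue"}

def layout(events, r_min=20.0, r_max=200.0):
    """Map events to polar coordinates: radius = time, angle = user."""
    times = [datetime.strptime(t, "%Y-%m-%d %H:%M:%S") for t, _, _ in events]
    t0 = min(times)
    span = (max(times) - t0).total_seconds() or 1.0  # avoid divide-by-zero
    users = sorted({u for _, u, _ in events})
    points = []
    for ts, (_, user, cls) in zip(times, events):
        # Oldest event sits on the inner ring, newest on the outer ring.
        r = r_min + (ts - t0).total_seconds() / span * (r_max - r_min)
        # Assumption: one ray per user, so a user's events line up in time.
        theta = 2 * math.pi * users.index(user) / len(users)
        points.append({"user": user, "cls": cls, "r": r, "theta": theta,
                       "x": r * math.cos(theta), "y": r * math.sin(theta),
                       "color": COLORS.get(cls, "gray")})
    return points

def to_svg(points, size=440, rings=(20, 110, 200)):
    """Render time rings plus one colored dot per event as an SVG string."""
    c = size / 2
    ring_svg = "".join(
        f'<circle cx="{c}" cy="{c}" r="{r}" fill="none" stroke="#ccc"/>'
        for r in rings)
    dot_svg = "".join(
        f'<circle cx="{c + p["x"]:.1f}" cy="{c - p["y"]:.1f}" r="4" '
        f'fill="{p["color"]}"/>' for p in points)
    return (f'<svg xmlns="http://www.w3.org/2000/svg" width="{size}" '
            f'height="{size}">{ring_svg}{dot_svg}</svg>')

if __name__ == "__main__":
    print(to_svg(layout(EVENTS)))
```

With this layout, repeated events of one class for the same user appear as same-colored dots along a single ray, ordered outward by time.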
