But from a cybersecurity standpoint, it brings a whole new set of challenges because increased integration means more potential vulnerabilities. This general trend will affect most enterprise applications, Infor M3 included.
In the past, many Infor M3 customers based their API security on the simple fact that setting up access via API was technically complex and therefore difficult to exploit. But maturing API technology that allows APIs to run through a web browser and the introduction of REST APIs (among other things) has made this process far less technical.
On the one hand, this is great for Infor M3 users, making it easier than ever to integrate Infor M3 with other systems. But less technically complex APIs also make M3 easier to exploit, meaning robust API security is absolutely vital.
And herein lies the problem, because managing API security in Infor M3 can be extremely challenging.
There are several reasons for this, but perhaps the most important is that API security is managed completely separately from functional security in Infor M3 (something we’ve found many Infor M3 customers isn’t even aware of!). There are good reasons for doing this, but the upshot is that setting up and maintaining API security in Infor M3 is extremely time-consuming.
API security is binary: it’s either switched ‘off,’ and everyone can run APIs, or ‘on,’ and no one can. For businesses already using Infor M3, simply turning API security on then is not an option, as it would restrict Infor M3 users from running APIs altogether, grinding workflows across the business to a halt. Instead, the relevant permissions must be set up individually for each staff member using Infor M3, which is in itself a huge task.
Let’s take the Smart Office APIs as an example. There are 5 in total, and each API has 5 corresponding transactions. That’s 25 permissions to configure per employee to integrate Smart Office successfully. Scale this up for a medium-sized company of 300 people. We’re talking 7000 individual permissions to configure—all of which must be done manually—to integrate just one of the many programs users need access to.
For most companies, the human resources required to administer this process is simply unsustainable, particularly when factoring in the ever-changing landscape of joiners, movers, and leavers, and the fact that Infor is constantly striving to develop and implement new APIs regularly—again, great for Infor M3 customers, but a real headache for the security admin who’s trying to keep up.
This has led to some companies forgoing API security altogether. Still, the consequences of doing so can be severe, opening up your ERP and data to exploitation both from internal and external attacks.
At Vince, we believe your ERP solution’s security is non-negotiable, which is why we created VSE — Vince Security. With VSE, we’ve dramatically simplified security for Infor M3, allowing you to quickly and comprehensively protect your ERP solution.
API security comes as standard with VSE. We’ve mapped every single Infor M3 API against its relevant functions, meaning API security is taken care of automatically in line with your Infor M3 settings. This means granting an employee access to a function automatically gives them the relevant API permissions at the transactional level, turning what was once an extremely time-consuming and manual task into something that takes just a couple of clicks.