Acumatica · Security

Acumatica Data Loss Prevention — A Complete Guide

Acumatica Data Loss Prevention — A Complete Guide — a complete, field-tested reference by John Kihiu, Acumatica developer in Nairobi.

John Kihiu12 min read

Acumatica Data Loss Prevention — A Complete Guide is the Acumatica security topic that is invisible until it is breached. By the time you have a security incident, the questions are being asked at the board level and the answers are due yesterday. This guide is what to do before that point. It is the threat model, the controls, the operational hygiene, and the runbook that keeps the data safe and the auditors happy.

The threat model

Start with a clear threat model. Who can attack, what do they want, how do they get it?

Threat actorWhat they wantHow they get in
External attackerCustomer data, financial data, ransomwareAPI, weak credentials, unpatched vulnerabilities
Malicious insiderData exfiltration, sabotageLegitimate access, privilege abuse
Negligent insiderAccidental data lossMisconfiguration, weak passwords, lost devices
Compromised vendorSupply chain attackCustomisation code, ISV solution
Document the threat model

The threat model is the basis for every security decision. Without it, you are guessing at controls. With it, every control has a justification and every gap has a reason. Review it annually; update it when the system changes.

The controls

Acumatica's security model is layered. The layers, from the outside in:

  1. Network. Firewall, VPN, IP allowlist for the admin surface.
  2. Authentication. Strong passwords, 2FA, SSO via Azure AD or Okta.
  3. Authorisation. Role-based access control at the screen, row, and field level.
  4. Audit. Every change logged, every login logged, every sensitive action logged.
  5. Encryption. TLS in transit, encryption at rest for the database, field-level encryption for sensitive fields.
  6. Data lifecycle. Retention policy, archival, secure deletion.
CONFIG · STRONG PASSWORD POLICY
// Acumatica password policy
Minimum length: 12 characters
Require: upper, lower, number, symbol
Rotation: 90 days (privileged), 180 days (standard)
Lockout: 5 failed attempts, 15-minute lockout
Reuse: cannot reuse last 5 passwords

For the broader authentication configuration, see the 2FA and password policies guide and the Azure AD SSO guide.

API security

The REST API is the most common attack surface. The controls:

C# · SECURE API CLIENT
public class SecureApiClient
{
    private readonly HttpClient _http;
    public async Task<T> Send<T>(HttpRequestMessage req)
    {
        var token = await GetAccessToken();
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        req.Headers.Add("X-Correlation-ID", Guid.NewGuid().ToString());
        var resp = await _http.SendAsync(req);
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadFromJsonAsync<T>();
    }
}

For the broader OAuth pattern, see the OAuth setup guide. For the API security model, see the REST API definitive guide.

Row-level security

Acumatica's row-level security controls which rows a user can see within a screen. The configuration:

GIs bypass row-level security by default

A GI returns rows from every tenant unless you filter explicitly. Always test your GIs with a restricted user before publishing.

For the full row-level security playbook, see the row-level security best practices and the GI row-level security guide.

Encryption

Three layers of encryption to consider:

LayerWhat it protectsImplementation
In transitNetwork trafficTLS 1.2+ everywhere
At restDatabase files, backupsSQL Server TDE; storage-level encryption
Field-levelSensitive fields (PII, financial)Application-level encryption with key in a vault
C# · FIELD-LEVEL ENCRYPTION
public string Encrypt(string plaintext)
{
    if (string.IsNullOrEmpty(plaintext)) return plaintext;
    var key = _vault.GetKey("pii:encryption-key");
    using var aes = Aes.Create();
    aes.Key = key;
    aes.GenerateIV();
    var iv = aes.IV;
    using var encryptor = aes.CreateEncryptor();
    var plainBytes = Encoding.UTF8.GetBytes(plaintext);
    var cipherBytes = encryptor.TransformFinalBlock(plainBytes, 0, plainBytes.Length);
    return $"{Convert.ToBase64String(iv)}.{Convert.ToBase64String(cipherBytes)}";
}

For the broader secrets management pattern, see the secrets management guide.

Audit and monitoring

You cannot defend what you cannot see. The minimum audit configuration:

For the broader audit configuration, see the audit trail guide.

The incident response runbook

When (not if) a security incident happens, the runbook:

  1. Detect. The alert fires. Confirm the incident is real (not a false positive).
  2. Contain. Disable the affected user / API key / IP. Isolate the affected system.
  3. Eradicate. Remove the attacker's access. Patch the vulnerability.
  4. Recover. Restore from clean backup. Rotate all credentials. Verify integrity.
  5. Notify. Notify affected parties (customers, regulators) per the regulatory timeline.
  6. Post-mortem. Document the incident; identify the root cause; implement the control that would have prevented it.
Test the runbook

An untested runbook is a wish. Run a tabletop exercise annually. Walk through the steps; identify the gaps; update the runbook. The cost of the exercise is one afternoon; the cost of a real incident with an untested runbook is the incident itself.

Regulatory compliance

Most Acumatica deployments in Africa are subject to local data protection regulations (Kenya DPA, Rwanda data law, South Africa POPIA). The compliance checklist:

For the broader compliance patterns, see the GDPR guide.

Wrapping up

Security is a discipline, not a product. The threat model, the controls, the audit, the runbook, the compliance — each is a habit, not a checkbox. The cost of doing it well is small and ongoing; the cost of doing it badly is large and sudden. Invest in the habit.