Organizations have come a long way in their understanding of fast-developing cloud computing applications – they know how to evaluate cloud offerings and incorporate them into their IT operations. But knowledge gaps still exist, said John Yeoh, director of research at the Cloud Security Alliance.
“They still don’t quite understand compliance, the shared responsibility model,” Yeoh said, referring to the IT security obligations shared between a cloud provider and a cloud customer. They also often don’t know how to properly configure ERP applications, which have notoriously complex architectures with lots of specific software vulnerabilities. “These are the really important things I think that we need to highlight.”
The CSA published a report last week on securing cloud computing ERP — core business processes like payroll, financials and procurement bundled together and offered as a cloud service. The nonprofit organization, which promotes guidelines for secure cloud use, wanted to put forward a “step-by-step approach” for safely moving such important business data into the cloud, Yeoh said.
To do that, companies need a grasp of the differences between on-premises and cloud computing ERP systems, he said. Data residency, which refers to the physical location of the servers the data is stored on, is one of them. Multinational companies moving the personal data of customers need to take local regulations into account – or they could face stiff penalties. For example, the EU’s General Data Protection Regulation, which goes into effect in May, mandates that companies gather and manage data under strict conditions. That requires technical and operational changes that many have not, even now, made, Yeoh said.
“Some people are still preparing,” he said. Others are finding the design and architecture challenges difficult to handle. “They’re not going to be ready by May. So they’re just preparing to face some of these fines, and then hopefully they’ll be able to build out the compliance before any data protection authority comes at them.”
Another aim of the report, Yeoh said, is to strengthen consumer confidence in the cloud. That confidence has been building over the years, with many companies coming to the realization that big cloud providers offer better IT security than they can. But recent high-profile events such as the Equifax data breach still rattle nerves.
“People freak out — ‘Oh my gosh; it’s another cloud breach,’” Yeoh said. But understanding how breaches happen, and how to prevent them – by architecting properly and using the right cloud tools – could shrink such fears.
Specifically for cloud computing ERP, Yeoh said, it’s important to understand that different offerings will present different challenges. Companies going with ERP software as a service won’t have a lot of visibility into how the application is being managed and secured, especially if the application is hosted on another cloud provider’s infrastructure — for example, on Amazon Web Services. And companies that build SaaS applications on their own cloud infrastructure deployments need to take charge of nitty-gritty IT security tasks such as patching and configuring the application, authorizing users and monitoring their activity.
Yeoh said the report shows “where we see ERP today.” In the future, the CSA plans to issue prescriptive guidance on SaaS ERP and ERP infrastructure as a service.
For more on the Cloud Security Alliance’s report on cloud computing ERP, check out this SearchCIO article.