When the terms business critical and cloud computing are in the same sentence, it’s a good bet security will closely...
follow. The Cloud Security Alliance, a nonprofit organization that works to establish guidance for safe cloud use, strung them together in a new report on cloud ERP systems, "State of Enterprise Resource Planning Security in the Cloud." The report outlines challenges organizations face when moving ERP -- which includes important business processes such as financials, customer service, human resources and supply chain management -- to off-site servers.
The purpose was to issue guidance on a popular cloud service -- cloud ERP systems offer convenience, centralizing an assortment of business technologies, and their total cost of ownership is lower than for on-premises ERP, the CSA wrote in the report. ERP vendors, which peddle on-premises and cloud versions of the software, reported double-digit, year-on-year growth in cloud revenue in 2017. On-premises software revenue grew, too, but at a much slower rate.
Also, securing ERP in the cloud is tricky because it's ERP. A "business-critical application" -- which the CSA defines as software that supports daily business operations -- ERP is integrated with systems throughout a business; it's accessed by employees of all stripes; and perhaps most important, it houses highly critical and sensitive data.
"This integrates really all your core business processes; it affects how your business operates," said John Yeoh, director of research at the CSA and one of the authors of the report. Yeoh spoke to SearchCIO in an interview. "So let's really talk about how migrating ERP or adopting something like ERP really impacts your business when it comes to cloud."
ERP systems are particularly at risk of cybersecurity breaches, "given the nature of their functions," the report warned. The CSA listed general security concerns organizations need to address should they wrap up their business processes into a cloud ERP system.
Where's the data?
Data residency, or the physical location of data, is a perennial issue with cloud computing of all types, since information can be stored in data centers anywhere in the world -- and local laws and regulations may apply. One relevant law is the European Union's General Data Protection Regulation, which goes live in May, putting restrictions on where personal data of European citizens can be stored.
"An ERP application's most important asset is the data it holds," the report read. Most vendors let customers pick a data center, so they have some control over where their data resides. During the software evaluation process, "it is imperative that organizations consult with their legal and compliance teams to determine appropriate next steps in the process, while also confirming a cloud service provider's commitment of regulatory adherence."
Who has access?
When contemplating cloud ERP systems, organizations need to think about how they're going to grant system access to users and make sure they are who they say they are, the report continued -- so identity management, authorization and single sign-on, or access to multiple applications with one set of credentials.
There are various options. For example, for identity management, customers can use the ERP vendor's own system, or they can go with a third-party provider. To determine which option is best, they should do a custom assessment of the size of the organization and how many users will need to have access to the system, Yeoh said.
User activity and access monitoring is also important, the report read, to reveal "what the users are doing at any point in time and detect malicious and anomalous user behavior."
Who handles security?
In a cloud ERP provider-customer relationship, determining which party is responsible for what security measures is "always a challenge," Yeoh said. He pointed to the "Cloud Controls Matrix," a compendium of security safeguards. It serves as a resource for cloud customers to determine how secure a provider needs to be. It can also help customers and providers figure out who is responsible for what.
Patching, for example, is the provider's job -- it needs to ensure its products and services "are free of vulnerabilities," the report pointed out. But the customer has to figure out when the patching can be done so it doesn't experience a loss of service; it also has to ensure that the provider is doing the work in the first place.
When evaluating cloud ERP providers, organizations need to do their due diligence, the report continued. They need to determine which cybersecurity frameworks providers conform to -- for example, the ISO/IEC 27000 series, jointly published by the International Organization for Standardization and the International Electrotechnical Commission. They should receive full disclosure from the provider and then do a risk management assessment to weigh the risks and benefits of a cloud move.
Which as a service?
A cloud ERP system can come as a cloud application, a SaaS offering, available through the internet. Or they can be built onto an infrastructure as a service (IaaS) deployment -- think cloud infrastructure by Amazon Web Services or Microsoft Azure.
Each presents issues potential customers need to address. SaaS applications, for example, are "a primary attack surface," the report read, since they are on the web and accessible through a browser from anywhere. For ERP on a cloud infrastructure deployment, the IaaS provider secures the operating system and database, but customers need to manage the security of the application "just as they would on-premise."
There are steps to take to alleviate issues in each type of cloud ERP. Companies contemplating a SaaS offering can use a cloud access security broker, or CASB -- it's a kind of gatekeeper that monitors online activity. And an organization with ERP on a big cloud provider's infrastructure can ensure it has the proper visibility over security aspects by working closely with cloud providers to "ensure that all relevant security requirements are adhered to," the report read.
On cloud ERP security, organizations are more informed but still learning. Read about it in this SearchCIO blog post.