As enterprises continue to move more workloads to the cloud, they need to pay special attention to the effects that cloud migrations will have on their business-critical ERP systems.
That's a core conclusion of a recent research paper, The State of ERP Security in the Cloud, from the Cloud Security Alliance, a global organization that works on security issues facing cloud computing environments. The 18-page report, which was sponsored by cloud security and compliance vendor Onapsis, was compiled by the CSA's ERP Security Working Group.
Enterprise Resource Planning (ERP) systems are core applications for many large companies. Advantages of ERP include bringing together data from a wide range of departments and systems, while automating related back-office functions and operations.
Because ERP systems are central to enterprise operations, their security is a huge responsibility for companies, especially as they work on cloud migrations, according to the report.
"It is vital for organizations to understand and evaluate all the risk factors involved with ERP migration, provisioning and consumption of such services," the report states. "At the end of the day, an organization's critical data should be protected both on-premises and in the cloud, and the implementation of security controls will help minimize an organization's risk of being exposed and ultimately breached."
Those responsibilities are why some organizations continue to have concerns about adopting cloud-based ERP applications, even though cloud security measures have been improving over the last five years, the report continues.
The critical security issues addressed by the report include:
- Where the data will reside, given regulatory compliance and security worries. "Most cloud ERP vendors will allow the customer to choose the data center, and therefore the geographical location of its data. In light of the upcoming European General Data Protection Regulations (GDPR), there are restrictions and considerations which need to be addressed in regard to the privacy of personal data, the controls used and where that data resides. Compliance with these regulations may add some restrictions to customer flexibility, one of the advantages of ERP."
- User provisioning, authentication, authorizations and single sign-on matters, which all must be addressed to ensure proper security procedures.
- User activity and access monitoring to provide visibility around what the users are doing at any point in time, while also detecting malicious and anomalous user behavior.
- Security vulnerability management, to ensure that patching and system availability are handled quickly and properly when using a SaaS ERP provider.
- Disaster recovery planning, to ensure that, whether ERP services come through IaaS or SaaS, plans are in place to use the benefits of the cloud to provide backup operations in the event of outages or disasters.
- Due diligence and Service Level Agreements to measure and validate the compliance status of ERP vendors.
- Detailed incident response plans must be in place in case a security breach occurs.
"Migrating large ERP systems can take months if not years of planning," John Yeoh, research director for the CSA, said in a statement. "These deployments involve significant investment of time and money and are extremely complex. It's these complexities that make standard security measures difficult to implement. We hope this paper initiates much-needed discussion of how to comply with security and privacy guidelines to protect organizations' critical infrastructure."
Juan Perez-Etchegoyen, the co-chair of the CSA's ERP Security Working Group, told ITPro Today that the report graphically shows "what we are seeing in the market and within ERP customers, around cloud migrations and adoption of Cloud ERP applications."
Perez-Etchegoyen, who is the CTO for Onapsis, the study's sponsor, said the cloud transition for enterprises contemplating a cloud move for their ERP systems "is complicated by the fact that cloud service providers must be depended on to solve many security challenges."
That means that businesses and IT leaders must be sure they have answers to all of their questions and concerns before making their move and realizing the advantages of ERP in the cloud.
"Business transformation projects drive most cloud ERP adoption, therefore customers planning on executing such projects should ensure security is amongst the key requirements of the effort," he said. "If security is not addressed at the front line of these projects, the costs could significantly increase, potentially compromising project deadlines."