Enterprise resource planning (ERP) continues to be a mainstay of corporate IT, providing the backbone for a variety of business processes including finance, human resources, procurement, and services.
Increasingly, organizations are moving to cloud-based ERP platforms, for some of the same reasons they move other applications to the cloud: cost savings, increased flexibility and easier scalability compared with on-premises ERP.
“Modern organizations have long relied on legacy and on-premises systems to manage a host of automated services and data, from inventory and order management to human resources and customer relationship management,” said Charlie Singh, co-chair of the ERP Security Working Group at the Cloud Security Alliance (CSA).
However, as the technology driving these systems is increasingly becoming obsolete, Singh said, enterprises are realizing they must shift these business tools to the cloud if they are to remain agile and competitive.
As with any other move to the cloud, shifting ERP to a cloud environment raises questions about data security and privacy. And given how critical these applications are to the business, these are not small considerations. Unfortunately, many IT executives are still unfamiliar with the intricacies of securing such systems in the cloud, Singh said.
To explore where organizations are at when it comes to securing ERP in the cloud, CSA—an organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment—recently released a study on the topic.
The research, “State of ERP Security in the Cloud,” is the first in a series planned over the coming year from the CSA ERP Security Working Group, with the aim of providing IT and management professionals with an overview of cloud security for ERP systems.
Migrating large ERP systems can take months if not years of planning, noted John Yeoh, research director, Americas for CSA. The deployments involve significant investment of time and money and are extremely complex, he said, and it’s these complexities that make standard security measures difficult to implement.
As with any technology implemented in the cloud, however, security risks and challenges need to be managed and overcome. ERP applications are particularly at risk given the nature of their functions, the study said. In addition, as the technology continues to develop maturity in the cloud space, organizations rely on the cloud service provider (CSP) to deploy better security measures than they would have otherwise used on-premise.
Organizations need to consider those security challenges when migrating their ERP solutions to the cloud. Potential considerations might range from general security concerns to complications specific to the cloud service model being adopted, CSA said. The cloud service model will drive the responsibilities and ownership of some of the key characteristics of business-critical applications.
It’s vital for enterprises to understand and evaluate all the risk factors involved with ERP migration, provisioning, and consumption of services. An organization’s critical data should be protected both on-premise and in the cloud, and the use of security controls will help minimize the risk of being exposed and ultimately the victim of a breach.
CSA has developed the Cloud Controls Matrix (CCM), a guide specifically designed to provide fundamental security principles that can assist cloud vendors and prospective cloud customers in assessing the overall security risks of a cloud provider. The CCM consists of 133 security controls categorized into 16 domains that can be used to secure a cloud computing environment.
Companies migrating ERP to the cloud should use these controls as a base framework to start analyzing cloud options, while complementing it with upcoming publications of the CSA ERP Security Working Group, the report said.
CSA notes that the cloud computing ecosystem is maturing rapidly, and organizations are starting to explore what options they have in the cloud and if it’s possible that a cloud environment might alleviate traditional challenges business-critical applications normally face. On the other hand, it says, moving to the cloud raises its own security challenges as well.
The transition organizations face when deploying or operating critical applications in the cloud is complicated by the fact that cloud service providers must be depended upon to solve many of the security challenges. The key security concerns include clearly defined security responsibilities; visibility of cloud software-as-a-service (SaaS) applications; and keeping up with the security of ERP applications when running them through third-party providers, such as infrastructure-as-a-service (IaaS) offerings.
In addition, as business transformation drives most cloud ERP adoption, organizations planning to execute such projects should ensure that security is among the key requirements of the effort. If security is not addressed at the front line of these projects, CSA says, the costs could significantly increase, potentially compromising project deadlines.
CSA’s ERP Security Working Group plans to address all of the ERP-related cloud security concerns in the coming months. The group’s goal is to provide appropriate and comprehensive guidance for enterprises looking to operate and deploy business-critical applications in the cloud.