By: Juan Perez-Etchegoyen
Have you considered security when migrating enterprise resource planning (ERP) applications to the cloud? This is a question you may often hear if you are the chief information security officer (CISO) or the chief information officer (CIO) of an organization that is:
1. Planning to run your existing applications and workloads in a cloud environment, typically a hosted environment, but it could also be a migration to a completely new technology.
2. Already running your most-critical business applications in the cloud, but without a clear understanding of the security challenges it may bring.
Migrating to the cloud is not always a simple process and has many nuances, mainly due to the complexity of business-critical applications or ERP applications.
Cloud ERP Applications
Over time, security and data privacy have become some of the biggest roadblocks for cloud adoption, especially in the space of business-critical applications such as ERP, customer relationship management (CRM) or supply chain management (SCM), due to the critical nature of the data and processes that these applications support. Push-back has relented recently as organizations now have more security-focused tools that they use to build and maintain trust with cloud and application providers. Because of this, migrations to the cloud and hosted environments are happening more often.
Migration to the cloud is not something that happens overnight, especially not for the biggest organizations in the world. It is also not as simple as a “lift and shift” approach that many organizations believe when they begin the project. These organizations run extremely complex and customized business processes, which in many instances cannot be mapped to cloud ERP in software as a service (SaaS) mode. This means that their migration to the cloud starts with running their former on-premise systems in hosted environments.
Because of all of the complexities, ERP applications running in the biggest organizations in the world will typically migrate into hybrid cloud environments. Some business processes and data are executed in the on-premise applications, while other processes are executed in hosted environments with complex integration scenarios.
Organizations need to ensure an efficient and smooth transition while maintaining security throughout each phase of the process. This is key not only to the security of the critical data in the company but also to continuing to maintain compliance with external regulations such as the Sarbanes-Oxley Act (SOX) for publicly traded organizations or the General Data Protection Regulation (GDPR) for organizations that process EU citizens' data. It also keeps companies honest about their internal security standards and metrics.
In order to ensure a secure migration, especially when it comes to migrating to a hosted environment, users must ensure they are properly addressing the following topics. These are the main challenges organizations face when it comes to cloud ERP applications running in infrastructure as a service (IaaS) environments:
• Implementation of security patches
• Hardening and securely configuring the application
• User provisioning and authorizations
• Secure integrations of ERP applications
• Application monitoring
These challenges are further detailed in the first guide released by the Cloud Security Alliance (CSA) cloud ERP working group, titled The State of Enterprise Resource Planning in the Cloud, which aims to set a basis and explain the current status of the security of ERP applications running in the cloud.
Cloud Security Alliance And ERP Applications
As a result of our research, Onapsis reported the vulnerabilities that led to almost 70% of the security patches that SAP released for its main component, called SAP HANA. This contributed to more than 100 vulnerabilities subsequently fixed in that platform. Along the same lines, Onapsis reported 154 vulnerabilities (representing around half of the patches since 2016) in Oracle's most widely adopted financial ERP, called Oracle E-Business Suite, which also runs in the cloud, working closely with Oracle on the patches. The CSA document was created by a group of over 80 volunteers, helping the CSA to generate the content that ERP customers really need to address their most immediate concerns.
If security in your existing or upcoming cloud ERP is still an open issue for you, here are some initial steps that you can take:
1. Understanding the cloud models you will be leveraging to support your business-critical applications — IaaS, platform as a service (PaaS), SaaS — as each will lead to different security considerations you will have to address.
2. Making sure the boundaries are clearly defined in terms of securing your most critical applications: You will have to know who is maintaining the security, who is applying patches and who is provisioning users and limiting access to your data.
3. Incorporate compliance and legal as soon as possible, as they will have to define what type of data has to be specially protected and which mandates you will have to comply with (SOX, GDPR, etc.).
4. Incorporate security requirements, objectives and key performance indicators (KPIs) as part of the overall objectives of the digital transformation or cloud migration projects, as that will keep your costs low in terms of running secure applications.
5. Leverage all assets available from the CSA, especially the ones that will be released soon by the ERP Security working group.