Juan Pablo Perez-Etchegoyen: The State of Cloud ERP Security

As Enterprise Resource Planning (ERP) applications are considered to be business-critical, they are often left exposed by users due to a variety of issues such as: complexity, criticality of the data, strong change management processes and lack of special skill sets required.

Onapsis, a leading pioneer in cybersecurity and compliance solutions for cloud and on-premise platforms, focuses on the security of big ERP applications – mainly SAP and Oracle. As the company has previously focused on the on-prem world, the company has noticed organizations moving to cloud environments, leveraging the latest and greatest innovations, deploying in the cloud itself or in SaaS (Software-as-a-Service), IaaS (Infrastructure-as-a-Service) and PaaS (Platform-as-a-Service) models. This is often in the context of digital transformation projects, leveraging the latest technology from ERP vendors such as in memory, analytics and real-time reporting to make their businesses more competitive.

Juan Pablo Perez-Etchegoyen leads the Research & Development team that keeps Onapsis on the cutting-edge of the business-critical application security market. Responsible for the design, research and development of Onapsis’ innovative software solutions, he helps manage the development of new products as well as the SAP cyber-security research that has garnered critical acclaim for the Onapsis Research Labs.

As a top influencer and global speaker at industry conferences including, Blackhat, HackInTheBox and SAP TechEd/DCode, we’ve interviewed Perez-Etchegoyen about the state of Cloud ERP security.

Why is security one of the biggest concerns preventing the adoption of cloud-based ERP applications and digital transformation projects in masse?

(Market-size projections calculated at between $23-30 billion over the next five years).

JP: When running in the cloud, security really changes. In particular, depending on the cloud model, there is a shift of responsibilities, e.g. what you do and the cloud vendor does, not only in terms of managing the systems but also in terms of security like patching, monitoring, protecting, etc. The vendor will address only what is outlined on the contract and what is negotiated beforehand – so focusing on contracts and knowing where the boundaries are is key to a successful migration to the cloud. Otherwise you might think the vendor is doing something while, in fact, he/she is not, and that is where the gaps are.

What are the biggest challenges when it comes to adopting cloud-based ERP?

JP: A lot of these challenges are similar to the on-prem world. As organizations start to migrate and move their core to the cloud, they need to support the mapping of their business processes into the ERP apps. While some are using SaaS models, many will be moving to IaaS models, where the hosting is handled by Azure, AWS, Google, as well as SAP and Oracle as cloud vendors.

JP: This means customers will be running on a different data center, and they will have to be 100% sure who will deal with the following security requirements: patching, provisioning & authorizations (ERP applications are probably the most complex apps in the world for authorizations), and visibility into what is happening on app and servers and systems, to name a few.

How will the cloud increase the attack surface for ERP applications?

JP: The most critical applications in the organization are now running out of the boundaries of the company, without the traditional controls and processes to secure the applications and data. For example the traditional solutions for packet capture and security protections will potentially not even be available to run in that cloud network therefore organizations need to implement additional controls to understand what is happening on their most critical assets.

Looking for more? Download our ERP Buyer’s Guide for free to compare the top 24 ERP software vendors head to head! The guide also includes 4 key capabilities to consider while selecting a new ERP solution and 10 questions to ask yourself and the software vendor before purchasing.

And don’t forget to follow us on Twitter, Facebook and LinkedIn for all the latest in the ERP space!