Juan Pablo Perez-Etchegoyen leads the Research & Development teams that keep Onapsis, a leading pioneer in cybersecurity and compliance solutions for cloud and on-premise applications, on the cutting edge of the business-critical application security market.
Onapsis has special focus on the security of big Enterprise Resource Planning (ERP) applications, as they run the biggest companies throughout the world.
Perez-Etchegoyen is responsible for the design, research and development of Onapsis’ innovative software solutions, and helps manage the development of new products as well as the SAP cyber-security research that has garnered critical acclaim for the Onapsis Research Labs. As ERP applications are considered to be business-critical, they are often left exposed by users due to a variety of issues.
The Cloud Security Alliance (CSA) recently released a report titled “State of ERP Security in the Cloud,” the first in a series planned over the coming year by the CSA ERP Security Working Group. It aims to give IT and management professionals a sound overview of cloud security for ERP systems while also examining the privacy challenges involved.
Below are the top general security concerns in cloud-based ERP applications that the working group has analyzed and reached consensus on. Perez-Etchegoyen touches upon these seven concerns, describing them as “a guide to the core steps for a safe shift of ERP applications to the cloud,” and says they should be part of every ERP cloud risk management program.
1. Data Residency
“An ERP application’s most important asset is the data it holds, and this information is often subject to multiple regulations. In particular, in light of the upcoming European General Data Protection Regulations (GDPR), there are restrictions and considerations which need to be addressed in regards to the privacy of personal data, the controls used and where that data resides.”
2. User Provisioning, Authentication, Authorizations and Single Sign-On
“Security considerations must be given as to whether the organization uses its own identity management solutions or a third-party identity provider to deliver SSO to cloud services.”
3. User Activity and Access Monitoring
“The day-to-day functioning of large organizations requires employees of various trust levels and roles to have access to ERP solutions and other business-critical applications, as well as the highly sensitive data that resides in them – and having visibility around what the users are doing at any point in time to detect malicious and anomalous user behavior is important. Different cloud service models will likely require customized solutions, and audit trails are required.”
4. Security Vulnerabilities Management
“Organizations may need to agree to specific maintenance periods when patching can be done if a SaaS (Software-as-a-Service) provider operates their change management. A failure to understand the importance of these steps could lead to a loss of service, corruption of data or system unavailability. In IaaS (Infrastructure-as-a-Service) models, patching can be either outsourced to the cloud service provider or controlled by the organization’s technical team but, ultimately, it is always the customer’s responsibility.”
5. Disaster Recovery Planning (DRP)
“DRP is considered one of the direct benefits of shifting business applications to the cloud because, whether IaaS or SaaS, the cloud provider can shift to other data centers around the world in case of a major disruption.”
6. Due Diligence and Service Level Agreements
“Many ERP vendors provide compliance checklists, but other vendors will not be so forthcoming. As a preventative measure, organizations are encouraged to exercise due diligence and check ERP vendor standards and attestations that have been claimed as valid. Confounding the problem, many SaaS vendors host their products on third-party IaaS infrastructure. Further, if a cloud service is compromised, customer data may also be compromised, leading to regulatory control and possible fines if data is lost.”
7. Incident Response (IR)
“Due to the nature of ERP applications, organizations need to be ready for a compromising incident. While this preparation starts with an IR plan, organizations must also be able to secure the correct data at the appropriate time from the cloud provider when an incident does occur. This should be highlighted in the cloud provider service contract.”