The Cloud Security Alliance (CSA), a coalition of security vendors, service providers, and other technology companies, is turning its attention to ERP security. Today the CSA published its first paper on the topic: “The State of ERP (Enterprise Resource Planning) Security in the Cloud.”
The organization will release others throughout 2018 that aim to provide IT and management professionals with an overview of cloud security for ERP systems.
“The biggest ones are SAP and Oracle applications,” said JP Perez-Etchegoyen, co-chair of the CSA ERP security working group and CTO at Onapsis, which also sponsored the paper. “Every single business process of the biggest organizations in the world are being executed through Oracle and SAP ERP applications. They are running the lifeblood of these organizations.”
As such, two of the future research papers will specifically take on SAP and Oracle technology and security. Additional security topics will include infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS), Perez-Etchegoyen said.
The first paper gives a more general overview of cloud ERP security.
ERP in the Cloud
When an enterprise deploys ERP applications in its on-premises data center, the enterprise is responsible for securing and managing the servers that house the workloads as well as the data. But when these workloads move to the cloud, both the enterprise and the cloud provider share responsibility.
“When we are running applications in the cloud, there is a shift of responsibility — what we are responsible for and what the cloud vendors are responsible for, not only in managing these systems but also in securing these systems,” Perez-Etchegoyen explained.
For example: security patches. Vendors of ERP applications are constantly publishing new patches to address vulnerabilities. It is usually the customer’s — not the cloud provider’s — responsibility to ensure its patches are up to date.
User provisioning and authorizations are another key security concern, the report says. “You really need to make sure all of your thousands of employees can only do what they are supposed to do, and access only the data they are supposed to access,” Perez-Etchegoyen explained.
As with on-premises ERP applications, he added, visibility is key. But now that applications are running in the cloud, enterprises need to work with the cloud providers to ensure they have visibility and control over security aspects.
“Now you have applications running in another data center — in a cloud vendor’s data center — so you need to maintain visibility into what is happening in that application and what is happening on those servers that are out of your traditional controls.”