Moving Enterprise Resource Planning (ERP) solutions to the cloud can yield significant operational, maintenance, and security opportunities. Cloud solutions offer major benefits in scalability, resiliency, recovery, and availability.
Making the move also changes the operational and security responsibilities. Each cloud solution has a shared responsibility model that needs to be reviewed, documented, and integrated into operational practices.
New risks introduced by cloud migration include:
- Broader Access – Accessing the solution from anywhere (often with just a browser) is great for flexibility and productivity. Access from anywhere can also introduce additional risk from users reaching the solution from insecure systems and browsers and handling sensitive data in public areas. Cybercriminals from around the world may now have greater visibility of the solution and more opportunity to try to break in.
- Increased Attack Surface – Every addressable system, application, and solution on the internet is under constant attack – attackers are trying to gain access, use the systems to extend additional attacks, or cause disruption.
- Reliance on Solution Providers – Every cloud solution will have a shared responsibility model describing your responsibilities and theirs. Your organization will have to get assurance the cloud provider can and will meet their responsibilities.
Effectively integrating the shared responsibility model requires the application owner, IT, security, and the cloud provider to work together. Areas that need to be addressed include:
- User Management – No matter the solution, you still have to provision users, assign groups, and manage access within the ERP solution. Depending on the cloud solution in use, you may also have to manage access to the supporting environment and systems.
- Encryption Settings – Settings for encrypting data in transit and at rest, as well as the type of encryption, are generally settings your organization will need to determine and manage.
- Authentication – Ideally the cloud solution in use can integrate with your single sign-on solution so you can enforce your multi-factor authentication requirements. If not, you may need to define and implement the authentication requirements within the ERP itself.
- Monitoring – Monitoring will be highly dependent on the type of cloud solution in use, but will always require changes to processes to monitor security events with the ERP.
- Incident Response – The Incident Response Plan and specifically the breach analysis process will need to be updated to reflect the use of the cloud solution and detail the shared responsibilities in the event of a suspected breach.
- Security Awareness Training – The existing training programs will need to be updated to address any specific requirements or issues for the new ERP.
- Solution-Specific Controls – Thoroughly read and understand the shared responsibility matrix and, where possible, leverage the cloud solution's own capabilities to enhance and support your security posture. Some solutions provide capabilities such as geolocation blocking, detection of anomalous user activity, log collection and analysis, and security alerts.
- Vendor Risk Management – Some due diligence is required to verify a cloud solution provider's security practices and reliability, and you will then have to periodically re-verify that they maintain those practices. Most cloud solution providers will have a third-party audit report (e.g., SOC 2, FedRAMP, or similar) describing the controls they are expected to have and how they meet them – so always request and check those reports.
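The monitoring and solution-specific-controls items above name geolocation blocking, anomalous user activity detection, and log collection as capabilities to look for. As an added illustration (not code from Knowledge Path or from any ERP vendor), the Python below runs three such checks over a constructed, normalised ERP sign-in log: logins from countries outside an allow-list, a user signing in from a country that is not in their known-location baseline, and a burst of failed logins followed by a success. The log format, the field names, the allow-list, the baseline, and the thresholds are all assumptions made for this example; a real deployment would map the provider's audit-log export onto the same fields.

```python
"""Example detections over constructed ERP sign-in events.

Added illustration only: the event shape, sample data, allow-list and
baseline below are assumptions, not any vendor's actual log format.
"""
import json
from datetime import datetime, timedelta

# Constructed sample: one JSON object per line, as a normalised audit
# export might look. Timestamps are ISO 8601 in UTC.
SAMPLE_EVENTS = [
    '{"ts": "2024-03-04T08:01:12Z", "user": "j.doe", "event": "login", "result": "success", "country": "US"}',
    '{"ts": "2024-03-04T08:15:40Z", "user": "j.doe", "event": "export_report", "result": "success", "country": "US"}',
    '{"ts": "2024-03-04T08:20:05Z", "user": "a.smith", "event": "login", "result": "success", "country": "CA"}',
    '{"ts": "2024-03-04T08:22:51Z", "user": "a.smith", "event": "login", "result": "success", "country": "BR"}',
    '{"ts": "2024-03-04T09:00:02Z", "user": "svc_integration", "event": "login", "result": "failure", "country": "US"}',
    '{"ts": "2024-03-04T09:00:45Z", "user": "svc_integration", "event": "login", "result": "failure", "country": "US"}',
    '{"ts": "2024-03-04T09:01:30Z", "user": "svc_integration", "event": "login", "result": "failure", "country": "US"}',
    '{"ts": "2024-03-04T09:02:10Z", "user": "svc_integration", "event": "login", "result": "success", "country": "US"}',
    '{"ts": "2024-03-04T12:00:00Z", "user": "j.doe", "event": "login", "result": "success", "country": "US"}',
]

# Assumed policy values: countries the organisation permits sign-ins from,
# each user's previously seen countries (e.g. built from prior history),
# and the failed-login burst threshold and window.
ALLOWED_COUNTRIES = {"US", "CA"}
KNOWN_COUNTRIES = {"j.doe": {"US"}, "a.smith": {"CA"}, "svc_integration": {"US"}}
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=10)


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def logins(events):
    """Only sign-in events matter for the three checks below."""
    return [e for e in events if e["event"] == "login"]


def detect_geo_block(events, allowed=ALLOWED_COUNTRIES):
    """Any login attempt (success or failure) from a non-allowed country."""
    return [{"user": e["user"], "country": e["country"], "ts": e["ts"]}
            for e in logins(events) if e["country"] not in allowed]


def detect_new_country(events, known=KNOWN_COUNTRIES):
    """Successful login from a country not in the user's baseline.

    A user absent from the baseline is treated as having no known
    countries, so their first success is flagged for review.
    """
    alerts = []
    seen = {user: set(countries) for user, countries in known.items()}
    for e in logins(events):
        if e["result"] != "success":
            continue
        if e["country"] not in seen.setdefault(e["user"], set()):
            alerts.append({"user": e["user"], "country": e["country"], "ts": e["ts"]})
            seen[e["user"]].add(e["country"])  # alert once per new country
    return alerts


def detect_failed_login_burst(events, threshold=FAILED_LOGIN_THRESHOLD,
                              window=FAILED_LOGIN_WINDOW):
    """`threshold` failures for one user inside `window`, noting whether a
    success followed the burst within the same window (one alert per user)."""
    alerts = []
    by_user = {}
    for e in logins(events):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        fails = [e["ts"] for e in evs if e["result"] == "failure"]
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i], fails[i + threshold - 1]
            if last - first <= window:
                followed = any(e["result"] == "success" and last < e["ts"] <= last + window
                               for e in evs)
                alerts.append({"user": user, "failures": threshold, "start": first,
                               "end": last, "followed_by_success": followed})
                break
    return alerts


def run_detections(lines):
    """Run all three checks and return the alerts grouped by detection name."""
    events = parse_events(lines)
    return {
        "geo_block": detect_geo_block(events),
        "new_country": detect_new_country(events),
        "failed_login_burst": detect_failed_login_burst(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        for hit in hits:
            print(name, hit)
```

On the constructed sample this flags one sign-in from a blocked country, one user appearing from a country outside their baseline, and one burst of failed logins on a service account that was followed by a success. The allow-list, baseline, and thresholds are owner decisions that belong in the same documented settings as the encryption and authentication choices above, and each hit should feed the updated incident response process rather than sit in a log nobody reads.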
At Knowledge Path, we encourage every organization to embrace cloud solutions that match their requirements, enhance business operations, and reduce on-site overhead. We highly encourage every organization to review security controls, processes, and supporting solutions as part of the design, implementation, and deployment process. A well-architected solution with security integrated throughout the design will protect the solution and the organization.