The Security Challenges of Moving ERP to the Cloud

A new report from the Cloud Security Alliance examines how organizations are moving business-critical ERP applications to the cloud and potentially exposing themselves to new risks.


Enterprise resource planning software is a business-critical application for many organizations, and when moving to the cloud from on-premises deployments, there are some key security concerns that need to be considered, according to a study from the Cloud Security Alliance.

The CSA study, titled Enterprise Resource Planning (ERP) Applications and Cloud Adoption, was sponsored by Onapsis and released on Jan. 11. The study found that 69 percent of organizations are moving data for popular ERP platforms including SAP and Oracle to the cloud. While many organizations are moving ERP to the cloud, the study also found a number of misconceptions about security.

"Given the complexity of ERP applications, we still see organizations focusing their ERP security strategy in foundational security such as IAM [Identity and Access Management], GRC [Governance Risk and Compliance] and SoD [Segregation of Duties]," JP Perez-Etchegoyen, Onapsis CTO and CSA ERP Security Working Group chair, told eWEEK. "But security must be addressed holistically, and it should consider other aspects such as ERP customizations, ERP configurations, ERP monitoring, ERP integrations, ERP vulnerabilities and other ERP risks."

The study found that among the security controls used to help protect ERP deployments in the cloud, IAM controls are used by 68 percent of organizations. Other tools used include firewalls (63 percent) and vulnerability assessment (62 percent). 

Cloud ERP Deployment

Organizations have traditionally been deploying ERP systems on-premises, but that has been changing in recent years. Perez-Etchegoyen commented that SAP and Oracle are definitely helping and pushing organizations to migrate to the cloud. Additionally, he noted that the partner ecosystem is the one that is providing the real scale to help organizations adopt the cloud.

The cloud is not a uniform concept though and has different types of deployment models that organizations are using for ERP. One model used is cloud infrastructure-as-a-service (IaaS), in which organizations deploy Oracle, SAP or other ERP products in AWS, Azure, GCP and any other hosted environment. 

"This is pretty much like running on-premises but in a hosted environment," Perez-Etchegoyen said. "Depending on the service agreements, you could be responsible for the security of those applications as a customer, or it could be a shared responsibility with the provider."

The cloud software-as-a-service (SaaS) model is another popular approach for ERP deployment. Perez-Etchegoyen explained that with the SaaS model, applications are available in the cloud for organizations to subscribe to based on the number of users per year. Some examples of this are NetSuite, Oracle Cloud ERP, SuccessFactors, Ariba and SAP S/4HANA Public Cloud.

The other cloud service model that is used for ERP deployment is the platform-as-a-service (PaaS) approach. Perez-Etchegoyen said the PaaS cloud service model is used primarily to extend SaaS applications with functionality not available in the application. 

"It [PaaS] is the only way to develop custom functionality for the SaaS apps," he said. "The example of installing WebLogic on Oracle Cloud would be IaaS as you are actually buying compute power and deploying the application on your own."

ERP Security

Moving to the cloud is also about understanding the shared responsibility model for security. Perez-Etchegoyen said that ERP cloud security isn't just about providers but is also about the customers. 

For example, both Oracle and SAP deliver products with good security standards, but organizations still need to implement the additional controls around security and visibility as if they were running those applications on-premises. He added that most ERP applications are customized so there are a large number of potential security vulnerabilities that can be introduced by the customer while extending the provider's functionality, and that needs to be properly controlled too. 

Some examples of controls that organizations should implement, according to Perez-Etchegoyen, include ERP vulnerability assessments, ERP monitoring, interface data security and secure configuration.

"ERP applications are complex, therefore securing ERP applications involves a degree of complexity that requires both customers and providers working together," he said. "There will be security controls that should be implemented by the provider, but there are security controls that need to be implemented by the customer and understanding that is the key."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.