Security Expectations and Mis-Conceptions in Migrating ERP to the Cloud

Digital transformation is increasing the need for enterprise resource planning (ERP) systems to allow organizations to manage the entirety of their business in a coordinated manner. Globalization is forcing organizations to consider cloud solutions to prevent disjointed business operation across multiple global locations -- and even smaller companies are simply attracted by the economies and potential security of cloud operations.

The specific arguments for migrating ERP to the cloud are faster time to value, increased innovation, and scalability with growth.

The effect of these arguments is to persuade organizations to migrate existing on-premise ERP solutions to the cloud, and for companies considering their first ERP system to consider going straight to the cloud. Cloud migrations are never easy, particularly when the data concerned is critical to business operations.

To better understand the practical concerns of ERP in the cloud, and migrating to it, the Cloud Security Alliance (CSA) -- sponsored by Onapsis -- queried 199 managers, C-level executives, and staff from enterprises in the Americas (49%), APAC (26%) and EMEA (25%).

"As moving to the cloud raises its own security and privacy challenges, we wanted to provide some benchmarks regarding the myriad issues surrounding cloud migration and security," explained John Yeoh, director of research, Americas for the CSA.

Noticeably, the Americas and APAC regions (both at 73%) are more likely to be migrating to a cloud solution than EMEA. "Regulations in EMEA, such as the European Union General Data Protection Regulation (GDPR) impacted organizational plans for technology purchases, cloud services, and third-party policies," notes the report.

Compliance challenges are the third most concerning issue for all companies in the survey at 54.29%. The biggest concern is over the practical issues around migrating sensitive data (64.76%), with general security concerns second at 59.05%.

Less concerning are disruption of business operations (46.67%) and the time it takes (45.71%). The former is somewhat surprising since organizations -- especially at senior management levels -- usually give operations a higher priority than security. It is unlikely that this issue is given less thought than the other concerns. It is more likely that this is given extra consideration, to the extent that companies migrating to the cloud become quite confident. "Business planning, proper architectures, and proper third-party procurement and management of services should be included in ERP strategies," says the CSA, "and can aid in ensuring a smooth transition into cloud services."

The relatively low concern over the time required for migration suggests organizations accept it is a lengthy process, and don't mind spending the time to get it right. This is probably a good thing, since only 26% of the respondents achieved data migration within their expected time frame.

The security issues are largely being tackled by identity and access management (IAM) (68%), firewalls (63%), vulnerability assessments (62%), and IDS/IPS applications (59%). Single sign-on (SSO) is an important part of IAM solutions, with 79% of respondent organizations using SSO to authenticate their ERP solutions.

Cloud access security broker (CASB) solutions are no longer a new technology, but are still an emerging technology for use with ERP in the cloud. They are most commonly employed in the Americas (42%), but are less popular in the APAC region (19%) and EMEA (only 11%). Nevertheless, this is expected to grow. Gartner predicts that by 2022, 60% of large enterprises will use a CASB to govern some cloud services, up from less than 20% today.

"In any cloud migration, regardless of the provider, security must be implemented from the start and implemented in phases throughout the project. Organizations are concerned about moving sensitive data across environments, then addressing the security and compliance implications that come of that migration. Our studies have found that implementing security in each phase of the migration could save customers over five times of their implementation costs," commented Juan Pablo Perez-Etchegoyen, CTO of Onapsis and Chair of the CSA ERP Security Working Group. 

A slight majority of respondents expect an increase in security incidents with ERP in the cloud. More than a third expect a slight risk increase, with a further 20% expecting a significant risk increase. However, these figures are not as surprising as the apparent confusion over responsibility for security incidents. Seventy-seven percent of respondents believe they are responsible for the security of their ERP applications, with 48% saying the cloud provider is responsible. Cloud providers (AWS and Azure are the two top providers chosen for data migration) operate a 'shared responsibility' model where the provider is responsible for the infrastructure, but the customer is responsible for data.

The survey differentiates between 'responsibility' and 'accountability'. Here the figures are reversed with more respondents holding the cloud provider accountable (60%) than themselves (41%). How the providers will be held to account is not discussed. Nevertheless, the CSA suggests the 'troubling misconception' needs to be addressed by organizations taking more ownership of their business-critical applications while migrating them to the cloud.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.