All the major ERP providers are pushing their customers to move to Cloud ERP solutions. “Worldwide end-user spending on public cloud services is forecast to grow 20.4% in 2022 to total $494.7 billion, up from $410.9 billion in 2021,” according to one report from Gartner Research, which also predicts that end-user spending will hit nearly $600 billion next year.
On-premises software packages are being phased out. In many cases, that leaves the organizations that are reliant on those systems no choice but to migrate to the cloud-based offerings or risk running with no support or security patches available.
The advantages of Cloud ERP are many, so those companies will gain significant advantages in the process, but might still be concerned about security. One question that’s often raised is: “How can I be sure that my ERP system will be secure when it’s not in my own data center, behind my own firewall and other defenses?”
Cloud ERP Security Advantages
The most popular Cloud ERP solutions are being deployed as SaaS (Software-as-a-Service), which means that the cloud provider takes on most of the responsibility of cybersecurity. The top cloud ERP providers are aware of the liability that this puts on them, so they are investing massive amounts into ensuring that those resources are well-protected.
For example, Microsoft employs a “Zero Trust” model to cloud security and invests more than $1 billion each year into cybersecurity research and development. It also provides the CDOC (Cyber Defense Operations Center) that brings together world-class cybersecurity specialists and data scientists in a 24/7 facility to combat threats in real time. Many of the security threats and concerns that your organization is responsible for protecting against on-premises systems are now handled much better by cloud providers.
Cloud ERP Security Best Practices
So, does that mean we don’t have to take any responsibility for cybersecurity once we move to Cloud ERP? Not quite. I like to use this analogy: Imagine your home has the best security system available, with all the latest features and functions. If a criminal comes to your front door and you invite them in, or if you hand someone a key and give them all the entry codes, the security system probably won’t do much to protect your home. The same is true for a Cloud ERP system.
There are still areas of responsibility that you need to be aware of and establish good policies. Here are three best practices as a starting point
I hope the day will come when we don’t need passwords any longer. Coming up with and memorizing or securely storing unique, complex passwords for every site is difficult, which often results in password re-use. The many major data breaches reported regularly tell us that our passwords are being downloaded and made freely available or for sale on the dark web.
It is critical that you do two things to keep these events from letting unauthorized users into your Cloud ERP system.
- Use unique passwords: Since these are hard to come up with and remember, use a password utility such as LastPass, Dashlane, or Keeper. Never use the same password on multiple systems.
- Set-up multi-factor authentication: Don’t let the password be the single point of entry for any of your systems. All of the major cloud providers allow your logins to require more than one form of identification. It can be a thumbprint, facial recognition, a random number generator, or even a text or email message. That way, even if someone did find out your password, they will still need to also have the secondary authentication method.
2. Software Updates
Although some Cloud ERP systems receive automatic updates with no action needed from the customer, others are a bit more flexible, letting you skip or postpone updates. This may be necessary in order to allow adequate time for testing, but it is imperative that you stay as current as possible, particularly when the updates contain security fixes. One of the most common ways criminals gain access to systems is through unpatched software.
3. Access Rights
ERP systems are very complex. Additionally, fine-tuning access privileges can be time-consuming. It is tempting to just grant full access or administrative privileges to a user to ensure that they can get to everything they need in the system.
However, this shortcut exposes your system and data to unnecessary risk. It is crucial to set up security roles and privileges that provide only the access each user needs, and no more. This way, if someone gains unauthorized access via that user’s credentials, at least the damage they can do is more contained.
We no longer have to worry that moving our ERP systems to the cloud will unnecessarily make them more vulnerable to cybersecurity threats. However, we shouldn’t just assume that all security measures are adequately handled by the cloud provider either. As you plan your Cloud ERP migration strategy, look into what mitigation measures are provided out-of-the-box, as well as what third-party services you might also need. Finally, don’t forget to learn and understand which areas are still your responsibility and make sure that you have a plan for handling those.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: