Cloud ERP taking off but confusion persists around security and control topics

By: Kurt Marko

Moving ERP workloads to cloud environments appears to have reached the proverbial tipping point. However, well-worn concerns around security and control continue to exercise the minds of IT and business executives.

Whether enthusiastically or begrudgingly adopted, cloud infrastructure and services are a significant part of the IT fabric at most organizations. Nevertheless, as business leaders continue to rightfully fret over data security and potentially introducing new risks, it’s reasonable to conclude that critical systems like ERP might be some of the last to move. That’s not necessarily the case.

As other diginomica writers have detailed, there is a healthy and vibrant market in cloud ERP software and, as a new independent survey from the Cloud Security Alliance (CSA) details, these vendors are vying for a growing customer base as more organizations plan cloud deployments.

Cloud ERP vendors pitch cloud benefits such as rapid access to new features, financial efficiency through avoided capital spending and lower operational overhead, coupled with the ease of supporting globally distributed workers and business partners. However, the CSA survey suggests that business and IT executives worry about infrastructure and data security and the complexity of complying with a hodgepodge of global data protection regulations when using third-party infrastructure. The clash between cloud convenience and fiduciary and operational realities will significantly shape how the cloud ERP market evolves and grows.

While data from surveys like that conducted by CSA are useful in helping set vendor and buyer priorities, even more important are concrete guidelines for securely operating and using cloud ERP environments. Moving critical business systems to the cloud without such security and governance measures in place is a recipe for future financial and operational disaster.

First, the numbers

The CSA survey is interesting because it doesn’t come from a non-profit standards organization, nor a vendor driving an agenda. However, its numbers jibe with other surveys. While at 60 percent most organizations still deploy ERP systems on-site, 40 percent already use SaaS ERP, another 15 percent are actively planning SaaS deployments and 34 percent are considering cloud ERP. These numbers are consistent with an Oracle 2018 ERP Trends report showing that two-thirds of respondents have or are actively planning for a cloud ERP deployment.

Note that for my purposes, cloud ERP means a SaaS product, not using cloud infrastructure, IaaS, to run a private ERP instance.

Since the survey choices weren’t mutually exclusive and we are in a transitional phase, many organizations already have a foot in both locations, on-premises and in-cloud. The report notes that of those with on-premises ERP systems, 42 percent also have a cloud (SaaS) deployment.

Conversely, of organizations primarily using SaaS ERP, two-thirds also have on-premises systems. Unfortunately, as I’ll discuss later, the data reported doesn’t indicate how CSA ascertained those “primarily focused” on SaaS or on-premises. Although the data show substantial interest in IaaS and PaaS as ERP destinations, I don’t consider these true cloud ERP products and agree with the definition in Gartner’s MQ that the product must provide “a core financial management suite as a cloud service.” That, after all, is the historical basis for most ERP deployments as understood in the enterprise arena.

To no one’s surprise, the CSA survey found that SAP and Oracle are the most commonly used ERP products, particularly among large enterprises where SAP had greater than 70 percent overall market penetration. Coming in third overall, but tops with SMBs is Microsoft Dynamics, with no other product having a meaningful share. Sadly, the report doesn’t break out usage by platform, but given that the majority of respondents primarily use on-premises systems, SAP’s leading position isn’t surprising. The survey would have been much more enlightening had it filtered for those using cloud SaaS products like Oracle ERP Cloud, Microsoft Dynamics, Oracle-Netsuite, and Workday.

It might be possible to discern that data from publicly available financial information, but that runs the risk of guessing what constitutes ERP when we already know that vendors move the ‘cloud’ measurement goalposts, depending on their investor influence priorities.

Security concerns and protections

Regardless of the cloud service, security is a perennial concern and source of FUD and the CSA results confirm the status quo where security-related issues take the top two spots when respondents were asked to list their top concerns when moving ERP to the cloud. Whether it’s moving sensitive data (65 percent) or generic security exposures (59 percent), protecting an organization’s sensitive financial information is considered an acute challenge when using external ERP systems.

Overall, presumably including both on-premises and cloud installations although the report doesn’t specify, just over half of the CSA respondents haven’t had a security incident in the past two years, although a disturbing 44 percent didn’t know (which is either alarming or might be due to their not being directly involved in ERP administration).

54 percent of respondents think that moving to the cloud would increase the security risk, while 16 percent think it would improve security. Count me in the latter camp when organizations take advantage of the many controls and security services cloud providers offer. A key benefit of cloud services is the sophisticated and robust security controls the providers incorporate into their systems, software, and facilities. Research has consistently demonstrated that cloud infrastructure and networks are more secure than those at most enterprises.

A significant challenge with cloud deployments is the shared security model, where the cloud provider and the user are each responsible for different security layers. Unfortunately, many CSA respondents don’t seem to understand this, since 41 percent think their organization is responsible for ERP security breaches in the cloud while 60 percent think the blame lies with the cloud provider. In most cases, the correct answer isn’t either/or but a mixture, although I’d lean towards organizations bearing more of the responsibility as a result of mundane issues like poor password choices or password sharing.

The survey shows that most cloud ERP users have plenty of security work to do since the deployment of even basic security measures is far from universal. About one-third or more of deployments don’t use IAM and firewall services and only 56 percent of those with both on-premises and cloud ERP environments use SSO for a consistent authentication and security policy across platforms.

One would think that an organization founded to promote cloud security would have recommendations for cloud ERP users. Sadly, although it does have a white paper on the topic, it sorely lacks specifics. Among its general guidelines, the paper advises buyers to understand a SaaS provider’s security practices in the following areas:

  • Encryption or tokenization of sensitive data, including options for key management
  • Use of multifactor authentication (MFA) to secure user accounts
  • Security mechanisms for APIs including input/output validation to protect against common attacks like buffer overflows, code injection and Web XSS
  • Event logging and auditing
  • Security of infrastructure and facilities including isolation measures to protect data and applications on shared systems.

CSA also advises ERP users to consider a cloud access security broker (CASB), products that monitor and enforce security policies, detect unauthorized system access and prevent or detect data leaks. The survey shows only 29 percent have deployed a CASB so far, but given the immaturity of the CASB market, such a low level of penetration is understandable. As cloud ERP usage expands and organizations understand the changed risks of having their most sensitive data on cloud infrastructure, more of them will realize the need for more proactive, systematic, automated security methods which a good CASB can provide. Indeed, expect cloud providers to directly provide such features whether through buying, as Microsoft (Adallom) and Oracle (Palerra) already have, building or partnering with a third party.

My take

Financial management is a core IT service common to all organizations that’s ripe for delivering as a managed cloud service. I expect cloud ERP usage to significantly increase in the coming years. However, I agree with my colleague Dennis Howlett that the market is fragmented, confusing and ripe for innovation that pushes ERP beyond the boundaries of traditional financial management and incorporates other core business functions. As I detailed in a previous column, I believe that the cloud opportunity for enterprise software companies like Adobe, SAP and Oracle is SaaS, not user-managed IaaS packages. As I wrote of Oracle,

I believe that SaaS is the bigger cloud opportunity for Oracle as customers like Birmingham City University reason that if they are going to move to the cloud, why take half steps by continuing to operate their applications? Instead, they will see the wisdom of allowing Oracle to manage, secure and update the infrastructure and applications. Indeed, given Oracle’s unparalleled expertise in its own applications, it is highly likely to do a better job than the customers could do themselves.

One frustration I have with CSA’s survey, typical of many others, is methodological: questions often lack precision such that they provide for multiple answers and don’t reveal the extent of usage of a particular product or environment.

For example, the results of current ERP deployments sum to more than 140 percent, implying that many respondents use more than one environment. Such redundancy is problematic when the topic is a critical financial system since we can’t discern the significance of the usage. For example, are most business units on a centrally-managed on-premises system with a couple of smaller organizations or recent M&A additions using a cloud ERP vendor? If so, which one is strategic and does the organization plan to converge on a single platform? The survey provides no way of knowing.

As executives gain confidence in cloud applications, expect the pace of cloud ERP migrations to quicken, which as Den mentions, given the current market is a recipe for big consulting contracts. The still nascent state of the market is also an opportunity for cloud-native innovators to disrupt the market with a product that synergistically combines or integrates multiple back-office functions into a SaaS portfolio.

By way of postscript, I received an email attributed to Juan Pablo (JP) Perez-Etchegoyen, Onapsis CTO and CSA ERP Security Working Group Chair which said:

We are in the last phase of releasing the Top 20 Critical Controls for Cloud ERP Customers which will actually do exactly what you are asking, i.e. offering ERP-specific prescriptive standards. The documents will outline how to implement those controls for different ERP technologies, starting with SAP and then Oracle. The top 20 controls is currently in peer review and will be released in a couple of weeks:

Top 20 Critical Controls for Cloud ERP Customers: This document aims to be a guide for assessing and prioritizing the most critical controls that organizations should take into account when trying to secure their business-critical applications in the cloud. The document also contains an overview of cloud ERP security, control details and associated threats and risks.