ERP data is often described as a company's "crown jewels" because it contains a trove of valuable information. Customer data, inventory, budgets, payroll and sales orders are all types of data that ERP systems hold and transact.
Yet for all that value, ERP data security is an often unsung topic and ERP systems can be vulnerable to security threats. That's especially the case for organizations moving from on-premises systems to cloud-based systems.
In the first of a two-part series, Greg Wendt, executive director of security for Appsian in Dallas, discusses what organizations need to consider about ERP data security as the cloud becomes more prevalent.
Appsian provides ERP security services primarily for SAP and Oracle PeopleSoft systems, including access control, compliance and audit, and threat protection.
What are a few of the main ERP data security issues that organizations face today?
Greg Wendt: Historically, ERP implementations have been on-premises and they've been some of the later [systems] to shift into cloud-based environments, but this is changing. What we are seeing more of is that some organizations are [moving ERP systems to] either a cloud hyperscaler like an AWS, a vendor-specific cloud or a hosting provider. But across the board, we are seeing that the security departments inside these organizations are definitely concerned as to what's happening with this and who has access to the data once this occurs. Typically, when ERP shifts to the cloud, most of the development instances have a full copy of production, so they have the same sensitive data as production does. A lot of these organizations are attempting to change that, so they don't have that level of information in all of these different systems.
What are some of the concerns that people have about moving to the cloud?
Wendt: Let's say you go into a hosted environment where the vendor not only runs the hardware and the software for you, but also administers the application. The vendor is actually logging into your application, and it has powerful accounts that can get into your application set. So you have to ask: What is the vendor accessing? What is it seeing?
Some organizations are very apprehensive to move to the cloud because of those security concerns. They don't want all of that private, sensitive data in an area where they might not have full control over it. So we're seeing a shift to controls around the data, whether it's multi-factor authentication or data masking, especially for those accounts that are based on who may be accessing what type of data or if it's private, personal information type of data. What we've seen is a layering in of a lot of those controls especially throughout the development stack, not just the production implementation, because of that full realm of private data sitting throughout the development stack.
Are there other reasons why organizations might be reluctant to move ERP systems to the cloud?
Wendt: These are often mission-critical systems, so you have to talk about disaster recovery and what happens if your network gets cut or severed. At an organization that I worked with in the past, we had a lot of construction going on around it and we had our up-to-the-internet cut three different times within a year. They cut the fiber lines, which aren't exactly quick and easy to fix. So you could be down for 24 to 48 hours. If you're on-premises, you still have access to all of those systems. But if it's in the cloud, you don't because you can't get there.
Is there anything particular about ERP systems that makes them more vulnerable?
Wendt: ERPs have become more of a challenge because they're not necessarily as clear-cut to define and find out who has access to what information. A lot of ERPs are now built to where they're metadata-driven applications, so you have to understand that metadata to really understand what a user is accessing. For example, when you look at PeopleSoft, to understand what a field is at the database level, you have to look at how that is defined and how it's built within the PeopleTools layer of the ERP system. Because of the complexity of ERPs, whether it's PeopleSoft or SAP, it does make it more challenging to understand what people are doing.
What are some measures organizations can take to improve ERP data security?
Wendt: Definitely from an implementation of security level, it needs to be contextual-based security inside of the application. If you think of the ways you utilize your applications, maybe based upon how you're accessing that application, you have to have data that's either masked or you have to do stepped up multi-factor authentication. You can also control access to that particular transaction based upon where the user is coming from. These are very contextual, attribute-based controls that are layered into the application and that gives the control back to the organization. Because typically once you go to an internet-enabled application, many of these ERP applications are just user ID and password authenticated, so they're vulnerable once a hacker gets a hold of those credentials. This is why the phishing attacks are so successful, because they get access to that system and all the roles and transactions that that user has access to. That's where you want to enforce least-privileged access when they're coming in from an untrusted location. That's where you come into extra layers of protection and decide through those attributes what somebody should really be able to do, see or edit.
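The contextual, attribute-based controls described in the last answer can be sketched as a small policy check. This is an added example, not code from the interview, Appsian, or any ERP product; the transaction names, roles, field names and trusted network range are all hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration (hypothetical policy).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]
SENSITIVE_FIELDS = {"national_id", "bank_account"}
# transaction -> (roles allowed to run it, reachable from untrusted networks?)
TRANSACTIONS = {
    "view_paycheck": ({"employee", "payroll_admin"}, True),
    "edit_direct_deposit": ({"employee", "payroll_admin"}, True),
    "run_payroll": ({"payroll_admin"}, False),
}
ALWAYS_STEP_UP = {"edit_direct_deposit", "run_payroll"}

@dataclass(frozen=True)
class Request:
    roles: frozenset
    source_ip: str
    mfa_done: bool
    transaction: str

def is_trusted(source_ip: str) -> bool:
    addr = ip_address(source_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def decide(req: Request) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny' for one transaction request."""
    rule = TRANSACTIONS.get(req.transaction)
    if rule is None:
        return "deny"  # unknown transaction: default deny
    allowed_roles, remote_ok = rule
    if not (req.roles & allowed_roles):
        return "deny"  # the ordinary role check still applies first
    trusted = is_trusted(req.source_ip)
    if not trusted and not remote_ok:
        return "deny"  # least privilege from untrusted locations
    if (not trusted or req.transaction in ALWAYS_STEP_UP) and not req.mfa_done:
        return "step_up_mfa"  # user ID and password alone are not enough here
    return "allow"

def mask(value: str) -> str:
    """Keep only the last four characters visible."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]

def render(record: dict, req: Request) -> dict:
    """Mask sensitive fields unless the request comes from a trusted network."""
    if is_trusted(req.source_ip):
        return dict(record)
    return {k: mask(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}
```

With this policy, a stolen user ID and password used from an untrusted address yields at most a step-up prompt, and sensitive fields stay masked even after the prompt is passed.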