In a matter of a few years, IT departments across most industries have fully embraced cloud computing and its benefits. While cloud computing is popular, is it secure?
It makes headlines when an organization’s ERP software is compromised through a cloud security breach. That negative press was once a motivating factor for organizations to stay on-premise, but given the advantages of moving to the cloud, businesses are making the move in order to stay competitive.
While moving from an on-premise infrastructure to a cloud-based one shifts some of the responsibility from the organization’s IT department to the cloud service provider (CSP), security remains a focal point for which both parties should bear responsibility.
Understanding who is responsible for which security measures is crucial to keeping your organization’s data safe in the cloud. According to Gartner, “In nearly all cases, it is the user – not the cloud provider – who fails to manage the controls used to protect an organization’s data.”1
This is similar to what we’ve found in our ERP implementation experience – people, not technology, determine the success of an ERP project. We’ve seen all different aspects of ERP implementations – including security – fail based on a lack of organizational alignment between people, processes and technology.
In fact, our 2019 ERP Report shows that more than a third of organizations experienced budget overruns due to organizational issues, and more than half of organizations experienced timeline overruns due to organizational and/or training issues.
Whether you are currently using cloud computing, are planning a move to the cloud or are staying on-premise, it’s important to know how the security design differs. Below we’ve outlined the key differences between on-premise and cloud security, as well as some of the advantages and disadvantages of both.
Differences Between On-premise and Cloud Computing
1. Ownership of Responsibilities
The biggest difference between on-premise and cloud security design is the amount of responsibility that rests on the organization itself. With an on-premise infrastructure, a business is responsible for ERP system security from end to end. They procure the servers where the data will be housed, build and manage the firewalls used to control access to the network and control the ability to query and extract data from the system.
In a cloud world, these security responsibilities are shared between the organization and the cloud service provider (e.g. Amazon Web Services or Microsoft Azure). This is often referred to as the “shared responsibility model.” Depending on what type of service a cloud customer subscribes to, the customer’s security responsibilities differ:
Infrastructure as a Service
In the case of infrastructure as a service (IaaS), cloud customers are not responsible for the physical layer: the data centers, the hardware that applications are hosted on and the virtualization layer beneath their virtual machines. Everything above that remains the customer’s job: provisioning and hardening the virtual machines (operating system, patching, local accounts), securing the virtual network (which ports are exposed, routing, network access rules), managing identities and access, protecting the data, and monitoring all applications and interfaces within the network.
Platform as a Service
When it comes to platform as a service (PaaS), the cloud service provider takes on additional security responsibilities. Since the customer is now paying for an entire platform, as opposed to only the cloud infrastructure, the CSP manages the duties listed for IaaS as well as the provisioning and patching of the virtual machines and securing the virtual network. The cloud customer is still responsible for its data, its application code and configuration, its user identities and access rights, and monitoring its interfaces.
Software as a Service
For software as a service (SaaS), the CSP is responsible for all the previously mentioned duties for IaaS and PaaS, plus the application itself. This makes sense, as the cloud customer is now paying to use the CSP’s application hosted on the CSP’s platform and cloud infrastructure. Even here, the cloud customer remains responsible for the security of its data, for how the application is configured (who can log in, with which privileges, from where) and for every interface it connects to the application.
In all cases, it is the sole responsibility of the customer to ensure that its specific security requirements are being met. If your organization is planning a move to the cloud, it’s helpful to list all your security requirements. When meeting with potential CSPs, give them the list, and have them show which requirements their service meets, which it meets only if you configure it correctly, and which remain yours to implement.
It’s extremely important to note that even though in a cloud-based environment many of the responsibilities now lie with the CSP, the cloud customer must follow the appropriate processes and procedures and hire knowledgeable personnel in order to maintain a secure cloud environment. Designing and documenting processes around ERP security can help the organization prepare its IT staff for new roles and responsibilities. A strong business process management methodology is essential when defining new business processes.
2. Points of Access
Another key difference between on-premise security and cloud security is how the system is reached. An on-premise ERP system runs on servers in the company’s own data center and is reachable only from the company’s network. When business users need to access company data in an on-premise environment, they need to be in the office, or otherwise connected to the company network.
For example, an employee could have the SAP client installed on their work laptop, allowing them to view company data from that device (on the company network, of course). The same employee could also have a personal laptop that does not have SAP installed and cannot reach the system at all. This makes controlling access to applications and data simpler, because there is effectively a single access path: a managed device on the company network.
This poses challenges for employees working remotely, who typically use a virtual private network (VPN) to reach the company network or log into their in-office device. A VPN is not secure by itself; it is as secure as the authentication it demands (a certificate or hardware key plus a second factor, rather than a password alone) and the patching it receives, because the VPN gateway is itself an internet-facing entry point into the internal network.
In a cloud-based environment, employees can access company applications via a web browser. This means that any device with internet access becomes an entry point to business critical data.
Cloud-based environments also make heavy use of application programming interfaces (APIs). While APIs can be used with applications running on-premise, their use didn’t become the norm until cloud service (and software) providers began pre-building them into their platforms. Now, interfacing with third-party software applications is as easy as exposing the appropriate API and issuing the third party credentials for your environment.
This ease of interfacing has its benefits but adds an additional layer of complexity when it comes to security design. In an on-premise environment, interfacing with outside systems is usually driven by the IT department, and the communication channel must be built in collaboration with the third party. With this approach, security considerations can be designed into the communication channel up front.
When utilizing an API to create, read, update or delete data in another system, it is crucial that proper planning takes place. An API credential rarely needs every permission to perform its designated function. Identify the minimum set of operations the integration actually performs, grant only those, and understand what each granted permission would allow if the credential leaked. We always advise against taking the easy road and just giving full permissions to an API.
When building the integration, you should also investigate the security of the system you are interfacing with. One question to ask is this: “If that system is breached, how can it affect our data?” A credential scoped to read a few resources limits the damage to reading those resources; a credential with full permissions hands the attacker your entire system. Developing your connector or API with this in mind can save you headaches and potential lawsuits down the road.
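The scoping decision described above, as an added example that is not code from the original article: a credential is bound to one integration and carries an explicit default-deny scope, an authorization check enforces it on every call, and a blast_radius function answers the “if the partner is breached, what can it do to our data?” question by listing every operation a leaked copy of the credential could perform. The integration names, resources, scopes and clock values are hypothetical and constructed for the demo.

```python
"""Least-privilege scoping for a third-party integration credential.

Added example, not code from the original article. The integration names,
resources, scopes and clock values are hypothetical and constructed for the
demo; they do not describe any particular ERP product's API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# CRUD operations an integration may be granted on a resource.
OPERATIONS = frozenset({"create", "read", "update", "delete"})
# Resources exposed by the hypothetical ERP API.
RESOURCES = frozenset({"orders", "shipments", "customers", "payroll"})


@dataclass
class Credential:
    """An API credential bound to one integration, with an explicit scope.

    scope maps a resource name to the set of operations allowed on it.
    Anything not listed is denied (default deny).
    """
    integration: str
    scope: dict
    expires_at: datetime


def authorize(cred, resource, operation, now=None):
    """Return (allowed, reason) for one API call made with `cred`."""
    now = now or datetime.now(timezone.utc)
    if operation not in OPERATIONS or resource not in RESOURCES:
        return False, "unknown resource or operation"
    if now >= cred.expires_at:
        return False, f"credential for {cred.integration} has expired"
    if operation not in cred.scope.get(resource, set()):
        return False, f"{cred.integration} lacks {operation} on {resource}"
    return True, "ok"


def blast_radius(cred):
    """Every (resource, operation) pair reachable with a leaked copy of
    `cred`: the answer to 'if the partner is breached, what can it do to
    our data?'"""
    return {(res, op) for res, ops in cred.scope.items() for op in ops}


def full_access(integration, expires_at):
    """The 'easy road': every operation on every resource."""
    return Credential(integration,
                      {res: set(OPERATIONS) for res in RESOURCES}, expires_at)


NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)      # constructed clock
ONE_YEAR = NOW + timedelta(days=365)

# A shipping carrier needs to read orders and update shipment status, nothing more.
SHIPPING_SCOPED = Credential("shipping-carrier",
                             {"orders": {"read"}, "shipments": {"read", "update"}},
                             ONE_YEAR)
SHIPPING_FULL = full_access("shipping-carrier", ONE_YEAR)
EXPIRED = Credential("old-partner", {"orders": {"read"}}, NOW - timedelta(days=1))

if __name__ == "__main__":
    print("scoped, reachable if leaked:", sorted(blast_radius(SHIPPING_SCOPED)))
    print("full, reachable if leaked:", len(blast_radius(SHIPPING_FULL)), "pairs")
    for cred in (SHIPPING_SCOPED, SHIPPING_FULL):
        print(cred.integration, "delete customers ->",
              authorize(cred, "customers", "delete", NOW))
```

Run stand-alone, the script shows the scoped credential reaching three resource/operation pairs while the full-access one reaches sixteen, and the same delete-customers request being denied for the scoped credential and allowed for the full one. The expiry check matters in practice because partner credentials are rarely revoked once the integration is forgotten.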
The Advantages and Disadvantages of On-premise and Cloud Computing
Whether you have an on-premise infrastructure or are already in the cloud, there are some strong advantages to both in terms of security:
Advantages of Cloud Security
A huge advantage when it comes to security in the cloud is the accessibility of security tools built by the cloud service provider or ERP vendor. Usually, for an additional fee, CSPs like Amazon, Microsoft and Google offer built-in security tools that help your IT department identify and remediate network vulnerabilities and provide suggestions on how to improve your security design.
Cloud service providers have a lot riding on the security of your data, namely their reputation. Even if a data breach is the fault of a cloud customer, the CSP’s reputation also takes a hit. Because of this, CSPs have invested heavily in analytics and machine learning to identify weak spots in your configuration and to alert you when they detect attack activity.
Another benefit of security in the cloud is the level of automation that can be achieved by leveraging APIs. These APIs make it simple to orchestrate incoming and outgoing messages between your company’s network and third parties, provided that every call is authenticated and authorized at each step of the way; that part is still your design decision, not something the API gives you for free.
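One way to authenticate each automated message between your network and a partner, as an added example that is not code from the original article: the sender computes a keyed HMAC over the partner id, a timestamp and the message body, and the receiver recomputes it with the same shared secret, rejects anything outside a short time window (which blocks replays of captured messages) and compares signatures in constant time. The header names, partner name, shared secret and sample payload are hypothetical and constructed for the demo.

```python
"""Authenticating each API message between your network and a partner with
a keyed HMAC and a timestamp window.

Added example, not code from the original article. The header names, the
partner name, the shared secret and the sample payload are hypothetical and
constructed for the demo.
"""
import hashlib
import hmac
import json
import time

# One shared secret per partner, provisioned out of band and stored in a
# secrets manager in practice. Constructed value for the demo only.
PARTNER_SECRETS = {"shipping-carrier": b"constructed-demo-secret-do-not-reuse"}
MAX_SKEW_SECONDS = 300  # reject messages more than five minutes old or ahead


def _canonical(partner, timestamp, body):
    # Bind partner id, timestamp and body into one byte string so none of
    # them can be swapped without invalidating the signature.
    return b"\n".join([partner.encode(), str(timestamp).encode(), body])


def sign(partner, body, timestamp):
    """Sending side: headers to attach to `body` (bytes)."""
    mac = hmac.new(PARTNER_SECRETS[partner],
                   _canonical(partner, timestamp, body), hashlib.sha256)
    return {"X-Partner": partner, "X-Timestamp": str(timestamp),
            "X-Signature": mac.hexdigest()}


def verify(headers, body, now=None):
    """Receiving side: return (ok, reason). Log the reason; do not return it
    to the caller, since it helps an attacker tune the next attempt."""
    now = int(time.time()) if now is None else now
    partner = headers.get("X-Partner", "")
    secret = PARTNER_SECRETS.get(partner)
    if secret is None:
        return False, "unknown partner"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window (replay or clock skew)"
    expected = hmac.new(secret, _canonical(partner, ts, body),
                        hashlib.sha256).hexdigest()
    # compare_digest runs in constant time regardless of where the first
    # mismatching byte is, so timing does not leak the expected value.
    if not hmac.compare_digest(expected.encode(),
                               headers.get("X-Signature", "").encode()):
        return False, "signature mismatch"
    return True, "ok"


SAMPLE_TIME = 1_600_000_000                      # constructed send time
SAMPLE_BODY = json.dumps({"order": "SO-1001", "status": "shipped"}).encode()

if __name__ == "__main__":
    hdrs = sign("shipping-carrier", SAMPLE_BODY, SAMPLE_TIME)
    print("fresh, untouched:", verify(hdrs, SAMPLE_BODY, now=SAMPLE_TIME + 5))
    print("body altered:    ", verify(hdrs, SAMPLE_BODY + b" ", now=SAMPLE_TIME + 5))
    print("replayed later:  ", verify(hdrs, SAMPLE_BODY, now=SAMPLE_TIME + 3600))
```

This authenticates the message, not the transport; it belongs on top of TLS, not instead of it. Signing over the partner id as well as the body is what stops one partner’s secret from being used to impersonate another.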
Disadvantages of Cloud Security
While the use of APIs can be considered an advantage in terms of automation, it can also be seen as a disadvantage when looking at the number of access points to manage. If you have several third parties automatically accessing your environment, it can be difficult to monitor all the inbound and outbound traffic, and each partner credential is one more thing that can be leaked. In the case of a breach, it is even more problematic to find out where your security issues lie unless you can tell which credential made which call.
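Monitoring several partner integrations at once, as an added example that is not code from the original article: a per-partner allow-list of method and path prefix is compared against API gateway log lines, so that a partner calling outside its scope, a call with an unknown credential, a burst of calls in one minute and an unparseable line each produce a finding. A successful out-of-scope call is reported separately from a denied one, because it means the gateway’s authorization let it through. The log format, partner names, allow-list, threshold and sample lines are hypothetical and constructed for the demo.

```python
"""Per-integration monitoring of API gateway log lines.

Added example, not code from the original article. The log format, partner
names, per-partner allow-list, rate threshold and sample lines are
hypothetical and constructed for the demo; adapt the parser to whatever
your gateway actually emits.
"""
import re
from collections import Counter

# What each partner is supposed to call: (HTTP method, path prefix).
ALLOWED = {
    "shipping-carrier": {("GET", "/api/orders/"), ("PATCH", "/api/shipments/")},
    "tax-service": {("GET", "/api/invoices/")},
}
RATE_LIMIT_PER_MINUTE = 5  # constructed threshold sized for the tiny sample

LINE_RE = re.compile(
    r"^(?P<ts>\S+) partner=(?P<partner>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2020-06-01T10:00:01Z partner=shipping-carrier method=GET path=/api/orders/1001 status=200
2020-06-01T10:00:02Z partner=shipping-carrier method=PATCH path=/api/shipments/1001 status=200
2020-06-01T10:00:03Z partner=tax-service method=GET path=/api/invoices/77 status=200
2020-06-01T10:00:09Z partner=shipping-carrier method=DELETE path=/api/customers/42 status=403
2020-06-01T10:00:10Z partner=shipping-carrier method=GET path=/api/payroll/export status=200
2020-06-01T10:01:00Z partner=unknown-key method=GET path=/api/orders/1002 status=401
2020-06-01T10:02:00Z partner=tax-service method=GET path=/api/invoices/1 status=200
2020-06-01T10:02:01Z partner=tax-service method=GET path=/api/invoices/2 status=200
2020-06-01T10:02:02Z partner=tax-service method=GET path=/api/invoices/3 status=200
2020-06-01T10:02:03Z partner=tax-service method=GET path=/api/invoices/4 status=200
2020-06-01T10:02:04Z partner=tax-service method=GET path=/api/invoices/5 status=200
2020-06-01T10:02:05Z partner=tax-service method=GET path=/api/invoices/6 status=200
garbage line that does not parse
"""


def parse(line):
    """Return the fields of one log line, or None if it is not in the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Return findings as (partner, kind, detail) tuples."""
    findings = []
    per_minute = Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            findings.append(("-", "parse_error", line))
            continue
        partner, method, path = ev["partner"], ev["method"], ev["path"]
        status = int(ev["status"])
        allowed = ALLOWED.get(partner)
        if allowed is None:
            findings.append((partner, "unknown_partner", f"{method} {path} -> {status}"))
            continue
        per_minute[(partner, ev["ts"][:16])] += 1   # bucket by YYYY-MM-DDTHH:MM
        if not any(method == meth and path.startswith(prefix) for meth, prefix in allowed):
            # A denied call shows whoever holds the partner's key is probing;
            # a successful out-of-scope call shows the gateway let it through,
            # which is an authorization gap on your side.
            kind = "out_of_scope_allowed" if status < 400 else "out_of_scope_denied"
            findings.append((partner, kind, f"{method} {path} -> {status}"))
    for (partner, minute), n in per_minute.items():
        if n > RATE_LIMIT_PER_MINUTE:
            findings.append((partner, "rate_spike", f"{n} calls in minute {minute}"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

The allow-list is the same per-partner scope you grant when issuing the credential; keeping the two in one place is what lets you answer, after an incident, which partner made which call and whether it should have been possible.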
Advantages of On-premise Security
An obvious advantage of an on-premise security design is the clarity of responsibilities and ownership around security requirements. With a physical data center, it’s easy to see that access to the facility must be protected by the customer. The ownership of security requirements falls 100-percent on the organization.
Preparing its people and processes is what makes an organization’s data security strong; the technology alone does not. An organization must prepare not only its IT department but its end users as well. While end users have a very different set of security responsibilities, their role is no less important. Some organizations develop an organizational change management plan to prepare employees for the security considerations of a new ERP system.
Disadvantages of On-premise Security
With ownership of the data center resting solely on the business, the security responsibilities placed on your IT department are considerably greater than in a cloud-based environment: physical access, hardware, hypervisors and the network perimeter are all yours, on top of everything a cloud customer must still do.
Additionally, in an on-premise environment, there is usually little to no automation in terms of communicating with third parties. This means your IT department must securely build and manage a channel of communication each time a new vendor is added to your ecosystem.
Lastly, as if your IT department doesn’t have enough on its plate, security tooling for on-premise environments must be bought, deployed and kept current by the organization itself, and it falls behind whenever that upkeep lags. With new ways for cybercriminals to access sensitive company data, security tools must constantly evolve to keep up with new threats. When the defense is no match for the threat, IT professionals must be even more diligent in monitoring your network’s security.
The most common route into company networks is not so much a virus or brute-force hacking. It is social engineering, combined with elevated permissions granted to individuals or groups that do not require full access, so that one deceived user hands an attacker far more than that user’s job ever needed. This is usually the result of not having a solidified IT plan and documentation.
You can address social engineering by having official training for all staff on attackers’ methods and tactics. Non-essential permissions can be audited and refined by your in-house IT security professional or an external IT auditing firm: list who holds each privileged role, compare it against who is approved to hold it, and remove what is unused or unjustified.
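The permission audit described above, as an added example that is not code from the original article: a role-assignment export is checked against a documented list of approved holders for each privileged role, privileged roles that have not been exercised in ninety days are flagged for removal, and anyone accumulating more than one privileged role is listed for review. The CSV columns, role names, user ids and approved-holder list are hypothetical and constructed for the demo.

```python
"""Audit of elevated permissions from a role-assignment export.

Added example, not code from the original article. The CSV columns, role
names, user ids and the approved-holder list are hypothetical and
constructed for the demo; a real export from your ERP or identity provider
will have its own shape.
"""
import csv
import io
from collections import defaultdict

# Roles that grant more than a normal business user needs.
PRIVILEGED_ROLES = {"SYSTEM_ADMIN", "SECURITY_ADMIN", "FINANCE_ALL"}
# Who is approved to hold each privileged role, from the documented IT plan.
APPROVED_HOLDERS = {
    "SYSTEM_ADMIN": {"jdoe"},
    "SECURITY_ADMIN": {"jdoe", "asmith"},
    "FINANCE_ALL": {"cfo"},
}
STALE_DAYS = 90  # a privileged role unused this long is a removal candidate

# Constructed export: one row per user/role assignment.
SAMPLE_EXPORT = """\
user,role,days_since_last_use
jdoe,SYSTEM_ADMIN,2
jdoe,SECURITY_ADMIN,15
asmith,SECURITY_ADMIN,120
bjones,SYSTEM_ADMIN,3
intern01,FINANCE_ALL,400
cfo,FINANCE_ALL,1
bjones,SALES_USER,1
"""


def audit(export_text):
    """Return findings as (user, role, reason) tuples."""
    findings = []
    held = defaultdict(list)   # user -> privileged roles held
    for row in csv.DictReader(io.StringIO(export_text)):
        user, role = row["user"], row["role"]
        if role not in PRIVILEGED_ROLES:
            continue            # ordinary roles are out of scope for this review
        held[user].append(role)
        days = int(row["days_since_last_use"])
        if user not in APPROVED_HOLDERS.get(role, set()):
            findings.append((user, role, "not an approved holder"))
        if days >= STALE_DAYS:
            findings.append((user, role, f"unused for {days} days"))
    # Even approved holders accumulate power; flag anyone with more than one
    # privileged role so the review can decide whether each is still needed.
    for user, roles in held.items():
        if len(roles) > 1:
            findings.append((user, "+".join(sorted(roles)),
                             f"holds {len(roles)} privileged roles"))
    return findings


if __name__ == "__main__":
    for user, role, reason in audit(SAMPLE_EXPORT):
        print(f"{user:10} {role:28} {reason}")
```

The value of the script is only as good as the approved-holder list behind it, which is the documentation the article says most organizations lack; the first run usually produces that list as much as it consumes it.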
Where Should You Host Your ERP System?
During ERP selection, cyber security is a concern for many organizations. Ultimately, security depends less on technology and more on your people and processes.
For example, cloud hosting may be more secure than on-premise hosting if your internal IT department is not large enough, skilled enough or prepared enough to manage the full security of an on-premise ERP system. However, a cloud environment still requires internal security responsibilities, so a strong internal team and clearly defined processes are still essential.
Panorama’s ERP consultants take the time to understand your organization’s unique situation. We can help you prepare your people and processes for the challenges of either cloud or on-premise security.
1. Gartner, “Is the Cloud Secure?”, https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/, March 2018