
Advice and Information for Finance Professionals

5 Questions to Ask When Choosing a Secure ERP Cloud Provider

Yaldah Hakim Rashid
Director, Cloud Applications Product Marketing

In a recent Harvard Business Review survey, Cloud Computing Comes of Age, 62% of 376 CxOs surveyed cited data security in the cloud as a top concern.

Does this mean you shouldn’t put ERP data in the cloud?  Some used to believe that. Another survey from Gartner and FEI, Critical CFO Technology Needs, shows that thinking is changing. Recently, 53% of CFOs surveyed have said they have come to rely on the cloud to store and process their financial data versus 21% in 2013. Why the shift?

The truth is that some have found that there are certain cloud providers that put more focus, investment and resources into cloud data security than they and their own staff ever could—reducing IT costs and risk. 

Yet most of the early cloud providers and even some of the new ones focus on reducing their own operating costs by underfunding secure database management and by disguising the riskier multi-tenant approach to cloud as a benefit to the customers. And sadly, this approach does not really benefit the customer.

Needless to say, as you start the process of vetting cloud providers, data security, cost and processing power in the cloud should be examined carefully, especially in high-volume transaction environments such as telecommunications, financial services and others. As an aid, we have put together 5 questions that can help you decide on choosing a secure ERP cloud provider. 

1. Is your ERP cloud provider viable?

All types of companies are offering ERP cloud services and some are doing it at bargain-basement prices. You’ve heard the old adage “you get what you pay for.”

That is not the way you want to go with critical finance data. You want a provider that invests heavily in cloud security, invests in building in data security at every layer of the stack, and one that hires and trains a team of cloud security experts who proactively monitor, guard and patch potential problems before they occur.

When evaluating the viability of your cloud provider, you should be asking:

  • How long has this provider been investing in secure cloud data management at the enterprise cloud level and will they be around tomorrow?
  • What is their track record in cloud security and what is the notification and resolution process in the event of a potential breach?
  • What is the level of expertise of the global team assigned and the tools they use to look after cloud security at every layer of the stack?

2. Is your ERP cloud designed to be secure at every layer?

When evaluating a cloud provider, it is important to ask if their cloud is designed to be secure at every layer of the technology stack. Investing in and designing security measures and options at every layer—starting from physical data center security to network, hardware, chip and operating system, as well as to storage disk, database, platform and finally the application layer—can make for a very secure cloud. Here are some high points from each layer to consider when choosing a secure cloud provider:

  • Application – role-based access: users can only access data appropriate for their role through assigned rights
  • Platform – global access controls and identity management
  • Storage – encryption at rest
  • Database – a variety of options at the database level to secure data (such as Database Vault Option), so that even administrators cannot view the data
  • Operating system and runtime Java – security built into each of these layers
  • Chip and hardware – silicon-secured memory hardwired into the silicon chip; software in silicon for database and applications
  • Network and physical – enterprise grade security designed with VPN access, firewalls, and physical security at the data centers; mantraps and biometrics access controls, as well as armed guards and other physical security to guard the network and the data center(s) itself 
  • Backup – data backups should come standard and with varying levels of redundancy, with the ability to retrieve all your data and all attachments easily
  • Support – badged security and data management experts looking after your database, infrastructure and applications 24x7
  • Additional advanced options – for those that require extra security for their data 

3. Is your accounting data isolated, secure and available for high performance processing?

Many SaaS providers encourage customers to put their vital business data into their multi-tenant cloud servers. They do so because it is a much less expensive option for them. Sadly, those savings are rarely passed on to their customers.

This practice exposes data to great risks and exposes your business to potential processing slowdowns.

As an example: most multi-tenant cloud providers cram as many customers as they can into the same limited data space, restricting high-performance processing and concurrently placing all their customers’ data together, increasing risk—all because it is far cheaper for the cloud provider to manage all their customers’ data in one database.

This inherently increases risk. Your business critical data could be inadvertently accessed by others, even competitors. Something that is commingled is not more secure than something that is isolated.  Simply stated, a multi-tenant cloud provider is not the most secure for storing and processing your ERP data in the cloud.

Another drawback to multi-tenant cloud design is processing performance. In a multi-tenant cloud architecture, your transactional processing speed and reporting performance may be affected by “noisy neighbors.” For example, if one of your co-tenants is doing massive payroll updates or high-volume computational financial transactions, this can greatly slow down processing that you need to do quickly—such as a period close, for example.

Now, compare this with secure data isolation architecture. In this instance, your data is physically isolated from other customers’ data. And, your performance (processing time and reporting performance) will not be slowed down or compromised due to the volume of work they may be processing.

Lastly, in a multi-tenant cloud, the cloud provider dictates when you upgrade because all customers must upgrade at once. What if their timing isn’t best for your business? Let’s say you are a retailer and your cloud provider decides to perform a time-consuming upgrade in a month that is peak for your business. You cannot opt out of that upgrade and that may impact your business at the wrong time. Look for a cloud provider that allows you to choose when to upgrade. 

4. Does your ERP cloud provider offer global unified access controls?

Does your cloud provider offer unified access controls globally? Does your cloud provider have unified access controls between on-premises systems and cloud-based applications? These are important questions.

Global access controls are vital because they provide role-based access so that only qualified and sanctioned users have access to specific data and certain functions based on their role. And, with global access controls, employees and even contractors who leave the company are systematically removed from all application access easily and consistently. Having these global controls in place reduces the risk that former employees or contractors have access to your critical data and business information.

5. Is your ERP cloud provider up to date on compliance and regulatory standards?

What about the topic of “local data residency”? This means enabling the option to keep your data in a data center within country or regional boundaries.

There are a myriad of standards for data protection and local data residency. In some cases, every country or region can have its own requirements. With these rules and standards changing often, it is almost impossible for you to keep track of all the standards and changes globally. The rules vary country by country, especially in Europe, the Middle East and across Asia Pacific.

In addition, many sectors, including government, healthcare and financial services, require compliance with industry-based data privacy and security standards.

A top-tier cloud provider will have a broad compliance portfolio which will help you with industry and country standards both from a data residency and compliance standpoint.

Conclusion

We all know the benefits of cloud.  Yet, it is important to mitigate risk when moving your important data to the cloud, especially financial data. In addition to reducing risk, lowering costs, increasing agility and allowing for faster innovation, an advanced cloud provider can give you secure data management concurrently in the cloud and on-premises, while bringing you peace of mind.  For more information you can download the executive brief here.

 
