Small and midsize businesses are often less risk-averse than big companies when it comes to shifting applications to the cloud. This lets them become more agile organizations faster, but it can also mean they adopt cloud strategies without fully understanding how those strategies differ from previous approaches, and how that difference changes the goals of IT operations and SecOps across the organization.
Security is a critical area where this misunderstanding can cause problems, especially as organizations move more of their business-critical applications into the cloud and develop their own cloud applications. According to the Oracle and KPMG Cloud Threat Report 2019, 70 percent of businesses report higher use of business-critical cloud applications year-over-year.
Because many companies that want to shift their core applications into the cloud start with enterprise resource planning (ERP), we've compiled three best practices for starting out on the right foot and keeping your finance data as secure as possible.
Big companies might have more exposure because of a larger footprint of data, users, and physical assets, but that’s about the only difference size makes when it comes to data security.
First, scammers and thieves target opportunity, wherever it is. It doesn't matter if you produce or deliver "non-technical" services. Do your sales or services teams use cell phones, tablets, and laptops? Do your employees and customers use mobile apps or websites to interact? Do you use digital platforms to process credit cards, purchase orders, and accounts payable/receivable? These are commonplace business practices that introduce data risk unless appropriate security measures are in place.
Second, when business-critical data is stolen or misappropriated, the business suffers whether one customer is harmed or a hundred, and regardless of the volume of data that was compromised or breached. The pain scales with the scope of the event, of course, but it is still business pain, which means loss of valuable resources: time, customers, reputation, intellectual property, capabilities, revenue, and more. A century ago the most valuable asset was oil; today, according to The Economist, it is data.
Finally, data loss or exposure frequently starts with employees, and it takes only one mistake, one forgotten patch, or one rogue action for a harmful event to result. Unfortunately, a lack of skills and qualified staff is a top cybersecurity challenge for businesses of all sizes, according to the Oracle and KPMG Cloud Threat Report research, so hiring more hands to improve data security isn't an option for many companies. One of the top areas of budget spend in business today is training around data protection and privacy needs, a trend likely to continue in the years to come as a way to mitigate the risk of "human error." It is also imperative that organizations identify the critical controls for ERP Cloud and recognize that those controls are not just about user credentials; credentials are only the starting point.
Moving an on-premises application to the cloud is a good time to review current security policies and to develop new policies, workflows, and response programs around data protection. For example, one of the first challenges when moving ERP is credentialing for authorized users. These older applications may have been in place literally for decades, so maintenance of user entitlements is often lagging: former users have not been deprovisioned, and entitlements have not been corrected as employees changed roles. Cleaning this up is time-consuming for the first cloud application, but the resulting credentials and entitlements can be reused when onboarding additional cloud apps, such as human capital management or supply chain management applications.
Many organizations struggle with this because they try to manage entitlements individually for each of their hundreds of users. The more practical approach is to use groups. By defining the entitlements for each role, organizations only need to keep each user in the correct role, and role changes can be driven from the HR system.
Once this protocol has been established, set up a governance mechanism to monitor and manage compliance and the usage of credentials and their entitlements. Outdated or wrong entitlements are a security risk: you don't want former employees, or employees who have shifted roles, to retain access to data they shouldn't see. At the same time, you want to govern levels of data access to make sure they have not been changed by a rogue action.
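The role-based model and the governance check described above can be automated as a periodic reconciliation: take the HR system as the source of truth for who is active and in which role, take the role model as the source of truth for what each role may do, and compare both against what the ERP actually grants. The following is an added example written for this post, not code from Oracle or from any ERP product. The role names, entitlement names, HR roster, and ERP grant export are all constructed sample data.

```python
"""Reconcile ERP entitlements against an HR-driven role model.

Added illustrative example. All role, entitlement, and user names below are
hypothetical; the HR roster and ERP export are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Role model: the entitlements each business role is supposed to carry.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk": {"ap.invoice.enter", "ap.invoice.view"},
    "ap_manager": {"ap.invoice.enter", "ap.invoice.view",
                   "ap.invoice.approve", "ap.payment.release"},
    "gl_accountant": {"gl.journal.enter", "gl.journal.view", "gl.report.view"},
    "auditor": {"ap.invoice.view", "gl.journal.view", "gl.report.view"},
}

# HR system of record (constructed): employment status and current role.
HR_ROSTER: Dict[str, Dict[str, str]] = {
    "alice": {"status": "active", "role": "ap_clerk"},
    "bob": {"status": "active", "role": "gl_accountant"},   # moved from ap_manager
    "carol": {"status": "terminated", "role": "ap_manager"},
    "dave": {"status": "active", "role": "auditor"},
}

# Entitlements the ERP actually grants today (constructed export).
ERP_GRANTS: Dict[str, Set[str]] = {
    "alice": {"ap.invoice.enter", "ap.invoice.view"},
    "bob": {"gl.journal.enter", "gl.journal.view", "gl.report.view",
            "ap.payment.release"},                            # leftover from old role
    "carol": {"ap.invoice.enter", "ap.invoice.view",
              "ap.invoice.approve", "ap.payment.release"},    # terminated, never deprovisioned
    "dave": {"ap.invoice.view", "gl.journal.view", "gl.report.view",
             "gl.journal.enter"},                             # granted outside the role model
    "svc_legacy": {"gl.report.view"},                         # no HR record at all
}


@dataclass
class Finding:
    user: str
    kind: str                        # orphaned | unknown_role | excess | missing
    detail: str
    entitlement: Optional[str] = None


def review_entitlements(roster, role_model, grants) -> List[Finding]:
    """Compare every ERP account against HR status and the role model."""
    findings: List[Finding] = []
    for user, granted in sorted(grants.items()):
        record = roster.get(user)
        # Leavers and accounts with no HR record: nothing they hold is justified.
        if record is None or record["status"] != "active":
            findings.append(Finding(user, "orphaned",
                                    f"{len(granted)} entitlement(s) but no active HR record"))
            continue
        role = record["role"]
        expected = role_model.get(role)
        if expected is None:
            findings.append(Finding(user, "unknown_role",
                                    f"HR role {role!r} is not in the role model"))
            continue
        # Movers and rogue grants show up as entitlements the role does not justify.
        for ent in sorted(granted - expected):
            findings.append(Finding(user, "excess", f"not part of role {role}", ent))
        # Gaps in the other direction break the business process, so report them too.
        for ent in sorted(expected - granted):
            findings.append(Finding(user, "missing", f"expected for role {role}", ent))
    return findings


def revocation_plan(findings, grants) -> Dict[str, Set[str]]:
    """Turn findings into the concrete entitlements to remove per user."""
    plan: Dict[str, Set[str]] = {}
    for f in findings:
        if f.kind == "orphaned":
            plan[f.user] = set(grants[f.user])          # disable the whole account
        elif f.kind == "excess" and f.entitlement:
            plan.setdefault(f.user, set()).add(f.entitlement)
    return plan


if __name__ == "__main__":
    results = review_entitlements(HR_ROSTER, ROLE_ENTITLEMENTS, ERP_GRANTS)
    for f in results:
        print(f"{f.kind:12} {f.user:12} {f.entitlement or '-':22} {f.detail}")
    for user, ents in revocation_plan(results, ERP_GRANTS).items():
        print(f"revoke from {user}: {', '.join(sorted(ents))}")
```

Run on a schedule (and before every access review), this catches the three cases the paragraph above warns about: the terminated user and the unowned service account are flagged as orphaned, the employee who changed roles is flagged for the entitlement left over from the old role, and the grant that was never part of any role is flagged as excess. In a real deployment the roster and grants would come from HR and ERP exports rather than inline dictionaries, and the revocation plan would feed a ticketing or provisioning workflow rather than being printed.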
Using cloud apps and other services doesn't eliminate your responsibility for securing data. Your responsibilities include identifying critical assets, assessing data value and risk level, and determining whether or not a provider is capable of managing those risks.
You also need to be clear on your ongoing responsibilities. Security is a shared responsibility between vendor and client, but a lot of companies aren't completely clear on the division of labor. In the Oracle and KPMG Cloud Threat Report, 82 percent of cloud users said they have experienced security events due to confusion over shared responsibility security models; these events included the introduction of malware, unauthorized access to data, and increased audit risk due to exposure. Many cyber leaders share that confusion: 90 percent said they're not sure which of their team's responsibilities for securing SaaS services belong to them and which belong to the cloud provider.
No cloud service should be used in the business until IT and security leaders establish the ground rules for their own ownership of processes and document the cloud provider's role and responsibilities. This division of responsibility needs to be reviewed every six months for changes that might affect the customer's own Service Level Agreements (SLAs) with its customers and partners.
As I'll discuss in the next two blogs in this series, the cloud has many advantages for securing data, but as you start moving ERP and other applications to the cloud, remember these three tips: always take data security seriously, use the move to the cloud to improve data protection and governance, and be completely clear with vendors about who is responsible for what so that no gaps are created.
In my next blog, I'll describe some of the risks businesses take by not completely securing their finance data.