Why Security Matters
According to a research study by the Cloud Security Alliance (CSA), 69% of enterprises are moving mission-critical information to the cloud. These migrations are massively complex and take meticulous planning to ensure success. At the same time, the research shows 65% of businesses are worried about migrating their sensitive data, while 59% of them have security concerns.
The reason? Mission-critical applications and their associated data are at the heart of every organization’s operation. These applications come from leading vendors such as SAP and Oracle and deliver Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Product Lifecycle Management, Human Capital Management, Supply Chain Management, and Business Intelligence functionality. Each module contains sensitive information from sales, marketing, finance, customers, human resources, intellectual property, and more – so the stakes are high.
And while businesses have made great strides in protecting critical data, organizations, such as the Department of Homeland Security, have issued warnings explaining why the stakes are so much higher. In fact, a recent IDC survey showed that two-thirds of businesses said that downtime of mission-critical business applications could cost their organization $50,000 per hour.
As businesses look to migrate these applications to the cloud, it’s no wonder security is top of mind. But it’s essential to understand how their cloud security strategy stacks up against the security of their on-premises environments.
Protection From On-Prem to the Cloud
There is a misconception that on-premises mission-critical applications can rely on firewalls and other perimeter and endpoint defenses for protection. While these add a layer of protection, such point solutions don’t understand the protocols, technology, or complexity of business applications. Perimeter solutions work well to keep bad actors out of an organization’s network, but they cannot help when it comes to understanding threats to an ERP or CRM system, or detecting when someone obtains critical data from these applications.
This situation worsens as enterprises move applications to the cloud. Today, CISOs and other business leaders should realize the attack surface is expanding in the cloud. Moreover, there are often discrepancies within businesses on who is responsible for protecting the business application data.
Regarding technology-related risks, with Software-as-a-Service (SaaS) business applications, organizations are often shifting accountability for some of the security controls and the patching process to the SaaS provider. In an Infrastructure-as-a-Service (IaaS) model, it varies: patching can be outsourced to the cloud service provider or controlled by the business’s own security team.
And while the organization’s responsibility for its data always remains the same regardless of whether the applications are running on-premises or in the cloud, there is no standard shared responsibility model for security. When it comes to applications that house the “crown jewels” of a business, protection should always be a priority. Security teams need to ensure they understand their responsibility within the service-level agreement they have with partners.
Even though cloud security has advanced so much over the past five years, more often than not neither the cloud service provider nor the mission-critical application vendor will monitor or protect applications to the extent that every company needs and compliance mandates require.
Key Cloud Security Considerations
The good news is that IT organizations and security teams migrating their mission-critical business applications to the cloud don’t have to do it alone. Leading independent organizations, like the Cloud Security Alliance (CSA), provide valuable checklists and guidelines to ensure a smooth migration.
The CSA’s Top 20 Controls for Cloud Enterprise Resource Planning (ERP) Customers prescribes the most critical controls organizations need to review as they begin a migration journey. It includes issues like authentication, user account management, baseline configurations, data encryption, change management controls, vulnerability assessments, and more.
But just because you know what concerns to address and controls to explore doesn’t mean you’re ready to migrate. Businesses should strongly consider tools to help automate the discovery of potential errors before, during, and after the migration.
Security From Beginning to End
The cloud migration process offers companies a unique opportunity to reset and evaluate their current mission-critical application security and compliance status. However, without the proper tools in place, this can be incredibly time-consuming, costly, and difficult to scale.
To help, businesses should look for security solutions that can automate traditional tasks and deliver insights that discover, assess, and fix code errors, application-layer vulnerabilities, and misconfigurations. A solution of this kind can support CSA’s top controls. It can also address problems early in the migration process and fix legacy issues before they transition to the cloud. This level of visibility accelerates migrations by building in security and compliance from the start. It also reduces costs by remediating issues that could become complicated down the road.
After a migration, keeping business applications in a secure and compliant state is also a challenge. Whether in an IaaS, PaaS, or SaaS cloud service model, organizations need to invest in tools to continuously monitor business applications to ensure they’re protecting what matters, including data and end-users, from attacks.
From increased scalability and flexibility to cost savings and uptime, the benefits of the cloud are clear. Still, without the proper guidelines and tools in place, businesses can put some of their most sensitive data at risk as they migrate mission-critical applications to the cloud. Industry support groups and leading application testing and security software can help organizations understand gaps in security and compliance before, during, and after migrations to ensure they move to the cloud with confidence.
By Juan Perez-Etchegoyen
As CTO, JP leads the innovation team that keeps Onapsis on the cutting edge of the Business-Critical Application Security market, addressing some of the most complex problems that organizations are currently facing while managing and securing their ERP landscapes. JP helps manage the development of new products as well as support the ERP cybersecurity research efforts that have garnered critical acclaim for the Onapsis Research Labs.
JP is regularly invited to speak and host trainings at global industry conferences, including Black Hat, HackInTheBox, AppSec, Troopers, Oracle OpenWorld and SAP TechEd, and is a founding member of the Cloud Security Alliance (CSA) Cloud ERP Working Group. Over his professional career, JP has led many Information Security consultancy projects for some of the world’s biggest companies in the fields of penetration and web application testing, vulnerability research, cybersecurity auditing and standards, and more.