I recently proposed this question to Daryl Crockett, well known for her role specializing in data cleansing and data security. As in much of consulting, the answer often “depends” on many variables.
Let’s start the discussion by using the Equifax situation as a glaring and public example of a high-profile cybersecurity breach. Sure, they stored data in the cloud, but ultimately lax security procedures, controls, uninstalled patches, multiple systems, etc. led to the disastrous (allegedly preventable) event.
So, don’t expect a cloud application to make up for a lack of a detailed security protocol or protect your financial interests. Equifax is reportedly paying dearly (around $700 million) in consumer relief and fines.
Then there’s the question of who is trying to attack you and just how sophisticated they are. In the Equifax breach, it was recently announced that the Department of Justice has indicted four Chinese nationals with ties to the Chinese military. A group like this is far more sophisticated (and dangerous) than a group of criminal hackers, although Equifax’s lack of common-sense controls was so egregious that they were prone to being hacked anyway. The point being: this problem is getting worse and the attackers more devious and potent.
Here are some valuable perspectives on the cloud and security:
If you are running an on-premise version (vs. a cloud ERP system), this means that your company is running a stand-alone version of the application on a server you control. Maybe it’s running on a server in the basement of your office, or maybe it is with a Managed Service Provider (MSP).
That’s right – you might be running an on-prem software version of your application with data stored in your “private” cloud. It’s likely over time you have customized your software to suit your company’s specific needs, and updates must be made carefully, so you don’t break what you already have.
Typically, your ERP support provider will send updates that your IT team will have the responsibility to apply. If you are running an “on-prem” version of your ERP, it is very important (and your responsibility) that you have multiple environments (i.e. Dev, QA, Prod) and test thoroughly. IT must also manage users’ access to the system, what data can be extracted and reported on, and what other applications can read/write to your ERP data.
Let’s say you migrate to a cloud ERP system. In this case, your software and your ERP data will reside in the ERP’s data center. In most cases you will be in a “multi-tenancy” model, meaning that your data is stored together with other companies – and you will have access only to your data. The cloud ERP provider will be responsible for the security of your ERP data.
In this regard your data is usually very secure, provided you manage user access properly. Access for terminated employees must be removed promptly. Users should have access to only the data and modules which match their roles, and users must be continually educated and monitored with regards to data and password security.
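The access hygiene described above (prompt removal of terminated users, modules matched to roles) is easiest to enforce with a recurring access review. The script below is an added example, not code from the article or from any ERP vendor; the role-to-module map, user accounts and HR roster are constructed, and a real review would read them from ERP and HR exports.

```python
# Added example (not from the article): a periodic ERP access review that
# reconciles ERP accounts with the HR roster and a role-to-module map.
# All roles, users and data below are constructed for illustration.
from dataclasses import dataclass

# Hypothetical role entitlements; a real ERP exports these from its security setup.
ROLE_MODULES = {
    "ap_clerk": {"accounts_payable", "vendor_master"},
    "controller": {"accounts_payable", "general_ledger", "financial_reporting"},
    "warehouse": {"inventory", "shipping"},
}

@dataclass
class ErpUser:
    user_id: str
    role: str
    modules: set
    enabled: bool

def review_access(erp_users, hr_roster):
    """hr_roster maps user_id -> (status, termination_date). Returns
    (user_id, finding) pairs: accounts still enabled after termination,
    accounts with no HR owner, and modules outside the assigned role."""
    findings = []
    for u in erp_users:
        rec = hr_roster.get(u.user_id)
        if rec is None:
            findings.append((u.user_id, "no HR record (orphan or service account)"))
        elif rec[0] == "terminated" and u.enabled:
            findings.append((u.user_id, f"still enabled after termination on {rec[1]}"))
        excess = sorted(u.modules - ROLE_MODULES.get(u.role, set()))
        if excess:
            findings.append((u.user_id, f"modules outside role '{u.role}': {', '.join(excess)}"))
    return findings

# Constructed sample extract: one clean clerk, one terminated clerk still enabled
# with an extra module, one clean controller, one account unknown to HR.
ERP_USERS = [
    ErpUser("jdoe", "ap_clerk", {"accounts_payable", "vendor_master"}, True),
    ErpUser("asmith", "ap_clerk", {"accounts_payable", "general_ledger"}, True),
    ErpUser("bwong", "controller", {"general_ledger", "financial_reporting"}, True),
    ErpUser("svc_edi", "warehouse", {"inventory"}, True),
]
HR_ROSTER = {"jdoe": ("active", ""), "asmith": ("terminated", "2024-01-15"),
             "bwong": ("active", "")}

if __name__ == "__main__":
    for user_id, finding in review_access(ERP_USERS, HR_ROSTER):
        print(f"{user_id}: {finding}")
```

Each finding is a ticket for the ERP administrator: disable, re-scope, or document an owner for the account.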
The cloud ERP provider will periodically push out functional and security software updates to you automatically, usually on a published schedule, with the understanding that your company will be responsible for testing the pending version of your software. If you find a problem during this ERP testing, you will work with your software provider.
The cloud ERP software makes it more convenient for your company to obtain the latest functionality and security. However, what you may sacrifice is some ability to customize the software to your business needs. Since you share your software with thousands of other companies, there are only certain elements of your system which can be modified. Thus, if your company must have certain functionality which is not supported by the cloud ERP, then you may be forced to use additional software. This means the cloud ERP will have to share data with another system. Any time you have interfacing systems, the overall risk to your data goes up – from both a quality and security perspective.
Think of your ERP as a walled castle in the cloud. The software provider will do a great job defending your castle and data contents. They have built a secure-entry drawbridge to verify all registered users coming into the castle. But when your company starts adding other doors and windows to the castle through which your data can be shared and viewed, the castle becomes inherently less secure.
Your company’s IT team must manage ERP user access, but also must secure all the systems and devices outside of the castle that are able to view and download data. And that is precisely the security gap the “bad actors” will target. They will attack through your integration points. They will look for weaknesses in other systems and devices outside of the ERP castle walls in which your precious data is stored. And they will try to steer your users into sharing their user credentials to the castle.
Each person’s definition of “safe” will differ. Ms. Crockett has identified some important considerations as well as responsibilities your company must “own” whether you are cloud-based or on-prem. There are others, such as internal hacking, which also must be considered and managed. On the proactive front, you might want to consider advanced encryption or additional layers of password protection.
We have only touched upon what has become a very complicated and evolving challenge of today’s digital world.